
Setting different permissions for different resources in Serverless
I am using Serverless and I have a running stack that consists of Lambdas, DynamoDBs, etc. However, I want to deploy one more Lambda that has different permissions than the others for security reasons. For example, I want it to only have read permission to my DBs. However, the other Lambdas I have built need to have write permission on the DBs.

I came up with two different solutions:

  1. Changing the Lambda's permissions after the Serverless deployment. (I am not in favor of this; the reason I am using serverless is to escape from deployment configurations such as this one)
  2. Creating 2 different projects, and thus two different serverless files, and operating on them. (This also brings overhead and complicates maintenance.)

It would be best if there were a way to define different permissions for different resources in one serverless.yml. However, I couldn't find resources on this topic.

Thank you for your time!
Solution

  • There is a serverless plugin called "Serverless IAM Roles Per Function" that allows you to create separate roles for your functions. You can also have a default role that will be inherited by some functions.

    In a nutshell, it's something like:

    provider:
      name: aws
      iamRoleStatements:
        - Effect: "Allow"
          Action:
            - xray:PutTelemetryRecords
            - xray:PutTraceSegments
          Resource: "*"
      ...
    functions:
      func1:
        handler: handler.get
        iamRoleStatementsInherit: true
        iamRoleStatements:
          - Effect: "Allow"
            Action: s3:GetObject
            Resource: arn:aws:s3:::my-bucket/*


    Here is the author's post with all details and here is the serverless official page about it.
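Applied to the question's own case (one read-only Lambda next to Lambdas that write to DynamoDB), a complete serverless.yml could look like the following. This is an added example, not the answer's or the plugin's own code; the service name, function names, handlers and the OrdersTable resource are assumed. With the plugin loaded, a function that declares no iamRoleStatements keeps the provider's default role, while a function that declares them gets its own role built only from those statements (plus the provider ones if iamRoleStatementsInherit is true).

```yaml
service: orders-api                 # assumed service name

plugins:
  - serverless-iam-roles-per-function

provider:
  name: aws
  runtime: nodejs18.x
  # Default role: read and write, used by every function that does not
  # declare its own iamRoleStatements. Scoped to one table, not "*".
  iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:GetItem
        - dynamodb:Query
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      Resource:
        - Fn::GetAtt: [OrdersTable, Arn]

functions:
  writeOrder:                       # assumed function name
    handler: handler.writeOrder
    # No iamRoleStatements here: this function keeps the default (write) role.

  reportOrders:                     # assumed function name
    handler: handler.reportOrders
    iamRoleStatementsInherit: false # do not pull in the provider's write statements
    iamRoleStatements:
      - Effect: Allow
        Action:                     # read-only actions on the same table
          - dynamodb:GetItem
          - dynamodb:Query
          - dynamodb:Scan
        Resource:
          - Fn::GetAtt: [OrdersTable, Arn]

resources:
  Resources:
    OrdersTable:                    # assumed table resource
      Type: AWS::DynamoDB::Table
      Properties:
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions:
          - AttributeName: orderId
            AttributeType: S
        KeySchema:
          - AttributeName: orderId
            KeyType: HASH
```

After `serverless deploy`, check the generated roles in IAM (or the CloudFormation template under `.serverless/`) to confirm that the reportOrders role carries no dynamodb:PutItem, UpdateItem or DeleteItem statement.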