Docs Version: 1.36

IAM
Every AWS Lambda function needs permission to interact with other AWS infrastructure resources within your account. These permissions are set via an AWS IAM Role, which the Serverless Framework automatically creates for each Serverless Service and which is shared by all of your Functions. The Framework allows you to modify this Role or to create Function-specific Roles easily.
# The Default IAM Role
By default, one IAM Role is shared by all of the Lambda functions in your service. Also by default, your Lambda functions have permission to create and write to CloudWatch logs. When a VPC configuration is provided, the AWS-managed AWSLambdaVPCAccessExecutionRole policy is attached to that Role as well, so that your functions can communicate with your VPC resources.

To add specific rights to this service-wide Role, define statements in provider.iamRoleStatements; they will be merged into the generated policy. Because those statements are merged into the CloudFormation template, you can use Join, Ref or any other CloudFormation method or feature in them.
```yml
service: new-service

provider:
  name: aws
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:ListBucket"
      Resource:
        Fn::Join:
          - ""
          - - "arn:aws:s3:::"
            - Ref: ServerlessDeploymentBucket
    - Effect: "Allow"
      Action:
        - "s3:PutObject"
      Resource:
        Fn::Join:
          - ""
          - - "arn:aws:s3:::"
            - Ref: ServerlessDeploymentBucket
            - "/*"
```

Alongside provider.iamRoleStatements, managed policies can also be attached to this service-wide Role: define them in provider.iamManagedPolicies. These will also be merged into the generated IAM Role, so you can use Join, Ref or any other CloudFormation method or feature here too.

```yml
service: new-service

provider:
  name: aws
  iamManagedPolicies:
    - 'some:aws:arn:xxx:*:*'
    - 'someOther:aws:arn:xxx:*:*'
    - { 'Fn::Join': [':', ['arn:aws:iam:', { Ref: 'AWSAccountId' }, 'some/path']] }
```

# Custom IAM Roles


WARNING: You need to take care of the overall role setup as soon as you define custom roles.

That means that the iamRoleStatements you've defined on the provider level won't be applied anymore. Furthermore, you need to provide the corresponding permissions for your Lambdas' logs and stream events yourself.

Serverless empowers you to define custom roles and apply them to your functions on a provider or individual function basis. To do this, you must declare a role attribute at the level at which you would like the role to be applied.

Defining it on the provider will make the role referenced by the role value the default role for any Lambda without its own role declared. That is to say, defining a role attribute on an individual function will override any provider-level declared role. If every function within your service has a role assigned to it (either via a provider-level role declaration, individual declarations, or a mix of the two), then the default role and policy will not be generated and added to your CloudFormation template.

The role attribute can have as its value the logical name of the role, the ARN of the role, or an object that will resolve to the ARN of the role. The declaration { function: { role: 'myRole' } } will result in { 'Fn::GetAtt': ['myRole', 'Arn'] }. You can of course just declare an ARN like so: { function: { role: 'an:aws:arn:xxx:*:*' } }. This use case is primarily for those who must create their roles and/or policies by means outside of Serverless.

Here are some examples of using these capabilities to specify Lambda roles.

# One Custom IAM Role For All Functions

```yml
service: new-service

provider:
  name: aws
  # declare one of the following...
  role: myDefaultRole # must validly reference a role defined in the service
  role: arn:aws:iam::0123456789:role/my/default/path/roleInMyAccount # must validly reference a role defined in your account
  role: # must validly resolve to the ARN of a role you have the rights to use
    Fn::GetAtt:
      - myRole
      - Arn

functions:
  func0: # will assume 'myDefaultRole'
    ... # does not define role
  func1: # will assume 'myDefaultRole'
    ... # does not define role

resources:
  Resources:
    myDefaultRole:
      Type: AWS::IAM::Role
      Properties:
        Path: /my/default/path/
        RoleName: MyDefaultRole # required if you want to use 'serverless deploy --function' later on
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        # note that these rights are needed if you want your function to be able to communicate with resources within the VPC
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
        Policies:
          - PolicyName: myPolicyName
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow # note that these rights are given in the default policy and are required if you want logs out of your lambda(s)
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - 'Fn::Join':
                      - ':'
                      -
                        - 'arn:aws:logs'
                        - Ref: 'AWS::Region'
                        - Ref: 'AWS::AccountId'
                        - 'log-group:/aws/lambda/*:*:*'
                - Effect: "Allow"
                  Action:
                    - "s3:PutObject"
                  Resource:
                    Fn::Join:
                      - ""
                      - - "arn:aws:s3:::"
                        - "Ref" : "ServerlessDeploymentBucket"
```

# Custom IAM Roles For Each Function

```yml
service: new-service

provider:
  name: aws
  ... # does not define role

functions:
  func0:
    role: myCustRole0
    ...
  func1:
    role: myCustRole1
    ...

resources:
  Resources:
    myCustRole0:
      Type: AWS::IAM::Role
      Properties:
        Path: /my/cust/path/
        RoleName: MyCustRole0
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: myPolicyName
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - 'Fn::Join':
                      - ':'
                      -
                        - 'arn:aws:logs'
                        - Ref: 'AWS::Region'
                        - Ref: 'AWS::AccountId'
                        - 'log-group:/aws/lambda/*:*:*'
                - Effect: Allow
                  Action:
                    - ec2:CreateNetworkInterface
                    - ec2:DescribeNetworkInterfaces
                    - ec2:DetachNetworkInterface
                    - ec2:DeleteNetworkInterface
                  Resource: "*"
    myCustRole1:
      Type: AWS::IAM::Role
      Properties:
        Path: /my/cust/path/
        RoleName: MyCustRole1
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: myPolicyName
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow # note that these rights are given in the default policy and are required if you want logs out of your lambda(s)
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - 'Fn::Join':
                      - ':'
                      -
                        - 'arn:aws:logs'
                        - Ref: 'AWS::Region'
                        - Ref: 'AWS::AccountId'
                        - 'log-group:/aws/lambda/*:*:*'
                - Effect: "Allow"
                  Action:
                    - "s3:PutObject"
                  Resource:
                    Fn::Join:
                      - ""
                      - - "arn:aws:s3:::"
                        - "Ref" : "ServerlessDeploymentBucket"
```

# A Custom Default Role & Custom Function Roles

```yml
service: new-service

provider:
  name: aws
  role: myDefaultRole

functions:
  func0:
    role: myCustRole0
    ...
  func1:
    ... # does not define role

resources:
  Resources:
    myDefaultRole:
      Type: AWS::IAM::Role
      Properties:
        Path: /my/default/path/
        RoleName: MyDefaultRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: myPolicyName
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow # note that these rights are given in the default policy and are required if you want logs out of your lambda(s)
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - 'Fn::Join':
                      - ':'
                      -
                        - 'arn:aws:logs'
                        - Ref: 'AWS::Region'
                        - Ref: 'AWS::AccountId'
                        - 'log-group:/aws/lambda/*:*:*'
                - Effect: "Allow"
                  Action:
                    - "s3:PutObject"
                  Resource:
                    Fn::Join:
                      - ""
                      - - "arn:aws:s3:::"
                        - "Ref" : "ServerlessDeploymentBucket"
    myCustRole0:
      Type: AWS::IAM::Role
      Properties:
        Path: /my/cust/path/
        RoleName: MyCustRole0
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: myPolicyName
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - 'Fn::Join':
                      - ':'
                      -
                        - 'arn:aws:logs'
                        - Ref: 'AWS::Region'
                        - Ref: 'AWS::AccountId'
                        - 'log-group:/aws/lambda/*:*:*'
                - Effect: Allow
                  Action:
                    - ec2:CreateNetworkInterface
                    - ec2:DescribeNetworkInterfaces
                    - ec2:DetachNetworkInterface
                    - ec2:DeleteNetworkInterface
                  Resource: "*"
```
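To make the custom-role rules concrete (a function-level role overrides the provider-level one, a logical role name becomes Fn::GetAtt, the default role is only generated when some function has no role, and custom roles must carry their own CloudWatch Logs rights as the WARNING above states), here is an added example in JavaScript that is not part of the Serverless Framework. It takes an already-parsed serverless.yml as a plain object (loading the YAML is assumed to happen elsewhere) and reports which functions land on a custom role that omits any of the log actions.

```javascript
// Added example, not Serverless Framework code: the docs' role rules applied to a parsed serverless.yml object.
// A logical role name becomes { 'Fn::GetAtt': [name, 'Arn'] }; an ARN string or an object passes through.
function toRoleRef(role) {
  if (typeof role === 'object') return role;
  return role.startsWith('arn:') ? role : { 'Fn::GetAtt': [role, 'Arn'] };
}
// A function-level role overrides the provider role; the default role is generated only if some function has none.
function resolveRoles(service) {
  const roles = {};
  for (const [name, fn] of Object.entries(service.functions)) {
    const role = fn.role !== undefined ? fn.role : service.provider.role;
    roles[name] = role === undefined ? null : toRoleRef(role);
  }
  return { roles, defaultRoleGenerated: Object.values(roles).includes(null) };
}
const LOG_ACTIONS = ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'];
// Custom roles get none of provider.iamRoleStatements; return the log actions a role's inline policies omit.
function missingLogActions(roleResource) {
  const granted = new Set();
  for (const policy of roleResource.Properties.Policies || []) {
    for (const st of policy.PolicyDocument.Statement) {
      if (st.Effect === 'Allow') [].concat(st.Action).forEach((a) => granted.add(a));
    }
  }
  if (granted.has('*') || granted.has('logs:*')) return [];
  return LOG_ACTIONS.filter((a) => !granted.has(a));
}
// Audit every function that lands on a custom role defined in this service's resources.
function auditService(service) {
  const { roles, defaultRoleGenerated } = resolveRoles(service);
  const findings = {};
  for (const [fn, ref] of Object.entries(roles)) {
    if (!ref || !ref['Fn::GetAtt']) continue; // default role, plain ARN or other object
    const res = ((service.resources || {}).Resources || {})[ref['Fn::GetAtt'][0]];
    findings[fn] = res ? missingLogActions(res) : ['(role resource not defined)'];
  }
  return { defaultRoleGenerated, findings };
}
// Constructed sample in the "custom default role & custom function roles" layout;
// myCustRole0 deliberately omits logs:PutLogEvents so the audit has something to flag.
const inlinePolicy = (actions) => [{ PolicyName: 'p', PolicyDocument: { Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: actions, Resource: '*' }] } }];
const SAMPLE = {
  provider: { name: 'aws', role: 'myDefaultRole' },
  functions: { func0: { role: 'myCustRole0' }, func1: {}, func2: { role: 'arn:aws:iam::000000000000:role/ext' } },
  resources: { Resources: {
    myDefaultRole: { Type: 'AWS::IAM::Role', Properties: { Policies: inlinePolicy(LOG_ACTIONS) } },
    myCustRole0: { Type: 'AWS::IAM::Role', Properties: { Policies: inlinePolicy(LOG_ACTIONS.slice(0, 2)) } } } },
};
console.log(JSON.stringify(auditService(SAMPLE)));
```

For the constructed sample this prints `{"defaultRoleGenerated":false,"findings":{"func0":["logs:PutLogEvents"],"func1":[]}}`: func1 inherits the complete default role, func0's custom role would leave that function unable to write logs, and func2's externally managed ARN is outside the template and so not inspected.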
