Not able to add policies in SAM template

Front-end, unresolved, 3 answers, 989 views
猫巷女王i 2021-02-20 13:46

I am working on a SAM template for publishing my application in the AWS Serverless Application Repository. But when I try to add policies for my Lambda it shows me the error: Invalid Serverless Appli

3 answers
  • 2021-02-20 14:12

    As of today (2018-10-09), the SAM template already supports inline policy documents.

    Here is an example:

    Resources:
      SomeFunction:
        Type: AWS::Serverless::Function
        Properties:
          Handler: index.handler
          Runtime: nodejs8.10
          Policies:
          - Statement:
            - Sid: SSMDescribeParametersPolicy
              Effect: Allow
              Action:
              - ssm:DescribeParameters
              Resource: '*'
            - Sid: SSMGetParameterPolicy
              Effect: Allow
              Action:
              - ssm:GetParameters
              - ssm:GetParameter
              Resource: '*'
    

    References:

    1. AWS::Serverless::Function's Policies property on AWS SAM Specification
    2. Related issue on GitHub
  • 2021-02-20 14:24

    Here's the full list of policy templates from the official repo example.

    
    Transform: AWS::Serverless-2016-10-31
    Resources:
      MyFunction:
        Type: 'AWS::Serverless::Function'
        Properties:
          CodeUri: src/
          Handler: index.handler
          Runtime: nodejs4.3
          Policies:
    
            - SQSPollerPolicy:
                QueueName: name
    
            - LambdaInvokePolicy:
                FunctionName: name
    
            - CloudWatchPutMetricPolicy: {}
    
            - EC2DescribePolicy: {}
    
            - DynamoDBCrudPolicy:
                TableName: name
    
            - DynamoDBReadPolicy:
                TableName: name
    
            - SESSendBouncePolicy:
                IdentityName: name
    
            - ElasticsearchHttpPostPolicy:
                DomainName: name
    
            - S3ReadPolicy:
                BucketName: name
    
            - S3CrudPolicy:
                BucketName: name
    
            - AMIDescribePolicy: {}
    
            - CloudFormationDescribeStacksPolicy: {}
    
            - RekognitionDetectOnlyPolicy: {}
    
            - RekognitionNoDataAccessPolicy:
                CollectionId: id
    
            - RekognitionReadPolicy:
                CollectionId: id
    
            - RekognitionWriteOnlyAccessPolicy:
                CollectionId: id
    
            - RekognitionLabelsPolicy: {}
    
            - SQSSendMessagePolicy:
                QueueName: name
    
            - SNSPublishMessagePolicy:
                TopicName: name
    
            - VPCAccessPolicy: {}
    
            - DynamoDBStreamReadPolicy:
                TableName: name
                StreamName: name
    
            - KinesisStreamReadPolicy:
                StreamName: name
    
            - SESCrudPolicy:
                IdentityName: name
    
            - SNSCrudPolicy:
                TopicName: name
    
            - KinesisCrudPolicy:
                StreamName: name
    
            - KMSDecryptPolicy:
                KeyId: keyId
    
            - SESBulkTemplatedCrudPolicy:
                IdentityName: name
    
            - SESEmailTemplateCrudPolicy: {}
    
            - FilterLogEventsPolicy:
                LogGroupName: name
    
            - StepFunctionsExecutionPolicy:
                StateMachineName: name
    
    
  • 2021-02-20 14:30

    It seems that currently only SAM Policy Templates can be used.

    AWS maintains the authoritative information/overview of SAM Policy Templates here: https://docs.aws.amazon.com/serverlessrepo/latest/devguide/using-aws-sam.html

    This document also states that, if you need further AWS resources and/or Policy Templates, you should contact AWS Support.

    A short overview and example of how to use them can be found here: https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/policy_templates/all_policy_templates.yaml

    Here's the overview of currently supported SAM Policy Templates at the time of posting this answer:

    • SQSPollerPolicy (provides sqs:DeleteMessage, sqs:ReceiveMessage)
    • LambdaInvokePolicy (provides lambda:InvokeFunction)
    • CloudWatchPutMetricPolicy (provides cloudwatch:PutMetricData)
    • EC2DescribePolicy (provides ec2:DescribeRegions, ec2:DescribeInstances)
    • DynamoDBCrudPolicy (provides dynamodb:GetItem, dynamodb:DeleteItem, dynamodb:PutItem, dynamodb:Scan, dynamodb:Query, dynamodb:UpdateItem, dynamodb:BatchWriteItem, dynamodb:BatchGetItem)
    • DynamoDBReadPolicy (provides dynamodb:GetItem, dynamodb:Scan, dynamodb:Query, dynamodb:BatchGetItem)
    • SESSendBouncePolicy (provides ses:SendBounce)
    • ElasticsearchHttpPostPolicy (provides es:ESHttpPost)
    • S3ReadPolicy (provides s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:GetLifecycleConfiguration)
    • S3CrudPolicy (provides s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:PutObject, s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration)
    • AMIDescribePolicy (provides ec2:DescribeImages)
    • CloudFormationDescribeStacksPolicy (provides cloudformation:DescribeStacks)
    • RekognitionNoDataAccessPolicy (provides rekognition:CompareFaces, rekognition:DetectFaces, rekognition:DetectLabels, rekognition:DetectModerationLabels)
    • RekognitionReadPolicy (provides rekognition:ListCollections, rekognition:ListFaces, rekognition:SearchFaces, rekognition:SearchFacesByImage)
    • RekognitionWriteOnlyAccessPolicy (provides rekognition:CreateCollection, rekognition:IndexFaces)
    • SQSSendMessagePolicy (provides sqs:SendMessage*)
    • SNSPublishMessagePolicy (provides sns:Publish)
    • VPCAccessPolicy (provides ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface)
    • DynamoDBStreamReadPolicy (provides dynamodb:DescribeStream, dynamodb:GetRecords, dynamodb:GetShardIterator, dynamodb:ListStreams)
    • KinesisStreamReadPolicy (provides kinesis:ListStreams, kinesis:DescribeLimits)
    • SESCrudPolicy (provides ses:GetIdentityVerificationAttributes, ses:SendEmail, ses:VerifyEmailIdentity)
    • SNSCrudPolicy (provides sns:ListSubscriptionsByTopic, sns:CreateTopic, sns:SetTopicAttributes, sns:Subscribe, sns:Publish)
    • KinesisCrudPolicy (provides kinesis:AddTagsToStream, kinesis:CreateStream, kinesis:DecreaseStreamRetentionPeriod, kinesis:DeleteStream, kinesis:DescribeStream, kinesis:GetShardIterator, kinesis:IncreaseStreamRetentionPeriod, kinesis:ListTagsForStream, kinesis:MergeShards, kinesis:PutRecord, kinesis:PutRecords, kinesis:SplitShard, kinesis:RemoveTagsFromStream)
    • KMSDecryptPolicy (provides kms:Decrypt)

    Almost all of those Policy Templates have to be configured. Please read the AWS documentation (links above) about how to configure these templates.

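As an added example (not code from any of the answers above), a small least-privilege lint that walks the Policies list of every AWS::Serverless::Function: it flags inline statements that Allow actions on Resource '*' (as in the first answer's SSM example) and policy template names that are not in the list given in the last answer. The template is a constructed Python dict standing in for the parsed YAML, and the mistyped S3ReadPoliy entry is deliberate.

```python
# Added example, not from the answers above: least-privilege lint for the Policies
# list of AWS::Serverless::Function resources. TEMPLATE is a constructed dict standing
# in for the parsed YAML; POLICY_TEMPLATES is the template list from the answer above.
POLICY_TEMPLATES = {
    "SQSPollerPolicy", "LambdaInvokePolicy", "CloudWatchPutMetricPolicy",
    "EC2DescribePolicy", "DynamoDBCrudPolicy", "DynamoDBReadPolicy",
    "SESSendBouncePolicy", "ElasticsearchHttpPostPolicy", "S3ReadPolicy",
    "S3CrudPolicy", "AMIDescribePolicy", "CloudFormationDescribeStacksPolicy",
    "RekognitionNoDataAccessPolicy", "RekognitionReadPolicy",
    "RekognitionWriteOnlyAccessPolicy", "SQSSendMessagePolicy",
    "SNSPublishMessagePolicy", "VPCAccessPolicy", "DynamoDBStreamReadPolicy",
    "KinesisStreamReadPolicy", "SESCrudPolicy", "SNSCrudPolicy",
    "KinesisCrudPolicy", "KMSDecryptPolicy",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policies(template):
    """Flag unknown policy template names and inline Allow statements on Resource '*'."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        for entry in res.get("Properties", {}).get("Policies") or []:
            if isinstance(entry, str):
                continue  # managed policy name or ARN; nothing to inspect here
            if "Statement" in entry:  # inline policy document
                for stmt in _as_list(entry["Statement"]):
                    wide = "*" in _as_list(stmt.get("Resource", []))
                    if stmt.get("Effect") == "Allow" and wide:
                        acts = ",".join(_as_list(stmt.get("Action", [])))
                        findings.append(f"{name}: {stmt.get('Sid', '?')} allows {acts} on Resource '*'")
            elif len(entry) == 1:  # policy template: single key holding its parameters
                key = next(iter(entry))
                if key not in POLICY_TEMPLATES:
                    findings.append(f"{name}: unknown policy template {key}")
    return findings

# Constructed sample: the inline statements from the first answer plus a mistyped template name.
TEMPLATE = {"Resources": {
    "SomeFunction": {"Type": "AWS::Serverless::Function", "Properties": {"Policies": [
        {"Statement": [
            {"Sid": "SSMDescribeParametersPolicy", "Effect": "Allow",
             "Action": ["ssm:DescribeParameters"], "Resource": "*"},
            {"Sid": "SSMGetParameterPolicy", "Effect": "Allow",
             "Action": ["ssm:GetParameters", "ssm:GetParameter"],
             "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/app/*"}]}]}},
    "Other": {"Type": "AWS::Serverless::Function", "Properties": {"Policies": [
        {"S3ReadPolicy": {"BucketName": "name"}}, {"S3ReadPoliy": {"BucketName": "name"}}]}}}}
```

Run it with `print("\n".join(lint_policies(TEMPLATE)))`; scoping the GetParameter statement to a parameter ARN, as in the sample, is what keeps it out of the findings.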