发表新帖
发表新帖

Not able to add policies in SAM template

前端 未结
关注
3 961
猫巷女王i
猫巷女王i 2021-02-20 13:46

I am working on SAM template for publishing my Application in AWS Serverless repository. But when I try to add policies for my lambda it shows me error: Invalid Serverless Appli

相关标签:
3条回答
  • 攒了一身酷
    2021-02-20 14:12

    As of today (2018-10-09), SAM template already supports inline policy document.

    Here is an example:-

    Resources:
  SomeFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      Policies:
      - Statement:
        - Sid: SSMDescribeParametersPolicy
          Effect: Allow
          Action:
          - ssm:DescribeParameters
          Resource: '*'
        - Sid: SSMGetParameterPolicy
          Effect: Allow
          Action:
          - ssm:GetParameters
          - ssm:GetParameter
          Resource: '*'

    References:

    1. AWS::Serverless::Function's Policies property on AWS SAM Specification
    2. Related issue on GitHub
    0 讨论(0)
  • -上瘾入骨i
    2021-02-20 14:24

    Here's the full list of policy templates from the official repo example.

    
Transform: AWS::Serverless-2016-10-31
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: src/
      Handler: index.handler
      Runtime: nodejs4.3
      Policies:

        - SQSPollerPolicy:
            QueueName: name

        - LambdaInvokePolicy:
            FunctionName: name

        - CloudWatchPutMetricPolicy: {}

        - EC2DescribePolicy: {}

        - DynamoDBCrudPolicy:
            TableName: name

        - DynamoDBReadPolicy:
            TableName: name

        - SESSendBouncePolicy:
            IdentityName: name

        - ElasticsearchHttpPostPolicy:
            DomainName: name

        - S3ReadPolicy:
            BucketName: name

        - S3CrudPolicy:
            BucketName: name

        - AMIDescribePolicy: {}

        - CloudFormationDescribeStacksPolicy: {}

        - RekognitionDetectOnlyPolicy: {}

        - RekognitionNoDataAccessPolicy:
            CollectionId: id

        - RekognitionReadPolicy:
            CollectionId: id

        - RekognitionWriteOnlyAccessPolicy:
            CollectionId: id

        - RekognitionLabelsPolicy: {}

        - SQSSendMessagePolicy:
            QueueName: name

        - SNSPublishMessagePolicy:
            TopicName: name

        - VPCAccessPolicy: {}

        - DynamoDBStreamReadPolicy:
            TableName: name
            StreamName: name

        - KinesisStreamReadPolicy:
            StreamName: name

        - SESCrudPolicy:
            IdentityName: name

        - SNSCrudPolicy:
            TopicName: name

        - KinesisCrudPolicy:
            StreamName: name

        - KMSDecryptPolicy:
            KeyId: keyId

        - SESBulkTemplatedCrudPolicy:
            IdentityName: name

        - SESEmailTemplateCrudPolicy: {}

        - FilterLogEventsPolicy:
            LogGroupName: name

        - StepFunctionsExecutionPolicy:
            StateMachineName: name
    0 讨论(0)
  • 粉色の甜心
    2021-02-20 14:30

    It seems, that currently only SAM Policy Templates can be used.

    AWS maintains the authoritative information/overview of SAM Policy Templates here: https://docs.aws.amazon.com/serverlessrepo/latest/devguide/using-aws-sam.html

    This document also states that, if you need further AWS Resources and/or Policy Templates, you should contact the AWS Support.

    A short overview and example of how to use them can be found here: https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/policy_templates/all_policy_templates.yaml

    Here's the overview of currently supported SAM Policy Templates at the time of posting this answer:

    • SQSPollerPolicy (provides sqs:DeleteMessage, sqs:ReceiveMessage)
    • LambdaInvokePolicy (provides lambda:InvokeFunction)
    • CloudWatchPutMetricPolicy (provides cloudwatch:PutMetricData)
    • EC2DescribePolicy (provides ec2:DescribeRegions, ec2:DescribeInstances)
    • DynamoDBCrudPolicy (provides dynamodb:GetItem, dynamodb:DeleteItem, dynamodb:PutItem, dynamodb:Scan, dynamodb:Query, dynamodb:UpdateItem, dynamodb:BatchWriteItem, dynamodb:BatchGetItem)
    • DynamoDBReadPolicy (provides dynamodb:GetItem, dynamodb:Scan, dynamodb:Query, dynamodb:BatchGetItem)
    • SESSendBouncePolicy (provides ses:SendBounce)
    • ElasticsearchHttpPostPolicy (provides es:ESHttpPost)
    • S3ReadPolicy (provides s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:GetLifecycleConfiguration)
    • S3CrudPolicy (provides s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:PutObject, s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration)
    • AMIDescribePolicy (provides ec2:DescribeImages)
    • CloudFormationDescribeStacksPolicy (provides cloudformation:DescribeStacks)
    • RekognitionNoDataAccessPolicy (provides rekognition:CompareFaces, rekognition:DetectFaces, rekognition:DetectLabels, rekognition:DetectModerationLabels)
    • RekognitionReadPolicy (provides rekognition:ListCollections, rekognition:ListFaces, rekognition:SearchFaces, rekognition:SearchFacesByImage)
    • RekognitionWriteOnlyAccessPolicy (provides rekognition:CreateCollection, rekognition:IndexFaces)
    • SQSSendMessagePolicy (provides sqs:SendMessage*)
    • SNSPublishMessagePolicy (provides sns:Publish)
    • VPCAccessPolicy (provides ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface)
    • DynamoDBStreamReadPolicy (provides dynamodb:DescribeStream, dynamodb:GetRecords, dynamodb:GetShardIterator, dynamodb:ListStreams)
    • KinesisStreamReadPolicy (provides kinesis:ListStreams, kinesis:DescribeLimits)
    • SESCrudPolicy (provides ses:GetIdentityVerificationAttributes, ses:SendEmail, ses:VerifyEmailIdentity)
    • SNSCrudPolicy (provides sns:ListSubscriptionsByTopic, sns:CreateTopic, sns:SetTopicAttributes, sns:Subscribe, sns:Publish)
    • KinesisCrudPolicy (provides kinesis:AddTagsToStream, kinesis:CreateStream, kinesis:DecreaseStreamRetentionPeriod, kinesis:DeleteStream, kinesis:DescribeStream, kinesis:GetShardIterator, kinesis:IncreaseStreamRetentionPeriod, kinesis:ListTagsForStream, kinesis:MergeShards, kinesis:PutRecord, kinesis:PutRecords, kinesis:SplitShard, kinesis:RemoveTagsFromStream)
    • KMSDecryptPolicy (provides kms:Decrypt)

    Almost any of those Policy Templates have to be configured. Please read the AWS documentation (links above) about how to configure these templates.

    0 讨论(0)
 看不清?
提交回复
热议问题