Lambda - How to create customer managed policy?

本小妞迷上赌 submitted on 2019-12-11 18:47:13

Question


Background:

IAM policies can be created in two ways:

  • Managed policies (newer way)
    • AWS managed policies
    • Customer managed policies
  • Inline policies (older way)


The SAM template below creates an inline policy:

Resources:
  HelloWorldFunction:
    Type: AWS::Serverless::Function 
    Properties:
      CodeUri: hello-world/
      Handler: app.LambdaHandler
      Runtime: nodejs8.10
      Policies:
      - Statement:
        - Sid: AccessToS3Policy
          Effect: Allow
          Action:
          - s3:GetObject
          - s3:GetObjectACL
          Resource: 'arn:aws:s3:::some-bucket/*'

which appears in the resulting role, as shown below:

{
   "roleName": "somestack-HelloWorldFunctionRole-AAAAAAAA",
   "policies": [
   {
      "document": {
        "Statement": [
          {
            "Action": [
              "s3:GetObject",
              "s3:GetObjectACL"
            ],
            "Resource": "arn:aws:s3:::some-bucket/*",
            "Effect": "Allow",
            "Sid": "AccessToS3Policy"
          }
        ]
      },
      "name": "HelloWorldFunctionRolePolicy0",
      "type": "inline"
    },
    .....
   ]
 }

In the case of a Lambda function,

1) How do I create a customer managed policy?

2) How is an inline policy different from a customer managed policy?


Answer 1:


If you are using this syntax in your SAM template

Policies:
- Statement:
  - Sid: AccessToS3Policy
    Effect: Allow
    Action:
    - s3:GetObject
    - s3:GetObjectACL
    Resource: 'arn:aws:s3:::some-bucket/*'

It will automatically create an inline policy. If you want to create a customer managed policy instead of an inline policy, then you need to define the policy as a separate Resource in your template and reference it in Policies. Or you can create the role outside of the template (e.g. via the AWS console) and reference that policy, in the same way you would reference an AWS managed policy.

How is an inline policy different from a customer managed policy?

I wouldn't really say that inline policies are the old way of doing things. The only difference between an inline policy and a customer managed policy is that an inline policy cannot be reused (you cannot assign an inline policy to two or more entities). But this can often be handy if you need a specific policy that you are not planning to reuse in the future.



Source: https://stackoverflow.com/questions/57029985/lambda-how-to-create-customer-managed-policy
