From 52522977c97c7b792cbb2362b01a1548d5df3c8c Mon Sep 17 00:00:00 2001 From: Bruno Agutoli Date: Sun, 12 May 2019 15:07:02 +1000 Subject: [PATCH 1/2] it's really important to be transparent with user which policy they need to execute our component --- README.md | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 60 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3341bb8..a9a2405 100644 --- a/README.md +++ b/README.md @@ -77,7 +77,7 @@ myFunction: # if you'd like to include any shims shims: - - ../shims/shim.js + - ../shims/shim.js # specifying an existing deployment bucket would optimise deployment speed # by using accelerated multipart uploads and dependency management with layers @@ -99,9 +99,9 @@ aws-lambda (master)$ components shims: [] handler: 'handler.hello' runtime: 'nodejs8.10' - env: + env: TABLE_NAME: my-table - role: + role: name: 'serverless' arn: 'arn:aws:iam::552760238299:role/serverless' service: 'lambda.amazonaws.com' 
@@ -118,6 +118,63 @@ For a real world example of how this component could be used, [take a look at ho   +### Suggested Policy + +We recommend you to create an user for your application with following policies: + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": [ + "lambda:CreateFunction", + "iam:UpdateAssumeRolePolicy", + "s3:CreateBucket", + "iam:CreateRole", + "lambda:GetFunctionConfiguration", + "iam:AttachRolePolicy", + "iam:PutRolePolicy", + "s3:GetBucketPolicy", + "s3:GetObjectAcl", + "iam:PassRole", + "logs:CreateLogStream", + "s3:DeleteBucketWebsite", + "iam:DetachRolePolicy", + "iam:DeleteRolePolicy", + "lambda:DeleteLayerVersion", + "s3:PutBucketAcl", + "lambda:DeleteFunction", + "s3:DeleteObject", + "iam:DetachUserPolicy", + "s3:DeleteBucket", + "s3:PutObjectAcl", + "iam:GetRole", + "lambda:UpdateFunctionConfiguration", + "iam:AttachUserPolicy", + "iam:DeleteRole", + "lambda:AddLayerVersionPermission", + "s3:PutBucketCORS", + "s3:GetBucketAcl", + "s3:DeleteBucketPolicy", + "logs:PutLogEvents", + "lambda:UpdateFunctionCode", + "s3:PutObject", + "s3:GetObject", + "s3:PutBucketWebsite", + "iam:PutUserPolicy", + "s3:GetBucketCORS", + "s3:PutBucketPolicy", + "lambda:PublishVersion" + ], + "Resource": "*" + } + ] +} +``` + ### New to Components? Checkout the [Serverless Components](https://github.com/serverless/components) repo for more information. From 91c24c650e0e6649a2215a3e1d8bafca75de393f Mon Sep 17 00:00:00 2001 From: Bruno Agutoli Date: Sun, 12 May 2019 17:42:23 +1000 Subject: [PATCH 2/2] update policy --- README.md | 56 +++++++++++++++++++++++++++---------------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index a9a2405..c526e15 100644 --- a/README.md +++ b/README.md 
@@ -130,44 +130,44 @@ We recommend you to create an user for your application with following policies:
 "Sid": "VisualEditor0",
 "Effect": "Allow",
 "Action": [
- "lambda:CreateFunction",
- "iam:UpdateAssumeRolePolicy",
+ "logs:PutLogEvents",
+ "logs:CreateLogStream",
 "s3:CreateBucket",
- "iam:CreateRole",
- "lambda:GetFunctionConfiguration",
- "iam:AttachRolePolicy",
- "iam:PutRolePolicy",
+ "s3:GetObject",
+ "s3:GetBucketCORS",
 "s3:GetBucketPolicy",
 "s3:GetObjectAcl",
- "iam:PassRole",
- "logs:CreateLogStream",
+ "s3:GetBucketAcl",
+ "s3:DeleteBucket",
+ "s3:DeleteObject",
 "s3:DeleteBucketWebsite",
- "iam:DetachRolePolicy",
- "iam:DeleteRolePolicy",
- "lambda:DeleteLayerVersion",
+ "s3:DeleteBucketPolicy",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
 "s3:PutBucketAcl",
+ "s3:PutBucketCORS",
+ "s3:PutBucketPolicy",
+ "s3:PutBucketWebsite",
+ "lambda:AddLayerVersionPermission",
+ "lambda:PublishVersion",
+ "lambda:CreateFunction",
+ "lambda:GetFunctionConfiguration",
+ "lambda:DeleteLayerVersion",
 "lambda:DeleteFunction",
- "s3:DeleteObject",
- "iam:DetachUserPolicy",
- "s3:DeleteBucket",
- "s3:PutObjectAcl",
- "iam:GetRole",
+ "lambda:UpdateFunctionCode",
 "lambda:UpdateFunctionConfiguration",
+ "iam:AttachRolePolicy",
 "iam:AttachUserPolicy",
+ "iam:CreateRole",
 "iam:DeleteRole",
- "lambda:AddLayerVersionPermission",
- "s3:PutBucketCORS",
- "s3:GetBucketAcl",
- "s3:DeleteBucketPolicy",
- "logs:PutLogEvents",
- "lambda:UpdateFunctionCode",
- "s3:PutObject",
- "s3:GetObject",
- "s3:PutBucketWebsite",
+ "iam:DeleteRolePolicy",
+ "iam:DetachRolePolicy",
+ "iam:DetachUserPolicy",
+ "iam:UpdateAssumeRolePolicy",
+ "iam:PassRole",
+ "iam:PutRolePolicy",
 "iam:PutUserPolicy",
- "s3:GetBucketCORS",
- "s3:PutBucketPolicy",
- "lambda:PublishVersion"
+ "iam:GetRole"
 ],
 "Resource": "*"
 }
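Review bot: The recommended policy on the new side still grants every action on `"Resource": "*"`, and with `iam:PutUserPolicy`, `iam:AttachUserPolicy`, `iam:CreateRole`, `iam:AttachRolePolicy` and an unconditioned `iam:PassRole` in the same statement, the deployment user can attach an administrator policy to itself or hand an admin role to any function — so the "suggested" user is effectively an account administrator, not a least-privilege principal. The hunk only regroups the action list by service (the `Sid` is still `VisualEditor0`); I would split it into per-service statements scoped to resource ARNs, add an `iam:PassedToService` condition on `iam:PassRole`, and drop the three `iam:*UserPolicy` actions unless the component is shown to need them (the example config earlier in the README only creates a role, so these look like leftovers from the console editor — worth confirming against the component code). A one-line caveat under the heading would also help readers who paste it verbatim: `Replace the account id and role/function name prefix below before applying this policy; with "Resource": "*" it is equivalent to administrator access.` The enclosing `Statement` array and policy object close outside the hunk; the S3 and logs actions would stay in their own statement, scoped to the deployment bucket and log group.
```json
{
  "Sid": "LambdaDeploy",
  "Effect": "Allow",
  "Action": [
    "lambda:CreateFunction",
    "lambda:UpdateFunctionCode",
    "lambda:UpdateFunctionConfiguration",
    "lambda:GetFunctionConfiguration",
    "lambda:DeleteFunction",
    "lambda:PublishVersion",
    "lambda:AddLayerVersionPermission",
    "lambda:DeleteLayerVersion"
  ],
  "Resource": "arn:aws:lambda:*:<account-id>:function:<prefix>*"
},
{
  "Sid": "ExecutionRoleManagement",
  "Effect": "Allow",
  "Action": [
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:GetRole",
    "iam:PutRolePolicy",
    "iam:DeleteRolePolicy",
    "iam:AttachRolePolicy",
    "iam:DetachRolePolicy",
    "iam:UpdateAssumeRolePolicy"
  ],
  "Resource": "arn:aws:iam::<account-id>:role/<prefix>*"
},
{
  "Sid": "PassRoleToLambdaOnly",
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::<account-id>:role/<prefix>*",
  "Condition": {
    "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" }
  }
}
```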