Skip to content

Instantly share code, notes, and snippets.

@codingforentrepreneurs

codingforentrepreneurs/Serverless Framework IAM Policy.md

Last active May 27, 2025 18:40
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save codingforentrepreneurs/03f6ddb7ba284e4f82a6c66b3103feda to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save codingforentrepreneurs/03f6ddb7ba284e4f82a6c66b3103feda to your computer and use it in GitHub Desktop.
Download ZIP
IAM Policy for Serverless Node.js API on AWS Lambda
Raw
Serverless Framework IAM Policy.md

Serverless Framework IAM Policy

Use this IAM policy for the Serverless Framework with the AWS Provider for deploying Node.js apps as serverless functions on AWS Lambda.

Replace AWS_ID with your AWS Account ID (e.g. 123456789) which you can find under AWS IAM in the console.

Raw
serverless-nodejs-api-iam-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudformation:List*",
"cloudformation:Get*",
"cloudformation:ValidateTemplate",
"ssm:*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:CreateUploadBucket",
"cloudformation:DeleteStack",
"cloudformation:Describe*",
"cloudformation:UpdateStack",
"cloudformation:CreateChangeSet",
"cloudformation:ListChangeSets",
"cloudformation:DeleteChangeSet",
"cloudformation:ExecuteChangeSet"
],
"Resource": [
"arn:aws:cloudformation:*:AWS_ID:stack/serverless-*"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:Get*",
"lambda:List*",
"lambda:CreateFunction",
"lambda:TagResource",
"lambda:UntagResource"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:ListBucket",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:ListBucketVersions",
"s3:PutAccelerateConfiguration",
"s3:GetEncryptionConfiguration",
"s3:PutEncryptionConfiguration",
"s3:DeleteBucketPolicy",
"s3:PutBucketTagging",
"s3:UntagResource",
"s3:TagResource",
"s3:GetBucketTagging",
"s3:ListTagsForResource"
],
"Resource": [
"arn:aws:s3:::serverless-*serverlessdeploy*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::serverless-*serverlessdeploy*"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:AddPermission",
"lambda:CreateAlias",
"lambda:DeleteFunction",
"lambda:InvokeFunction",
"lambda:PublishVersion",
"lambda:RemovePermission",
"lambda:Update*"
],
"Resource": [
"arn:aws:lambda:*:AWS_ID:function:serverless-*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:GetMetricStatistics"
],
"Resource": [
"*"
]
},
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DeleteLogGroup",
"logs:TagResource",
"logs:UntagResource"
],
"Resource": [
"arn:aws:logs:*:AWS_ID:*"
],
"Effect": "Allow"
},
{
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:AWS_ID:*"
],
"Effect": "Allow"
},
{
"Effect": "Allow",
"Action": [
"logs:DescribeLogStreams",
"logs:DescribeLogGroups",
"logs:FilterLogEvents"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"events:Put*",
"events:Remove*",
"events:Delete*"
],
"Resource": [
"arn:aws:events:*:AWS_ID:rule/serverless-*"
]
},
{
"Effect": "Allow",
"Action": [
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:*:AWS_ID:rule/serverless-*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::AWS_ID:role/serverless-*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:TagRole",
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:DeleteRole"
],
"Resource": [
"arn:aws:iam::AWS_ID:role/serverless-*"
]
},
{
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": [
"arn:aws:apigateway:*::/apis*",
"arn:aws:apigateway:*::/restapis*",
"arn:aws:apigateway:*::/apikeys*",
"arn:aws:apigateway:*::/tags*",
"arn:aws:apigateway:*::/usageplans*"
]
},
{
"Effect": "Allow",
"Action": [
"tag:*"
],
"Resource": [
"*"
]
}
]
}
@realtebo
Copy link

realtebo commented Mar 13, 2024

Actually, it's needed also iam:TagRole

@codingforentrepreneurs
Copy link
Author

codingforentrepreneurs commented Mar 15, 2024

@realtebo thank you. It's been added.

@tindo2003
Copy link

tindo2003 commented May 27, 2025

I think the s3 portion should be changed to this

    {
        "Effect": "Allow",
        "Action": [
            "s3:GetBucketLocation",
            "s3:CreateBucket",
            "s3:DeleteBucket",
            "s3:ListBucket",
            "s3:GetBucketPolicy",
            "s3:PutBucketPolicy",
            "s3:ListBucketVersions",
            "s3:PutAccelerateConfiguration",
            "s3:GetEncryptionConfiguration",
            "s3:PutEncryptionConfiguration",
            "s3:DeleteBucketPolicy",
            "s3:PutBucketTagging",
            "s3:UntagResource",
            "s3:TagResource",
            "s3:GetBucketTagging",
            "s3:ListTagsForResource",
            "s3:PutBucketVersioning"
        ],
        "Resource": [
            "arn:aws:s3:::serverless-*",
            "arn:aws:s3:::serverless-framework-*",
            "arn:aws:s3:::serverlessdeploy*"
        ]
    },

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment