Created December 18, 2019 15:11
Summary: A single set of IAM policy permissions needed by a user to deploy Lambdas using the Serverless Framework.
```yaml
# Gotten from https://github.com/serverless/serverless/issues/1439
Version: '2012-10-17'
Statement:
  # Allow S3 deployment bucket creation and management
  - Effect: Allow
    Action: s3:*
    Resource: arn:aws:s3:::<stack-name>-serverlessdeploymentbucket*
  # Allow CloudFormation stack creation, management, and template validation
  - Effect: Allow
    Action: cloudformation:ValidateTemplate
    Resource: "*"
  - Effect: Allow
    Action: cloudformation:*
    Resource:
      - arn:aws:cloudformation:*:<AWS_AccountId>:changeset/<stack-name>/*
      - arn:aws:cloudformation:*:<AWS_AccountId>:stack/<stack-name>/*
  # Allow IAM role creation, limited to roles in the stack
  - Effect: Allow
    Action:
      - iam:GetRole
      - iam:PassRole
      - iam:DeleteRolePolicy
      - iam:CreateRole
      - iam:DeleteRole
      - iam:AttachRolePolicy
      - iam:DetachRolePolicy
      - iam:PutRolePolicy
    Resource: arn:aws:iam::<AWS_AccountId>:role/<StackName>*
  # Allow log creation and management
  - Effect: Allow
    Action: logs:*
    Resource: arn:aws:logs:*:<AWS_AccountId>:log-group:/aws/lambda/<StackName>*
  # Allow Lambda function creation and management
  - Effect: Allow
    Action: lambda:*
    Resource: arn:aws:lambda:*:<AWS_AccountId>:function:<StackName>*
  # Allow Lambda layer creation and management
  - Effect: Allow
    Action: lambda:*
    Resource: arn:aws:lambda:*:<AWS_AccountId>:layer:<StackName>*
  # Allow secret creation and management
  - Effect: Allow
    Action: secretsmanager:*
    Resource: arn:aws:secretsmanager:*:<AWS_AccountId>:secret:<SecretName>*
  # Allow listing secrets, which is necessary to modify a secret. Only allows listing, i.e. the secret names and descriptions
  - Effect: Allow
    Action: secretsmanager:ListSecrets
    Resource: "*"
  # Allow creating and deleting network interfaces for VPC-attached functions
  - Effect: Allow
    Action:
      - ec2:CreateNetworkInterface
      - ec2:DescribeNetworkInterfaces
      - ec2:DeleteNetworkInterface
    Resource: "*"
```
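Before attaching this policy, the `<AWS_AccountId>`, `<StackName>`/`<stack-name>` and `<SecretName>` placeholders have to be substituted, and it is worth confirming that nothing ended up broader than intended. The checker below is an added example, not part of the gist or of the Serverless Framework: it transcribes four of the statements above, substitutes placeholders from an assumed mapping of constructed sample values, and flags any placeholder left unresolved as well as any statement that pairs a wildcard action such as `lambda:*` with `Resource: "*"`, while accepting `Resource: "*"` on the specific actions (template validation, secret listing, ENI management) that the policy grants that way.

```python
import re

# Sample values for the gist's placeholders; constructed, not real identifiers.
PARAMS = {
    "AWS_AccountId": "123456789012",
    "StackName": "my-service",
    "stack-name": "my-service",   # the gist uses both spellings
    "SecretName": "my-service/prod",
}

# Four of the gist's statements, transcribed so the checker runs stand-alone.
SAMPLE_STATEMENTS = [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::<stack-name>-serverlessdeploymentbucket*"},
    {"Effect": "Allow", "Action": "cloudformation:ValidateTemplate", "Resource": "*"},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces",
                "ec2:DeleteNetworkInterface"]},
    {"Effect": "Allow", "Action": "lambda:*",
     "Resource": "arn:aws:lambda:*:<AWS_AccountId>:function:<StackName>*"},
]

PLACEHOLDER = re.compile(r"<([^<>]+)>")

def as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def resolve(statements, params):
    """Substitute <Name> placeholders; unknown names stay in place for audit() to flag."""
    def sub(text):
        return PLACEHOLDER.sub(lambda m: params.get(m.group(1), m.group(0)), text)
    return [{**st,
             "Action": [sub(a) for a in as_list(st["Action"])],
             "Resource": [sub(r) for r in as_list(st["Resource"])]}
            for st in statements]

def audit(statements):
    """Return (index, kind, detail) findings for a resolved statement list."""
    findings = []
    for i, st in enumerate(statements):
        for res in st["Resource"]:
            if PLACEHOLDER.search(res):
                findings.append((i, "unresolved placeholder", res))
        wild = [a for a in st["Action"] if a.endswith("*")]
        # Resource "*" is tolerated for specific actions that cannot be resource-scoped, never with a wildcard action.
        if "*" in st["Resource"] and wild:
            findings.append((i, "wildcard action on all resources", ",".join(wild)))
    return findings
```

Running `audit(resolve(SAMPLE_STATEMENTS, PARAMS))` on the transcribed statements returns no findings, while a statement such as `lambda:*` on `Resource: "*"` or a policy attached with a placeholder still in it is reported.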