Skip to content
/ serverless-iam-roles-per-function Public

Serverless Plugin for easily defining IAM roles per function via the use of iamRoleStatements at the function level.

License

MIT license
414 stars 57 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

functionalone/serverless-iam-roles-per-function

BranchesTags

Repository files navigation

Serverless IAM Roles Per Function Plugin

serverless npm package

A Serverless plugin to easily define IAM roles per function via the use of iamRoleStatements at the function definition block.

Installation

npm install --save-dev serverless-iam-roles-per-function

Add the plugin to serverless.yml:

plugins:
  - serverless-iam-roles-per-function

Note: Node 6.10 or higher runtime required.

Usage

Define iamRoleStatements definitions at the function level:

functions:
  func1:
    handler: handler.get
    iamRoleStatements:
      - Effect: "Allow"        
        Action:
          - dynamodb:GetItem        
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"
    ...
  func2:
    handler: handler.put
    iamRoleStatements:
      - Effect: "Allow"        
        Action:
          - dynamodb:PutItem        
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"
    ...

The plugin will create a dedicated role for each function that has an iamRoleStatements definition. It will include the permissions for create and write to CloudWatch logs and if VPC is defined: AWSLambdaVPCAccessExecutionRole will be included (as is done when using iamRoleStatements at the provider level).

By deafault, function level iamRoleStatements override the provider level definition. It is also possible to inherit the provider level definition by specifying the option iamRoleStatementsInherit: true:

provider:
  name: aws
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - xray:PutTelemetryRecords
        - xray:PutTraceSegments
      Resource: "*"
  ...
functions:
  func1:
    handler: handler.get
    iamRoleStatementsInherit: true
    iamRoleStatements:
      - Effect: "Allow"        
        Action:
          - dynamodb:GetItem        
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"

The generated role for func1 will contain both the statements defined at the provider level and the ones defined at the function level.

If you wish to change the default behaviour to inherit instead of override it is possible to specify the following custom configuration:

custom:
  serverless-iam-roles-per-function:
    defaultInherit: true

More Info

Introduction post: Serverless Framework: Defining Per-Function IAM Roles

Note: Servless Framework provides support for defining custom IAM roles on a per function level through the use of the role property and creating CloudFormation resources, as documented here. This plugin doesn't support defining both the role property and iamRoleStatements at the function level.

About

Serverless Plugin for easily defining IAM roles per function via the use of iamRoleStatements at the function level.

Topics

aws lambda serverless serverless-framework iam-policy iam-role

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

414 stars

Watchers

17 watching

Forks

57 forks
Report repository

Releases

23 tags

Packages

No packages published

Contributors 15

Languages