Docs: HomePage - Least-privileged IAM permissions to deploy Layer has syntax errors #1207

Closed
michaelbrewer opened this issue May 17, 2022 · 1 comment
Labels
documentation Improvements or additions to documentation

Comments

michaelbrewer commented May 17, 2022

Expected Behaviour

Examples SAM templates should be valid and pass cfn-lint and sam validate.

Current Behaviour

When copying Example: Least-privileged IAM permissions to deploy Layer from the SAR Docs, cfn-lint and sam validate produce the following errors:

[Screenshot of the cfn-lint and sam validate errors, 2022-05-17]

Code snippet

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
    PowertoolsLayerIamRole:
    Type: "AWS::IAM::Role"
    Properties:
        AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
            - Effect: "Allow"
            Principal:
                Service:
                - "cloudformation.amazonaws.com"
            Action:
                - "sts:AssumeRole"
        Path: "/"
    PowertoolsLayerIamPolicy:
    Type: "AWS::IAM::Policy"
    Properties:
        PolicyName: PowertoolsLambdaLayerPolicy
        PolicyDocument:
        Version: "2012-10-17"
        Statement:
            - Sid: CloudFormationTransform
            Effect: Allow
            Action: cloudformation:CreateChangeSet
            Resource:
                - arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31
            - Sid: GetCfnTemplate
            Effect: Allow
            Action:
                - serverlessrepo:CreateCloudFormationTemplate
                - serverlessrepo:GetCloudFormationTemplate
            Resource:
                # this is arn of the powertools SAR app
                - arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer
            - Sid: S3AccessLayer
            Effect: Allow
            Action:
                - s3:GetObject
            Resource:
                # AWS publishes to an external S3 bucket locked down to your account ID
                # The below example is us publishing lambda powertools
                # Bucket: awsserverlessrepo-changesets-plntc6bfnfj
                # Key: *****/arn:aws:serverlessrepo:eu-west-1:057560766410:applications-aws-lambda-powertools-python-layer-versions-1.10.2/aeeccf50-****-****-****-*********
                - arn:aws:s3:::awsserverlessrepo-changesets-*/*
            - Sid: GetLayerVersion
            Effect: Allow
            Action:
                - lambda:PublishLayerVersion
                - lambda:GetLayerVersion
            Resource:
                - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:aws-lambda-powertools-python-layer*
        Roles:
        - Ref: "PowertoolsLayerIamRole"
```

Possible Solution

A fix for this can be found in the following PR #1113 and deployed here: https://gyft.github.io/aws-lambda-powertools-python/latest/#sar

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
    PowertoolsLayerIamRole:
      Type: "AWS::IAM::Role"
      Properties:
          # Only the CloudFormation service can assume this deployment role
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
                - Effect: "Allow"
                  Principal:
                    Service:
                      - "cloudformation.amazonaws.com"
                  Action:
                    - "sts:AssumeRole"
            Path: "/"
    PowertoolsLayerIamPolicy:
      Type: "AWS::IAM::Policy"
      Properties:
          PolicyName: PowertoolsLambdaLayerPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
                - Sid: CloudFormationTransform
                  Effect: Allow
                  Action: cloudformation:CreateChangeSet
                  Resource:
                    # the SAM transform macro; scoped to that single transform ARN
                    - arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31
                - Sid: GetCfnTemplate
                  Effect: Allow
                  Action:
                    - serverlessrepo:CreateCloudFormationTemplate
                    - serverlessrepo:GetCloudFormationTemplate
                  Resource:
                    # this is the ARN of the Powertools SAR app
                    - arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer
                - Sid: S3AccessLayer
                  Effect: Allow
                  Action:
                    - s3:GetObject
                  Resource:
                    # AWS publishes to an external S3 bucket locked down to your account ID
                    # The below example is us publishing lambda powertools
                    # Bucket: awsserverlessrepo-changesets-plntc6bfnfj
                    # Key: *****/arn:aws:serverlessrepo:eu-west-1:057560766410:applications-aws-lambda-powertools-python-layer-versions-1.10.2/aeeccf50-****-****-****-*********
                    - arn:aws:s3:::awsserverlessrepo-changesets-*/*
                - Sid: GetLayerVersion
                  Effect: Allow
                  Action:
                    - lambda:PublishLayerVersion
                    - lambda:GetLayerVersion
                  Resource:
                    # scoped to layers in the deploying account and region whose name starts with the Powertools prefix
                    - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:aws-lambda-powertools-python-layer*
          Roles:
          - Ref: "PowertoolsLayerIamRole"
```

Steps to Reproduce

  1. Copy the template from https://awslabs.github.io/aws-lambda-powertools-python/latest/#sar
  2. Run cfn-lint or sam validate

AWS Lambda Powertools for Python version

latest

AWS Lambda function runtime

3.9

Packaging format used

Serverless Application Repository (SAR) App

Debugging logs

N/A
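The corrected policy in the Possible Solution grants four narrowly scoped statements. As an added check, not code from this issue or from the Powertools project, the script below transcribes that PolicyDocument into CloudFormation's JSON form (`!Sub` becomes `Fn::Sub`) and lints it for the least-privilege properties a reviewer would look for: every statement carries a Sid, no action is wildcarded, and every resource is a service-qualified ARN rather than `*`. The region and account values used to expand `Fn::Sub` are assumed placeholders.

```python
import re

# Assumed pseudo-parameter values, used only to expand Fn::Sub offline.
PSEUDO = {"AWS::Region": "eu-west-1", "AWS::AccountId": "123456789012"}

# Transcribed from the corrected template in the issue (JSON form of the YAML).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudFormationTransform", "Effect": "Allow",
         "Action": "cloudformation:CreateChangeSet",
         "Resource": ["arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31"]},
        {"Sid": "GetCfnTemplate", "Effect": "Allow",
         "Action": ["serverlessrepo:CreateCloudFormationTemplate",
                    "serverlessrepo:GetCloudFormationTemplate"],
         "Resource": ["arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer"]},
        {"Sid": "S3AccessLayer", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::awsserverlessrepo-changesets-*/*"]},
        {"Sid": "GetLayerVersion", "Effect": "Allow",
         "Action": ["lambda:PublishLayerVersion", "lambda:GetLayerVersion"],
         "Resource": [{"Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:aws-lambda-powertools-python-layer*"}]},
    ],
}

def resolve(value):
    """Expand ${AWS::...} inside an Fn::Sub so the ARN can be inspected as a string."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        return re.sub(r"\$\{([^}]+)\}", lambda m: PSEUDO[m.group(1)], value["Fn::Sub"])
    return value

def as_list(value):
    """IAM allows a scalar or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_policy(doc):
    """Return a list of findings; an empty list means every statement is scoped."""
    findings = []
    for st in doc["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        if "Sid" not in st:
            findings.append(f"{sid}: statement lacks a Sid")
        if st.get("Effect") != "Allow":
            findings.append(f"{sid}: unexpected Effect {st.get('Effect')!r}")
        for action in as_list(st["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for res in map(resolve, as_list(st["Resource"])):
            # require arn:aws:<service>:<region>:<account>: with region/account possibly empty (S3)
            if res == "*" or not re.match(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:[0-9a-z]*:", res):
                findings.append(f"{sid}: unscoped resource {res}")
    return findings
```

Running `lint_policy(POLICY)` on the corrected template returns no findings; feeding it a statement with `Action: lambda:*` and `Resource: "*"` reports both.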
@michaelbrewer michaelbrewer added bug Something isn't working triage Pending triage from maintainers labels May 17, 2022
@michaelbrewer michaelbrewer changed the title Bug: Least-privileged IAM permissions to deploy Layer has syntax errors Bug: Home, Least-privileged IAM permissions to deploy Layer has syntax errors May 18, 2022
@michaelbrewer michaelbrewer changed the title Bug: Home, Least-privileged IAM permissions to deploy Layer has syntax errors Bug: HomePage, Least-privileged IAM permissions to deploy Layer has syntax errors May 18, 2022
@michaelbrewer michaelbrewer changed the title Bug: HomePage, Least-privileged IAM permissions to deploy Layer has syntax errors Bug: HomePage - Least-privileged IAM permissions to deploy Layer has syntax errors May 18, 2022
@sthulb sthulb changed the title Bug: HomePage - Least-privileged IAM permissions to deploy Layer has syntax errors Docs: HomePage - Least-privileged IAM permissions to deploy Layer has syntax errors May 18, 2022
@heitorlessa heitorlessa added documentation Improvements or additions to documentation and removed bug Something isn't working labels May 20, 2022
@sthulb sthulb closed this as completed Jun 14, 2022
@github-actions commented:

Comments on closed issues are hard for our team to see.

@heitorlessa heitorlessa removed the triage Pending triage from maintainers label Feb 13, 2023