Skip to content

Document IAM requirements for lambda layer installation #203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mwarkentin opened this issue Nov 2, 2020 · 7 comments
Closed

Document IAM requirements for lambda layer installation #203

mwarkentin opened this issue Nov 2, 2020 · 7 comments
Assignees
@am29d
Labels
documentation Improvements or additions to documentation

Comments

@mwarkentin
Copy link

What were you initially searching for in the docs?
We would like a well-defined, least-privilege IAM policy to enable installing powertools as a lambda layer. We had to bungle through a few sets of errors in our build pipeline in order to get something working, and even so we have granted more permissions than we'd like to (trying to figure out how to scope it down safely without breaking things again).

Is this related to an existing part of the documentation? Please share a link

https://awslabs.github.io/aws-lambda-powertools-python/#lambda-layer

Provide a working policy (or at least a template where you could insert your own account id, etc) for installation of lambda layer.

If you have a proposed update, please share it here

Here's our current (working, but too powerful) IAM policy (in HCL but should be readable to anyone familiar with IAM policy structure):

statement {
    actions = [
      "cloudformation:CreateChangeSet",
    ]

    # Previously "arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31"
    resources = [
      "*",
    ]

    effect = "Allow"
    sid    = "CloudformationCreateChangeset"
  }

  statement {
    actions = [
      "serverlessrepo:CreateCloudFormationTemplate",
      "serverlessrepo:GetCloudFormationTemplate",
    ]

    # "*" ?
    resources = [
      "arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer",
    ]

    effect = "Allow"
    sid    = "GetCfnTemplate"
  }

  statement {
    actions = [
      "lambda:PublishLayerVersion",
    ]

    resources = [
      "*",
    ]

    effect = "Allow"
    sid    = "PublishLayers"
  }

  statement {
    actions = [
      "s3:GetObject",
    ]

    resources = [
      "arn:aws:s3:::*",
    ]

    effect = "Allow"
    sid    = "GetS3LambdaLayers"
  }
@mwarkentin mwarkentin added the documentation Improvements or additions to documentation label Nov 2, 2020
@heitorlessa
Copy link
Contributor

Thanks for raising it @mwarkentin!

@am29d could you help Michael when you get a chance?

As it uses SAR for deployment it definitely needs more permissions than if it were a plain Lambda Layer ARN.

@mwarkentin
Copy link
Author

Here's what we've got so far with more targetted wildcards, still working on the CreateChangeset bit:

  statement {
    actions = [
      "cloudformation:CreateChangeSet",
    ]

    resources = [
      "arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31",
    ]

    effect = "Allow"
    sid    = "CloudformationCreateChangeset"
  }

  statement {
    actions = [
      "serverlessrepo:CreateCloudFormationTemplate",
      "serverlessrepo:GetCloudFormationTemplate",
    ]

    # Hardcoded reference from 
    # https://serverlessrepo.aws.amazon.com/applications/eu-west-1/057560766410/aws-lambda-powertools-python-layer
    resources = [
      "arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer",
    ]

    effect = "Allow"
    sid    = "GetCfnTemplate"
  }

  statement {
    actions = [
      "lambda:PublishLayerVersion",
    ]

    resources = [
      "arn:aws:lambda:us-east-1:${local.account_id}:layer:aws-lambda-powertools-python-layer",
    ]

    effect = "Allow"
    sid    = "PublishLayers"
  }

  statement {
    actions = [
      "s3:GetObject",
    ]

    # AWS publishes to an external S3 bucket locked down to our account ID
    # The below example is us publishing lambda powertools
    # Bucket: awsserverlessrepo-changesets-plntc6bfnfj
    # Key: *****/arn:aws:serverlessrepo:eu-west-1:057560766410:applications-aws-lambda-powertools-python-layer-versions-1.6.0/aeeccf50-****-****-****-*********
    resources = [
      "arn:aws:s3:::awsserverlessrepo-changesets-*/*",
    ]

    effect = "Allow"
    sid    = "GetS3LambdaLayers"
  }

@mwarkentin
Copy link
Author

Looks like that works, so I think that's enough for us to remove any wide open wildcards. Would still be nice to have this documented for the lambda install. Feel free to take what we've got here and modify it for the docs if it helps!

@am29d
Copy link
Contributor

am29d commented Nov 3, 2020

Hi @mwarkentin, thank you for raising the issue. This is definitely something that needs to be documented and will save a lot of IAM pipeline debugging time for all of us. I will test your proposal and add it to the docs. Thank you.

@am29d am29d mentioned this issue Nov 3, 2020
Merged
6 tasks
@am29d
Copy link
Contributor

am29d commented Nov 3, 2020

@mwarkentin I have checked your permissions and added them to the docs, with a small change to replace the region within the resource statement of the PublishLayers sid. Thanks a lot for this contribution!

@mwarkentin
Copy link
Author

Awesome, thanks!

@heitorlessa heitorlessa added the pending-release Fix or implementation already in dev waiting to be released label Nov 3, 2020
@mwarkentin
Copy link
Author

Fixed in #204

@heitorlessa heitorlessa removed the pending-release Fix or implementation already in dev waiting to be released label Jan 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@am29d am29d

Labels
documentation Improvements or additions to documentation
Projects
Powertools for AWS Lambda (Python)
Status: Triage
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mwarkentin @am29d @heitorlessa