From e16c874917c244247824c1ef0d20cd54933947a6 Mon Sep 17 00:00:00 2001 From: Alex Melnyk Date: Tue, 3 Nov 2020 15:02:17 +0100 Subject: [PATCH 1/2] docs: add minimal permission set for using layer --- docs/content/index.mdx | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/docs/content/index.mdx b/docs/content/index.mdx index 0c46af2958a..d67452d8e85 100644 --- a/docs/content/index.mdx +++ b/docs/content/index.mdx @@ -51,6 +51,41 @@ This will add a nested app stack with an output parameter `LayerVersionArn`, tha - !GetAtt AwsLambdaPowertoolsPythonLayer.Outputs.LayerVersionArn ``` +Here is the list of IAM permissions that you need to add to your deployment IAM role to use the layer, keep in mind to replace the placeholders: + +```yaml +Version: '2012-10-17' +Statement: + - Sid: CloudFormationTransform + Effect: Allow + Action: cloudformation:CreateChangeSet + Resource: + - arn:aws:cloudformation:us-east-1:aws:transform/Serverless-2016-10-31 + - Sid: GetCfnTemplate + Effect: Allow + Action: + - serverlessrepo:CreateCloudFormationTemplate + - serverlessrepo:GetCloudFormationTemplate + Resource: + - arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer + - Sid: S3AccessLayer + Effect: Allow + Action: + - s3:GetObject + Resource: + - arn:aws:s3:::awsserverlessrepo-changesets-*/* + - Sid: GetLayerVersion + Effect: Allow + Action: + - lambda:PublishLayerVersion + - lambda:GetLayerVersion + Resource: + - arn:aws:lambda:YOUR_AWS_REGION:YOUR_AWS_ACCOUNT:layer:aws-lambda-powertools-python-layer* + +``` + +The region and the account id for `CloudFormationTransform` and `GetCfnTemplat` are fixed. + You can fetch the available versions via the API with: ```bash From 5dd28f0a79759fe502f1f06e9b2922dae327086a Mon Sep 17 00:00:00 2001 
From: Alex Melnyk Date: Tue, 3 Nov 2020 15:58:33 +0100 Subject: [PATCH 2/2] added changes based on review --- docs/content/index.mdx | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/docs/content/index.mdx b/docs/content/index.mdx index d67452d8e85..6af7d601862 100644 --- a/docs/content/index.mdx +++ b/docs/content/index.mdx @@ -51,7 +51,7 @@ This will add a nested app stack with an output parameter `LayerVersionArn`, tha - !GetAtt AwsLambdaPowertoolsPythonLayer.Outputs.LayerVersionArn ``` -Here is the list of IAM permissions that you need to add to your deployment IAM role to use the layer, keep in mind to replace the placeholders: +Here is the list of IAM permissions that you need to add to your deployment IAM role to use the layer: ```yaml Version: '2012-10-17' @@ -67,12 +67,17 @@ Statement: - serverlessrepo:CreateCloudFormationTemplate - serverlessrepo:GetCloudFormationTemplate Resource: + # this is arn of the powertools SAR app - arn:aws:serverlessrepo:eu-west-1:057560766410:applications/aws-lambda-powertools-python-layer - Sid: S3AccessLayer Effect: Allow Action: - s3:GetObject Resource: + # AWS publishes to an external S3 bucket locked down to your account ID + # The below example is us publishing lambda powertools + # Bucket: awsserverlessrepo-changesets-plntc6bfnfj + # Key: *****/arn:aws:serverlessrepo:eu-west-1:057560766410:applications-aws-lambda-powertools-python-layer-versions-1.6.0/aeeccf50-****-****-****-********* - arn:aws:s3:::awsserverlessrepo-changesets-*/* - Sid: GetLayerVersion Effect: Allow 
@@ -80,10 +85,11 @@ Statement: - lambda:PublishLayerVersion - lambda:GetLayerVersion Resource: - - arn:aws:lambda:YOUR_AWS_REGION:YOUR_AWS_ACCOUNT:layer:aws-lambda-powertools-python-layer* - + - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccoundId}:layer:aws-lambda-powertools-python-layer* ``` +> Credits to [mwarkentin](https://github.com/mwarkentin) for providing the scoped down IAM permissions. + The region and the account id for `CloudFormationTransform` and `GetCfnTemplat` are fixed. You can fetch the available versions via the API with:
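Review bot: In hunk `@@ -80,10 +85,11 @@` the new resource line misspells the CloudFormation pseudo parameter: `${AWS::AccoundId}` does not exist (the parameter is `AWS::AccountId`), so `!Sub` will leave the string unresolved and the resulting policy will not match the layer ARN at deploy time. Change the line to `- !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:layer:aws-lambda-powertools-python-layer*`. Separately, `!Sub` is only evaluated when the snippet is embedded in a CloudFormation template (for example as the `PolicyDocument` of an IAM role or policy resource); the block is presented as a standalone policy document with top-level `Version:`/`Statement:` keys, so the prose above it should say that the block belongs inside a template, or keep the earlier `YOUR_AWS_REGION`/`YOUR_AWS_ACCOUNT` placeholder form for readers who attach the policy via the console or CLI.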
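Review bot: Hunk `@@ -51,6 +51,41 @@` (PATCH 1/2) adds the sentence "The region and the account id for `CloudFormationTransform` and `GetCfnTemplat` are fixed.", which misspells the `GetCfnTemplate` Sid, and the typo survives as unchanged context in PATCH 2/2. Fix the spelling and, since the point of the sentence is to stop readers from "correcting" those values, state them explicitly: `us-east-1`/`aws` for the `Serverless-2016-10-31` transform and `eu-west-1`/`057560766410` for the SAR application ARN, both taken from the policy block above it. Minor style point in the same hunk: there is a stray blank line before the closing ``` of the YAML block.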
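Review bot: In hunk `@@ -67,12 +67,17 @@` the added comment `# this is arn of the powertools SAR app` should read `# ARN of the Powertools SAR application (region and account are fixed)` so it agrees with the prose below the block. For the S3 statement, the comment explains where the objects come from but not why the resource stays a wildcard; the example bucket name `awsserverlessrepo-changesets-plntc6bfnfj` shows a random suffix, so add one line such as `# the bucket suffix is not predictable, hence the wildcard` so a reviewer does not flag `arn:aws:s3:::awsserverlessrepo-changesets-*/*` as an overly broad grant.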