How to attach a managed policy to the service-wide default role?


#1

I have deployed the following; however, when I check in the AWS console the managed policy AmazonSESFullAccess is not attached. I have found examples that can do this on the function level, but I am interested in doing it at the service level. Is this possible? Is this a bad idea?

provider:
  name: aws
  runtime: nodejs6.10
  stage: staging
  region: us-east-1
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "ec2:CreateNetworkInterface"
        - "ec2:DescribeNetworkInterfaces"
        - "ec2:DetachNetworkInterface"
        - "ec2:DeleteNetworkInterface"
      Resource: "*"
  
  managedPolicyArns:
    - arn:aws:iam::aws:policy/AmazonSESFullAccess

#2

Normally you give your Lambda access to specific resources. This limits damage caused if there is a problem.

The only examples I’ve seen using managed policies also used custom roles that you need to set up in the resources section.


#3

A quick search of the code doesn’t show me a way to set managed policy ARNs at a service or function level.

You would have to use your own custom roles/add to the auto-generated roles in order to get this to work (the exception is AWSLambdaVPCAccessExecutionRole which is added to your function when VPC configuration is provided to your function).

This sounds like it would be useful functionality, so might be worth a feature request.
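For anyone landing here with the same question: the following serverless.yml is an added example, not code from the thread or from the Serverless Framework project. It shows the route #3 describes (a custom role under `resources` that every function uses via `provider.role`) with a managed policy attached through the CloudFormation `ManagedPolicyArns` property, and it applies #2's point by granting only the SES send actions instead of AmazonSESFullAccess. The role name `LambdaSesRole`, the account id `123456789012`, the SES identity `example.com` and the function `sendMail` are placeholders, not values from the thread.

```yaml
# Added example (not from the thread): one custom execution role for the whole
# service, with a managed policy attached, as post #3 suggests.
# LambdaSesRole, 123456789012, example.com and sendMail are placeholders.
service: ses-mailer

provider:
  name: aws
  runtime: nodejs6.10
  stage: staging
  region: us-east-1
  # Every function in the service assumes this role instead of the
  # auto-generated one; the value is the logical ID defined under resources.
  role: LambdaSesRole

functions:
  sendMail:
    handler: handler.send

resources:
  Resources:
    LambdaSesRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
        # With a custom role the Framework no longer adds its defaults, so the
        # CloudWatch Logs permissions the auto-generated role would carry are
        # attached here as a managed policy; any other managed policy goes in
        # the same list.
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
          # Only needed when the functions run inside a VPC (the ENI actions
          # from post #1 are covered by this policy):
          # - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
        Policies:
          - PolicyName: ses-send-only
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                # Narrower than AmazonSESFullAccess: only the two send actions,
                # and only from one verified sending identity, so a compromised
                # function cannot alter SES configuration or send as other
                # identities in the account.
                - Effect: Allow
                  Action:
                    - ses:SendEmail
                    - ses:SendRawEmail
                  Resource: arn:aws:ses:us-east-1:123456789012:identity/example.com
```

After `sls deploy`, confirm the attachment with `aws iam list-attached-role-policies --role-name <deployed role name>` rather than by reading the template; the deployed role name is what CloudFormation generated for `LambdaSesRole`. Note that `provider.iamRoleStatements` from the original post is ignored once `provider.role` is set, which is why the log and VPC permissions have to be carried over explicitly. Later Framework releases added a `provider.iam.role.managedPolicies` key for exactly this use case, so check the docs for the version in use before building a custom role.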