How does the iamRoleStatements configuration section work?

I’m trying to assign permissions on the dynamodb service to the lambda execution role that serverless creates when deploying, but I don’t know how it works. The documentation https://serverless.com/framework/docs/providers/aws/iam/ is still very confusing. It would be nice to include a complete example.

I’ve tried several configurations but none works because the serverless framework only creates its default policy and none of my settings are deployed (and I receive no errors at all):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:eu-central-1:*:*",
      "Effect": "Allow"
    }
  ]
}

For example, if you have this in your serverless.yml:

provider:
  name: aws
  runtime: nodejs4.3
  profile: someprofilename
  iamRoleStatements:
    $ref: ./iamRoleStatements.json

Your iamRoleStatements.json would be formatted with [ ... ] at the top-level, e.g.:

[
  {
    "Effect": "Allow",
    "Action": [
      "lambda:InvokeFunction"
    ],
    "Resource": "*"
  },
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:*"
    ],
    "Resource": "*"
  },
  {
    "Effect": "Allow",
    "Action": [
      "s3:*"
    ],
    "Resource": "*"
  }
]

with the statements you need. You only need to include the part after "Statement": in your original post. It would be nice if the CLI complained about this when you get it wrong. :wink:

EDIT

It works, my error was to place the iamRoleStatements line inside the custom section.
Thank you very much @ianserlin :slight_smile:

Working version of serverless.yml file:
provider:
  name: aws
  runtime: nodejs4.3
  iamRoleStatements:
    $ref: ./iamRoleStatements.json

# you can overwrite defaults here
stage: dev
region: eu-central-1

custom:
    versionPath: v1
    usersPath: users
    cors: true

Hi @ianserlin,
I’ve tried it but it seems it does not work. The custom iamRole settings are not set in the lambda execution role that serverless creates.
I’m pasting my serverless.yaml file. Maybe I’m missing something…

service: serverless-user-service

provider:
  name: aws
  runtime: nodejs4.3
  iamRoleStatements:
    $ref: ./iamRoleStatements.json

# you can overwrite defaults here
stage: dev
region: eu-central-1

custom:
    versionPath: v1
    usersPath: users
    cors: true
package:
  include:
    - config
    - lib
    - functions
  exclude:
    - tmp
    - .git
  #artifact: service_package.zip

functions:

  test:
    handler: functions/users_handler.test 
    events:
        - http:
            path: ${self:custom.versionPath}/${self:custom.usersPath}/{user_id}/test/
            method: post
            cors: ${self:custom.cors}

On amazon web console I can see that the policy “dev-serverless-user-service-lambda” has not included the custom params for the IAM Role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:eu-central-1:*:*",
            "Effect": "Allow"
        }
    ]
}

Can you try running serverless deploy --noDeploy and inspect the CF template files that are created in the .serverless folder? The statements should be included there, if they aren’t there might be an issue with indentation?
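A small check for the step suggested above, added here as an example and not code from the thread or from the Serverless project: it parses a generated CloudFormation template, lists the inline-policy statements on the Lambda execution role, reports any expected action that did not land (the symptom in this thread), and flags statements that pair a service-wide action such as dynamodb:* with Resource "*", which are worth tightening before they ship. The role's logical name IamRoleLambdaExecution, the Policies/PolicyDocument layout and the sample template are assumptions.

```python
import json

# Constructed sample of the template Serverless writes under .serverless/ (not a
# real file from the thread). The role's logical name IamRoleLambdaExecution and
# the Policies[].PolicyDocument layout are assumed from Serverless v1 output.
SAMPLE_TEMPLATE = {"Resources": {"IamRoleLambdaExecution": {
    "Type": "AWS::IAM::Role",
    "Properties": {"Policies": [{
        "PolicyName": "dev-serverless-user-service-lambda",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Resource": "arn:aws:logs:eu-central-1:*:*",
             "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
            {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
        ]}}]}}}}

def _as_list(v):
    # IAM accepts either a single string or a list for Action and Resource.
    return v if isinstance(v, list) else [v]

def role_statements(template):
    """Every inline-policy statement attached to any AWS::IAM::Role in the template."""
    found = []
    for res in template.get("Resources", {}).values():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in res.get("Properties", {}).get("Policies", []):
            found.extend(_as_list(policy.get("PolicyDocument", {}).get("Statement", [])))
    return found

def missing_actions(statements, expected):
    """Expected actions that no Allow statement names literally (sorted list)."""
    granted = {a for s in statements if s.get("Effect") == "Allow"
               for a in _as_list(s.get("Action", []))}
    return sorted(set(expected) - granted)

def wildcard_statements(statements):
    """Allow statements that grant a service-wide action (svc:* or *) on Resource "*"."""
    return [s for s in statements if s.get("Effect") == "Allow"
            and any(a == "*" or a.endswith(":*") for a in _as_list(s.get("Action", [])))
            and "*" in _as_list(s.get("Resource", []))]

if __name__ == "__main__":
    # Usage: python check_role.py .serverless/<generated-template>.json
    import sys
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    stmts = role_statements(template)
    print("missing:", missing_actions(stmts, ["dynamodb:*"]))
    print("wildcard statements:", wildcard_statements(stmts))
```

If the only statement reported is the default logs one, the iamRoleStatements block never reached the provider section, which is the indentation mistake discussed in this thread.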

Hi @flomotlik,

My issue was solved (I edited my post some days ago).
As you said it was an indentation error (oops!)
Thank you!


We need to add more validation for that in the future

Serverless link doesn’t work anymore.