IAM Policy + Role for ElasticSearch


Howdy,

After creating my ES cluster with serverless I needed to manually go and modify the ES cluster to add the following policy in order to actually be able to use it.

Since I’d like to keep all of my structure, especially this structure, in my serverless.yml, I’m hoping it’s possible to add the policy to my serverless.yml.

How would I go about achieving this? Here’s the policy (redacted naturally):

 {
   "Version": "2012-10-17",
   "Statement": [
     {
       "Effect": "Allow",
       "Principal": {
         "AWS": "*"
       },
       "Action": "es:*",
       "Resource": "arn:aws:es:us-west-2:MyID:domain/myservice/*",
       "Condition": {
         "IpAddress": {
           "aws:SourceIp": "MyIP"
         }
       }
     },
     {
       "Effect": "Allow",
       "Principal": {
         "AWS": "arn:aws:sts::MyID:assumed-role/mrservice-dev-us-west-2-lambdaRole/mrservice-dev-updateSearch"
       },
       "Action": "es:*",
       "Resource": "arn:aws:es:us-west-2:MyID:domain/mrservice/*"
     }
   ]
 }

When I add the following policy doc to the default serverless IAM role it doesn’t like it (could be my formatting?).

I tried creating an AWS::IAM::Policy but it wants to reference the “Name” of the role it’s associated with, which apparently the default serverless IAM role doesn’t emit?

Going to keep hitting my head against the wall on this, but I was hoping maybe I’m just "doing it wrong"™ and someone here would be able to point me in the right direction quickly.

Thanks.
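The following serverless.yml fragment is an added example and is not part of the original post or of the Serverless Framework's own documentation. It shows the two halves the post is juggling kept together in one stack: the Lambda-side permission (an identity policy on the framework's default role) and the domain-side access policy (a resource policy on the Elasticsearch domain) that trusts that role by ARN instead of `"AWS": "*"`. It assumes the domain is created in the same stack, that `IamRoleLambdaExecution` is the logical ID the Serverless Framework gives its default Lambda role, and that the service name `mrservice`, region, instance sizing and the `203.0.113.10/32` CIDR are placeholders.

```yaml
# Added example (not the original poster's file): serverless.yml fragments that keep
# the Elasticsearch access policy under source control instead of hand-editing the domain.
# Assumptions: same-stack domain, default role logical ID "IamRoleLambdaExecution",
# placeholder service name, region, sizing and IP range.
service: mrservice

provider:
  name: aws
  region: us-west-2
  # Identity policy attached to the framework's default Lambda role:
  # least privilege = HTTP verbs on this one domain, not "es:*" on everything.
  iamRoleStatements:
    - Effect: Allow
      Action:
        - es:ESHttpGet
        - es:ESHttpPost
        - es:ESHttpPut
      Resource:
        - Fn::Join:
            - ""
            - - "arn:aws:es:"
              - Ref: AWS::Region
              - ":"
              - Ref: AWS::AccountId
              - ":domain/mrservice/*"

resources:
  Resources:
    SearchDomain:
      Type: AWS::Elasticsearch::Domain
      Properties:
        DomainName: mrservice
        ElasticsearchVersion: "7.10"          # placeholder version
        ElasticsearchClusterConfig:
          InstanceCount: 1                     # placeholder sizing
          InstanceType: t3.small.elasticsearch
        EBSOptions:
          EBSEnabled: true
          VolumeSize: 10
        # Resource policy on the domain itself. The principal is the stack's own
        # role ARN (resolved at deploy time), so no account ID or role name is
        # hard-coded and nothing has to be patched by hand after deployment.
        AccessPolicies:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                AWS:
                  Fn::GetAtt: [IamRoleLambdaExecution, Arn]
              Action: es:ESHttp*
              Resource:
                Fn::Join:
                  - ""
                  - - "arn:aws:es:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - ":domain/mrservice/*"
            # Optional operator allow-list for ad-hoc queries from a fixed egress IP.
            # Keep the CIDR as narrow as possible; "*" with no Condition would make the
            # domain world-readable.
            - Effect: Allow
              Principal:
                AWS: "*"
              Action: es:ESHttp*
              Resource:
                Fn::Join:
                  - ""
                  - - "arn:aws:es:"
                    - Ref: AWS::Region
                    - ":"
                    - Ref: AWS::AccountId
                    - ":domain/mrservice/*"
              Condition:
                IpAddress:
                  aws:SourceIp: "203.0.113.10/32"   # placeholder (TEST-NET-3 range)
```

Two details worth knowing when adapting this: the post's policy trusts the assumed-role session ARN (`arn:aws:sts::...:assumed-role/...`), which is tied to the role name and the session name, whereas `Fn::GetAtt IamRoleLambdaExecution.Arn` yields the `arn:aws:iam::...:role/...` ARN, which covers every session of that role and does not break when the role is renamed. And if a separate `AWS::IAM::Policy` resource is preferred over `iamRoleStatements`, its `Roles` list takes role names, and `Ref: IamRoleLambdaExecution` returns exactly that name for an `AWS::IAM::Role`, so the default role does not need a custom name to be referenced.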