Is it possible to create a trust policy document with Serverless?

Ex:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Yep, the resources section takes CloudFormation, which can create IAM policies.

@rowanu It is a trust policy, not a role or a resource.

It is a policy document, which can be defined in an IAM Policy resource.

Is it possible to add this policy document to the default IAM role?

I have this in resources:

    IotPolicy:
      Type: AWS::IAM::Policy
      Properties:
        PolicyName: "IoT"
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            -
              Effect: "Allow"
              Principal:
                Service:
                  - iot.amazonaws.com
              Action: "sts:AssumeRole"
              Resource: "*"
        Roles:
          -
            Ref: "IamRoleLambdaExecution"

And I got:

Serverless Error ---------------------------------------

 An error occurred while provisioning your stack: IotPolicy
 - Policy document should not specify a principal..

I have the same problem as @Jari. Please, someone provide a working sample.

Ah, my bad! I was sure I had done this with just a policy before, but after reviewing my old code I can see that wasn't the case - trust policies must be defined in the IAM Role.

To do this, you must override the default function Role that all Serverless functions get.
Here's what the Role resource should look like:

resources:
  Resources:
    IotRole:
      Type: AWS::IAM::Role
      Properties:
        # Trust policy: which principals may call sts:AssumeRole on this role.
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
          - Effect: Allow
            Principal:
              Service:
                # lambda.amazonaws.com must be trusted as well, otherwise the
                # Lambda service cannot assume the role when it runs the function.
                - lambda.amazonaws.com
                - iot.amazonaws.com
            Action:
            - sts:AssumeRole

You then use the Role in your function definition like this (taken from the docs):

functions:
  myFunction:
    role: IotRole

Obviously, if you want your function to do other things (like logging to CloudWatch, etc.), then you will need to add additional statements - you won't get any of the defaults you usually get with the built-in Serverless function Role.

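A complete serverless.yml that puts the two pieces of the answer above together, added here as an example and not taken from the thread or from the Serverless docs. The service name, runtime, region and handler are assumed placeholders; the log-group ARN pattern assumes the default Serverless naming (stack `service-stage`, function `service-stage-name`). It shows the distinction the thread stumbles on: the trust policy (AssumeRolePolicyDocument, which carries a Principal) versus the permissions policy (PolicyDocument, which must not).

```yaml
# Added example, not part of the original thread.
service: iot-trust-example        # assumed service name

provider:
  name: aws
  runtime: nodejs18.x             # assumed runtime
  region: us-east-1               # assumed region

functions:
  myFunction:
    handler: handler.hello        # assumed handler
    role: IotRole                 # logical ID of the custom role below

resources:
  Resources:
    IotRole:
      Type: AWS::IAM::Role
      Properties:
        # Trust policy: WHO may assume the role. A Principal belongs here and
        # nowhere else. lambda.amazonaws.com is mandatory for a function role;
        # iot.amazonaws.com is the extra trusted service the thread asks for.
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
                  - iot.amazonaws.com
              Action:
                - sts:AssumeRole
        # Permissions policy: WHAT the role may do. No Principal allowed here;
        # that is exactly the "should not specify a principal" error above.
        # The built-in Serverless role is gone, so CloudWatch Logs access has
        # to be granted explicitly; it is scoped to this stack's log groups.
        Policies:
          - PolicyName: iot-function-logs
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - Fn::Sub: "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${AWS::StackName}-*:*"
```

Add further statements to the Policies block for whatever else the function touches (IoT, DynamoDB, etc.); keep the Principal out of them, and keep the Resource as narrow as the function's real needs allow.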

@rowanu Thanks for the example; I couldn't test it yet because I am facing a deploy problem with Serverless.

But I suggest having it somewhere in the docs.

Thanks

This is now possible with custom resources: https://gist.github.com/sdomagala/a647a69f0dd87af545d7c45dfc7b0114