Its possible to create trust policy document with serverless?

marckaraujo · January 25, 2017, 12:37am

Ex:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

rowanu · January 25, 2017, 1:57am

Yep, the resources section takes CloudFormation which can create IAM Policies.

marckaraujo · January 25, 2017, 2:24am

@rowanu It is trust policy, not role or resource.

rowanu · January 25, 2017, 4:35am

It is a policy document, which can be defined in an IAM Policy resource.

Jari · January 25, 2017, 11:55am

Is it possible to add this policy document to default IAM role?

I have this in resources:

IotPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: "IoT"
PolicyDocument:
Version: "2012-10-17"
Statement:
-
Effect: "Allow"
Principal:
Service:
- iot.amazonaws.com
Action: "sts:AssumeRole"
Resource: "*"
Roles:
-
Ref: “IamRoleLambdaExecution”

And I got:

Serverless Error ---------------------------------------

 An error occurred while provisioning your stack: IotPolicy
 - Policy document should not specify a principal..

marckaraujo · January 25, 2017, 12:54pm

I have the same problem as @Jari. Plz someone provide a working sample.

rowanu · January 25, 2017, 9:25pm

Ah, my bad! I was sure I had done this with just in a policy before, but after reviewing my old code I can see that wasn’t the case - trust policies must be defined in the IAM Role.

To do this you must override the default function Role that all Serverless functions get.
Here’s what the Role resource should look like:

resources:
  Resources:
    IotRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Statement:
          - Effect: Allow
            Principal:
              Service:
                - iot.amazonaws.com
            Action:
            - sts:AssumeRole

You then use the Role in your function definition like this (taken from the docs):

functions:
  myFunction:
    role: IotRole

Obviously if you want your function to do other things (like log to CloudWatch, etc), then you will need to add additional statements - you won’t get any of the defaults you usually get with the built-in Serverless function Role.

marckaraujo · January 26, 2017, 5:22pm

@rowanu Thx for the example, couldnt test it yet because I am facing a deploy problem with serverless.

But I suggest to have it somewhere in Docs.

Thanks

sdomagala · February 3, 2020, 9:06am

This is now possible with custom resources: https://gist.github.com/sdomagala/a647a69f0dd87af545d7c45dfc7b0114

Topic		Replies	Views
AWS IAM role trust relationship policy Serverless Framework iam	0	928	January 6, 2020
How to add IAM Trust Relationship to default role Serverless Framework	1	2500	February 3, 2020
Create IAM Role Serverless Framework aws	2	6388	December 15, 2017
IAM Policy + Role for ElasticSearch Serverless Framework iam	0	1434	May 14, 2019
Policy creation works ... but does it? Serverless Framework aws	3	2119	December 15, 2016

Its possible to create trust policy document with serverless?

Related topics