Multiple IAM policies?


I have a small python application that is distributed to several users. Right now we manage a lot of configuration options via hard coded values in our GitHub repository. This works, as long as everyone that is running the script pulls the most recent version of code from GitHub. It’s…cumbersome, but has worked while we were small. We’re not as small any more and this architecture is getting difficult to maintain.

The new plan is to migrate our configuration to dynamodb and have the distributed scripts pull from here to get the latest configuration. An advantage is that we can completely eliminate the git pull step that some users had trouble remembering.

However, we’re running into a bit of a problem in figuring out the design for how to do this. We’d like to use the Python RESTApi with dynamodb example to accomplish this. The problem is, we don’t want everyone to be able to write/update/delete configuration options. That is currently managed via GitHub where only select members of the community have permission in GitHub to merge changes into the repository. We do want everyone to be able to get configuration options though.

It looks like roles are set in serverless.yml, but this looks to be a single role where everyone connecting to the API would be able to do everything.

Is there a way to have two different credentials? We’d like to have the readonly credentials embedded with the script on GitHub. By default, anyone running could pull the latest configuration and run the script as expected. The second set we envision having in local OS environment variables, and if these are set those would be used to do the update/create/delete options. I’m open to other ideas if OS variables aren’t appropriate.

How can I set this type of architecture up so that everyone gets the default readonly options but selected instances of the same script can use the write functions if they have permission?


You can create Custom IAM roles. As per docs, you can create custom IAM roles

  • for all functions
  • for each function
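Putting the two options from the answer together for the read-only-by-default setup the question describes, here is an added serverless.yml example (written for this thread, not taken from the Serverless docs or the question's project; the table, function and role names are assumed). Every function runs under the provider-level role, which can only read the config table; only `updateConfig` is given its own role that may write.

```yaml
provider:
  name: aws
  runtime: python3.9
  iam:
    role:
      statements:
        # Default role shared by every function: read-only on the config table
        - Effect: Allow
          Action: [dynamodb:GetItem, dynamodb:Query, dynamodb:Scan]
          Resource: { Fn::GetAtt: [ConfigTable, Arn] }
functions:
  getConfig:            # everyone can read; runs with the default read-only role
    handler: handler.get_config
    events:
      - http: { path: "config/{key}", method: get }
  updateConfig:         # only this function gets the write role
    handler: handler.update_config
    role: ConfigWriterRole        # logical ID of the role defined under resources
    events:
      - http:
          path: "config/{key}"
          method: put
          authorizer: aws_iam     # caller must sign the request with IAM credentials
resources:
  Resources:
    ConfigTable:                  # assumed table name; adjust to your own
      Type: AWS::DynamoDB::Table
      Properties:
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions: [{ AttributeName: key, AttributeType: S }]
        KeySchema: [{ AttributeName: key, KeyType: HASH }]
    ConfigWriterRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: { Service: lambda.amazonaws.com }
              Action: sts:AssumeRole
        ManagedPolicyArns:
          # a custom function role gets no log permissions automatically, so add them
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        Policies:
          - PolicyName: config-write
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action: [dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:DeleteItem]
                  Resource: { Fn::GetAtt: [ConfigTable, Arn] }
```

The function roles only bound what each Lambda may do in DynamoDB; who may call the write endpoint is decided by the endpoint's authorizer, so the write-side credentials the question mentions are the ones that must be granted `execute-api:Invoke` on that PUT method, while the embedded read-only credentials need nothing beyond calling the GET endpoint.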