Per-function IAM permissions?

I’m looking to restrict each of my functions to only the IAM permissions it needs, simply as a matter of organization / security practice. It looks like the default way of assigning IAM permissions to Lambda functions assigns them to all.

I’m trying to find it documented somewhere, but I can’t find anything showing exactly what options I’m allowed to specify for a function in my serverless.yml. I’ve tried passing in “iamRoleStatements” and “role”, but they seem to just get ignored when I redeploy.

Can I define a separate role for it as a custom resource and then set the function to use the role? That’s how I’d do it with native CloudFormation, but I’m having trouble finding the best way to do it here.

There’s an outstanding PR for this functionality in progress right now.

You could definitely do this in CloudFormation (under the resources section of your serverless.yml) too, if you can’t wait. You’d need to use Serverless Variables to generate your function names on the fly in order to make it work.

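As an added illustration of the CloudFormation route rowanu describes (this is example config, not something posted in the thread or shipped by the Serverless Framework), the `serverless.yml` below defines one `AWS::IAM::Role` under `resources` for a single function and points that function at it, with the names built from Serverless Variables. It assumes two things the thread does not state: that the framework names the generated Lambda resource `<FunctionName>LambdaFunction` (so `hello` becomes `HelloLambdaFunction`), and that whatever you place under `resources.Resources` is merged into the generated template, which is what lets the function's `Role` property be overridden. The service name, stage, table name and runtime are placeholders.

```yaml
# serverless.yml (added example, not from the thread or the framework):
# one function, one least-privilege role, nothing granted at provider level.
# Assumed (not stated on the page): generated Lambda logical id is
# "<FunctionName>LambdaFunction" and resources.Resources is merged into the
# generated template, so the Role property below overrides the default.
service: per-function-roles   # placeholder service name

provider:
  name: aws
  runtime: nodejs4.3          # placeholder runtime
  stage: dev
  region: us-east-1
  # Deliberately no provider-level iamRoleStatements: anything put here
  # would be attached to every function in the service.

functions:
  hello:
    handler: handler.hello

resources:
  Resources:
    # Role used only by the "hello" function. The name is derived from the
    # service and stage with Serverless Variables so parallel stages do not
    # collide on a fixed RoleName.
    HelloFunctionRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:service}-${opt:stage, self:provider.stage}-hello
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: hello-least-privilege
            PolicyDocument:
              Version: "2012-10-17"
              Statement:
                # Logging, scoped to this function's own log group only
                # (log group name follows /aws/lambda/<service>-<stage>-<fn>).
                - Effect: Allow
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource:
                    - arn:aws:logs:${self:provider.region}:*:log-group:/aws/lambda/${self:service}-${opt:stage, self:provider.stage}-hello:*
                # Read one table; no write, scan or table-admin actions.
                - Effect: Allow
                  Action:
                    - dynamodb:GetItem
                  Resource:
                    - arn:aws:dynamodb:${self:provider.region}:*:table/${self:service}-${opt:stage, self:provider.stage}-items

    # Override the Role of the Lambda resource the framework generates for
    # "hello" so it no longer uses the shared service-wide role.
    HelloLambdaFunction:
      Type: AWS::Lambda::Function
      Properties:
        Role:
          Fn::GetAtt:
            - HelloFunctionRole
            - Arn
```

After `serverless deploy`, the check is in the CloudFormation console or `aws iam get-role`: the `hello` function should reference `HelloFunctionRole` rather than the default `IamRoleLambdaExecution`, and the role's inline policy should list only the three `logs:` actions on its own log group and `dynamodb:GetItem` on the one table. Each further function gets its own role block with its own minimal statements, which also means a compromise of one function's code cannot reach the other functions' resources.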

Can you make an example on how to do this with variables?

We will merge the PR @rowanu mentioned soon, so it will be in the next release of Serverless (and hit master soon before that). Definitely a very important feature, and extended Security Controls in general are a SUPER important next step in Serverless. More info to come next week on our blog.