Specifying Role and Log Groups?

Saeven · January 15, 2021, 5:11pm

I’d like to enforce functions writing to specific logs, as well, would like to ensure that a specific IAM role is being used. I can’t seem to find references on how these things can get specified, any tips?

I have to lock down the policies that serverless will use, giving admin access is not an option.

Here’s the error I am currently getting for lack of being able to do this:

Serverless: Checking Stack create progress...
CloudFormation - CREATE_IN_PROGRESS - AWS::CloudFormation::Stack - foo-bref-dev
CloudFormation - CREATE_IN_PROGRESS - AWS::Logs::LogGroup - Function1LogGroup
CloudFormation - CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - CREATE_FAILED - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - CREATE_FAILED - AWS::Logs::LogGroup - Function1LogGroup

Thank you for your help.

Saeven · January 15, 2021, 5:50pm

Ok, have found how to specify roles. I needed to RTFM a lil deeper and use the Arn notation. If anyone runs into this, it’s here:

functions:
    foo:
        role: arn:aws:iam:12341234:role/YourRole

Now to figure log groups.

BryschG · January 21, 2021, 7:51am

for roles it is also useful to checkout the serverless plugin serverless-iam-roles-per-function, which allows you for each function to add its needed permissions and per default a role with default lambda execution permissions plus the once you specified are generated.
For the log groups, if you use the “name” property for each function then you get a log stream with /aws/lambda/ which works but i’m not sure if the path /aws/lambda is also changeable.

Here is a partial sample of a function’s yml file:

receiver:
       package:
         exclude:
           - ./**
        include:
           - ../lambdas/notification_data_receiver.py
           - ../../aws/**
           - ../schema/ldis-notification-schema.json
  handler: lambdas/notification_data_receiver.notify
  layers:
    - "${cf:ldis-layer-${self:provider.stage}.ReceiverDashdependenciesLambdaLayerQualifiedArn}"
  name: ${env:PROJECT_NAME}-notification-receiver-${self:provider.stage}
  events:
    - http:
        method: post
        path: /notify
        private: true
  timeout: 60
  iamRoleStatementsInherit: true
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - events:PutEvents
      Resource:
        - arn:aws:events:${self:provider.region}:${env:ACCOUNT_ID}:event-bus/${env:BUS_NAME}
    - Effect: "Allow"
      Action:
        - SNS:Publish
      Resource:
        -arn:aws:sns:${self:provider.region}:${env:ACCOUNT_ID}:${env:TOPIC_NAME}



``

Topic		Replies	Views
Per-function IAM permissions? Serverless Framework aws	3	1711	October 12, 2016
Policy creation works ... but does it? Serverless Framework aws	3	2142	December 15, 2016
Assign Role For Each Function with a role defined in aws account in Serverless Framework Serverless Framework	0	602	December 28, 2018
Don't create default lambdaRole when deploying serverless Serverless Framework aws , lambda , cloudformation , api-gateway	0	920	June 11, 2020
CreateLogGroup & PutLogEvents policies are getting too large Serverless Framework aws , cloudformation	2	1133	October 25, 2019

Specifying Role and Log Groups?

Related topics