Using different IAM roles depending on stage

endymion · December 10, 2016, 5:40pm

Hi,
My serverless deployments use this statement for configuring the IAM Role permissions:

iamRoleStatements:
$ref: ./iamRoleStatements.json

The json file contains these permissions:

[
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:BatchGetItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:DeleteItem",
      "dynamodb:GetItem",
      "dynamodb:GetRecords",
      "dynamodb:GetShardIterator",
      "dynamodb:PutItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:UpdateItem"
    ],
    "Resource": "arn:aws:dynamodb:*:222222222222:*"
  },
  {
    "Effect": "Allow",
    "Action": [
        "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
        "cognito-identity:LookupDeveloperIdentity",
        "cognito-identity:MergeDeveloperIdentities",
        "cognito-identity:UnlinkDeveloperIdentity"
      ],
      "Resource": "arn:aws:cognito-identity:eu-central-1:222222222222:*"
  },
  {
    "Effect": "Allow",
    "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DeleteNetworkInterface"
    ],
    "Resource": "*"
  }
]

Currently we are using eu-central-1 as development environment but we will use another zone for production.

Basically I need to configure the cognito resource like this:
dev stage: “Resource”: “arn:aws:cognito-identity:eu-central-1:222222222222:"
prod stage: “Resource”: "arn:aws:cognito-identity:eu-west-1:222222222222:”

How can I achieve this?

Thank you in advance

rowanu · December 11, 2016, 7:05pm

You could make the Resource (or just the region part of it) a variable. I can’t recall off the top of my head if you can put Serverless Variables in an external file that you load - you can definitely do it by moving your policy in to your serverless.yml and doing something like ${env:${opt:stage}_resource}.

buggy · December 12, 2016, 12:23am

You can use Serverless variable inside external files (the YAML files at least). I’ve done it using external YAML files to define environment variables. I’d convert it to a YAML file then use ${self:provider.region} inside your definition.

This is un-tested but should work.

"Resource": "arn:aws:cognito-identity:${self:provider.region}:222222222222:*"

tobyhede · December 12, 2016, 11:10pm

Same solution here. Variables interpolated into the resource names.

Topic		Replies	Views
How it works iamRoleStatements configuration section? Serverless Framework aws	6	24859	November 19, 2019
Generated policy is missing certain IAM permissions Serverless Framework	2	939	November 12, 2017
iamRoleStatements for multiple DynamoDB tables Serverless Framework iam , dynamodb	1	5615	October 19, 2021
Configuring Serverless.yml with multiple iamRoleStatements Serverless Framework aws	1	7381	February 21, 2019
IAM role (resource) for accessing cognito group info Serverless Framework aws , lambda	2	2750	May 8, 2018

Using different IAM roles depending on stage

Related topics