0

I have deployed an API Gateway via the Serverless Framework with a default IAM role (apis-gateway-dev-apiDefaultRole) that contains a set of permissions. Each lambda function is declared separately, and does not have an IAM role defined in serverless.yml.

If I understand correctly, Serverless now generates minimal lambda IAM roles to each lambda fn (eg app-apis-fn-dev-fn), assigns them minimal permissions to write logs, but then assumes permissions from the default role.

My lambda functions now throw AccessDenied errors:

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::************:assumed-role/app-apis-fn-dev-region-lambdaRole/app-apis-fn-dev-fn is not authorized to perform: ssm:GetParameter ...

app-apis-fn-dev-region-lambdaRole is the minimal role autogenerated by Serverless. It doesn't have permissions. The permissions are in apis-gateway-dev-apiDefaultRole

This seems to imply to me that the lambda is not assuming the apiDefaultRole - is that correct? How do I troubleshoot this?

The worst bit is it worked fine before some fairly major changes I made earlier today, but the role definitions were one of the few parts that were not changed... I know I've broken it, please help me work out how!

Improve this question
0

1 Answer 1

Reset to default
0

You are right, Serverless Framework creates minimal roles for each Lambda.

You should simply extend them with additional permissions that are needed to all Lambdas:

provider:
  name: aws
  iam:
    role:
      statements: # permissions for all of your functions can be set here
        - Effect: Allow
          Action:
            - ssm:GetParameter
          Resource: <param arn goes here>

Source: https://www.serverless.com/framework/docs/providers/aws/guide/functions#permissions

It's not a perfect solution, because it will be applied to all functions, so if you want to have the least privilege applied to each function, you can use this plugin: https://www.npmjs.com/package/serverless-iam-roles-per-function

functions:
  func1:
    handler: handler.get
    iamRoleStatements:
      - Effect: Allow        
        Action:
          - ssm:GetParameter    
        Resource: <param arn goes here>
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.