SeanRoy / lambda-maven-plugin

A maven plugin to facilitate lambda deployments as part of your maven build/dev process
Apache License 2.0

IAM Permissions #95

Open JamKage opened 6 years ago

JamKage commented 6 years ago

Thanks for the great plugin!

When setting up, I found that the permissions list in the README was missing quite a few permissions, causing errors when trying to deploy. Eventually I found that I needed the following much larger set of permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction",
                "lambda:GetFunction",
                "lambda:ListAliases",
                "lambda:GetFunctionConfiguration",
                "lambda:UpdateAlias",
                "s3:PutObject",
                "s3:GetObject",
                "lambda:UpdateFunctionCode",
                "iam:PassRole",
                "lambda:AddPermission",
                "events:ListRuleNamesByTarget",
                "lambda:GetPolicy",
                "lambda:CreateAlias"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket>/*",
                "arn:aws:lambda:*:*:function:<functionName>",
                "arn:aws:iam::*:role/service-role/<role>",
                "arn:aws:events:*:*:rule/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "lambda:CreateFunction",
                "events:PutTargets",
                "s3:ListAllMyBuckets",
                "ec2:DescribeVpcs",
                "events:PutRule",
                "lambda:ListEventSourceMappings",
                "lambda:UpdateFunctionConfiguration",
                "sns:ListSubscriptions",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:CreateBucket",
            "Resource": "arn:aws:s3:::<bucket>"
        }
    ]
}

Is this to be expected or have I done something wrong? Is it just that the documentation needs updating?

Thanks!

SeanRoy commented 6 years ago

You haven't done anything wrong, the documentation needs to be updated.