assertible / lambda-cloudwatch-slack

Send AWS CloudWatch notifications to a Slack channel using Lambda
https://assertible.com/blog/npm-package-lambda-cloudwatch-slack
MIT License

User permissions #54

Closed 23ewrdtf closed 4 years ago

23ewrdtf commented 4 years ago

What are the exact permissions needed for `npm run deploy` to work? A user with AdministratorAccess has far too much access.

When I run `npm run deploy` with the permission below I get:

User: arn:aws:iam::xxxxxxxx:user/xxxxxxxx is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxx:role/xxxxxxxx

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction"
            ],
            "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME"
        }
    ]
}
23ewrdtf commented 4 years ago

I think I figured this out.

  1. Create a policy with the JSON below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "iam:ListRoles"
            ],
            "Resource": "arn:aws:iam::ACCOUNT_ID:role/ROLE_CREATED_IN_NEXT_POINT"
        }
    ]
}
  2. Create a role and attach the above policy and the AWSLambdaBasicExecutionRole policy.

  3. Create a new user and attach the above policy to it.

KingBain commented 3 years ago

This is what worked for me

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:ListEventSourceMappings",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": "arn:aws:lambda:REGION:ACCOUNT_ID:function:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "iam:ListRoles"
            ],
            "Resource": "arn:aws:iam::ACCOUNT_ID:role/ROLE_CREATED_IN_TUTORIAL"
        }
    ]
}
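Both policies in this thread (23ewrdtf's three-step version and KingBain's variant with `lambda:ListEventSourceMappings`) are least-privilege replacements for AdministratorAccess, so the useful check before attaching one is whether it grants exactly the actions the deploy needs and nothing broader. The script below is an added example, not part of this repository or of either comment: it loads a policy document, reports required actions that no Allow statement covers, lists every action granted on a wildcard resource, and confirms that `iam:PassRole` (the action that can hand a deploy user the privileges of any role it is allowed to pass) is restricted to explicitly named role ARNs. The account ID, region and role name inside the sample policy are constructed placeholders, and the required-action set is taken from the two comments above.

```python
import fnmatch
import json

# Constructed sample: the statement layout from this thread, with the
# placeholders filled by obviously fake values (not a real account or role).
DEPLOY_POLICY_JSON = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:InvokeFunction",
                "lambda:UpdateAlias",
                "lambda:CreateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:ListEventSourceMappings",
                "lambda:UpdateFunctionCode"
            ],
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:*"
        },
        {
            "Effect": "Allow",
            "Action": ["iam:PassRole", "iam:ListRoles"],
            "Resource": "arn:aws:iam::123456789012:role/cloudwatch-slack-lambda-role"
        }
    ]
}
"""

# Actions the deploy step is reported to need, as listed in the comments above.
REQUIRED_ACTIONS = {
    "lambda:GetFunction", "lambda:CreateFunction", "lambda:UpdateFunctionCode",
    "lambda:GetFunctionConfiguration", "lambda:AddPermission",
    "lambda:CreateAlias", "lambda:UpdateAlias", "lambda:InvokeFunction",
    "lambda:ListEventSourceMappings", "iam:PassRole", "iam:ListRoles",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def action_allowed(policy, action):
    """True if any Allow statement's Action pattern matches the action.
    IAM action names are case-insensitive and use * and ? as wildcards."""
    return any(
        fnmatch.fnmatchcase(action.lower(), pattern.lower())
        for s in allow_statements(policy)
        for pattern in _as_list(s.get("Action"))
    )


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that no Allow statement grants (deploy would fail)."""
    return {a for a in required if not action_allowed(policy, a)}


def wildcard_resources(policy):
    """(action pattern, resource) pairs granted on a resource containing '*'."""
    hits = []
    for s in allow_statements(policy):
        for resource in _as_list(s.get("Resource")):
            if "*" in resource:
                for pattern in _as_list(s.get("Action")):
                    hits.append((pattern, resource))
    return hits


def passrole_is_scoped(policy):
    """iam:PassRole must only be allowed on explicitly named role ARNs, never
    on '*' or on a role/* pattern; any wildcard makes the grant unscoped."""
    for s in allow_statements(policy):
        patterns = _as_list(s.get("Action"))
        if any(fnmatch.fnmatchcase("iam:passrole", p.lower()) for p in patterns):
            if any("*" in r for r in _as_list(s.get("Resource"))):
                return False
    return True


def audit(policy_json, required=REQUIRED_ACTIONS):
    """Audit a policy document (JSON text) and return the findings as a dict."""
    policy = json.loads(policy_json)
    return {
        "missing_actions": sorted(missing_actions(policy, required)),
        "wildcard_resources": wildcard_resources(policy),
        "passrole_scoped": passrole_is_scoped(policy),
    }


if __name__ == "__main__":
    print(json.dumps(audit(DEPLOY_POLICY_JSON), indent=2))
```

On the thread's policy the audit reports no missing actions and a scoped `iam:PassRole`, but flags every Lambda action as granted on `function:*`; if the function name is fixed by the deploy configuration, the resource can be narrowed to that single function ARN, as the first comment's original policy already did. Running the same audit on an AdministratorAccess-style `"Action": "*", "Resource": "*"` document shows why that policy was too much: nothing is missing, but `iam:PassRole` is unscoped.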