Open dimkir opened 6 years ago
So we take the role:
"Role": "arn:aws:iam::403288089139:role/lmx-main-executor",
And we add AdminPolicy to it.
Removed AdministratorAccess
and added a custom policy (the original from the QuickStart, without the ECS section):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "dynamodb:Query",
        "dynamodb:PutItem",
        "dynamodb:DescribeTable",
        "dynamodb:DeleteTable",
        "dynamodb:GetItem",
        "dynamodb:CreateTable",
        "dynamodb:Scan"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "DYNAMODB"
    },
    {
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:CreateRole",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:PassRole"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "IAM"
    },
    {
      "Action": [
        "cognito-identity:CreateIdentityPool",
        "cognito-identity:DeleteIdentityPool",
        "cognito-identity:DeleteIdentities",
        "cognito-identity:DescribeIdentity",
        "cognito-identity:DescribeIdentityPool",
        "cognito-identity:GetIdentityPoolRoles",
        "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
        "cognito-identity:ListIdentities",
        "cognito-identity:ListIdentityPools",
        "cognito-identity:LookupDeveloperIdentity",
        "cognito-identity:MergeDeveloperIdentities",
        "cognito-identity:SetIdentityPoolRoles",
        "cognito-identity:UnlinkDeveloperIdentity",
        "cognito-identity:UpdateIdentityPool"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CognitoIdentity"
    },
    {
      "Action": [
        "cognito-idp:CreateUserPool",
        "cognito-idp:CreateUserPoolClient",
        "cognito-idp:AdminCreateUser",
        "cognito-idp:AdminDeleteUser",
        "cognito-idp:DeleteUserPool",
        "cognito-idp:AdminGetUser"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CognitoUP"
    },
    {
      "Action": [
        "apigateway:GET",
        "apigateway:HEAD",
        "apigateway:OPTIONS"
      ],
      "Resource": [
        "arn:aws:apigateway:us-east-1::/clientcertificates/*",
        "arn:aws:apigateway:us-east-1::/domainnames/*",
        "arn:aws:apigateway:us-east-1::/apikeys/*"
      ],
      "Effect": "Allow",
      "Sid": "APIGatewayKeysCertificates"
    }
  ]
}
```
Which permissions should lambda have?
We noticed here that the default Lambda execution role permissions do not allow the Lambda to execute what is necessary.
Solution Simple - Run as Admin
Probably the simplest solution is to simply add `AdminPolicy` to the Lambda execution role; this way it will operate with elevated permissions.
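Added example, not code from the issue or from the project it was filed against: a static check that answers the "which permissions should the Lambda have?" question for the policy posted above. It flags `Allow` statements that grant IAM actions capable of privilege escalation (attaching or versioning policies, creating or passing roles) on `Resource: "*"`, which makes the custom policy admin-equivalent despite dropping `AdministratorAccess`, and then shows one way to narrow those statements to the account's own roles and policies. `POLICY` is an abridged, constructed copy of the posted document (DynamoDB and IAM statements only); `ACCOUNT_ID` and `NAME_PREFIX` are placeholder assumptions, not values from the issue.

```python
"""Static check of an IAM policy document for admin-equivalent grants.

Added example, not code from the issue or the project. POLICY is an
abridged, constructed copy of the policy posted in the issue; ACCOUNT_ID
and NAME_PREFIX are placeholder assumptions.
"""
import copy
import fnmatch

ACCOUNT_ID = "123456789012"   # placeholder, not the account in the issue
NAME_PREFIX = "lmx-"          # assumed naming convention for the app's roles/policies

# Abridged copy of the posted policy (constructed for this example).
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DYNAMODB",
            "Effect": "Allow",
            "Action": ["dynamodb:Query", "dynamodb:PutItem", "dynamodb:GetItem",
                       "dynamodb:CreateTable", "dynamodb:DeleteTable", "dynamodb:Scan"],
            "Resource": "*",
        },
        {
            "Sid": "IAM",
            "Effect": "Allow",
            "Action": ["iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreatePolicyVersion",
                       "iam:CreateRole", "iam:DeletePolicy", "iam:DeletePolicyVersion",
                       "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:DetachRolePolicy",
                       "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole",
                       "iam:GetRolePolicy", "iam:PassRole"],
            "Resource": "*",
        },
    ],
}

# IAM actions that, when allowed on every resource, let the principal grant
# itself (or a role it controls) AdministratorAccess-equivalent rights.
ESCALATION_ACTIONS = {
    "iam:AttachRolePolicy", "iam:AttachUserPolicy", "iam:AttachGroupPolicy",
    "iam:PutRolePolicy", "iam:PutUserPolicy", "iam:PutGroupPolicy",
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:CreateRole", "iam:PassRole", "iam:UpdateAssumeRolePolicy",
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AddUserToGroup",
}


def _as_list(value):
    """IAM accepts a bare string wherever a list of strings is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_escalation_grants(policy):
    """Return sorted (Sid, action) pairs for Allow statements that grant an
    escalation-capable IAM action on Resource "*" (conditions are ignored,
    so the check errs on the side of reporting)."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in ESCALATION_ACTIONS:
                if action_matches(pattern, action):
                    findings.add((stmt.get("Sid", ""), action))
    return sorted(findings)


def scope_iam_statements(policy, account_id, name_prefix):
    """Return a copy in which every statement carrying iam: actions is
    limited to roles and policies in this account whose names start with
    name_prefix, instead of Resource "*"."""
    scoped = copy.deepcopy(policy)
    for stmt in _as_list(scoped.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if any(a.lower().startswith("iam:") for a in actions):
            stmt["Resource"] = [
                f"arn:aws:iam::{account_id}:role/{name_prefix}*",
                f"arn:aws:iam::{account_id}:policy/{name_prefix}*",
            ]
    return scoped


if __name__ == "__main__":
    for sid, action in find_escalation_grants(POLICY):
        print(f"{sid}: {action} allowed on *")
    scoped = scope_iam_statements(POLICY, ACCOUNT_ID, NAME_PREFIX)
    print("after scoping:", find_escalation_grants(scoped))
```

Run as-is, the check reports `AttachRolePolicy`, `CreatePolicyVersion`, `CreateRole` and `PassRole` from the `IAM` statement, and nothing after scoping. Scoping by name prefix bounds what the role can touch but is not a complete fix on its own: if the execution role's own name matches the prefix (as `lmx-main-executor` would match `lmx-`), it can still attach policies to itself, so exclude that role from the resource list or put a permissions boundary on the roles it is allowed to create.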