functionalone / serverless-iam-roles-per-function

Serverless Plugin for easily defining IAM roles per function via the use of iamRoleStatements at the function level.
MIT License

kms:Decrypt statement not added if awsKmsKeyArn is set #12

Open dailyherold opened 5 years ago

dailyherold commented 5 years ago

Similar to how the managed VPC execution policy is added to a function's role if running in a VPC, a kms:Decrypt statement should be added automatically to the function specific policy if awsKmsKeyArn is set.

Tested this both when awsKmsKeyArn was set within function blocks as well as parent service block. In both cases kms:Decrypt was not added. To compare, I did see the additional kms statement in the default lambda role created by serverless. To get around this, I enabled inheritance, and added the necessary statement under the provider block. Let me know if you need any more info, thank you for the work on this plugin!

Running serverless 1.30.0 and serverless-iam-roles-per-function 1.0.4
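The behaviour the issue asks for, sketched as an added example (not code from the plugin or from the Serverless Framework): resolve `awsKmsKeyArn` from the function block, falling back to the provider block, and append a `kms:Decrypt` statement scoped to exactly that key unless the function's own `iamRoleStatements` already grant it. The function names, the sample service object and the ARN pattern check are assumptions made for this example.

```javascript
'use strict';

// Constructed sample in the shape of a parsed serverless.yml (not a real service).
const SAMPLE_SERVICE = {
  provider: {
    name: 'aws',
    awsKmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111',
  },
  functions: {
    // Function-level key overrides the provider-level one.
    ownKey: {
      handler: 'handler.ownKey',
      awsKmsKeyArn: 'arn:aws:kms:us-east-1:123456789012:key/22222222-2222-2222-2222-222222222222',
      iamRoleStatements: [
        { Effect: 'Allow', Action: ['s3:GetObject'], Resource: ['arn:aws:s3:::example-bucket/*'] },
      ],
    },
    // No key of its own: inherits the provider key.
    inherits: { handler: 'handler.inherits' },
    // Already grants Decrypt on the inherited key: nothing should be duplicated.
    alreadyHas: {
      handler: 'handler.alreadyHas',
      iamRoleStatements: [
        {
          Effect: 'Allow',
          Action: ['kms:Decrypt'],
          Resource: ['arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111'],
        },
      ],
    },
  },
};

// Assumed shape of a KMS *key* ARN (aliases are deliberately rejected: Lambda
// environment-variable encryption is configured with a key ARN).
const KMS_KEY_ARN = /^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key\/[0-9a-f-]{36}$/;

// Function block wins over provider block; null when neither sets a key.
function resolveKmsKeyArn(fnConfig, providerConfig) {
  const arn = (fnConfig && fnConfig.awsKmsKeyArn) || (providerConfig && providerConfig.awsKmsKeyArn) || null;
  if (arn !== null && !KMS_KEY_ARN.test(arn)) {
    throw new Error(`awsKmsKeyArn is not a KMS key ARN: ${arn}`);
  }
  return arn;
}

// Least-privilege statement: Decrypt on the one key, never on "*".
function kmsDecryptStatement(keyArn) {
  return { Effect: 'Allow', Action: ['kms:Decrypt'], Resource: [keyArn] };
}

// True if an existing Allow statement already covers kms:Decrypt on keyArn.
function hasKmsDecrypt(statements, keyArn) {
  return statements.some((s) => {
    if (s.Effect !== 'Allow') return false;
    const actions = [].concat(s.Action || []);
    const resources = [].concat(s.Resource || []);
    return actions.some((a) => a === 'kms:Decrypt' || a === 'kms:*')
      && resources.some((r) => r === keyArn || r === '*');
  });
}

// Per-function statements with the automatic kms:Decrypt grant applied.
function buildFunctionStatements(fnConfig, providerConfig) {
  const statements = (fnConfig.iamRoleStatements || []).slice();
  const keyArn = resolveKmsKeyArn(fnConfig, providerConfig);
  if (keyArn && !hasKmsDecrypt(statements, keyArn)) {
    statements.push(kmsDecryptStatement(keyArn));
  }
  return statements;
}

// Map of function name -> statements for a whole service definition.
function buildAllStatements(service) {
  const out = {};
  for (const [name, fnConfig] of Object.entries(service.functions || {})) {
    out[name] = buildFunctionStatements(fnConfig, service.provider);
  }
  return out;
}

console.log(JSON.stringify(buildAllStatements(SAMPLE_SERVICE), null, 2));
```

Scoping `Resource` to the single key ARN is the point of doing this per function rather than via an inherited provider-level statement: a function that is compromised can only decrypt with the key it was actually given.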

glicht commented 5 years ago

Thanks for reporting this. Still didn't get a chance to dig deeper into this, but from what you describe it sounds like a missing feature.

On Thu, Oct 18, 2018, 9:09 AM John Paul Herold notifications@github.com wrote:
