sbstjn / serverless-dynamodb-autoscaling

Serverless Plugin for Amazon DynamoDB Auto Scaling configuration.
https://sbstjn.com/serverless-dynamodb-auto-scaling-with-cloudformation.html
MIT License

Create one scaling dedicated IAM role per project (not table) #31

Open medikoo opened 6 years ago

medikoo commented 6 years ago

Currently, the project creates a scaling role per table, which inconveniently increases the resource count of the CloudFormation stack, e.g. with a larger number of tables it's more likely to reach the 200 resources limit, which is not shiftable.

As it's the scalable targets that state which roles they're going to use, the ScalingRole can safely be configured as one global resource; it's also how it's exemplified in the AWS CloudFormation documentation.

sbstjn commented 6 years ago

Good point 👍

mithun commented 6 years ago

It would also be useful to allow use of a role defined outside the stack.

medikoo commented 6 years ago

I addressed this in the plain JS version of this module at https://github.com/medikoo/serverless-plugin-dynamodb-autoscaling (still, the role name remains fixed at this point).

ro-savage commented 6 years ago

@sbstjn - Just had a very quick check of the source. Wouldn't changing this line fix it?

(Unless there is a reason to have an option to either have 1 role or multiple roles?)

  public role(): string {
    return clean(this.build(TEXT.ROLE))
  }

to

  public role(): string {
    return TEXT.ROLE
  }

sbstjn commented 6 years ago

This only works if you update/create the role to have permission for every table. I try to keep the role permissions as restricted as possible and to avoid `Resource: *` whenever possible. Therefore a new role is created for every table with permissions only for that one specific table.

sbstjn commented 6 years ago

Basically those two approaches are very different regarding (un-)restricted access:

ro-savage commented 6 years ago

Yep, I had a play and could see it wasn't going to be so simple unfortunately.

I have little knowledge of CloudFormation. But could you create a single role that has access only to the tables that have been added to the capacities config?

e.g. loop through all the tables, build a list, and give that list of resources to the role.

Thanks for the great work btw, I spent a while trying to get the config working manually, gave up and this just worked in seconds!
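One way to do what the comment above sketches, as an added TypeScript example that is not the plugin's code: `buildScalingRole` is a hypothetical helper that takes the CloudFormation logical IDs of the tables in the capacities config and emits a single Application Auto Scaling role whose DynamoDB statement lists exactly those table ARNs (via `Fn::GetAtt`), so the stack gets one role without falling back to `Resource: *` for the tables; the CloudWatch alarm actions stay on `*` only because those actions are not table-scoped.

```typescript
// Added example, not the plugin's own code. Builds one scaling IAM role scoped
// to the configured tables instead of one role per table.
type CfnValue = string | { [key: string]: unknown };

interface CfnStatement {
  Effect: "Allow";
  Action: string[];
  Resource: CfnValue[] | string;
}

interface CfnRole {
  Type: "AWS::IAM::Role";
  Properties: {
    AssumeRolePolicyDocument: unknown;
    Policies: { PolicyName: string; PolicyDocument: { Version: string; Statement: CfnStatement[] } }[];
  };
}

// tableLogicalIds: logical IDs of the DynamoDB tables listed in the capacities config.
function buildScalingRole(tableLogicalIds: string[]): CfnRole {
  if (tableLogicalIds.length === 0) {
    throw new Error("no tables configured; refusing to emit a role with an empty resource list");
  }
  // Reference each table ARN through Fn::GetAtt so nothing is hard-coded.
  const tableArns: CfnValue[] = tableLogicalIds.map((id) => ({ "Fn::GetAtt": [id, "Arn"] }));
  return {
    Type: "AWS::IAM::Role",
    Properties: {
      AssumeRolePolicyDocument: {
        Version: "2012-10-17",
        Statement: [{ Effect: "Allow", Principal: { Service: "application-autoscaling.amazonaws.com" }, Action: "sts:AssumeRole" }],
      },
      Policies: [{
        PolicyName: "DynamoDBAutoscalingPolicy",
        PolicyDocument: {
          Version: "2012-10-17",
          Statement: [
            // Table-scoped: only the tables from the capacities config.
            { Effect: "Allow", Action: ["dynamodb:DescribeTable", "dynamodb:UpdateTable"], Resource: tableArns },
            // Alarm actions act on CloudWatch alarms, not on tables, so they cannot be table-scoped.
            { Effect: "Allow", Action: ["cloudwatch:PutMetricAlarm", "cloudwatch:DescribeAlarms", "cloudwatch:DeleteAlarms",
                                        "cloudwatch:GetMetricStatistics", "cloudwatch:SetAlarmState"], Resource: "*" },
          ],
        },
      }],
    },
  };
}

// Review check: true when no statement carrying a dynamodb:* action uses Resource "*".
function dynamoStatementsAreScoped(role: CfnRole): boolean {
  return role.Properties.Policies.every((p) =>
    p.PolicyDocument.Statement.every((s) => !s.Action.some((a) => a.startsWith("dynamodb:")) || s.Resource !== "*"));
}
```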

medikoo commented 6 years ago

serverless-plugin-dynamodb-autoscaling now reuses the existing project's IAM role (so no single IAM role resource is created).

The project's IAM role provides lambdas with access to DynamoDB tables, and the range of access is decided by the owner of the project. The same range of access is automatically provided to the autoscaling resources.

cdichiara commented 6 years ago

Thank you @medikoo ... just switched to your plugin, looks great & I like your configuration approach. There were so many roles being created across all of my DynamoDBs & stages that I couldn't assign the proper roles to the Cognito identity pool, the list was so long! Your work really helped us, thanks again.

jefersonlemos commented 3 years ago

In my case, I don't have permission to create roles and I just can't use the plugin. Is there any way to work around it using this plugin? Weird: it worked before on the same account and user :/