|
| 1 | +Policy Templates |
| 2 | +================ |
| 3 | + |
| 4 | +When you define a Serverless Function, SAM automatically creates the IAM Role required to run the function. Let's say |
| 5 | +your function needs to access couple of DynamoDB tables, you need to give your function explicit permissions to access |
| 6 | +the tables. You can do this by adding AWS Managed Policies to Serverless Function resource definition in your SAM |
| 7 | +template. |
| 8 | + |
| 9 | +For Example: |
| 10 | + |
| 11 | +.. code:: yaml |
| 12 | +
|
| 13 | + MyFunction: |
| 14 | + Type: AWS::Serverless::Function |
| 15 | + Properties: |
| 16 | + ... |
| 17 | + Policies: |
| 18 | + # Give DynamoDB Full Access to your Lambda Function |
| 19 | + - AmazonDynamoDBFullAccess |
| 20 | + ... |
| 21 | +
|
| 22 | + MyTable: |
| 23 | + Type: AWS::Serverless::SimpleTable |
| 24 | +
|
| 25 | +
|
| 26 | +Behind the scenes, ``AmazonDynamoDBFullAccess`` will give your function access to **all** DynamoDB APIs against **all** |
| 27 | +DynamoDB tables in **all** regions. This is excessively permissive when all that your function does is Read & Write |
| 28 | +values from the ``MyTable`` created in the stack. |
| 29 | + |
| 30 | +SAM provides a tighter and more secure version of AWS Managed Policies called **Policy Templates**. This are a set of |
| 31 | +readily availbale policies that can be scoped to a specific resource in the same region where your stack exists. |
| 32 | +Let's modify the above example to use a policy template called ``DynamoDBCrudPolicy``: |
| 33 | + |
| 34 | +.. code:: yaml |
| 35 | +
|
| 36 | + MyFunction: |
| 37 | + Type: AWS::Serverless::Function |
| 38 | + Properties: |
| 39 | + ... |
| 40 | + Policies: |
| 41 | +
|
| 42 | + # Give just CRUD permissions to one table |
| 43 | + - DynamoDBCrudPolicy: |
| 44 | + TableName: !Ref MyTable |
| 45 | +
|
| 46 | + ... |
| 47 | +
|
| 48 | + MyTable: |
| 49 | + Type: AWS::Serverless::SimpleTable |
| 50 | +
|
| 51 | +
|
| 52 | +How to Use |
| 53 | +---------- |
| 54 | + |
| 55 | +Policy Templates are specified in ``Policies`` property of AWS::Serverless::Function resource. You can mix policy |
| 56 | +templates with AWS Managed Policies, custom managed policies or inline policy statements. Behind the scenes |
| 57 | +SAM will expand the policy template to a inline policy statement based on the definition listed in |
| 58 | +`policy_templates.json`_ file. |
| 59 | + |
| 60 | +Every policy template requires zero or more parameters, which are the resource that this policy is scoped to. |
| 61 | +Your template will fail to deploy if the value for a required parameter is not specified. You can consult the |
| 62 | +`policy_templates.json`_ file for name of the policy templates, parameter names as well as the actual policy statement |
| 63 | +it represents. |
| 64 | + |
| 65 | +If you want a quick reference of all policies, checkout the `all_policy_templates.yaml`_ SAM template in examples |
| 66 | +folder. |
| 67 | + |
| 68 | + NOTE: If a policy template does not require a parameter, you should still specify the value to be an empty dictionary |
| 69 | + like this: |
| 70 | + |
| 71 | + .. code: yaml |
| 72 | +
|
| 73 | + Policies: |
| 74 | + - CloudWatchPutMetricPolicy: {} |
| 75 | +
|
| 76 | +.. _policy_templates.json: policy_templates_data/policy_templates.json |
| 77 | +.. _all_policy_templates.yaml: ../examples/2016-10-31/policy_templates/all_policy_templates.yaml |
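Review bot: The NOTE block near the end of this hunk uses `.. code: yaml` (single colon), which reStructuredText treats as a comment rather than the `code` directive, so the `CloudWatchPutMetricPolicy: {}` example will be silently dropped from the rendered page; change it to `.. code:: yaml` to match the two earlier blocks. A few wording fixes in the same hunk: "access couple of DynamoDB tables" should be "access a couple of DynamoDB tables", "This are a set of readily availbale policies" should be "These are a set of readily available policies", "to a inline policy statement" should be "to an inline policy statement", and "checkout the ... SAM template" should be "check out". "Every policy template requires zero or more parameters" contradicts itself; "takes zero or more parameters, which identify the resources the policy is scoped to" says what is meant. Since the first YAML snippet is shown specifically as the over-permissive pattern, its comment "# Give DynamoDB Full Access to your Lambda Function" reads like a recommendation; something like "# Too broad: full access to every table in every region" would stop readers from copying the first snippet as the intended form.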