Feature Request: Add PermissionsBoundary as option for SAM-created role

[cervantek]

The CloudFormation team just released a batch of updates. One is for CloudFormation to support specifying a Permissions Boundary for the AWS::IAM::Role type.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

SAM creates an AWS::IAM::Role resource for a Serverless::Function in either in these situations:
a) no Role/Permission properties are specified (this is a basic role with limited privs)
b) when a list of Permissions are specified (these can be IAM Policies or in-line policy statements)

The point of Permissions Boundaries are to help delegate IAM role creation to developers while ensuring the roles they create cannot exceed a set of boundaries defined by the "real" IAM administrators of an account.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

I highly recommend supporting a new property for Serverless::Function called PermissionsBoundary that is passed along to the AWS::IAM::Role that SAM creates in the above situations.

This is a particular good match for SAM because of the intention behind both features.

• SAM is geared at developers and helps to offload some IAM complexity from them.
• Permissions Boundaries are an IAM feature that was designed to get more developers involved in IAM maintenance/development.

This new property would be completely optional and would thus not be a breaking change. It would need no new default. If one is not specified, then the corresponding property on the generated AWS::IAM::Role should also not be specified.

[brettstack]

This is a great suggestion. It should be a relatively simple implementation if someone wants to give it a go. I think it's just a couple of lines for the implementation, then a docs update and tests:

https://github.com/awslabs/serverless-application-model/blob/master/samtranslator/model/lambda_.py#L8

https://github.com/awslabs/serverless-application-model/blob/cbd4d9ad40a71b838f1e72b3b960689f30890bf9/samtranslator/model/sam_resources.py#L168

https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md

[cervantek]

@brettstack When implemented, would it be alright if it could be specified in Serverless::Function or in the Globals\Function section? It would seem to me to be a common use case where all Lambdas in and app would share a permissions boundary, even if they did each have their own role.

[keetonian]

Yes, I think adding it to the Globals section of Serverless::Function would be a great idea.

[jasonmk]

I took a swing at it. It doesn't include the Globals part yet, but at least it seems to work for individual functions. I'm not as familiar with the Globals part of the code, but if it's straight forward, I'll try to make that change as well.

[brettstack]

Nicely done. I'll comment over on the PR with details on Globals.

[brettstack]

Merged into develop. This will go out in a future release. Thanks @jasonmk 👏

[jasonmk]

Glad I could help! I look forward to being able to use it. Cheers.

[jasonmk]

Just realized that I forgot to add PermissionsBoundary to the list of supported globals in the docs. Do you want a new pull request for that or is it easier to just add it?

[jlhood]

@jasonmk Go ahead and do a new PR. Thanks!