Conversation

@timoschilling (Contributor) commented Dec 9, 2019

Issue #, if available:
To use an AWS::Serverless::Function as Lambda@Edge you need to add an explicit policy to allow CloudFront to execute the function.

Description of changes:
With this change you can define an AssumeRolePolicyDocument on the SAM created role.

Before:

  Function:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      Timeout: 30
      AutoPublishAlias: true
      Role: !GetAtt Role.Arn

  Role:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - edgelambda.amazonaws.com
            Action: sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: InvokeLambda
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: s3:*
                Resource: ...

After:

  Function:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      Timeout: 30
      AutoPublishAlias: true
      Policies:
        - Version: 2012-10-17
          Statement:
            - Effect: Allow
              Action: s3:*
              Resource: ...
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
                - edgelambda.amazonaws.com
            Action: sts:AssumeRole

Description of how you validated changes:

Checklist:

  • Write/update tests
  • make pr passes
  • Update documentation
  • Verify transformed template deploys and application functions as expected
  • Add/update example to examples/2016-10-31

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
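A trust-policy check for templates that use the property this PR adds, as an added example that is not part of the PR or of the SAM project. It assumes the template has been loaded into a Python dict (JSON form here; a YAML loader yields the same structure), uses a constructed allow-list made of the two service principals in the description, and flags any Allow statement that trusts a wildcard, a non-service principal, an unlisted service, or an action beyond sts:AssumeRole. AssumeRolePolicyDocument is the role's trust policy, so a wider-than-needed principal there lets identities other than the Lambda service assume the function's permissions; the check handles CloudFormation's scalar-or-list forms for Statement, Principal.Service and Action.

```python
"""Trust-policy check for SAM templates that set AssumeRolePolicyDocument.

Added example (not code from the PR or the SAM project): walks a template's
AWS::Serverless::Function resources and flags trust policies that would let
anything other than the expected Lambda service principals assume the role.
"""
import json

# Assumption: the allow-list is whatever the deployer decides; these two are
# the service principals the PR description uses for Lambda@Edge.
EXPECTED_SERVICES = frozenset({"lambda.amazonaws.com", "edgelambda.amazonaws.com"})


def _as_list(value):
    """CloudFormation accepts a scalar wherever a one-element list fits."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, allowed_services=EXPECTED_SERVICES):
    """Return a list of finding strings for one AssumeRolePolicyDocument."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow trust; nothing to flag
        principal = stmt.get("Principal")
        actions = set(_as_list(stmt.get("Action")))
        if principal == "*":
            findings.append("wildcard principal in Allow statement")
            continue
        if not isinstance(principal, dict):
            findings.append("malformed Principal: %r" % (principal,))
            continue
        for service in _as_list(principal.get("Service")):
            if service not in allowed_services:
                findings.append("unexpected service principal %s" % service)
        # Any non-service principal (AWS account/role ARN, Federated, ...)
        # means something other than the Lambda service can assume the role.
        for key, value in principal.items():
            if key != "Service":
                findings.append("non-service principal type %s: %s" % (key, value))
        # A role assumed by a service needs only sts:AssumeRole.
        for action in sorted(actions - {"sts:AssumeRole"}):
            findings.append("unexpected action %s" % action)
    return findings


def check_template(template, allowed_services=EXPECTED_SERVICES):
    """Map each AWS::Serverless::Function logical id to its trust findings.

    Functions without an explicit AssumeRolePolicyDocument are skipped; for
    those SAM generates its default Lambda trust policy itself.
    """
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Serverless::Function":
            continue
        doc = resource.get("Properties", {}).get("AssumeRolePolicyDocument")
        if doc is not None:
            results[logical_id] = check_trust_policy(doc, allowed_services)
    return results


# Constructed sample template (JSON form of a SAM template), mirroring the
# PR's "After" example plus one deliberately over-trusting function.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "EdgeFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Handler": "index.handler",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]},
            "Action": "sts:AssumeRole"
          }]
        }
      }
    },
    "OverTrustingFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {
        "Handler": "index.handler",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
        }
      }
    },
    "PlainFunction": {
      "Type": "AWS::Serverless::Function",
      "Properties": {"Handler": "index.handler"}
    }
  }
}
""")

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(name, "OK" if not findings else findings)
```

Run it against a real template by replacing SAMPLE_TEMPLATE with the parsed file; the EdgeFunction entry comes back clean, the OverTrustingFunction entry reports the `AWS: *` principal, and PlainFunction is absent because SAM builds its trust policy itself.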

@timoschilling timoschilling force-pushed the add-assume_role_policy_document-property branch 2 times, most recently from d0502af to 6716486 Compare December 9, 2019 23:50
@timoschilling timoschilling changed the title add AssumeRolePolicyDocument to AWS::Serverless::Function feat: add AssumeRolePolicyDocument to AWS::Serverless::Function Dec 9, 2019
@ShreyaGangishetty ShreyaGangishetty self-requested a review December 10, 2019 18:05
@ShreyaGangishetty ShreyaGangishetty self-assigned this Dec 10, 2019
@codecov-io commented Dec 10, 2019

Codecov Report

Merging #1311 into develop will decrease coverage by 0.02%.
The diff coverage is 100%.


@@             Coverage Diff             @@
##           develop    #1311      +/-   ##
===========================================
- Coverage    94.44%   94.41%   -0.03%     
===========================================
  Files           78       78              
  Lines         4353     4388      +35     
  Branches       860      871      +11     
===========================================
+ Hits          4111     4143      +32     
- Misses         115      116       +1     
- Partials       127      129       +2
Impacted Files                                   Coverage Δ
samtranslator/plugins/globals/globals.py         99.05% <ø> (ø) ⬆️
samtranslator/model/sam_resources.py             95.12% <100%> (+0.02%) ⬆️
samtranslator/model/api/api_generator.py         95.13% <0%> (-0.09%) ⬇️
samtranslator/model/eventsources/push.py         90.53% <0%> (-0.04%) ⬇️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a062026...d7f8589.

@timoschilling timoschilling force-pushed the add-assume_role_policy_document-property branch from c230d8c to ddd533e Compare December 10, 2019 22:36
@timoschilling timoschilling force-pushed the add-assume_role_policy_document-property branch from ddd533e to a3743f4 Compare December 10, 2019 22:38
@timoschilling (Contributor, Author)

@praneetap @ShreyaGangishetty any updates on this PR?

@ShreyaGangishetty

@timoschilling Thank you for your contribution! This PR looks good to me

@ShreyaGangishetty ShreyaGangishetty merged commit ebd10d3 into aws:develop Dec 20, 2019
@timoschilling timoschilling deleted the add-assume_role_policy_document-property branch December 20, 2019 00:43
@jplock commented Jan 22, 2020

With this change, does the Lambda@Edge function still have access to write to CloudWatch logs, which previously was part of arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole?

@jplock commented Jan 22, 2020

Is AssumeRolePolicyDocument supported in Globals? Based on the code changes, it looks like it should, but when trying to publish I'm getting:

Publish Failed
Error: Invalid Serverless Application Specification document. Number of errors found: 1. Errors: 'Globals' section is invalid. 'AssumeRolePolicyDocument' is not a supported property of 'Function'. Must be one of the following values - ['Handler', 'Runtime', 'CodeUri', 'DeadLetterQueue', 'Description', 'MemorySize', 'Timeout', 'VpcConfig', 'Environment', 'Tags', 'Tracing', 'KmsKeyArn', 'AutoPublishAlias', 'Layers', 'DeploymentPreference', 'PermissionsBoundary', 'ReservedConcurrentExecutions', 'ProvisionedConcurrencyConfig']
Please follow the instructions in https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-template-publishing-applications.html
