Hi @sanathkr,
The spec says that Policies can be a string | List of string equal to Names of AWS managed IAM policies. Are there any plans to enable reuse of existing customer-managed policies in SAM templates?
Thanks
EDIT: Please ignore my earlier use case for this regarding separation of concerns. It looks like that's better addressed by Approvals in CodePipeline. I'm keeping this question open now just out of curiosity.
You can set Policies to be your IAM Managed Policy ARN. It will work even if the ARN points to a custom managed policy. I guess this needs an example and clarification in the spec
Thanks, in my tests these policies did not work! I.e. I created them in another template and passed their names as parameters to a SAM template, then referenced these parameters in 'Policies'. The roles created by SAM appear to ignore these, and only attach AWSLambdaBasicExecutionRole and no inline policies, which is why I'm interested if that is supported.
@dinvlad would you mind sharing the template you're trying to work on?
I've just locally modified and re-run the encryption proxy example adding a custom IAM policy and it worked just fine for me -- IAM Role sample below:
EncryptionServiceIAMRole:
  Type: "AWS::IAM::Role"
  Properties:
    Path: "/"
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      - "arn:aws:iam::<account_number>:policy/PHD-FullAccess-WideOrg" # customer managed policy
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Sid: "AllowLambdaServiceToAssumeRole"
          Effect: "Allow"
          Action:
            - "sts:AssumeRole"
          Principal:
            Service:
              - "lambda.amazonaws.com"
After deployment, I ran the following command to confirm that policy got attached to this Role:
$ aws iam list-attached-role-policies --role-name "encryption-proxy-IAM-EncryptionServiceIAMRole-1UN7Z5T13JN9C"
{
    "AttachedPolicies": [
        {
            "PolicyName": "AWSLambdaBasicExecutionRole",
            "PolicyArn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
        },
        {
            "PolicyName": "PHD-FullAccess-WideOrg",
            "PolicyArn": "arn:aws:iam::<account_number>:policy/PHD-FullAccess-WideOrg"
        }
    ]
}
Hi @heitorlessa,
The example above is different, because it's passing a role instead of a policy. I was more interested in passing the policies directly, like so (though irl using a separate template to export policy names):
Resources:
  CustomerManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyName: CustomerManagedPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: ec2:DescribeInstances # IAM actions are written service:Action, not service.action
            Resource: '*'
  CustomerFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: handler.index
      Runtime: nodejs4.3
      Policies: CustomerManagedPolicy
Hope that makes sense.
Best
Hi,
I have a problem which seems related.
I have a first stack which contains an AWS::SNS::Topic and an AWS::IAM::ManagedPolicy.
This stack exports the ARN of both resources.
Resources:
  Topic:
    Type: AWS::SNS::Topic
  Policy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: sns:Publish
            Resource: !Ref Topic
Outputs:
  TopicARN:
    Value: !Ref Topic
    Export:
      Name: TopicARN
  PolicyARN:
    Value: !Ref Policy
    Export:
      Name: TopicPolicyARN
And the second stack contains an AWS::Serverless::Function.
Resources:
  Function:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python2.7
      CodeUri: lambda.zip
      Handler: lambda.handler
      Policies: !ImportValue TopicPolicyARN
When I deploy this stack, no error, but the policy is not appended to the default created role.
But if I manually put an ARN, it works.
+1, that's how I was trying to do it in a real scenario. Though shouldn't it be policy Name instead of ARN (according to the spec)?
@dinvlad You can use the custom policy name in here. IAM wants managed policy's ARN. SAM tries to convert AWS managed policy names to ARNs, but it doesn't know about your custom policies. When #22 is fixed, you can do something like Policies: !GetAtt YourManagedPolicy.Arn.
@chtison Again, due to #22 !ImportValue will not work.
Sorry for the problems. We are working on getting #22 done which will unblock a lot of use cases. Hang on tight until then :-)
Got it, sounds good, thanks! Closing in favor of #22
Now that #22 is completed, is this issue still valid? I've tried using !Sub MyManagedPolicy.Arn and !Sub MyManagedPolicy.ManagedPolicyName and neither seems to be working. The stack creation succeeds, but the generated lambda role doesn't have MyManagedPolicy attached.
@seanmcro I am not understanding what you are asking.
Can you add snippets of your template?
Sure. Based on @sanathkr's response above, I expected the following to work (but it doesn't):
Resources:
  MyManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: MyManagedPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: s3:*
            Resource:
              - Fn::Sub: "${MyS3Bucket.Arn}"
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: <<handler>>
      Runtime: <<runtime>>
      Policies:
        - AWSLambdaExecute
        - Fn::Sub: "${MyManagedPolicy.Arn}"
I expected the IAM role generated by SAM for MyFunction to have both of the above managed policies attached to it (i.e. AWSLambdaExecute and MyManagedPolicy), but the role only has AWSLambdaExecute attached. What's even more confusing is that SAM processes the template without emitting an error, so I thought it succeeded...only to go in later to the IAM console and find that MyManagedPolicy wasn't attached to the role.
following template works for me:
Resources:
  MyManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: MyManagedPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: s3:*
            Resource: '*' # quoted: a bare * is a YAML alias marker, not the string "*"
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: <<handler>>
      Runtime: <<runtime>>
      Policies:
        - AWSLambdaExecute
        - !Ref MyManagedPolicy
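The failure mode in this thread is silent: the stack deploys cleanly while the customer managed policy never reaches the role SAM generated, so the only reliable signal is the post-deploy check @heitorlessa ran with the CLI. Below is that check as a small script (an added example, not code from SAM or from anyone in the thread); it assumes only an object exposing IAM's list_attached_role_policies (a boto3 IAM client in real use, a constructed fake here so it runs offline), the role name SAM generated, and a placeholder account id in the expected ARN.

```python
"""Verify that every managed policy a SAM function expects is actually
attached to its generated role. Catches the silent drop discussed above."""
from __future__ import annotations

from typing import Iterable

AWS_LAMBDA_EXECUTE = "arn:aws:iam::aws:policy/AWSLambdaExecute"


def attached_policy_arns(iam, role_name: str) -> set[str]:
    """Collect attached managed-policy ARNs, following IAM's Marker pagination."""
    arns: set[str] = set()
    kwargs = {"RoleName": role_name}
    while True:
        page = iam.list_attached_role_policies(**kwargs)
        arns.update(p["PolicyArn"] for p in page.get("AttachedPolicies", []))
        if not page.get("IsTruncated"):
            return arns
        kwargs["Marker"] = page["Marker"]


def missing_policies(iam, role_name: str, expected: Iterable[str]) -> set[str]:
    """Expected ARNs that are NOT attached; an empty set means the role is complete."""
    return set(expected) - attached_policy_arns(iam, role_name)


class FakeIam:
    """Constructed stand-in for boto3's IAM client, returning one policy per
    page so the pagination loop above is exercised offline."""

    def __init__(self, attached: list[str]):
        self._attached = attached

    def list_attached_role_policies(self, RoleName: str, Marker: str = "0"):
        i = int(Marker)
        items = self._attached[i:i + 1]
        page = {
            "AttachedPolicies": [{"PolicyName": a.rsplit("/", 1)[-1], "PolicyArn": a} for a in items],
            "IsTruncated": i + 1 < len(self._attached),
        }
        if page["IsTruncated"]:
            page["Marker"] = str(i + 1)
        return page


if __name__ == "__main__":
    # Placeholder account id and role name; in practice: iam = boto3.client("iam")
    custom = "arn:aws:iam::123456789012:policy/MyManagedPolicy"
    iam = FakeIam([AWS_LAMBDA_EXECUTE])  # mirrors the thread: custom policy silently dropped
    gap = missing_policies(iam, "MyFunctionRole-PLACEHOLDER", [AWS_LAMBDA_EXECUTE, custom])
    print("missing:", sorted(gap) or "none")
```

Run it against the real client right after `aws cloudformation deploy` and fail the pipeline when the returned set is non-empty; a passing stack creation alone proves nothing here.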