Hello.
In my SAM template I add a policy to access DynamoDB:

```yaml
Properties:
  Handler: index.get
  Policies: AmazonDynamoDBFullAccess
```
After deployment I see no updates to the Lambda role, and the Lambda role doesn't get access to DynamoDB.
If I look at the stack change set I see no policy/role resources updated or created.
Am I doing anything wrong?
No, this should work out of the box. Can you paste the entire Function resource?
It's pretty much like the initial one from CodeStar, with the permission added:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform:
  - AWS::Serverless-2016-10-31
  - AWS::CodeStar
Parameters:
  ProjectId:
    Type: String
    Description: AWS CodeStar projectID used to associate new resources to team members
Resources:
  GetHelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.get
      Runtime: nodejs4.3
      Policies: AmazonDynamoDBFullAccess
      Role:
        Fn::ImportValue:
          !Join ['-', [!Ref 'ProjectId', !Ref 'AWS::Region', 'LambdaTrustRole']]
      Events:
        GetEvent:
          Type: Api
          Properties:
            Path: /
            Method: get
```
@sanathkr I didn't change much after creating the CodeStar project for Lambda.
Just added a policy to access DynamoDB.
DynamoDB and the tables existed before the project was started; however, I don't think that can affect the policy.
@sanathkr should I detect changes to the policy in the CloudFormation ChangeSet?
@quarryman This is because you are specifying both a Role and the Policies. If you look at the docs, specifically the description of Policies, it reads: "Names of AWS managed IAM policies or IAM policy documents or SAM Policy Templates that this function needs, which should be appended to the default role for this function. If the Role property is set, this property has no meaning." SAM does not edit any CloudFormation-specific resources; we will only edit, mutate, or modify resources that SAM creates.
The two options here are
Unless you have a very specific use case and need to attach your own Role, my recommendation is to allow SAM to generate the Role for you. This will allow SAM to append other policies to the role as well. For example, if you needed to configure a DLQ, SAM would append the correct scoped permissions to the Role for you, but only if you allow SAM to generate it.
@sanathkr I think we should fail on these cases going forward. I have seen this a couple times now and while it is documented, I do not think the experience is very clear.
@quarryman So I was unaware that you need to define a Role explicitly for CodeStar. Since you are using CodeStar, the only option is to manage the Role yourself. This is due to CodeStar not being able to create IAM Roles.
Marking this as a bug though. We should be failing if both Role and Policies are being used in the same template.
@jfuss thanks for your reply first of all.
Let me clarify the source of the misunderstanding and a possible point of docs improvement.
The docs say:

> should be appended to the default role for this function

The Role CodeStar specifies by default can easily be considered the 'default Role', as I neither defined it nor added it to the template as the Lambda Execution Role. It was just there after the initial project setup.
It looks much like a default Role, especially when its name is not explicitly defined in SAM.
Given that fact, it's not clear what the Lambda default role is if it's not the one defined by CodeStar.
I would expect others to consider the Role created by CodeStar the default one, which is a mistake.
And most importantly, why can I not use the Lambda default Role that SAM will manage for me, if that's exactly what I want?
@jfuss now that you have posted your last comment, I want to ask: what prevents me from defining policies and letting SAM manage my Lambda role when I come from CodeStar?
Maybe a better question would be: can I allow SAM to manage the Lambda Role for me if I come from CodeStar?
@quarryman Because SAM only manages the Role it creates (which is referred to as the 'default Role'). You are specifying the Role explicitly, which means you must manage all the permissions. CodeStar does not allow IAM Role creation and will fail stack creation for this reason, so this is why you have to define a Role and manage all the permissions (this is a limitation on CodeStar itself).
SAM is not creating a Role, you are (or in this case CodeStar). If you specify a Role in the template, SAM will not manage it.
@jfuss If I remove the Role from the SAM template, will SAM create a default role for me instead of the one I removed?
So am I simply able to remove the CodeStar-created role and let SAM create one for me?
@quarryman You are using CodeStar, so you cannot remove the Role because CodeStar will fail to update the stack because you will be creating a Role then. Again, this is a limitation on CodeStar.
@jfuss I got it.
One question I am not sure about yet.
Is it ok to update the Role created by CodeStar manually? Is there a chance CodeStar doesn't know anything about my updates to the role and someday it will update the Role to its initial state, as CodeStar is capable of managing it, not me?
@quarryman I would take a look at the documentation for CodeStar.
To my knowledge, CodeStar doesn't manage Roles and the only way to achieve what you want is by modifying the Role. So my guess is that you editing the Role is fine, but again I would read up on CodeStar's documentation to see what they recommend doing for this.
@jfuss @sanathkr there seems to be a problem with updating the Role created by CodeStar manually.
The CodeStar docs page says:

> you may want to change the IAM role that AWS CodeStar created. However, note that this is not supported. This is because AWS CodeStar may remove your IAM role changes whenever it performs regular update checks on the project.

Now it looks like if you are starting a Lambda project with CodeStar, SAM cannot update the role automatically for you, as you mentioned in this thread, and CodeStar doesn't allow updating its roles manually as it might remove manual changes.
It seems I can neither manage the Lambda execution role with SAM nor do it manually, so what's the solution to this situation then?
I was having the same issue - I modified a default CodeStar project using Node/Lambda, but I could not get the Lambda function to access my DynamoDB table. I was able to fix the permission problem by adding the following line to the LambdaExecutionRole in the template.yml file.
```yaml
- arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
```

Below is this section of the template.yml file with the line above inserted. This fixed my permission problem and allowed my Lambda function to access my DynamoDB table.

```yaml
LambdaExecutionRole:
  Description: Creating service role in IAM for AWS Lambda
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub 'CodeStar-${ProjectId}-Execution${Stage}'
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [lambda.amazonaws.com]
          Action: sts:AssumeRole
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      - arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
    PermissionsBoundary: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/CodeStar_${ProjectId}_PermissionsBoundary'
```
If you're using CodeStar, you need to define your own role and give it the necessary permissions; this seems to be a limitation on CodeStar. Otherwise, you don't need to define your own role and SAM will create a role for you and add the permissions you specify in the Policies property.
We can't fix this for two reasons:
Role property, nothing is given in the Policies property, and
@keetonian To be clear, can we still manage roles/policies in SAM, or must this be done manually?
Do I need to define new roles in my SAM template? Or do I need to define new roles in the console?
@djacques7188 you can define an AWS::IAM::Role in the SAM template and pass its ARN to the Role property of the AWS::Serverless::Function. In this case SAM will not create any additional permissions, because the Role property is defined.
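A least-privilege version of what @keetonian describes, added here as an example and not code from this thread or from the SAM project: the role is declared in the same SAM template and passed to the function through `Role`, with an inline policy scoped to one table instead of AmazonDynamoDBFullAccess. The `TableName` parameter, the role and function names, and the `nodejs18.x` runtime are assumptions; in a CodeStar project the role would additionally keep the `RoleName` and `PermissionsBoundary` shown in the template.yml excerpt above.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: AWS::Serverless-2016-10-31
Parameters:
  TableName:
    Type: String   # pre-existing DynamoDB table the function needs (assumed name)
Resources:
  # Because Role is set on the function below, SAM appends nothing to this
  # role: every permission the function needs must be listed here, and the
  # function's own Policies property would be ignored.
  GetHelloWorldRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # CloudWatch Logs only, same ARN the CodeStar template uses above
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        # Scoped inline policy in place of AmazonDynamoDBFullAccess:
        # item read/write on one table and its indexes, nothing else.
        - PolicyName: ScopedDynamoDBAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                  - dynamodb:UpdateItem
                  - dynamodb:Query
                Resource:
                  - !Sub 'arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}'
                  - !Sub 'arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${TableName}/index/*'
  GetHelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.get
      Runtime: nodejs18.x
      Role: !GetAtt GetHelloWorldRole.Arn   # explicit role: do not also set Policies here
      Events:
        GetEvent:
          Type: Api
          Properties:
            Path: /
            Method: get
```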