Serverless: iamRoleStatement property not being used when function invoked by dynamodb stream

Created on 16 Oct 2017  路  1Comment  路  Source: serverless/serverless

This is a Bug Report

What went wrong?

Adding an additional permission ("dynamodb:UpdateItem") in the iamRoleStatement property of the serverless.yml does not get respected. Only the stream-related permissions are added.

What did you expect should have happened?

Should be able to add whatever dynamodb permissions I want when deploying a function which is invoked by a dynamodb stream

What was the config you used?

service: calculate-match-score

provider:
  name: aws
  runtime: python3.6
  stage: dev
  region: eu-west-1
  iamRoleStatement:
    - Effect: Allow
      Action:
        - "dynamodb:DescribeStream"
        - "dynamodb:GetRecords"
        - "dynamodb:GetShardIterator"
        - "dynamodb:ListStreams"
        - "dynamodb:UpdateItem"
      Resource: "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.DYNAMODB_MATCH_SCORES_TABLE_NAME}"

  environment:
    DYNAMODB_MATCH_SCORES_TABLE_NAME: match-scores-${opt:stage, self:provider.stage}

functions:
  calculate-match-score:
    handler: handler.calculateMatchScore
    events:
      - stream: <redacted stream arn>
    tags:
      process: match-scores

What stacktrace or error message from your provider did you see?

N/A

Additional Data

The resulting Role policy which is given to the lambda function:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogStream"
            ],
            "Resource": [
                <redacted arn>
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:PutLogEvents"
            ],
            "Resource": [
                <redacted arn>
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "dynamodb:GetRecords",
                "dynamodb:GetShardIterator",
                "dynamodb:DescribeStream",
                "dynamodb:ListStreams"
            ],
            "Resource": [
                <redacted arn>
            ],
            "Effect": "Allow"
        }
    ]
}

The additional expected permissions which I would like which are missing:

       {
            "Action": [
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                <redacted arn>
            ],
            "Effect": "Allow"
        }

  • Serverless Framework Version you're using:
    1.23.0

  • Operating System:
    Ubuntu 16.04

  • Stack Trace:

  • Provider Error messages:

help wanted question
Source
picture cdimitroulas

Most helpful comment

nevermind... turns out it was a simple typo. I had written iamRoleStatement (singular) instead of iamRoleStatements (plural)

...doh!

picture cdimitroulas on 16 Oct 2017
👍2 😄1

>All comments

nevermind... turns out it was a simple typo. I had written iamRoleStatement (singular) instead of iamRoleStatements (plural)

...doh!

cdimitroulas picture cdimitroulas on 16 Oct 2017
👍2 😄1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

brianneisler picture brianneisler  路  3Comments
rdehnhardt picture rdehnhardt  路  3Comments
gandhi-jay picture gandhi-jay  路  3Comments
BarakChamo picture BarakChamo  路  3Comments
bradgreens picture bradgreens  路  3Comments