Here, we will create an IAM role in the SAM template and attach it to Lambda functions.
How to create a generic role:
The type AWS::IAM::Role is used to define a role in a SAM/CloudFormation template; a role typically contains IAM policies. An IAM policy can be an AWS managed policy, such as AmazonSQSFullAccess or AmazonS3FullAccess, or a user-defined policy, which is mostly used for business-specific permissions.
Resources:
  GenericLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaRole'
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'
        - 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonSQSFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - 'lambda.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: 'SecretsManagerParameterAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ssm:GetParam*
                  - ssm:DescribeParam*
                Resource:
                  # every parameter in every region and account of the partition;
                  # narrow the path (e.g. parameter/myapp/*) for least privilege
                  - arn:aws:ssm:*:*:parameter/*
The role above has six AWS managed policies and one user-defined policy, SecretsManagerParameterAccess. It can now be attached to any number of Lambda functions. Let's attach this role to a Lambda function.
A role can have up to 10 managed policies attached; if you exceed that, you may get an error like
Can not exceed quota for PoliciesPerRole: 10
in which case you may need to contact AWS support to increase the quota.
Attach Policy to Lambda Function:
As we saw in the earlier example, a Lambda function is attached to a role using the Role attribute.
Resources:
  SampleLambda:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: sample-lambda-function
      Description: sample lambda
      Role: !GetAtt GenericLambdaRole.Arn
      Handler: src.handle
Complete YAML file:
template.yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Sample SAM Template
Resources:
  SampleLambda:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: sample-lambda-function
      Description: sample lambda
      Role: !GetAtt GenericLambdaRole.Arn
      Handler: src.handle
      # Runtime and CodeUri are required by SAM for a zip-packaged function;
      # a Python runtime with the code in the template directory is assumed here.
      Runtime: python3.12
      CodeUri: .
  SampleLambda2:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: sample2-lambda-function
      Description: sample2 lambda
      Role: !GetAtt GenericLambdaRole.Arn
      Handler: src.handle2
      Runtime: python3.12
      CodeUri: .
  GenericLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaRole'
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'
        - 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonSQSFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - 'lambda.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: 'SecretsManagerParameterAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ssm:GetParam*
                  - ssm:DescribeParam*
                Resource:
                  - arn:aws:ssm:*:*:parameter/*
              # Secrets Manager and KMS calls are authorised against secret and key
              # ARNs, so listing them against the SSM parameter ARN would never match.
              # Reading a secret is secretsmanager:GetSecretValue (there is no
              # kms:GetSecretValue action). Replace the placeholder ARNs with the
              # secret and the key that encrypts it.
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource:
                  - arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:SECRET_NAME-*  # placeholder
              - Effect: Allow
                Action:
                  - kms:Decrypt
                Resource:
                  - arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID  # placeholder
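A shared role carrying several FullAccess managed policies, as in the template above, gives every function attached to it far more than any one of them needs, and a statement that lists kms actions against an ssm ARN grants nothing at all. The following added example (not code from the original post) is a small least-privilege lint that walks every AWS::IAM::Role in a CloudFormation/SAM template and reports exactly those problems. The template is supplied as the JSON-equivalent Python dict, so no YAML library is needed; the role under test is the post's GenericLambdaRole, and the scoped-down role next to it, including its account id, region, parameter path, secret name and key id, is a constructed placeholder for comparison.

```python
"""Least-privilege lint for AWS::IAM::Role resources in a CloudFormation/SAM template.
Reports *FullAccess managed policies, wildcard actions or resources, and actions whose
Resource ARNs belong to another service (a silent no-op rather than a grant)."""

# Constructed inline: the post's GenericLambdaRole in JSON-template form
# (AssumeRolePolicyDocument omitted; it plays no part in the checks below).
GENERIC_ROLE_TEMPLATE = {"Resources": {"GenericLambdaRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/service-role/AWSLambdaRole",
            "arn:aws:iam::aws:policy/AWSLambdaExecute",
            "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
            "arn:aws:iam::aws:policy/AmazonSQSFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3FullAccess",
            "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess",
        ],
        "Policies": [{
            "PolicyName": "SecretsManagerParameterAccess",
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow",
                "Action": ["ssm:GetParam*", "ssm:DescribeParam*",
                           "kms:GetSecretValue", "kms:Decrypt"],
                "Resource": ["arn:aws:ssm:*:*:parameter/*"],
            }]},
        }],
    },
}}}

# Constructed inline: a scoped-down role for comparison. Account id, region,
# parameter path, secret name and key id are hypothetical placeholders.
SCOPED_ROLE_TEMPLATE = {"Resources": {"ScopedLambdaRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
        ],
        "Policies": [{
            "PolicyName": "AppParameterAndSecretRead",
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:GetParameters"],
                 "Resource": "arn:aws:ssm:us-east-1:111122223333:parameter/myapp/*"},
                {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                 "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:myapp/db-*"},
                {"Effect": "Allow", "Action": "kms:Decrypt",
                 "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
            ]},
        }],
    },
}}}


def _as_list(value) -> list[str]:
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def arn_service(arn: str) -> str:
    """Service field of an ARN ('ssm' for 'arn:aws:ssm:...'); a bare '*' stays '*'."""
    if arn == "*":
        return "*"
    parts = arn.split(":")
    return parts[2] if len(parts) > 2 else ""


def lint_role(name: str, role: dict) -> list[str]:
    """Findings for one AWS::IAM::Role resource; an empty list means nothing to report."""
    findings = []
    props = role.get("Properties", {})
    for arn in props.get("ManagedPolicyArns", []):
        if arn.endswith("FullAccess"):
            findings.append(f"{name}: {arn.rsplit('/', 1)[-1]} grants full access to a whole service")
    for policy in props.get("Policies", []):
        pname = policy.get("PolicyName", "<unnamed>")
        for stmt in policy.get("PolicyDocument", {}).get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue  # Deny statements only narrow access
            resources = _as_list(stmt.get("Resource"))
            services = {arn_service(r) for r in resources}
            if "*" in resources:
                findings.append(f"{name}/{pname}: Resource '*' is unscoped")
            for action in _as_list(stmt.get("Action")):
                if action == "*" or action.endswith(":*"):
                    findings.append(f"{name}/{pname}: wildcard action {action}")
                svc = action.split(":")[0]
                # An action only matches requests on its own service's ARNs, so a
                # kms action listed against an ssm ARN can never be authorised.
                if svc != "*" and "*" not in services and svc not in services:
                    findings.append(f"{name}/{pname}: {action} has no {svc} resource in its "
                                    f"statement, so it grants nothing; give it its own {svc} ARN")
    return findings


def lint_template(template: dict) -> list[str]:
    """Lint every IAM role in a template, in resource order."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::IAM::Role":
            findings.extend(lint_role(name, res))
    return findings
```

Run `lint_template(GENERIC_ROLE_TEMPLATE)` to get five findings (three FullAccess policies plus the two kms actions that match no resource); `lint_template(SCOPED_ROLE_TEMPLATE)` returns an empty list. The checks work on the deployed structure only and do not replace a policy simulator, but they catch the two mistakes that are easiest to ship in a "generic" role: breadth that was never intended and statements that silently do nothing.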
Done!
Happy Learning 🙂