Here, we will create an IAM role in the SAM template and attach it to lambda functions.

How to create a generic role:

The type AWS::IAM::Role is used to define a role in a SAM/CloudFormation template; a role typically contains IAM policies. An IAM policy can be an AWS managed policy, such as AmazonSQSFullAccess or AmazonS3FullAccess, or a user-defined policy, which is usually written for business-specific permissions.

Resources:
  GenericLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaRole'
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'
        - 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonSQSFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - 'lambda.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: 'SecretsManagerParameterAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ssm:GetParam*
                  - ssm:DescribeParam*
                Resource:
                  - arn:aws:ssm:*:*:parameter/*   # trailing * is required; "parameter/" alone matches no parameter

The above role has six AWS managed policies and one user-defined (inline) policy, SecretsManagerParameterAccess. It can now be attached to any number of Lambda functions. Let’s attach this role to a Lambda function.

We can attach up to 10 policies to a role. If you exceed that, deployment fails with an error like “Can not exceed quota for PoliciesPerRole: 10”; in this case you may need to contact AWS Support to increase the quota.

Attach Policy to Lambda Function:

As we have seen in the earlier example, a role is attached to a Lambda function using the Role attribute.

Resources:
  SampleLambda:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: sample-lambda-function
      Description: sample-lambda- lambda
      Role: !GetAtt GenericLambdaRole.Arn
      Handler: src.handle
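As an added example (not part of the original post), here is a small Python check that reviews the role above before it is reused across many functions: it counts the managed policies against the PoliciesPerRole quota, lists the attached AWS managed *FullAccess policies, flags inline statements with wildcard resources, and reports which functions share the role. The template is embedded inline as a Python dict in CloudFormation's JSON form (so no YAML parser is needed); the dict, the quota value and the FullAccess heuristic are the example's own assumptions.

```python
# Added example: static review of the GenericLambdaRole above (constructed dict, no PyYAML).
POLICIES_PER_ROLE_QUOTA = 10  # default IAM quota for managed policies attached to one role

GETATT_ROLE = {"Fn::GetAtt": ["GenericLambdaRole", "Arn"]}  # JSON form of !GetAtt GenericLambdaRole.Arn
TEMPLATE = {"Resources": {  # constructed from the SAM template on this page
    "SampleLambda": {"Type": "AWS::Serverless::Function", "Properties": {"Role": GETATT_ROLE}},
    "SampleLambda2": {"Type": "AWS::Serverless::Function", "Properties": {"Role": GETATT_ROLE}},
    "GenericLambdaRole": {"Type": "AWS::IAM::Role", "Properties": {
        "ManagedPolicyArns": [
            "arn:aws:iam::aws:policy/service-role/AWSLambdaRole",
            "arn:aws:iam::aws:policy/AWSLambdaExecute",
            "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
            "arn:aws:iam::aws:policy/AmazonSQSFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3FullAccess",
            "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"],
        "Policies": [{"PolicyName": "SecretsManagerParameterAccess", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                "Action": ["ssm:GetParam*", "ssm:DescribeParam*"],
                "Resource": ["arn:aws:ssm:*:*:parameter/*"]}]}}]}}}}


def functions_using_role(template, role_name):
    """Logical IDs of functions whose Role is Fn::GetAtt [role_name, Arn]."""
    hits = []
    for logical_id, res in template["Resources"].items():
        role = res.get("Properties", {}).get("Role")
        if isinstance(role, dict) and role.get("Fn::GetAtt", [None])[0] == role_name:
            hits.append(logical_id)
    return hits


def check_role(template, role_name):
    """Return (severity, message) findings: quota overrun, broad grants, role sharing."""
    props = template["Resources"][role_name]["Properties"]
    findings = []
    managed = props.get("ManagedPolicyArns", [])
    if len(managed) > POLICIES_PER_ROLE_QUOTA:  # this is what the deploy-time error reports
        findings.append(("error", f"{len(managed)} managed policies exceed PoliciesPerRole quota"))
    for arn in managed:  # AWS managed *FullAccess policies allow every action of that service
        if arn.endswith("FullAccess"):
            findings.append(("warn", "broad managed policy " + arn.rsplit("/", 1)[1]))
    for pol in props.get("Policies", []):
        for stmt in pol["PolicyDocument"]["Statement"]:
            for res in (stmt.get("Resource", []) if stmt.get("Effect") == "Allow" else []):
                if "*" in res:  # e.g. parameter/* lets the role read every SSM parameter
                    findings.append(("warn", f"{pol['PolicyName']}: wildcard resource {res}"))
    users = functions_using_role(template, role_name)
    if len(users) > 1:  # a shared role gives each function the union of every grant
        findings.append(("info", f"role shared by {len(users)} functions: {', '.join(users)}"))
    return findings
```

Running check_role(TEMPLATE, "GenericLambdaRole") on the page's role returns three FullAccess warnings, one wildcard-resource warning and a note that two functions share the role.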

Complete YAML file:

template.yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: >
  Sample SAM Template

Resources:
  SampleLambda:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: sample-lambda-function
      Description: sample-lambda- lambda
      Role: !GetAtt GenericLambdaRole.Arn
      Handler: src.handle
      # Runtime and CodeUri (or a Globals section that supplies them) are also
      # required for a deployable function; they are omitted in this example

  SampleLambda2:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: sample2-lambda-function
      Description: sample2-lambda- lambda
      Role: !GetAtt GenericLambdaRole.Arn
      Handler: src.handle2

  GenericLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaRole'
        - 'arn:aws:iam::aws:policy/AWSLambdaExecute'
        - 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/AmazonSQSFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess'
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - 'lambda.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: 'SecretsManagerParameterAccess'
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - ssm:GetParam*
                  - ssm:DescribeParam*
                  # GetSecretValue is a Secrets Manager action, not a KMS one. It and
                  # kms:Decrypt only take effect once the secret ARN / KMS key ARN is
                  # also listed under Resource; this statement covers SSM parameters only
                  - secretsmanager:GetSecretValue
                  - kms:Decrypt
                Resource:
                  - arn:aws:ssm:*:*:parameter/*

Done!

Happy Learning 🙂