
Overrides iamManagedPolicies even with iamRoleStatementsInherit flag #86

Open
arvurb opened this issue Jul 1, 2021 · 4 comments

@arvurb

arvurb commented Jul 1, 2021

I'm trying to enable Lambda Insights. Insights needs CloudWatchLambdaInsightsExecutionRolePolicy, but it gets overridden even with the iamRoleStatementsInherit flag. defaultInherit does not work either.

....
provider: {
    name: 'aws',
    runtime: 'nodejs12.x',
    region: 'eu-west-2',
    iamManagedPolicies: ["arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"],
  },
  functions: {
    getSessions: {
      handler: 'build/getSessions.handler',
      timeout: 15,
      package: {
        include: ['build/getSessions*'],
      },
      events: [
        {
          httpApi: {
            method: 'get',
            path: '/sessions',
            authorizer: {
              name: 'customAuthorizer'
            },
          },
        },
      ],
      iamRoleStatementsInherit: true,
      iamRoleStatements: [
        {
          Effect: 'Allow',
          Action: ['ssm:GetParameters*'],
          Resource: {
            "Fn::Sub":'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${self:custom.stage}/*'
          }
        },
        {
          Effect: 'Allow',
          Action: ['kms:Decrypt'],
          Resource: {
            "Fn::Sub":'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/CMK'
          }
        },
      ],

      layers: [
        `arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsightsExtension:14`
      ]
    },
@Enase
Collaborator

Enase commented Jul 1, 2021

@arvurb Looks like you are trying to use a deprecated serverless.yml notation that might not be supported.

see: https://www.serverless.com/framework/docs/deprecations#grouping-iam-settings-under-provideriam

@arvurb
Author

arvurb commented Jul 2, 2021

@Enase Thanks! I changed policy settings as advised and still get the same behavior.

...
provider: {
    name: 'aws',
    runtime: 'nodejs12.x',
    region: 'eu-west-2',
    iam: {
      role: {
        managedPolicies: ["arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"]
      }
    }

I can confirm that managedPolicies are defined correctly, because I can see them in AWS when I remove iamRoleStatements from my code. When I put it back again, I can only see what was defined in iamRoleStatements. Adding the inherit flags did not work.

@Enase
Collaborator

Enase commented Jul 2, 2021

@arvurb It's a bug; you can create a patch from this code block or wait for the PR.

@stephenbawks

Ran into this issue myself this morning. Using the managed policies in the provider.iam block does not inherit down to the function.
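Added example, not the plugin's own code and not posted by anyone in this thread: a small model of how a per-function IAM role gets assembled from provider-level IAM settings plus a function's iamRoleStatements. It reproduces the symptom described above (provider managedPolicies vanish as soon as the function gets its own role, even with iamRoleStatementsInherit or defaultInherit set), shows the merge a corrected builder needs, and adds a check that fails when a function shipping the LambdaInsightsExtension layer ends up without CloudWatchLambdaInsightsExecutionRolePolicy. The function names, the SAMPLE_SERVICE object and the "dropping" builder are hypothetical illustrations; the ARNs and config keys are the ones used in the thread, and the reader of the deprecated provider.iamManagedPolicies layout is included only to show that the notation change alone does not explain the loss.

```javascript
// Added illustration for issue #86 (hypothetical model, not serverless-iam-roles-per-function code).

const INSIGHTS_POLICY =
  'arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy';

// Read provider-level IAM settings. Prefers the current provider.iam.role.* layout
// and falls back to the deprecated provider.iamManagedPolicies /
// provider.iamRoleStatements keys mentioned in the deprecation notice above.
function providerIam(provider) {
  const role = (provider.iam && provider.iam.role) || {};
  return {
    managedPolicies: role.managedPolicies || provider.iamManagedPolicies || [],
    statements: role.statements || provider.iamRoleStatements || [],
  };
}

// A function inherits when it sets iamRoleStatementsInherit itself, otherwise when
// custom['serverless-iam-roles-per-function'].defaultInherit is true.
function shouldInherit(fn, custom) {
  if (typeof fn.iamRoleStatementsInherit === 'boolean') return fn.iamRoleStatementsInherit;
  const plugin = (custom && custom['serverless-iam-roles-per-function']) || {};
  return plugin.defaultInherit === true;
}

function dedupe(items) {
  return [...new Set(items)];
}

// Builder that behaves like the symptom in the thread: provider statements are
// copied across on inherit, but the role's ManagedPolicyArns start from empty.
function buildRoleDroppingManagedPolicies(service, fnName) {
  const fn = service.functions[fnName];
  const inherit = shouldInherit(fn, service.custom);
  const base = providerIam(service.provider);
  const own = fn.iamRoleStatements || [];
  return {
    ManagedPolicyArns: [],
    Statement: inherit ? [...base.statements, ...own] : own,
  };
}

// Corrected builder: on inherit, carry the provider managed policies over too.
function buildRole(service, fnName) {
  const fn = service.functions[fnName];
  const inherit = shouldInherit(fn, service.custom);
  const base = providerIam(service.provider);
  const own = fn.iamRoleStatements || [];
  return {
    ManagedPolicyArns: inherit ? dedupe(base.managedPolicies) : [],
    Statement: inherit ? [...base.statements, ...own] : own,
  };
}

// Pre-deploy check: a function that attaches the Lambda Insights layer must end up
// with the Insights execution policy on whatever role the builder produced.
function insightsPolicyMissing(service, fnName, build = buildRole) {
  const fn = service.functions[fnName];
  const usesInsights = (fn.layers || []).some((l) =>
    String(l).includes(':layer:LambdaInsightsExtension:'));
  const role = build(service, fnName);
  return usesInsights && !role.ManagedPolicyArns.includes(INSIGHTS_POLICY);
}

// Constructed sample mirroring the reporter's second serverless.ts fragment (trimmed).
const SAMPLE_SERVICE = {
  provider: {
    name: 'aws',
    runtime: 'nodejs12.x',
    region: 'eu-west-2',
    iam: { role: { managedPolicies: [INSIGHTS_POLICY] } },
  },
  functions: {
    getSessions: {
      handler: 'build/getSessions.handler',
      iamRoleStatementsInherit: true,
      iamRoleStatements: [
        { Effect: 'Allow', Action: ['ssm:GetParameters*'],
          Resource: { 'Fn::Sub': 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${self:custom.stage}/*' } },
        { Effect: 'Allow', Action: ['kms:Decrypt'],
          Resource: { 'Fn::Sub': 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/CMK' } },
      ],
      layers: ['arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsightsExtension:14'],
    },
  },
};

console.log('symptom  :', JSON.stringify(buildRoleDroppingManagedPolicies(SAMPLE_SERVICE, 'getSessions').ManagedPolicyArns));
console.log('corrected:', JSON.stringify(buildRole(SAMPLE_SERVICE, 'getSessions').ManagedPolicyArns));
console.log('insights policy missing (corrected builder):', insightsPolicyMissing(SAMPLE_SERVICE, 'getSessions'));
```

The check in insightsPolicyMissing is the part worth keeping around independently of the bug: run it against the synthesized CloudFormation template (or the plugin output) in CI so that a lost managed policy fails the pipeline instead of surfacing as a function that silently stops reporting Insights metrics.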
