Comments (12)
This is actually an important feature. I have just run into a problem where the default role is getting a policy that is longer than what IAM supports, and it is causing my deploy to fail even though this role serves no purpose in existing.
from serverless-iam-roles-per-function.
Just in case anyone needs to prevent the default role (IamRoleLambdaExecution) from being created by the Serverless Framework, I created this plugin which does exactly that.
When you run "sls deploy", before deploying the stack it will remove that role.
from serverless-iam-roles-per-function.
A workaround for this is to rename the default role to something shorter.

    resources:
      Resources:
        IamRoleLambdaExecution:
          Properties:
            RoleName: "my-short-role-name"

The RoleName gets merged into the IamRoleLambdaExecution resource.
from serverless-iam-roles-per-function.
Does the plugin create a default role on top of provider.iamRoleStatements? Because I have the same issue during the deploy - IamRoleLambdaExecution - <name>-dev-<region>-lambdaRole already exists, but I want to keep provider.iamRoleStatements. I am also using defaultInherit: true.
Thanks
from serverless-iam-roles-per-function.
I'm having the exact same issue as @Gerharddc :/
from serverless-iam-roles-per-function.
I'm having the exact same issue as @Gerharddc
from serverless-iam-roles-per-function.
Just an FYI, the fact that the default role still gets created is problematic for us. We do not care about the fact it is created, but the naming convention will cause namespace collisions. For our use case, we use an additional custom command line parameter to control naming (eg "--myParameter bill" to set myParameter to bill, which then adds bill to resource names).
from serverless-iam-roles-per-function.
This would be an amazing feature to have, running into the same issue as @Gerharddc
from serverless-iam-roles-per-function.
Agree, this would be a great option to have, as I had the same issue as @Gerharddc.
Using a custom role was not an option, as this plugin then does not work: it requires the default role (IamRoleLambdaExecution) to be there, as it then builds on that for each function.
A workaround that might help, and I am sure others can make this better: you can create a basic plugin to adjust the template contents before it is deployed. Example below:
- Create sub folder .serverless_plugins in your project folder (same one as where your serverless.yml will be) and create a script in this sub folder - example - reset-role-plugin.js

Example reset-role-plugin.js (note the file name will be the name of plugin in serverless.yml)

    'use strict'

    class ResetDefaultExecutionRole {
      constructor (serverless, options) {
        this.hooks = {
          'before:package:finalize': function () { resetDefaultExecRole(serverless) }
        }
      }
    }

    function resetDefaultExecRole (serverless) {
      let resourceSection = serverless.service.provider.compiledCloudFormationTemplate.Resources
      // build new policyStatement, customize this to requirements, example only
      const policyStatements = [];
      policyStatements[0] = {
        Effect: 'Allow',
        Action: ['logs:CreateLogStream', 'logs:CreateLogGroup', 'logs:PutLogEvents'],
        Resource: [
          {
            'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*:*:*'
          },
        ],
      };
      for (let key in resourceSection) {
        if (key === 'IamRoleLambdaExecution') {
          // update the IamRoleLambdaExecution role policy statements
          resourceSection[key].Properties.Policies[0].PolicyDocument.Statement = policyStatements
        }
      }
    }

    module.exports = ResetDefaultExecutionRole

- Add to your serverless.yml file:

    ...
    ...
    plugins:
      - serverless-iam-roles-per-function
      - reset-role-plugin
    ...
    ...

- Test your CloudFormation template by running "sls package ......" which just creates the files in the .serverless folder, and you can then review the CloudFormation template there and look at the IamRoleLambdaExecution role.
from serverless-iam-roles-per-function.
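The review described in the last step of the workaround above can be scripted. This is an added example, not code from the thread or from serverless-iam-roles-per-function: it takes a parsed CloudFormation template and reports the default role's inline-policy size against the IAM quota, a literal RoleName against the name-length limit, and the actions the role still grants. The function names and the sample template are constructed for illustration.

```javascript
// Added example; not code from serverless-iam-roles-per-function or the thread.
// IAM quotas: inline policies on one role total at most 10,240 characters
// (whitespace not counted); a role name is at most 64 characters.
const INLINE_POLICY_LIMIT = 10240;
const ROLE_NAME_LIMIT = 64;

function auditDefaultRole(template, logicalId = 'IamRoleLambdaExecution') {
  const role = (template.Resources || {})[logicalId];
  if (!role) return { found: false };
  const props = role.Properties || {};
  const docs = (props.Policies || []).map(p => p.PolicyDocument || {});
  const statements = docs.flatMap(d => [].concat(d.Statement || []));
  // Estimate: Fn::Sub / Fn::Join values are only resolved at deploy time.
  const policyChars = docs
    .reduce((n, d) => n + JSON.stringify(d).replace(/\s/g, '').length, 0);
  const actions = [...new Set(statements.flatMap(s => [].concat(s.Action || [])))].sort();
  // RoleName is often an intrinsic (Fn::Join); only a literal can be measured.
  const nameChars = typeof props.RoleName === 'string' ? props.RoleName.length : null;
  return {
    found: true,
    statementCount: statements.length,
    policyChars,
    overPolicyLimit: policyChars > INLINE_POLICY_LIMIT,
    roleNameTooLong: nameChars !== null && nameChars > ROLE_NAME_LIMIT,
    actions
  };
}

// Constructed sample: a default role that lists one log-group ARN per function.
function sampleTemplate(functionCount) {
  const Resource = Array.from({ length: functionCount }, (_, i) => ({
    'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}' +
      `:log-group:/aws/lambda/my-service-dev-fn${i}:*`
  }));
  const Statement = [
    { Effect: 'Allow', Action: ['logs:CreateLogStream', 'logs:PutLogEvents'], Resource }
  ];
  return { Resources: { IamRoleLambdaExecution: {
    Type: 'AWS::IAM::Role',
    Properties: {
      RoleName: 'my-short-role-name',
      Policies: [{ PolicyName: 'sample', PolicyDocument: { Version: '2012-10-17', Statement } }]
    }
  } } };
}

console.log(auditDefaultRole(sampleTemplate(200)));
```

To check a real deployment, pass in the parsed template that "sls package" writes to the .serverless folder instead of the constructed sample.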
For anybody interested in reducing the default IAM role size - check out https://github.com/shelfio/serverless-simplify-default-exec-role-plugin (kudos to @aelsnz)
from serverless-iam-roles-per-function.
Any update on this? We would really love this!
from serverless-iam-roles-per-function.
We have the same issue as Gerharddc.
It would be awesome to not use an extra plugin to delete the default role.
from serverless-iam-roles-per-function.