npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

serverless-granular-iam

v2.1.0

Published

A Serverless plugin to define IAM Role statements as part of the function definition block [serverless-iam-roles-per-function temporary fork]

Downloads

10

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

huynguyen9898huynguyen9898yasmine.abdelkefiyasmine.abdelkefiwernerdwernerdantonia.balluaisantonia.balluaisyoussef.ezzahiyoussef.ezzahiemeline75emeline75ghazicoorpacademyghazicoorpacademysilousiloucoorpadmincoorpadminesa-coorpesa-coorpadriean.khisbeadriean.khisbeadamska27adamska27audric-coorpaudric-coorpdjamelsoualmidjamelsoualmistefanocoorpstefanocoorpemoranaemoranadfazagedfazage

Keywords

awslambdaaws lambdaserverlesspolicyroleiamcustompermissionssecurity

Readme

serverless-granular-iam [Serverless IAM Roles Per Function Plugin Fork]

serverless npm package Build Status Coverage Status Dependencies Status Downloads

A Serverless plugin to easily define IAM roles per function via the use of iamRoleStatements at the function definition block.

:rotating_light: This is a fork from functionalone/serverless-granular-iam This is meant to be temporary until iamManagedPolicies are supported with #19 landing.

Installation

npm install --save-dev serverless-granular-iam

Add the plugin to serverless.yml:

plugins:
  - serverless-granular-iam

Note: Node 6.10 or higher runtime required.

Usage

Define iamRoleStatements definitions at the function level:

functions:
  func1:
    handler: handler.get
    iamRoleStatementsName: my-custom-role-name #optional custom role name setting instead of the default generated one
    iamRoleStatements:
      - Effect: "Allow"
        Action:
          - dynamodb:GetItem
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"
    ...
  func2:
    handler: handler.put
    iamRoleStatements:
      - Effect: "Allow"
        Action:
          - dynamodb:PutItem
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"
    ...

The plugin will create a dedicated role for each function that has an iamRoleStatements definition. It will include the permissions for create and write to CloudWatch logs, stream events and if VPC is defined: AWSLambdaVPCAccessExecutionRole will be included (as is done when using iamRoleStatements at the provider level).

if iamRoleStatements are not defined at the function level default behavior is maintained and the function will receive the global iam role. It is possible to define an empty iamRoleStatements for a function and then the function will receive a dedicated role with only the permissions needed for CloudWatch and (if needed) stream events and VPC. Example of defining a function with empty iamRoleStatements and configured VPC. The function will receive a custom role with CloudWatch logs permissions and the policy AWSLambdaVPCAccessExecutionRole:

functions:
  func1:
    handler: handler.get
    iamRoleStatements: []
    vpc:
      securityGroupIds:
        - sg-xxxxxx
      subnetIds:
        - subnet-xxxx
        - subnet-xxxxx

By default, function level iamRoleStatements override the provider level definition. It is also possible to inherit the provider level definition by specifying the option iamRoleStatementsInherit: true:

provider:
  name: aws
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - xray:PutTelemetryRecords
        - xray:PutTraceSegments
      Resource: "*"
  ...
functions:
  func1:
    handler: handler.get
    iamRoleStatementsInherit: true
    iamRoleStatements:
      - Effect: "Allow"
        Action:
          - dynamodb:GetItem
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"

The generated role for func1 will contain both the statements defined at the provider level and the ones defined at the function level.

If you wish to change the default behavior to inherit instead of override it is possible to specify the following custom configuration:

custom:
  serverless-granular-iam:
    defaultInherit: true

Role Names

The plugin uses a naming convention for function roles which is similar to the naming convention used by the Serverless Framework. Function roles are named with the following convention:

<service-name>-<stage>-<function-name>-<region>-lambdaRole

AWS has a 64 character limit on role names. If the default naming exceeds 64 chars the plugin will remove the suffix: -lambdaRole to shorten the name. If it still exceeds 64 chars an error will be thrown containing a message of the form:

auto generated role name for function: ${functionName} is too long (over 64 chars).
Try setting a custom role name using the property: iamRoleStatementsName.

In this case you should set the role name using the property iamRoleStatementsName. For example:

functions:
  func1:
    handler: handler.get
    iamRoleStatementsName: my-custom-role-name
    iamRoleStatements:
      - Effect: "Allow"
        Action:
          - dynamodb:GetItem
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"
    ...

More Info

Introduction post: Serverless Framework: Defining Per-Function IAM Roles

Note: Serverless Framework provides support for defining custom IAM roles on a per function level through the use of the role property and creating CloudFormation resources, as documented here. This plugin doesn't support defining both the role property and iamRoleStatements at the function level.