Creating the IAM roles and policies

We created the IAM policies and roles manually in the AWS Management Console. We will now look at how we can create these using the AWS CLI.

Here is a JSON policy, dynamo-readonly-user-visits.json, that we have created under the ./IAM/ directory:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:eu-west-1:000000000000:table/user-visits",
                "arn:aws:dynamodb:eu-west-1:000000000000:table/user-visits-sam"
            ]
        }
    ]
}

To summarize the policy, it grants read-only access (BatchGetItem, DescribeTable, GetItem, Query, and Scan) to two DynamoDB tables: user-visits, which we created manually or in Python, and user-visits-sam, which we are going to create in this chapter using SAM.

Next, create a policy that allows the Lambda function to write its logs to CloudWatch Logs. Create a lambda-cloud-write.json file with the following content:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogStreams"
      ],
      "Resource": [
        "arn:aws:logs:*:*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:PutMetricData"
      ],
      "Resource": "*"
    }
  ]
}

When creating an IAM role, you also need to specify who is allowed to assume it. We have created an assume-role-lambda.json file, known as the trust policy, which names the trusted entity (here the Lambda service) that may assume the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Having the preceding defined as JSON code allows us to version-control the security and permissions in AWS. In addition, if someone deleted them by mistake, we can simply recreate them in AWS.
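Because the policies are kept as JSON files, they can be checked before they are ever created in AWS. The following added example (not code from the book or its repository) embeds constructed copies of the two policy documents above and lints their Allow statements for wildcard actions, actions outside an allow-list, and resources that are "*" or span any account; lint_policy, _as_list and DYNAMO_READ_ACTIONS are names assumed for this example.

```python
# Constructed inline copies of the two policy documents from this section
# (the IAM/ JSON files), embedded so the check runs offline.
DYNAMO_READONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["dynamodb:BatchGetItem", "dynamodb:DescribeTable",
                              "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
                   "Resource": ["arn:aws:dynamodb:eu-west-1:000000000000:table/user-visits",
                                "arn:aws:dynamodb:eu-west-1:000000000000:table/user-visits-sam"]}],
}
LAMBDA_CLOUD_WRITE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents", "logs:DescribeLogStreams"],
         "Resource": ["arn:aws:logs:*:*:*"]},
        {"Effect": "Allow", "Action": ["cloudwatch:PutMetricData"], "Resource": "*"},
    ],
}
# Read-only DynamoDB actions the data API is expected to need (the allow-list).
DYNAMO_READ_ACTIONS = frozenset(DYNAMO_READONLY["Statement"][0]["Action"])


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(doc, allowed_actions=None):
    """Return findings for Allow statements that grant more than intended.

    Flags wildcard actions, actions outside allowed_actions (when given),
    a bare "*" resource, and ARNs whose account segment is "*".
    """
    findings = []
    for idx, stmt in enumerate(doc["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action}")
            elif allowed_actions is not None and action not in allowed_actions:
                findings.append(f"statement {idx}: {action} not in allow-list")
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {idx}: resource '*' for {actions}")
            elif res.startswith("arn:") and res.split(":")[4] == "*":
                findings.append(f"statement {idx}: any-account ARN {res}")
    return findings
```

The DynamoDB policy passes cleanly, while lambda-cloud-write gets two findings; the cloudwatch:PutMetricData one is expected, because that action does not support resource-level permissions, so record it as accepted rather than tightening it.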

We will now create a shell script called create-role.sh, under the ./bash folder, to create a Lambda IAM role and three IAM policies, and attach them to the IAM role:

#!/bin/sh
# This script creates a Lambda role and attaches the policies

# import environment variables (profile, aws_account_id)
. ./common-variables.sh

# Set up the Lambda role with its trust policy
role_name=lambda-dynamo-data-api
aws iam create-role --role-name ${role_name} \
    --assume-role-policy-document file://../../IAM/assume-role-lambda.json \
    --profile $profile || true

sleep 1
# Add and attach the DynamoDB policy
dynamo_policy=dynamo-readonly-user-visits
aws iam create-policy --policy-name $dynamo_policy \
    --policy-document file://../../IAM/$dynamo_policy.json \
    --profile $profile || true

role_policy_arn="arn:aws:iam::$aws_account_id:policy/$dynamo_policy"
aws iam attach-role-policy \
    --role-name "${role_name}" \
    --policy-arn "${role_policy_arn}" --profile ${profile} || true

# Add and attach the CloudWatch policy
cloudwatch_policy=lambda-cloud-write
aws iam create-policy --policy-name $cloudwatch_policy \
    --policy-document file://../../IAM/$cloudwatch_policy.json \
    --profile $profile || true

role_policy_arn="arn:aws:iam::$aws_account_id:policy/$cloudwatch_policy"
aws iam attach-role-policy \
    --role-name "${role_name}" \
    --policy-arn "${role_policy_arn}" --profile ${profile} || true

Execute the script using ./create-role.sh. It will create one IAM role and three IAM policies, and attach them to the IAM role. Notice that the script is deliberately idempotent: each command is suffixed with || true, so re-running it does not fail on an existing role or policy. Policy changes need to be managed carefully, as they could impact others.

Note that it is also possible to create IAM roles in a SAM template, but using the AWS CLI means that the roles and policies can be reused rather than deleted when the serverless stack is deleted. It also allows version control if you check them into Git with a standard naming convention, and helps the support team by centralizing their creation.
