AMAZON and serverless (3) IAM Managing Permissions with Serverless

This article describes how to manage AWS IAM permissions when deploying with the Serverless Framework: the basic concepts of IAM users, roles and permissions, and how to give a Lambda function the IAM permissions it needs to reach specific resources such as a DynamoDB table.



IAM - AWS Identity and Access Management
Basic IAM Concepts
Users, roles, permissions

IAM User
A user name/password pair (console sign-in) or an access key ID/secret access key pair (CLI and API calls) identifies a user to AWS; the policies attached to that user decide which resources it may access. Access keys are long-lived credentials, so they should be scoped narrowly and rotated.

IAM role
An IAM role is not owned but assumed: an IAM user who needs a role's permissions can assume it and receive temporary credentials for it.
A role can also be assumed by an AWS service, for example an EC2 instance or a Lambda function, which then calls other services with the role's permissions instead of any long-lived key.

IAM Permission
A permission statement contains three elements: Effect, Action, Resource
Effect - Allow or Deny (an explicit Deny always overrides an Allow)
Action - written as serviceName:Action, e.g. s3:GetObject, or with a wildcard such as ec2:* for every EC2 action
Resource - the ARN (or list of ARNs) the statement applies to; "*" means every resource

Sample Policy
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:UpdateItem",
      "dynamodb:DeleteItem"
    ],
    "Resource": "arn:aws:dynamodb:us-west-1:111111111:table/my-new-table"
  }
}

IAM entities with the Serverless Framework
Two different IAM entities are involved: the IAM user whose credentials the Framework uses to deploy the Serverless service, and the IAM role a Lambda function assumes when it is executed.
Keep the two separate: the deploying user needs rights to create infrastructure, while the function role only needs rights to the resources the function code actually touches.

For deployment with Serverless, your user needs permissions to:
1 Create an S3 bucket for your function deployments
2 Upload your function zip files to that S3 bucket
3 Submit a CloudFormation template (which in turn creates the Lambda functions and their execution role)
4 Create the log groups for your Lambda functions
5 Create a REST API in API Gateway
6 Create any extra resources declared in serverless.yml, in this case a DynamoDB table (optional for services that do not declare one)
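The sample DynamoDB policy above and the deployer permission list raise the same question: is each Allow statement as narrow as it can be? The following linter is an added example, not code from the original post or from the Serverless Framework. It normalises the two shapes IAM accepts (Statement as an object or a list; Action and Resource as a string or a list) and flags Allow statements that use wildcard actions or resources, or that can never match because the action's service differs from the resource ARN's service. SAMPLE_POLICY mirrors the policy shown above; DEPLOYER_POLICY is constructed here with a placeholder bucket name.

```python
"""Least-privilege lint for IAM policy documents (added example)."""
import json


def as_list(value):
    """IAM lets Statement, Action and Resource be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def arn_service(arn):
    """Return the service field of arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    return parts[2] if len(parts) == 6 and parts[0] == "arn" else None


def lint_policy(policy):
    """Return (statement_index, finding) pairs for over-broad or no-op Allow statements."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append((i, "Action '*' allows every API call"))
            elif action.endswith(":*"):
                findings.append((i, f"Action '{action}' allows the whole service"))
        for res in resources:
            if res == "*":
                # A few list-style calls (e.g. s3:ListAllMyBuckets) genuinely need '*';
                # everything else should name an ARN.
                findings.append((i, "Resource '*' applies to every resource"))
                continue
            for action in actions:
                if action != "*" and action.split(":", 1)[0] != arn_service(res):
                    findings.append((i, f"Action '{action}' can never match Resource '{res}'"))
    return findings


# The policy from the post above (Statement given as a single object).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem",
                   "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
        "Resource": "arn:aws:dynamodb:us-west-1:111111111:table/my-new-table",
    },
}

# Constructed deployer policy: one scoped S3 statement (fine) and one
# "whole CloudFormation on everything" statement (flagged twice).
DEPLOYER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::my-deploy-bucket/*"},
        {"Effect": "Allow",
         "Action": "cloudformation:*",
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_POLICY), ("deployer", DEPLOYER_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Run it against the JSON you are about to attach to the deploying user; every finding is either a statement to tighten or a documented exception (such as an S3 list call that requires Resource "*").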

I am an admin user in my company, so I just ignore this part.

For Lambda Functions
In serverless.yml, we can add these permissions directly under provider. They become the inline policy of one execution role that every function in the service shares, so grant only what the functions need (in Serverless Framework v3 the same statements live under provider.iam.role.statements):
provider:
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
      Resource: "arn:aws:dynamodb:us-west-2:111111xxxx:table/my-new-table"

If the table is declared in the resources section of the same serverless.yml, Fn::GetAtt can get its ARN, so the account ID and region are not hard-coded:
resources:
  Resources:
    MyDynamoTable:
      # table definition omitted in the original

provider:
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - dynamodb:Query
        - dynamodb:Scan
      Resource:
        Fn::GetAtt:
          - MyDynamoTable
          - Arn
Or, a fuller serverless.yml for a service that builds SNS topic ARNs with Fn::Join and grants the function sns:Publish on one of them. The keys custom.name, custom.lambdaTimeout and custom.meetingsDbName are referenced but were not defined in the original; they are added here with assumed values.

service:
  name: meeting-services

plugins:
  - serverless-webpack

custom:
  name: meeting-services          # assumed: referenced below but not defined in the original
  region: ${opt:region, 'us-west-1'}
  stage: ${opt:stage, 'int'}
  lambdaTimeout: 6                # assumed: not defined in the original
  meetingsDbName: my-new-table    # assumed: not defined in the original
  acknowledgeTopic: ${self:custom.name}-acknowledge
  crudTopic: ${self:custom.name}-crud

provider:
  name: aws
  runtime: nodejs6.10
  region: ${self:custom.region}
  timeout: ${self:custom.lambdaTimeout} # The default is 6 seconds. Note: API Gateway current maximum is 30 seconds
  environment:
    DYNAMODB_TABLE: ${self:custom.meetingsDbName}
    LAMBDA_TIMEOUT: ${self:custom.lambdaTimeout}
    MEETINGS_ACKNOWLEDGE_SNS: { "Fn::Join" : ["", ["arn:aws:sns:${self:custom.region}:", { "Ref" : "AWS::AccountId" }, ":${self:custom.acknowledgeTopic}" ] ] }
    MEETINGS_CRUD_SNS: { "Fn::Join" : ["", ["arn:aws:sns:${self:custom.region}:", { "Ref" : "AWS::AccountId" }, ":${self:custom.crudTopic}" ] ] }
  iamRoleStatements:
    - Effect: Allow
      Action:
        - sns:Publish
      Resource: ${self:provider.environment.MEETINGS_CRUD_SNS}

Note that this role only allows sns:Publish on the CRUD topic. DYNAMODB_TABLE is exposed to the code, but no dynamodb action is granted here, so a function that reads the table also needs a DynamoDB statement like the one shown earlier.
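The Fn::GetAtt and Fn::Join statements above are only resolved to real ARNs by CloudFormation at deploy time, which makes it hard to eyeball what the role policy will actually contain. The following is an added example, not Serverless Framework or CloudFormation code: a small re-implementation of Ref (pseudo parameters only), Fn::Join and Fn::GetAtt, enough to show the concrete ARNs the two statements produce. The Framework has already substituted its own ${...} variables by the time CloudFormation sees the template, so those are written out; the service name, region, account ID and table ARN are constructed placeholders.

```python
"""Resolve the CloudFormation intrinsics used in iamRoleStatements (added example)."""


def resolve(node, ctx):
    """Recursively replace intrinsic functions in a parsed template fragment.

    ctx holds the values CloudFormation knows at deploy time:
      region, account_id, and attrs: {(LogicalId, Attribute): value}.
    """
    if isinstance(node, list):
        return [resolve(item, ctx) for item in node]
    if not isinstance(node, dict):
        return node  # plain scalar
    if len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref":
            pseudo = {"AWS::Region": ctx["region"], "AWS::AccountId": ctx["account_id"]}
            if arg in pseudo:
                return pseudo[arg]
            raise KeyError(f"Ref to {arg!r}: only pseudo parameters are supported here")
        if key == "Fn::Join":
            delimiter, parts = arg
            return delimiter.join(str(resolve(part, ctx)) for part in parts)
        if key == "Fn::GetAtt":
            # Both the list form ["Logical", "Attr"] and the "Logical.Attr" string form.
            logical_id, attribute = arg if isinstance(arg, list) else arg.split(".", 1)
            return ctx["attrs"][(logical_id, attribute)]
    return {key: resolve(value, ctx) for key, value in node.items()}


# The two grants from the serverless.yml fragments above, as the Framework
# emits them after its own ${self:...} substitution (service name assumed
# to be meeting-services, region us-west-1).
SNS_PUBLISH = {
    "Effect": "Allow",
    "Action": ["sns:Publish"],
    "Resource": {"Fn::Join": ["", [
        "arn:aws:sns:us-west-1:", {"Ref": "AWS::AccountId"}, ":meeting-services-crud"]]},
}
TABLE_READ = {
    "Effect": "Allow",
    "Action": ["dynamodb:Query", "dynamodb:Scan"],
    "Resource": {"Fn::GetAtt": ["MyDynamoTable", "Arn"]},
}

# Deploy-time facts; the account ID and the table ARN are placeholders.
DEPLOY_CONTEXT = {
    "region": "us-west-1",
    "account_id": "123456789012",
    "attrs": {("MyDynamoTable", "Arn"):
              "arn:aws:dynamodb:us-west-1:123456789012:table/my-new-table"},
}


def resolved_statements():
    """Return the statements as they appear in the deployed role's inline policy."""
    return resolve([SNS_PUBLISH, TABLE_READ], DEPLOY_CONTEXT)


if __name__ == "__main__":
    import json
    print(json.dumps(resolved_statements(), indent=2))
```

The resolved output is what to review for least privilege: each Resource should be a single topic or table ARN, not a service-wide wildcard, and the account ID comes from the pseudo parameter rather than being pasted into the file.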

You can find the generated Lambda role in the IAM console; its name follows the pattern service-stage-region-lambdaRole, similar to meeting-name-stage-us-west-1-lambdaRole

We can deploy like this
> sls deploy --stage int

On the Lambda function's console page, the execution role's permissions are summarised by service: Amazon CloudWatch Logs, which the Framework grants by default so the function can write its logs, and Amazon SNS from the statement above.

References:
https://serverless.com/blog/abcs-of-iam-permissions/
https://serverless-stack.com/chapters/customize-the-serverless-iam-policy.html