Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Migrated] Improve README.md instructions for using custom IAM policy via attach_policy #837

Closed
jneves opened this issue Feb 20, 2021 · 3 comments
Closed

[Migrated] Improve README.md instructions for using custom IAM policy via attach_policy #837

jneves opened this issue Feb 20, 2021 · 3 comments
Labels
auto-closed [Bot] Closed, details in comments no-activity [Bot] Closing soon if no new activity

Comments

@jneves
Copy link
Contributor

jneves commented Feb 20, 2021

Originally from: Miserlou/Zappa#2079 by jdmwood

The README at https://github.com/Miserlou/Zappa#custom-aws-iam-roles-and-policies-for-execution talks about using manage_roles: false to manually set a role for custom permissions.

This along with Miserlou/Zappa#244 led me down a rabbit hole.

However, if all you want to do is restrict the permissions of the Lambda itself, it seems that the partially documented attach_policy is a much better option because this keeps the policy managed by Zappa (no need for manual steps).

Might be worth adding this as an option to the "IAM Roles and polices" section because surely this will solve 95% of requirements for users?

E.g. here is my settings.json:

{
    "build": {
        "app_function": "webapp.app",
        "aws_region": "eu-west-1",
        "profile_name": "test",
        "project_name": "deploy",
        "runtime": "python3.7",
        "s3_bucket": "xxxx-zappa-test",
        "attach_policy": "aws_attach_policy.json"
    }
}

And my aws_attach_policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "arn:aws:logs:eu-west-1:*:log-group:/aws/lambda/deploy-build:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:eu-west-1:*:function:deploy-build"
      ]
    }
  ]
}

(In my case I didn't need much permissions, but you get the idea).
@souravjamwal77
Copy link
Collaborator

Hi @jneves are there any updates on this?

@jneves jneves mentioned this issue Aug 18, 2022
Closed
2 tasks
@github-actions GitHub Actions
Copy link

github-actions bot commented Apr 3, 2024

Hi there! Unfortunately, this Issue has not seen any activity for at least 90 days. If the Issue is still relevant to the latest version of Zappa, please comment within the next 10 days if you wish to keep it open. Otherwise, it will be automatically closed.

@github-actions github-actions bot added the no-activity [Bot] Closing soon if no new activity label Apr 3, 2024
@github-actions GitHub Actions
Copy link

Hi there! Unfortunately, this Issue was automatically closed as it had not seen any activity in at least 100 days. If the Issue is still relevant to the latest version of Zappa, please open a new Issue.

@github-actions github-actions bot added the auto-closed [Bot] Closed, details in comments label Apr 13, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
auto-closed [Bot] Closed, details in comments no-activity [Bot] Closing soon if no new activity
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jneves @souravjamwal77