I have the following AWS SAM file (showing extract) for a lambda function. The problem is that I'm trying to specify multiple policies and this does not work, I get an error
Resources:
Get:
Type: AWS::Serverless::Function
Properties:
FunctionName: fnStores
Handler: handler.get
Runtime: nodejs6.10
Policies:
-AmazonDynamoDBReadOnlyAccess
-AmazonS3ReadOnlyAccess
This is the error I get
"ARN -AmazonDynamoDBReadOnlyAccess -AmazonS3ReadOnlyAccess is not valid.
On a side note, is it possible to create a custom policy that combines the above two and then use that? If so please provide an example.
The YAML list isn't valid. Need a space between - and the Policy names
Try
Resources:
Get:
Type: AWS::Serverless::Function
Properties:
FunctionName: fnStores
Handler: handler.get
Runtime: nodejs6.10
Policies:
- AmazonDynamoDBReadOnlyAccess
- AmazonS3ReadOnlyAccess
Related
After reading S3WritePolicy documentation, it's not clear if it allows multiple buckets.
I'm currently doing this:
SampleLambdaFunction:
Type: AWS::Serverless::Function
Properties:
Policies:
- S3WritePolicy:
BucketName: bucket-1
but if I wanted to include multiple buckets, i.e.:
SampleLambdaFunction:
Type: AWS::Serverless::Function
Properties:
Policies:
- S3WritePolicy:
BucketName:
- bucket-1
- bucket-2
would this be allowed?
Does S3WritePolicy allow multiple buckets in AWS SAM template?
Yes.
would this be allowed?
No, but the below would be allowed.
This is because it's a SAM policy template & is essentially generating a policy for a single bucket. You can however use it as many times as needed.
SampleLambdaFunction:
Type: AWS::Serverless::Function
Properties:
Policies:
- S3WritePolicy:
BucketName:
- bucket-1
- S3WritePolicy:
BucketName:
- bucket-2
I am building a fairly big REST API with AWS Lambda. Language is node.js. There are over 200 functions and few more to come. What EACH of these functions do is connect with a RDS database, get data or save data.
I am deploying this with aws sam tool. Below is the template.yaml. Please note I am posting just one method because from the outer look all methods looks the same except the endpoints they are pointing.
WSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: >
xxx-restapi
Sample SAM Template for xxx-restapi
# More info about Globals: https://github.com/awslabs/serverless-application-model/blob/master/docs/globals.rst
Globals:
Function:
Timeout: 3
VpcConfig:
SecurityGroupIds:
- sg-041f2459dcd921e8e
SubnetIds:
- subnet-038xxx2d
- subnet-c4dxxxcb
- subnet-af5xxxc8
Resources:
GetAllAccountingTypesFunction:
Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
Properties:
CodeUri: xxx-restapi/
Handler: source/accounting-types/accountingtypes-getall.getallaccountingtypes
Runtime: nodejs14.x
Events:
GetAllAccountingTypesAPIEvent:
Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
Properties:
Path: /accountingtypes/getall
Method: get
GetAccountingTypeByIDFunction:
Type: AWS::Serverless::Function # More info about Function Resource: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction
Properties:
CodeUri: xxx-restapi/
Handler: source/accounting-types/accountingtypes-byid.getbyid
Runtime: nodejs14.x
Events:
GetAllAccountingTypesAPIEvent:
Type: Api # More info about API Event Source: https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#api
Properties:
Path: /accountingtypes/getbyid
Method: get
LambdaRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
Path: /
ManagedPolicyArns:
- arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
Policies:
- PolicyName: root
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- ec2:DescribeNetworkInterfaces
- ec2:CreateNetworkInterface
- ec2:DeleteNetworkInterface
- ec2:DescribeInstances
- ec2:AttachNetworkInterface
Resource: '*'
Outputs:
# ServerlessRestApi is an implicit API created out of Events key under Serverless::Function
# Find out more about other implicit resources you can reference within SAM
# https://github.com/awslabs/serverless-application-model/blob/master/docs/internals/generated_resources.rst#api
HelloWorldApi:
Description: "API Gateway endpoint URL for Prod stage for functions"
Value: !Sub "https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/"
All of my methods are fine, they work as expected. However when I try to deploy, this get stuck at CREATE_IN_PROGRESS. But, if I reduce the number of functions and try, it works.
I examined the aws cloud trail logs, found something like below.
ErrorCode: Client.RequestLimitExceeded
Resources: [{"resourceType":"AWS::EC2::SecurityGroup","resourceName":"sg-041f245xxxxd921e8e"},{"resourceType":"AWS::EC2::Subnet","resourceName":"subnet-af5xxxc8"}]
and
ErrorCode: Client.DryRunOperation
Resources: [{"resourceType":"AWS::EC2::SecurityGroup","resourceName":"sg-041f2459xxxx1e8e"},{"resourceType":"AWS::EC2::Subnet","resourceName":"subnet-axxxx3c8"}]
There are multiple events like above. How can I fix this?
CloudFormation is probably creating too many functions at once, hence you're hitting a throttling limit. You could probably classify this as a bug in CloudFormation, so I think you should for sure report this to AWS or the CloudFormation team.
That being said, a possible workaround could be to deploy in steps. Adding some Lambda functions with each update. This is going to be a very cumbersome thing to do, but I don't see another way.
You could always make this process easier by using nested stacks (which you can then uncomment one by one). Maybe you could even circumvent the entire throttling limit with it, depending on how CloudFormation deals with that. But I'm not sure about this.
If you're managing so many resources in a single stack, you're also in danger of hitting other CloudFormation limits (especially since SAM abstracts multiple resources behind a single type). So using nested stacks could also prevent you from hitting those limits in the (near) future.
I'm trying to provide my Lambda function with the S3FullAccessPolicy policy. Note the target bucket is not configured within the template.yaml - it already exists. Considering the syntax examples from this documentation I have three options:
1.AWS managed policy named:
Policies:
- S3FullAccessPolicy
2.AWS SAM policy template (SQSPollerPolicy) defined:
Policies:
- S3FullAccessPolicy:
BucketName: abc-bucket-name
3.Or an inline policy document:
Policies:
- Statement:
...
In trying #1 I get an error that says it seems to suggest I need to provide an arn. If this is the case where would I provide it? The error:
1 validation error detected: Value 'S3FullAccessPolicy' at 'policyArn' failed to satisfy constraint:
Member must have length greater than or equal to 20
For #2 I provide the bucket name but it says that the policy is 'invalid'. I've tried adding quotes and replacing the name with an arn - but no luck.
And #3 - I can find the code for the policy here but that's in yaml so I wonder if that's even what I'm supposed to be using.
What am I missing here? I'm open to using any one of these options but right now I'm 0/3.
The full Lambda function:
testFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: lambda/testFunction/
Handler: app.lambda_handler
Runtime: python3.8
Timeout: 900
Policies:
- S3FullAccessPolicy
I used below template without any issues.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
HelloWorldFunction:
Type: AWS::Serverless::Function
Properties:
CodeUri: ./hello_world/
Handler: app.lambda_handler
Runtime: python3.8
Tracing: Active
Policies:
- S3FullAccessPolicy:
BucketName: existingbucketname # bucket name without arn
Ran it using below command and it deployed successfully.
sam deploy --stack-name sample-stack --s3-bucket bucket-to-deploy --capabilities CAPABILITY_IAM
After deploying a Lambda through SAM, I was getting a 403 inside the Lambda when attempting to download from S3. I checked the Lambda's Role in IAM Management Console, and I saw that the Role only had AWSLambdaBasicExecutionRole. However, it should also have the policies from the SAM template for S3 read/write.
Here is a snippet from my SAM template (with some things renamed):
MyFunction:
Type: AWS::Serverless::Function
Properties:
PackageType: Image
Metadata:
DockerTag: my-tag
DockerContext: ./src/stuff
Dockerfile: Dockerfile
Policies:
- Version: '2012-10-17'
- S3ReadPolicy:
BucketName: !Ref MyBucket
- S3WritePolicy:
BucketName: !Ref MyBucket
Shouldn't the S3ReadPolicy and S3WritePolicy be a part of the Lambda's Role?
Is there something I'm missing?
I know I could manually add the policies needed, but obviously I want as much as possible to be happening automatically via SAM.
Other details: I'm not sure if it matters, but for the sake of additional context, the Lambda is part of a Step Function state machine. I'm using the boto3 library for making the request to download from S3. I get a {'Code': '403', 'Message': 'Forbidden'} error from boto3.
(answering my own question). The issue was the Policies section needed to be under Properties.
MyFunction:
Type: AWS::Serverless::Function
Properties:
PackageType: Image
Policies:
- Version: '2012-10-17'
- S3ReadPolicy:
BucketName: !Ref MyBucket
- S3WritePolicy:
BucketName: !Ref MyBucket
Metadata:
DockerTag: my-tag
DockerContext: ./src/stuff
Dockerfile: Dockerfile
I currently have 2 lambda functions, and I'm trying to make a CI/CD process to them. So I have trying with 2 approaches:
two separate steps on my CI. I have tried to make CloudFormation package and then deploy each lambda, with each of those having their own SAM template and template. but the result is that the only one that will remain on the stack is the last one deployed. i understand that deploy is an smart way that AWS CLI create to do not use create/update stack actions. but it keeps overwriting between them (yes they have different resource name).
having a single sam template and one step in a single repo: I also attempt this in a single repo having both lambdas and a single sam file, but I have duplicate code on my lambdas the difference is that each of them have different set up for which handler to be used.
My goal is to have 2 lambdas in a single stack.
im going to answer my own question because I notice on the sam template was the key.
initially i was doing the sam template like this:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: An AWS Serverless Specification template describing your function.
Resources:
certainty:
Type: 'AWS::Serverless::Function'
Properties:
Handler: ./myfunc/index.handler
Runtime: nodejs8.10
CodeUri: .
Description: >-
here goes
my description
MemorySize: 128
Timeout: 20
Role: 'arn:aws:iam::116738426468:role/rolename'
Events:
Schedule1:
Type: Schedule
Properties:
Schedule: rate(1 day)
certaintyauxiliar:
Type: 'AWS::Serverless::Function'
Properties:
Handler: my-other-func/index.handler
Runtime: nodejs8.10
CodeUri: .
Description: >-
blabla
blabla.
MemorySize: 1152
Timeout: 300
Role: 'arn:aws:iam::116738426468:role/roleanme'
Events:
Api1:
Type: Api
Properties:
Path: /show-all
Method: POST
what was causing here a "duplicate of the code" was that the lambdas code uri was indicating that should grab all the stuff in the folder that cotained both repos. and telling to go deeper in directories to find the the handler.
so I changed the code uri and the handler and now the lambdas are grabbing just what should be in each lambda. now my sam template looks like this:
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: An AWS Serverless Specification template describing your function.
Resources:
certainty:
Type: 'AWS::Serverless::Function'
Properties:
Handler: index.handler
Runtime: nodejs8.10
CodeUri: ./my-func
Description: >-
here goes
my description
MemorySize: 128
Timeout: 20
Role: 'arn:aws:iam::116738426468:role/roleName'
Events:
Schedule1:
Type: Schedule
Properties:
Schedule: rate(1 day)
certaintyauxiliar:
Type: 'AWS::Serverless::Function'
Properties:
Handler: index.handler
Runtime: nodejs8.10
CodeUri: ./my-other-func
Description: >-
bla bla
bla bla
MemorySize: 1152
Timeout: 300
Role: 'arn:aws:iam::116738426468:role/rolename'
Events:
Api1:
Type: Api
Properties:
Path: /path
Method: POST
sorry, now i can see that at the question I was not providing enough info, but i answer to my own question hoping I can help some as lost as I was. Serverless is a nice approach but it does have quiet a learning curves.
Regards, Daniel