Not able to add policies in SAM template

Published 2020-07-08 08:24

Question:

I am working on a SAM template for publishing my application in the AWS Serverless repository. But when I try to add policies for my Lambda it shows me this error: Invalid Serverless Application Specification document. Number of errors found: 1. Errors: Resource with id [SyncPostDataFromSfLambda] is invalid. Only policy templates are supported in 'Policies' property.

Below is an example of my SAM template:

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Transform": "AWS::Serverless-2016-10-31",
    "Description": "Deployment",
    "Resources": {
        "SyncPostDataToSfLambda": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "index.handler",
                "FunctionName": "myLambdaFunction",
                "CodeUri": "s3 URL",
                "Runtime": "nodejs6.10",
                "MemorySize": 512,
                "Policies": [
                    "AmazonDynamoDBFullAccess"
                ],
                "Events": {
                    "PostResource": {
                        "Type": "Api",
                        "Properties": {
                            "RestApiId": {
                                "Ref": "API"
                            },
                            "Path": "/apipath",
                            "Method": "post"
                        }
                    }
                }
            }
        }
    }
}

Answer 1:

As of today (2018-10-09), the SAM template already supports inline policy documents.

Here is an example:

Resources:
  SomeFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: index.handler
      Runtime: nodejs8.10
      Policies:
      - Statement:
        - Sid: SSMDescribeParametersPolicy
          Effect: Allow
          Action:
          - ssm:DescribeParameters
          Resource: '*'
        - Sid: SSMGetParameterPolicy
          Effect: Allow
          Action:
          - ssm:GetParameters
          - ssm:GetParameter
          Resource: '*'

References:

  1. AWS::Serverless::Function's Policies property on AWS SAM Specification
  2. Related issue on GitHub


Answer 2:

Here's the full list of policy templates from the official repo example.


Transform: AWS::Serverless-2016-10-31
Resources:
  MyFunction:
    Type: 'AWS::Serverless::Function'
    Properties:
      CodeUri: src/
      Handler: index.handler
      Runtime: nodejs4.3
      Policies:

        - SQSPollerPolicy:
            QueueName: name

        - LambdaInvokePolicy:
            FunctionName: name

        - CloudWatchPutMetricPolicy: {}

        - EC2DescribePolicy: {}

        - DynamoDBCrudPolicy:
            TableName: name

        - DynamoDBReadPolicy:
            TableName: name

        - SESSendBouncePolicy:
            IdentityName: name

        - ElasticsearchHttpPostPolicy:
            DomainName: name

        - S3ReadPolicy:
            BucketName: name

        - S3CrudPolicy:
            BucketName: name

        - AMIDescribePolicy: {}

        - CloudFormationDescribeStacksPolicy: {}

        - RekognitionDetectOnlyPolicy: {}

        - RekognitionNoDataAccessPolicy:
            CollectionId: id

        - RekognitionReadPolicy:
            CollectionId: id

        - RekognitionWriteOnlyAccessPolicy:
            CollectionId: id

        - RekognitionLabelsPolicy: {}

        - SQSSendMessagePolicy:
            QueueName: name

        - SNSPublishMessagePolicy:
            TopicName: name

        - VPCAccessPolicy: {}

        - DynamoDBStreamReadPolicy:
            TableName: name
            StreamName: name

        - KinesisStreamReadPolicy:
            StreamName: name

        - SESCrudPolicy:
            IdentityName: name

        - SNSCrudPolicy:
            TopicName: name

        - KinesisCrudPolicy:
            StreamName: name

        - KMSDecryptPolicy:
            KeyId: keyId

        - SESBulkTemplatedCrudPolicy:
            IdentityName: name

        - SESEmailTemplateCrudPolicy: {}

        - FilterLogEventsPolicy:
            LogGroupName: name

        - StepFunctionsExecutionPolicy:
            StateMachineName: name



Answer 3:

It seems that currently only SAM Policy Templates can be used.

AWS maintains the authoritative information/overview of SAM Policy Templates here: https://docs.aws.amazon.com/serverlessrepo/latest/devguide/using-aws-sam.html

This document also states that, if you need further AWS Resources and/or Policy Templates, you should contact AWS Support.

A short overview and example of how to use them can be found here: https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/policy_templates/all_policy_templates.yaml

Here's the overview of currently supported SAM Policy Templates at the time of posting this answer:

  • SQSPollerPolicy (provides sqs:DeleteMessage, sqs:ReceiveMessage)
  • LambdaInvokePolicy (provides lambda:InvokeFunction)
  • CloudWatchPutMetricPolicy (provides cloudwatch:PutMetricData)
  • EC2DescribePolicy (provides ec2:DescribeRegions, ec2:DescribeInstances)
  • DynamoDBCrudPolicy (provides dynamodb:GetItem, dynamodb:DeleteItem, dynamodb:PutItem, dynamodb:Scan, dynamodb:Query, dynamodb:UpdateItem, dynamodb:BatchWriteItem, dynamodb:BatchGetItem)
  • DynamoDBReadPolicy (provides dynamodb:GetItem, dynamodb:Scan, dynamodb:Query, dynamodb:BatchGetItem)
  • SESSendBouncePolicy (provides ses:SendBounce)
  • ElasticsearchHttpPostPolicy (provides es:ESHttpPost)
  • S3ReadPolicy (provides s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:GetLifecycleConfiguration)
  • S3CrudPolicy (provides s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:PutObject, s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration)
  • AMIDescribePolicy (provides ec2:DescribeImages)
  • CloudFormationDescribeStacksPolicy (provides cloudformation:DescribeStacks)
  • RekognitionNoDataAccessPolicy (provides rekognition:CompareFaces, rekognition:DetectFaces, rekognition:DetectLabels, rekognition:DetectModerationLabels)
  • RekognitionReadPolicy (provides rekognition:ListCollections, rekognition:ListFaces, rekognition:SearchFaces, rekognition:SearchFacesByImage)
  • RekognitionWriteOnlyAccessPolicy (provides rekognition:CreateCollection, rekognition:IndexFaces)
  • SQSSendMessagePolicy (provides sqs:SendMessage*)
  • SNSPublishMessagePolicy (provides sns:Publish)
  • VPCAccessPolicy (provides ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface)
  • DynamoDBStreamReadPolicy (provides dynamodb:DescribeStream, dynamodb:GetRecords, dynamodb:GetShardIterator, dynamodb:ListStreams)
  • KinesisStreamReadPolicy (provides kinesis:ListStreams, kinesis:DescribeLimits)
  • SESCrudPolicy (provides ses:GetIdentityVerificationAttributes, ses:SendEmail, ses:VerifyEmailIdentity)
  • SNSCrudPolicy (provides sns:ListSubscriptionsByTopic, sns:CreateTopic, sns:SetTopicAttributes, sns:Subscribe, sns:Publish)
  • KinesisCrudPolicy (provides kinesis:AddTagsToStream, kinesis:CreateStream, kinesis:DecreaseStreamRetentionPeriod, kinesis:DeleteStream, kinesis:DescribeStream, kinesis:GetShardIterator, kinesis:IncreaseStreamRetentionPeriod, kinesis:ListTagsForStream, kinesis:MergeShards, kinesis:PutRecord, kinesis:PutRecords, kinesis:SplitShard, kinesis:RemoveTagsFromStream)
  • KMSDecryptPolicy (provides kms:Decrypt)

Almost all of those Policy Templates have to be configured. Please read the AWS documentation (links above) about how to configure these templates.
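The three answers describe the three shapes a Policies entry can take: a bare managed policy name (which the question's error message shows the Serverless Application Repository rejecting), a SAM policy template with its parameters, and an inline policy document. The following linter, an added example that is not code from the question, the answers or the SAM project, walks the functions of a parsed SAM template and classifies each entry accordingly. The table of template names and their parameter names is taken from the all_policy_templates.yaml listing quoted in Answer 2; the "FullAccess" suffix check and the constructed sample template are this example's own assumptions, not anything from the page. The template is supplied as a Python dict (the parsed form of the question's JSON) so the script runs with the standard library only.

```python
"""Lint the Policies property of AWS::Serverless::Function resources in a parsed
SAM template. Added example, not code from the question or answers."""

# Policy templates and their parameter names, as listed in all_policy_templates.yaml above.
POLICY_TEMPLATES = {
    "SQSPollerPolicy": {"QueueName"}, "LambdaInvokePolicy": {"FunctionName"},
    "CloudWatchPutMetricPolicy": set(), "EC2DescribePolicy": set(),
    "DynamoDBCrudPolicy": {"TableName"}, "DynamoDBReadPolicy": {"TableName"},
    "SESSendBouncePolicy": {"IdentityName"}, "ElasticsearchHttpPostPolicy": {"DomainName"},
    "S3ReadPolicy": {"BucketName"}, "S3CrudPolicy": {"BucketName"},
    "AMIDescribePolicy": set(), "CloudFormationDescribeStacksPolicy": set(),
    "RekognitionDetectOnlyPolicy": set(), "RekognitionNoDataAccessPolicy": {"CollectionId"},
    "RekognitionReadPolicy": {"CollectionId"}, "RekognitionWriteOnlyAccessPolicy": {"CollectionId"},
    "RekognitionLabelsPolicy": set(), "SQSSendMessagePolicy": {"QueueName"},
    "SNSPublishMessagePolicy": {"TopicName"}, "VPCAccessPolicy": set(),
    "DynamoDBStreamReadPolicy": {"TableName", "StreamName"}, "KinesisStreamReadPolicy": {"StreamName"},
    "SESCrudPolicy": {"IdentityName"}, "SNSCrudPolicy": {"TopicName"},
    "KinesisCrudPolicy": {"StreamName"}, "KMSDecryptPolicy": {"KeyId"},
    "SESBulkTemplatedCrudPolicy": {"IdentityName"}, "SESEmailTemplateCrudPolicy": set(),
    "FilterLogEventsPolicy": {"LogGroupName"}, "StepFunctionsExecutionPolicy": {"StateMachineName"},
}


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy_entry(resource_id, entry):
    """Return a list of finding strings for one element of a function's Policies list."""
    findings = []
    if isinstance(entry, str):
        # A bare string is an IAM managed policy name or ARN. The Serverless Application
        # Repository only accepts policy templates here, which is the error in the question.
        findings.append(f"{resource_id}: managed policy '{entry}' is not a policy template")
        if entry.endswith("FullAccess"):  # heuristic assumed by this example
            findings.append(f"{resource_id}: '{entry}' grants broad access; prefer a scoped template")
        return findings
    if not isinstance(entry, dict):
        return [f"{resource_id}: unsupported Policies entry type {type(entry).__name__}"]
    if "Statement" in entry:
        # Inline policy document: flag wildcard resources and actions in Allow statements.
        for stmt in _as_list(entry["Statement"]):
            sid = stmt.get("Sid", "<no Sid>")
            if stmt.get("Effect") != "Allow":
                continue
            if any(r == "*" for r in _as_list(stmt.get("Resource", []))):
                findings.append(f"{resource_id}/{sid}: Resource '*' in inline statement")
            if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
                findings.append(f"{resource_id}/{sid}: wildcard Action in inline statement")
        return findings
    # Anything else must be a single-key mapping: template name -> parameter mapping.
    if len(entry) != 1:
        return [f"{resource_id}: policy template entry must have exactly one key"]
    (name, params), = entry.items()
    if name not in POLICY_TEMPLATES:
        return [f"{resource_id}: unknown policy template '{name}'"]
    missing = POLICY_TEMPLATES[name] - set(params or {})
    if missing:
        findings.append(f"{resource_id}: {name} missing parameter(s) {sorted(missing)}")
    return findings


def lint_template(template):
    """Lint every AWS::Serverless::Function in a parsed SAM template (dict)."""
    findings = []
    for rid, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        for entry in _as_list(res.get("Properties", {}).get("Policies", [])):
            findings.extend(lint_policy_entry(rid, entry))
    return findings


# Constructed sample template (parsed form of the question's JSON) exercising each case.
SAMPLE_TEMPLATE = {
    "Resources": {
        "SyncPostDataToSfLambda": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "index.handler",
                "Policies": [
                    "AmazonDynamoDBFullAccess",                       # managed policy name
                    {"DynamoDBCrudPolicy": {"TableName": "orders"}},  # well-formed template
                    {"SQSPollerPolicy": {}},                          # template, parameter missing
                    {"Statement": [{"Sid": "GetParam", "Effect": "Allow",
                                    "Action": ["ssm:GetParameter"], "Resource": "*"}]},
                ],
            },
        }
    }
}

if __name__ == "__main__":
    for line in lint_template(SAMPLE_TEMPLATE):
        print(line)
```

Run against the sample, the linter reports the managed-policy string twice (not a template, and broad), the SQSPollerPolicy entry for its missing QueueName, and the inline statement for its Resource '*'; the correctly parameterised DynamoDBCrudPolicy entry produces nothing. Policy templates are only as scoped as the parameters passed to them, so a template entry passing the lint is still worth a look at the generated role in CloudFormation.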