I am working on SAM template for publishing my Application in AWS Serverless repository.
But when I try to add policies for my lambda it shows me error:
Invalid Serverless Application Specification document. Number of errors found: 1. Errors: Resource with id [SyncPostDataFromSfLambda] is invalid. Only policy templates are supported in 'Policies' property.
Below is the example for my SAM template:
{
"AWSTemplateFormatVersion": "2010-09-09",
"Transform": "AWS::Serverless-2016-10-31",
"Description": "Deployment",
"Resources": {
"SyncPostDataToSfLambda": {
"Type": "AWS::Serverless::Function",
"Properties": {
"Handler": "index.handler",
"FunctionName": "myLambdaFunction",
"CodeUri": "s3 URL",
"Runtime": "nodejs6.10",
"MemorySize": 512,
"Policies": [
"AmazonDynamoDBFullAccess"
],
"Events": {
"PostResource": {
"Type": "Api",
"Properties": {
"RestApiId": {
"Ref": "API"
},
"Path": "/apipath",
"Method": "post"
}
}
}
}
}
}
}
As of today (2018-10-09), SAM template already supports inline policy document.
Here is an example:-
Resources:
SomeFunction:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
Runtime: nodejs8.10
Policies:
- Statement:
- Sid: SSMDescribeParametersPolicy
Effect: Allow
Action:
- ssm:DescribeParameters
Resource: '*'
- Sid: SSMGetParameterPolicy
Effect: Allow
Action:
- ssm:GetParameters
- ssm:GetParameter
Resource: '*'
References:
- AWS::Serverless::Function's Policies property on AWS SAM Specification
- Related issue on GitHub
Here's the full list of policy templates from the official repo example.
Transform: AWS::Serverless-2016-10-31
Resources:
MyFunction:
Type: 'AWS::Serverless::Function'
Properties:
CodeUri: src/
Handler: index.handler
Runtime: nodejs4.3
Policies:
- SQSPollerPolicy:
QueueName: name
- LambdaInvokePolicy:
FunctionName: name
- CloudWatchPutMetricPolicy: {}
- EC2DescribePolicy: {}
- DynamoDBCrudPolicy:
TableName: name
- DynamoDBReadPolicy:
TableName: name
- SESSendBouncePolicy:
IdentityName: name
- ElasticsearchHttpPostPolicy:
DomainName: name
- S3ReadPolicy:
BucketName: name
- S3CrudPolicy:
BucketName: name
- AMIDescribePolicy: {}
- CloudFormationDescribeStacksPolicy: {}
- RekognitionDetectOnlyPolicy: {}
- RekognitionNoDataAccessPolicy:
CollectionId: id
- RekognitionReadPolicy:
CollectionId: id
- RekognitionWriteOnlyAccessPolicy:
CollectionId: id
- RekognitionLabelsPolicy: {}
- SQSSendMessagePolicy:
QueueName: name
- SNSPublishMessagePolicy:
TopicName: name
- VPCAccessPolicy: {}
- DynamoDBStreamReadPolicy:
TableName: name
StreamName: name
- KinesisStreamReadPolicy:
StreamName: name
- SESCrudPolicy:
IdentityName: name
- SNSCrudPolicy:
TopicName: name
- KinesisCrudPolicy:
StreamName: name
- KMSDecryptPolicy:
KeyId: keyId
- SESBulkTemplatedCrudPolicy:
IdentityName: name
- SESEmailTemplateCrudPolicy: {}
- FilterLogEventsPolicy:
LogGroupName: name
- StepFunctionsExecutionPolicy:
StateMachineName: name
It seems, that currently only SAM Policy Templates can be used.
AWS maintains the authoritative information/overview of SAM Policy Templates here: https://docs.aws.amazon.com/serverlessrepo/latest/devguide/using-aws-sam.html
This document also states that, if you need further AWS Resources and/or Policy Templates, you should contact the AWS Support.
A short overview and example of how to use them can be found here: https://github.com/awslabs/serverless-application-model/blob/master/examples/2016-10-31/policy_templates/all_policy_templates.yaml
Here's the overview of currently supported SAM Policy Templates at the time of posting this answer:
- SQSPollerPolicy (provides sqs:DeleteMessage, sqs:ReceiveMessage)
- LambdaInvokePolicy (provides lambda:InvokeFunction)
- CloudWatchPutMetricPolicy (provides cloudwatch:PutMetricData)
- EC2DescribePolicy (provides ec2:DescribeRegions, ec2:DescribeInstances)
- DynamoDBCrudPolicy (provides dynamodb:GetItem, dynamodb:DeleteItem, dynamodb:PutItem, dynamodb:Scan, dynamodb:Query, dynamodb:UpdateItem, dynamodb:BatchWriteItem, dynamodb:BatchGetItem)
- DynamoDBReadPolicy (provides dynamodb:GetItem, dynamodb:Scan, dynamodb:Query, dynamodb:BatchGetItem)
- SESSendBouncePolicy (provides ses:SendBounce)
- ElasticsearchHttpPostPolicy (provides es:ESHttpPost)
- S3ReadPolicy (provides s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:GetLifecycleConfiguration)
- S3CrudPolicy (provides s3:GetObject, s3:ListBucket, s3:GetBucketLocation, s3:GetObjectVersion, s3:PutObject, s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration)
- AMIDescribePolicy (provides ec2:DescribeImages)
- CloudFormationDescribeStacksPolicy (provides cloudformation:DescribeStacks)
- RekognitionNoDataAccessPolicy (provides rekognition:CompareFaces, rekognition:DetectFaces, rekognition:DetectLabels, rekognition:DetectModerationLabels)
- RekognitionReadPolicy (provides rekognition:ListCollections, rekognition:ListFaces, rekognition:SearchFaces, rekognition:SearchFacesByImage)
- RekognitionWriteOnlyAccessPolicy (provides rekognition:CreateCollection, rekognition:IndexFaces)
- SQSSendMessagePolicy (provides sqs:SendMessage*)
- SNSPublishMessagePolicy (provides sns:Publish)
- VPCAccessPolicy (provides ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeNetworkInterfaces, ec2:DetachNetworkInterface)
- DynamoDBStreamReadPolicy (provides dynamodb:DescribeStream, dynamodb:GetRecords, dynamodb:GetShardIterator, dynamodb:ListStreams)
- KinesisStreamReadPolicy (provides kinesis:ListStreams, kinesis:DescribeLimits)
- SESCrudPolicy (provides ses:GetIdentityVerificationAttributes, ses:SendEmail, ses:VerifyEmailIdentity)
- SNSCrudPolicy (provides sns:ListSubscriptionsByTopic, sns:CreateTopic, sns:SetTopicAttributes, sns:Subscribe, sns:Publish)
- KinesisCrudPolicy (provides kinesis:AddTagsToStream, kinesis:CreateStream, kinesis:DecreaseStreamRetentionPeriod, kinesis:DeleteStream, kinesis:DescribeStream, kinesis:GetShardIterator, kinesis:IncreaseStreamRetentionPeriod, kinesis:ListTagsForStream, kinesis:MergeShards, kinesis:PutRecord, kinesis:PutRecords, kinesis:SplitShard, kinesis:RemoveTagsFromStream)
- KMSDecryptPolicy (provides kms:Decrypt)
Almost any of those Policy Templates have to be configured. Please read the AWS documentation (links above) about how to configure these templates.