
@lendi/serverless-simplify-default-exec-role-plugin
serverless-simplify-default-exec-role-plugin
** This is a fork of serverless-simplify-default-exec-role-plugin by woebot
which in itself was a fork of serverless-simplify-default-exec-role-plugin by shelfio **
A quick solution for the IamRoleLambdaExecution error: Maximum policy size of 10240 bytes exceeded.
Rewrites the IamRoleLambdaExecution policy to reduce its size.
Merges the "logs:CreateLogStream", "logs:CreateLogGroup", and "logs:PutLogEvents" permissions into the same IAM statement.
$ npm install --save-dev @lendi/serverless-simplify-default-exec-role-plugin
In your serverless.yml file:
plugins:
  - "@lendi/serverless-simplify-default-exec-role-plugin"
logs: statements
By default, the Serverless framework adds something like the IAM statement below to allow write access to the CloudWatch log groups that are part of the deployment stack. For stacks with a lot of Lambda functions, this can cause the role to exceed the maximum allowed size of 10240 bytes. This plugin reduces the size of the generated Lambda role by replacing the resource list with a single ARN that grants write access to all log groups in the same region and account.
{
  "Effect": "Allow",
  "Action": ["logs:CreateLogStream", "logs:CreateLogGroup"],
  "Resource": [
    {
      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/production-users-createUser:*",
    },
    {
      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/production-users-updateUser:*",
    },
    {
      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/production-users-deleteUser:*",
    },
    // ... and so on, for each lambda function that logs to cloudwatch
  ],
}
The plugin replaces it with:
{
  "Effect": "Allow",
  "Action": ["logs:CreateLogStream", "logs:CreateLogGroup"],
  "Resource": [
    {
      "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:*",
    },
  ],
}
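The rewrite described in this section, as an added JavaScript example (not the plugin's own code). The function names, the sample function list and the `prefix` mode are assumptions of this example: `all` produces the single `log-group:*` ARN shown above, while `prefix` keeps the log-group name prefix the functions share, so the statement shrinks without granting every log group in the region and account.

```javascript
// Constructed sample input: the function names are made up for this example.
const PREFIX = "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:";

function sampleStatement(names) {
  return {
    Effect: "Allow",
    Action: ["logs:CreateLogStream", "logs:CreateLogGroup"],
    Resource: names.map((n) => ({ "Fn::Sub": `${PREFIX}/aws/lambda/${n}:*` })),
  };
}

// Longest common prefix of a list of strings ("" if they share nothing).
function commonPrefix(strings) {
  if (strings.length === 0) return "";
  let prefix = strings[0];
  for (const s of strings.slice(1)) {
    let i = 0;
    while (i < prefix.length && i < s.length && prefix[i] === s[i]) i++;
    prefix = prefix.slice(0, i);
  }
  return prefix;
}

// Collapse the Resource list of a logs statement to one ARN.
// mode "all":    the rewrite the page describes (every log group in region/account).
// mode "prefix": assumption of this example, scoped to the shared name prefix.
function collapseLogResources(statement, mode = "all") {
  const arns = statement.Resource.map((r) => r && r["Fn::Sub"]);
  // Refuse to rewrite anything that is not a log-group ARN in the expected form.
  if (!arns.every((a) => typeof a === "string" && a.startsWith(PREFIX))) {
    throw new Error("unexpected resource; refusing to rewrite");
  }
  let scope = "*";
  if (mode === "prefix") {
    const names = arns.map((a) => a.slice(PREFIX.length).replace(/:\*$/, ""));
    const shared = commonPrefix(names);
    // Fall back to the full wildcard when the log groups share no name prefix.
    scope = shared ? `${shared}*` : "*";
  }
  return { ...statement, Resource: [{ "Fn::Sub": `${PREFIX}${scope}` }] };
}

// Serialized size of a statement, for comparing before and after.
const policyBytes = (stmt) => Buffer.byteLength(JSON.stringify(stmt), "utf8");
```

Either form keeps the statement a fixed size however many functions the stack has; the `prefix` form still limits writes to log groups named like this stack's functions.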
kinesis:* statements
Needs more testing
When you attach a Kinesis stream as an event source, it creates an IAM policy per Kinesis stream:
{
    "Effect": "Allow",
    "Action": [
        "kinesis:GetRecords",
        "kinesis:GetShardIterator",
        "kinesis:DescribeStreamSummary",
        "kinesis:ListShards"
    ],
    "Resource": [
        "arn:aws:kinesis:<region>:<account>:stream/<stream-name>"
    ]
},
... and many more, depending on the number of input events to the Lambdas
{
    "Effect": "Allow",
    "Action": [
        "kinesis:GetRecords",
        "kinesis:GetShardIterator",
        "kinesis:DescribeStreamSummary",
        "kinesis:ListShards"
    ],
    "Resource": [
        "arn:aws:kinesis:<region>:<account>:stream/<stream-name>"
    ]
},
{
    "Effect": "Allow",
    "Action": [
        "kinesis:GetRecords",
        "kinesis:GetShardIterator",
        "kinesis:DescribeStreamSummary",
        "kinesis:ListShards"
    ],
    "Resource": [
        "arn:aws:kinesis:<region>:<account>:stream/<stream-name>"
    ]
},
We have every intention of creating more tests to validate this plugin...
MIT ©
FAQs
serverless-simplify-default-exec-role-plugin
We found that @lendi/serverless-simplify-default-exec-role-plugin demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 82 open source maintainers collaborating on the project.