serverless-iam-roles-per-function

What is serverless-iam-roles-per-function?

The serverless-iam-roles-per-function npm package allows you to define custom IAM roles for each function in your Serverless Framework project. This provides fine-grained access control and enhances security by ensuring that each function only has the permissions it needs.

What are serverless-iam-roles-per-function's main functionalities?

Define IAM Role for a Single Function

This feature allows you to define a custom IAM role for a specific function. In this example, the 'hello' function is granted permissions to put and update items in a DynamoDB table.

{
  "service": "my-service",
  "provider": {
    "name": "aws",
    "runtime": "nodejs14.x"
  },
  "functions": {
    "hello": {
      "handler": "handler.hello",
      "iamRoleStatements": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:PutItem",
            "dynamodb:UpdateItem"
          ],
          "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"
        }
      ]
    }
  }
}

Define IAM Role for Multiple Functions

This feature allows you to define custom IAM roles for multiple functions within the same service. In this example, the 'hello' function has permissions for DynamoDB, while the 'goodbye' function has permissions for S3.

{
  "service": "my-service",
  "provider": {
    "name": "aws",
    "runtime": "nodejs14.x"
  },
  "functions": {
    "hello": {
      "handler": "handler.hello",
      "iamRoleStatements": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:PutItem",
            "dynamodb:UpdateItem"
          ],
          "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"
        }
      ]
    },
    "goodbye": {
      "handler": "handler.goodbye",
      "iamRoleStatements": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject"
          ],
          "Resource": "arn:aws:s3:::my-bucket/*"
        }
      ]
    }
  }
}

Use Managed Policies

This feature allows you to attach AWS managed policies to the IAM role of a function. In this example, the 'hello' function is granted full access to DynamoDB through the AmazonDynamoDBFullAccess managed policy.

{
  "service": "my-service",
  "provider": {
    "name": "aws",
    "runtime": "nodejs14.x"
  },
  "functions": {
    "hello": {
      "handler": "handler.hello",
      "iamRoleStatements": [
        {
          "Effect": "Allow",
          "Action": [
            "dynamodb:PutItem",
            "dynamodb:UpdateItem"
          ],
          "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"
        }
      ],
      "iamManagedPolicies": [
        "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
      ]
    }
  }
}

Other packages similar to serverless-iam-roles-per-function

serverless-plugin-aws-alerts

The serverless-plugin-aws-alerts package allows you to create CloudWatch alarms for your Serverless functions. While it focuses on monitoring and alerting rather than IAM roles, it complements serverless-iam-roles-per-function by enhancing the observability of your functions.

serverless-plugin-tracing

The serverless-plugin-tracing package enables AWS X-Ray tracing for your Serverless functions. While it does not manage IAM roles, it provides valuable insights into the performance and execution of your functions, which can be useful for debugging and optimization.

README

Serverless IAM Roles Per Function Plugin

A Serverless plugin to easily define IAM roles per function via the use of iamRoleStatements at the function definition block.

Installation

npm install --save-dev serverless-iam-roles-per-function

Or if you want to try out the next upcoming version:

npm install --save-dev serverless-iam-roles-per-function@next

Add the plugin to serverless.yml:

plugins:
  - serverless-iam-roles-per-function

Note: Node 6.10 or higher runtime required.

Usage

Define iamRoleStatements definitions at the function level:

functions:
  func1:
    handler: handler.get
    iamRoleStatementsName: my-custom-role-name #optional custom role name setting instead of the default generated one
    iamRoleStatements:
      - Effect: "Allow"        
        Action:
          - dynamodb:GetItem        
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"
    ...
  func2:
    handler: handler.put    
    iamRoleStatements:
      - Effect: "Allow"        
        Action:
          - dynamodb:PutItem        
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"
    ...

The plugin will create a dedicated role for each function that has an iamRoleStatements definition. It will include the permissions for create and write to CloudWatch logs, stream events and if VPC is defined: AWSLambdaVPCAccessExecutionRole will be included (as is done when using iamRoleStatements at the provider level).

if iamRoleStatements are not defined at the function level default behavior is maintained and the function will receive the global iam role. It is possible to define an empty iamRoleStatements for a function and then the function will receive a dedicated role with only the permissions needed for CloudWatch and (if needed) stream events and VPC. Example of defining a function with empty iamRoleStatements and configured VPC. The function will receive a custom role with CloudWatch logs permissions and the policy AWSLambdaVPCAccessExecutionRole:

functions:
  func1:
    handler: handler.get    
    iamRoleStatements: []
    vpc:
      securityGroupIds:
        - sg-xxxxxx
      subnetIds:
        - subnet-xxxx
        - subnet-xxxxx

By default, function level iamRoleStatements override the provider level definition. It is also possible to inherit the provider level definition by specifying the option iamRoleStatementsInherit: true:

provider:
  name: aws
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - xray:PutTelemetryRecords
        - xray:PutTraceSegments
      Resource: "*"
  ...
functions:
  func1:
    handler: handler.get
    iamRoleStatementsInherit: true
    iamRoleStatements:
      - Effect: "Allow"        
        Action:
          - dynamodb:GetItem        
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"

The generated role for func1 will contain both the statements defined at the provider level and the ones defined at the function level.

If you wish to change the default behavior to inherit instead of override it is possible to specify the following custom configuration:

custom:
  serverless-iam-roles-per-function:
    defaultInherit: true

Role Names

The plugin uses a naming convention for function roles which is similar to the naming convention used by the Serverless Framework. Function roles are named with the following convention:

<service-name>-<stage>-<function-name>-<region>-lambdaRole

AWS has a 64 character limit on role names. If the default naming exceeds 64 chars the plugin will remove the suffix: -lambdaRole to shorten the name. If it still exceeds 64 chars an error will be thrown containing a message of the form:

auto generated role name for function: ${functionName} is too long (over 64 chars).
Try setting a custom role name using the property: iamRoleStatementsName.

In this case you should set the role name using the property iamRoleStatementsName. For example:

functions:
  func1:
    handler: handler.get
    iamRoleStatementsName: my-custom-role-name 
    iamRoleStatements:
      - Effect: "Allow"        
        Action:
          - dynamodb:GetItem        
        Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"
    ...

Contributing

Contributions are welcome and appreciated.

• Before opening a PR it is best to first open an issue. Describe in the issue what you want you plan to implement/fix. Based on the feedback in the issue, you should be able to plan how to implement your PR.
• Once ready, open a PR to contribute your code.
• To help updating the CHANGELOG.md file, we use standard-version. Make sure to use conventional commit messages as specified at: https://www.conventionalcommits.org/en/v1.0.0/.
• Update the release notes at CHANGELOG.md and bump the version by running:

  npm run release 
  

• Examine the CHANGELOG.md and update if still required.
• Don't forget to commit the files modified by npm run release (we have the auto-commit option disabled by default).
• Once the PR is approved and merged into master, travis-ci will automatically tag the version you created and deploy to npmjs under the next tag. You will see your version deployed at: https://www.npmjs.com/package/serverless-iam-roles-per-function?activeTab=versions.
• Test your deployed version by installing with the next tag. For example:

  npm install --save-dev serverless-iam-roles-per-function@next
  

More Info

Introduction post: Serverless Framework: Defining Per-Function IAM Roles

Note: Serverless Framework provides support for defining custom IAM roles on a per function level through the use of the role property and creating CloudFormation resources, as documented here. This plugin doesn't support defining both the role property and iamRoleStatements at the function level.