I'm not sure how much is possible, but if we assume the policies generated by this tool would be used by CodeBuild to deploy a Serverless application, are there policy conditions that could be added to further restrict the policy?

Seems like there could be some improvements to support the schedule event type.

Given a serverless.yml config essentially like this:

service: myservice
frameworkVersion: "=1.45.1"

functions:
  myfunc:
    events:
      - schedule: rate(1 minute)

The events policies generated look like this:

    {
      "Effect": "Allow",
      "Action": [
        "events:Put*",
        "events:Remove*",
        "events:Delete*"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/myservice-*-us-east-1"
      ]
    },

But i found this error, on sls deploy:

• An error occurred: MyfuncEventsRuleSchedule1 - User: arn:aws:iam:::user/serverless-agent is not authorized to perform: events:DescribeRule on resource: arn:aws:events:us-east-1::rule/myservice-dev-MyfuncEventsRuleSchedule1-1VUFLZR5PHGXL (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: AccessDeniedException; ...

i changed that portion to the following, to resolve that (added events:DescribeRule and changed the resource value):

    {
      "Effect": "Allow",
      "Action": [
        "events:Put*",
        "events:Remove*",
        "events:Delete*",
        "events:DescribeRule"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/myservice-*"
      ]
    },

Thanks for writing this generator.

When deleting the stack the following error is logged:

ServerlessError: An error occurred while provisioning your stack: HelloLogGroup - User: {IAM User} is not authorized to perform: logs:DeleteLogGroup on resource: {Resource}.

Fairly trivial policy fix by adding logs:DeleteLogGroup.

I have a serverless service with a semi-long name. For illustration let's call it serverless-my-long-name.

When I deployed, the S3 bucket that was created was named something like serverless-my-long-name-serverlessdeploymentbuck-1234567890123. Note that the last two letters in bucket are missing. As a result, the generated IAM policy that included arn:aws:s3:::serverless-my-long-name*serverlessdeploymentbucket* didn't work. It looks like the max length for an S3 bucket name is 63 characters, so I guess the CloudFormation template is truncating the name to be able to add the random characters on the end.

After generating a policy with S3 enabled, I tried to deploy the hello-world example for Severless. Serverless said

An error occurred: ServerlessDeploymentBucketPolicy - API: s3:PutBucketPolicy Access Denied.

I had to manually edit the policy on the AWS console and allow it. It worked after.

By the way, I'm new to Serverless. The first time I ran the generator, I disabled S3 access since I plan not to use S3 for the Serverless function. It looks like Serverless needs it regardless to upload the files. I'm not sure if that should be a default option or not.

Thanks though for making this!

Not sure if it was just my use case but I had to add the following permissions to the generated policy to get this to work:

cloudformation:ValidateTemplate
apigateway:PATCH
ec2:DeleteNetworkInterface
ec2:DescribeNetworkInterfaces

Would it be possible to provide an account ID instead of using * in the ARNs?

When running serverless deploy using this IAM policy, if you're using AWS SSM (e.g. ${ssm:/your-variable/example~true}, serverless is unable to pull in the SSM variables.

This can be resolved by adding in the IAM permissions outlined in serverless/serverless#5781

I needed to add the following permissions to get "serverless deploy" to work:

• s3:PutEncryptionConfiguration
• s3:GetEncryptionConfiguration
• apigateway:PATCH

$ yo serverless-policy
/usr/lib/node_modules/generator-serverless-policy/generators/app/index.js:143
module.exports = class extends Generator {
^^^^^

SyntaxError: Block-scoped declarations (let, const, function, class) not yet supported outside strict mode
at exports.runInThisContext (vm.js:53:16)
at Module._compile (module.js:373:25)
at Object.Module._extensions..js (module.js:416:10)
at Module.load (module.js:343:32)
at Function.Module._load (module.js:300:12)
at Module.require (module.js:353:17)
at require (internal/module.js:12:17)
at Object.defineProperty.get [as serverless-policy:app] (/usr/lib/node_modules/yo/node_modules/yeoman-environment/lib/store.js:40:23)
at Store.get (/usr/lib/node_modules/yo/node_modules/yeoman-environment/lib/store.js:64:35)
at Environment.get (/usr/lib/node_modules/yo/node_modules/yeoman-environment/lib/environment.js:262:16)

The IAM generator adds an action of:
cloudformation:PreviewStackUpdate

This no longer exists and needs to probably be replaced.
It also flags an error as an "unrecognized action" within IAM.

Cheers

Hi,

Trying to lock down serverless deployment policy, is there any chance that IAM Full Access is not mandatory ? Even after the initial creation of the stack?

Hi!

Could you please update the version of the package, so the npm install includes last changes (like this one #9).