
In order to allow my developers to use the Serverless Framework to deploy new AWS Lambda functions, they have to be able to create roles. I'd like to give them permissions to create roles that can only do a limited number of things, for example s3:*, dynamodb:*, cloudfront:Update*.

But I don't want them (RoleA) to be able to create roles (RoleB) that can do anything with EC2, IAM, etc. How might you limit this permission?

Bruno Bronosky

1 Answer


I also had the same problem; the only solution I found was to create the role to be used with the Lambdas before they actually made the deployment, and provide them with the role ARN to be passed to Serverless for the Lambda deployment.

In this way, they always used the same role(s) I gave them, and on those roles I attached custom policies with only the permissions required for the Lambdas to work.

If I remember correctly, you only need to grant their user permission to list and attach roles, instead of the CreateRole one.

Lorenz_DR
  • Thank you for this. This is the kind of solution I was going for but didn't know how to implement. I considered creating a single role that all developers would give their Lambdas initially and I would replace the role later with a custom limited one. I would much rather allow them to create a custom role but limit them to attaching a single policy which I would later replace. – Bruno Bronosky May 03 '19 at 08:57
  • Related to your statement "single role that all developers would give their Lambdas": this means having one single role used by all functions which, depending on the function, may end up granting more permissions than needed. Best practice would tell you to create one role for each Lambda function, or at least differentiate between roles if they need different permissions policy-wise. E.g. if all your Lambdas only need to access one particular S3 bucket, then it may make sense to have only one role and one policy; otherwise it would go against the Least Privileged Access guideline – Lorenz_DR May 07 '19 at 09:28
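The answer above spelled out as concrete IAM policy documents, as an added example (not code from the question, the answer, or the Serverless Framework). The account ID, the role name sls-lambda-exec, and the CloudWatch Logs actions are assumptions for illustration. The security-relevant piece is the developers' policy: it grants iam:PassRole only on the pre-created execution role and only when the role is passed to lambda.amazonaws.com, and it deliberately contains no iam:CreateRole, iam:PutRolePolicy or iam:AttachRolePolicy. A PassRole with "Resource": "*" would let a developer attach any role in the account, including an administrative one, to a function they control, which is a privilege-escalation path even though they cannot create roles. The two check functions are a small self-test that the execution role stays inside the allowlist from the question and that PassRole stays scoped; they treat IAM action matching as case-insensitive and report NotAction grants as out of bounds, since those allow everything not listed.

```python
# Added example, not from the original question or answer: the pre-created
# Lambda execution role (RoleB) and the developers' policy (RoleA) as IAM
# policy documents, plus two checks. Account ID, role name and the logs
# actions are placeholder assumptions.
import fnmatch

ACCOUNT_ID = "123456789012"           # assumption: placeholder account
LAMBDA_ROLE_NAME = "sls-lambda-exec"   # assumption: role the admin creates up front
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{LAMBDA_ROLE_NAME}"

# What the question allows the Lambda role to do, and nothing else. The logs
# actions are an assumption: a Lambda needs them to write to CloudWatch Logs.
ALLOWED_ACTION_PATTERNS = [
    "s3:*", "dynamodb:*", "cloudfront:Update*",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
]

# Trust policy for the pre-created role: only the Lambda service may assume it.
LAMBDA_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy attached to that role (RoleB). No ec2:, no iam:.
LAMBDA_ROLE_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*", "dynamodb:*", "cloudfront:Update*",
                   "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
        "Resource": "*",
    }],
}

# Policy for the developers (RoleA): look the role up and pass it to Lambda.
# There is no iam:CreateRole / iam:PutRolePolicy / iam:AttachRolePolicy, so
# they cannot mint a role with EC2 or IAM rights, and PassRole is pinned to
# the one ARN; "Resource": "*" here would let them pass an admin role instead.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # iam:ListRoles does not support resource-level scoping.
            "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*",
        },
        {
            "Effect": "Allow", "Action": "iam:GetRole", "Resource": LAMBDA_ROLE_ARN,
        },
        {   # Only this role, and only when handed to the Lambda service.
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": LAMBDA_ROLE_ARN,
            "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
        },
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def granted_actions(policy):
    """Actions granted by Allow statements, lower-cased because IAM matches
    action names case-insensitively. A NotAction grant (which allows every
    action not listed) is reported as 'notaction:<list>'."""
    actions = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            actions.append("notaction:" + ",".join(_as_list(stmt["NotAction"])).lower())
        for action in _as_list(stmt.get("Action", [])):
            actions.append(action.lower())
    return actions


def actions_outside_allowlist(policy, allowed_patterns):
    """Granted actions that no allowlist pattern covers. A granted wildcard
    that is broader than a pattern (e.g. 'cloudfront:*' against
    'cloudfront:Update*', or a bare '*') is reported, as are NotAction grants."""
    patterns = [p.lower() for p in allowed_patterns]
    return [a for a in granted_actions(policy)
            if a.startswith("notaction:")
            or not any(fnmatch.fnmatchcase(a, p) for p in patterns)]


def pass_role_is_scoped(policy, allowed_role_arns):
    """True only if the policy grants iam:PassRole (directly or via a wildcard
    such as 'iam:*') and every such grant names only ARNs in allowed_role_arns,
    so no wildcard ARN and no 'Resource': '*'."""
    scoped = False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("iam:passrole", a) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource", "*")):
            if res not in allowed_role_arns:
                return False
        scoped = True
    return scoped


if __name__ == "__main__":
    import json
    print(json.dumps(DEVELOPER_POLICY, indent=2))
    print("outside allowlist:",
          actions_outside_allowlist(LAMBDA_ROLE_PERMISSIONS, ALLOWED_ACTION_PATTERNS))
    print("PassRole scoped:", pass_role_is_scoped(DEVELOPER_POLICY, {LAMBDA_ROLE_ARN}))
```

The developers then reference the pre-created role from serverless.yml with `provider.role` (or a per-function `role:`) set to the ARN the admin hands out. If you follow the comment above and create one execution role per function, the PassRole statement's Resource becomes the list of those ARNs, and `pass_role_is_scoped` takes the same set; anything wider than an explicit list of role ARNs is what the check is there to catch.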