I saw this answer, but it does not work for me: AWS SAM Multiple Functions with same Inline Policy

When I run `sam local start-api` it shows: 'Globals', "'Policies' is not a supported property of 'Function'"

This is my sample code:

Globals:
  Function:
    Runtime: nodejs14.x
    MemorySize: 128    
    Timeout: 100
    Policies:
      - Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'dynamodb:GetItem'
              - 'dynamodb:PutItem'
              - 'dynamodb:Scan'
              - 'dynamodb:Query'
              - 'dynamodb:DeleteItem'
              - 'dynamodb:Update*'
            Resource: 'arn:aws:dynamodb:us-xxxx-1:xxxxxxx:table/xxxxxxxx'

Is there any way to declare a global policy?

Ahmed
    You can create an `AWS::IAM::Policy` resource, however listing custom policy resources by reference under a `Function`'s `Policies` section is currently unsupported, and neither does the `Globals` object support listing policies for a function: https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-specification-template-anatomy-globals.html#sam-specification-template-anatomy-globals-supported-resources-and-properties – webninja Sep 11 '21 at 11:32
  • If you create a custom `AWS::IAM::Role` you can link it to custom `AWS::IAM::Policy` resources under the `Roles:` property, and then attach that `Role` to each function: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#aws-resource-iam-policy--examples--_Policy_with_specified_role. – webninja Sep 11 '21 at 11:34

1 Answer

According to the AWS SAM Globals documentation, Policies is not currently supported in the Globals > Function section.

However, you can define a role like:

CommonFunctionsRole:
  Type: AWS::IAM::Role
  Properties:
    Path: /
    # Trust policy: says WHO may assume the role (the Lambda service), not what it may do
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: 'sts:AssumeRole'
    # Without this managed policy the functions cannot write CloudWatch logs
    # (SAM's auto-generated roles include it for you)
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
    # Permissions policy: WHAT the functions may do, scoped to the one table
    Policies:
      - PolicyName: DynamoDbTableAccess
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - 'dynamodb:GetItem'
                - 'dynamodb:PutItem'
                - 'dynamodb:Scan'
                - 'dynamodb:Query'
                - 'dynamodb:DeleteItem'
                - 'dynamodb:Update*'
              Resource: 'arn:aws:dynamodb:us-xxxx-1:xxxxxxx:table/xxxxxxxx'

And reference it inside all your functions like:

Resources:
  MyFunction:
    Type: AWS::Serverless::Function
    Properties:
      # Role expects the role's ARN; !Ref on an AWS::IAM::Role returns only its name
      Role: !GetAtt CommonFunctionsRole.Arn

I haven't tested this, but you'll get the idea.

Leopoldo Varela
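As an added example (not part of the question or the answer above), a small pre-deploy check in Python for the mistakes this thread runs into: `Policies` placed under `Globals.Function`, and a shared role that is referenced with `Ref` (a name, where `Role` expects an ARN) or whose trust policy does not let the Lambda service assume it. The template is a constructed dict mirroring the YAML above, with intrinsics in long form and a placeholder account id and table name.

```python
from typing import Any, Dict, List

# Constructed sample template as the dict the YAML parses to (intrinsics in long form).
SAMPLE: Dict[str, Any] = {
    "Globals": {"Function": {"Runtime": "nodejs14.x", "Timeout": 100}},
    "Resources": {
        "CommonFunctionsRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": "TableAccess", "PolicyDocument": {
                "Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
                     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Example"}]}}]}},
        "FnA": {"Type": "AWS::Serverless::Function",
                "Properties": {"Role": {"Fn::GetAtt": ["CommonFunctionsRole", "Arn"]}}},
        "FnB": {"Type": "AWS::Serverless::Function",
                "Properties": {"Role": {"Ref": "CommonFunctionsRole"}}},
    },
}

def trusts_lambda(role: Dict[str, Any]) -> bool:
    """True if the role's trust policy lets the Lambda service assume it."""
    doc = role.get("Properties", {}).get("AssumeRolePolicyDocument", {})
    for st in doc.get("Statement", []):
        acts = [st["Action"]] if isinstance(st.get("Action"), str) else st.get("Action", [])
        principal = st.get("Principal")  # may be the string "*" rather than a mapping
        service = principal.get("Service") if isinstance(principal, dict) else None
        if (st.get("Effect") == "Allow" and "sts:AssumeRole" in acts
                and service == "lambda.amazonaws.com"):
            return True
    return False

def lint_template(tpl: Dict[str, Any]) -> List[str]:
    """Return findings as strings; an empty list means the template passed."""
    findings: List[str] = []
    if "Policies" in tpl.get("Globals", {}).get("Function", {}):
        findings.append("Globals.Function: 'Policies' is not a supported property")
    resources = tpl.get("Resources", {})
    for name, res in resources.items():
        role = res.get("Properties", {}).get("Role")
        if res.get("Type") != "AWS::Serverless::Function" or not isinstance(role, dict):
            continue  # not a function, no Role (SAM builds one), or a literal ARN
        if "Ref" in role:  # Ref on an IAM role yields its name, but Role wants an ARN
            findings.append(f"{name}: Role uses Ref; use Fn::GetAtt {role['Ref']}.Arn")
        target = role.get("Ref") or role.get("Fn::GetAtt", [None])[0]  # other intrinsics: skipped
        if target and not trusts_lambda(resources.get(target, {})):
            findings.append(f"{target}: trust policy does not allow lambda.amazonaws.com sts:AssumeRole")
    return findings
```

Run `lint_template` on your own template after loading it with a YAML loader that expands `!Ref`/`!GetAtt` into their long forms; the sample flags only `FnB`.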