Hello.
I don't think configuring an IAM role is necessary for "sam build".
I think the IAM role is required for resource deployment using "sam deploy".
https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/using-sam-cli-build.html
But it is still failing due to a lack of permissions on Lambda and IAM.
Is there any managed AWS policy that I can use to set up my IAM role?
Deployment with SAM requires permission to execute CloudFormation and permission to create AWS resources listed in template.yml.
So, I don't think there is an AWS managed policy that is just what you need.
If you can accept a policy with a wide range of privileges, why not set PowerUserAccess and iam:PassRole, iam:CreatePolicy, iam:CreateRole, iam:PutRolePolicy, iam:UpdateRole?
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/PowerUserAccess.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam-passrole-service.html
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementiam.html
Alternatively, I think a countermeasure would be to steadily test permissions using a policy simulator or the like.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html
Oops, sorry, I'm executing "sam deploy".
For "sam deploy", an IAM policy is required to create the resources listed in template.yml. I think it's best to use the FullAccess policy to create each resource or create a custom policy.
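
An added example, not part of the thread or of AWS's tooling: a simplified offline check of the suggestion above (PowerUserAccess plus the listed IAM actions) against the calls a deployment makes. The abridged policy copy and the `REQUIRED` list are assumptions constructed for illustration, and Resource and Condition elements are ignored, so the IAM policy simulator remains the authority.

```python
import fnmatch

# Abridged copy of the PowerUserAccess managed policy (constructed here from
# the linked reference; check that page for the current document).
POWER_USER = [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"]},
    {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole",
                                   "iam:DeleteServiceLinkedRole", "iam:ListRoles",
                                   "organizations:DescribeOrganization",
                                   "account:ListRegions"]},
]
# The extra IAM actions suggested in the reply above.
EXTRA_IAM = [{"Effect": "Allow", "Action": [
    "iam:PassRole", "iam:CreatePolicy", "iam:CreateRole",
    "iam:PutRolePolicy", "iam:UpdateRole"]}]

# Assumed calls for a template with one Lambda function and its execution role.
REQUIRED = ["cloudformation:CreateChangeSet", "cloudformation:ExecuteChangeSet",
            "s3:PutObject", "lambda:CreateFunction",
            "iam:CreateRole", "iam:PassRole", "iam:AttachRolePolicy"]


def _matches(action, patterns):
    # IAM action names are case-insensitive and support * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _applies(stmt, action):
    # NotAction applies to every action except the ones it lists.
    if "NotAction" in stmt:
        return not _matches(action, stmt["NotAction"])
    return _matches(action, stmt.get("Action", []))


def is_allowed(statements, action):
    """Explicit Deny wins; otherwise at least one Allow must apply."""
    hits = [s["Effect"] for s in statements if _applies(s, action)]
    return "Deny" not in hits and "Allow" in hits


def missing_actions(statements, required=REQUIRED):
    """Return the required actions the combined statements do not allow."""
    return [a for a in required if not is_allowed(statements, a)]


if __name__ == "__main__":
    print("PowerUserAccess only:", missing_actions(POWER_USER))
    print("plus extra IAM actions:", missing_actions(POWER_USER + EXTRA_IAM))
```

Any action still reported as missing is one to add to the custom policy or to confirm with the policy simulator before the next deployment attempt.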