Document required IAM policy for deploying
This is what I used to set this up via Terraform; we should add it to the docs in a nicer format:
// IAM policy for the principal that runs the scandium deploy (REST API / API Gateway v1 variant).
// Every statement is pinned to the single function or API resolved through the `api_test`
// data sources; the only broader grant is the region-wide GET noted below.
data "aws_iam_policy_document" "github_api_deploy" {
  // Deploy rights on the one Lambda function. UpdateFunctionConfiguration covers more than
  // code (handler, environment, ...), so keep it scoped to this function ARN as done here.
  statement {
    actions = [
      "lambda:InvokeFunction",
      "lambda:UpdateFunctionCode",
      "lambda:UpdateFunctionConfiguration",
    ]
    resources = [data.aws_lambda_function.api_test.arn]
  }
  // Everything below here is only needed when NOT specifying --no-api-gateway
  // AddPermission edits the function's resource policy (presumably so API Gateway can invoke it).
  // The ":*" suffix matches any qualifier (version or alias) of the function.
  statement {
    actions = ["lambda:AddPermission"]
    resources = ["${data.aws_lambda_function.api_test.arn}:*"]
  }
  // This is only needed when NOT specifying --rest-api-id=
  // NOTE(review): this resource is the region-wide /restapis collection (region hard-coded),
  // i.e. read access to every REST API in eu-west-1 rather than just api_test. Passing
  // --rest-api-id= and dropping this statement keeps the policy single-API.
  statement {
    actions = ["apigateway:GET"]
    resources = ["arn:aws:apigateway:eu-west-1::/restapis"]
  }
  // Overwrite/update the definition of the one REST API.
  statement {
    actions = ["apigateway:PUT"]
    resources = [data.aws_api_gateway_rest_api.api_test.arn]
  }
  // Create a new deployment of that API.
  statement {
    actions = ["apigateway:POST"]
    resources = ["${data.aws_api_gateway_rest_api.api_test.arn}/deployments"]
  }
}
Update for #69: this is what I'm using with API Gateway v2. Note the extra PATCH statement — I haven't seen it documented, but without it POST-ing a new deployment does not make it go live.
// IAM policy for the principal that runs the scandium deploy (HTTP API / API Gateway v2 variant).
// Every statement is pinned to the single function or API resolved through the `api_test`
// data sources; the only broader grant is the region-wide GET noted below.
data "aws_iam_policy_document" "github_api_deploy" {
  // Code and configuration updates on the one Lambda function. UpdateFunctionConfiguration
  // covers more than code (handler, environment, ...), so keep it scoped to this ARN.
  statement {
    actions = ["lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration"]
    resources = [data.aws_lambda_function.api_test.arn]
  }
  // Resource-policy edits and invocation on qualified ARNs only: ":*" matches any
  // version or alias of the function, not the unqualified function ARN.
  statement {
    actions = ["lambda:AddPermission", "lambda:InvokeFunction"]
    resources = ["${data.aws_lambda_function.api_test.arn}:*"]
  }
  // This is only needed when NOT specifying --http-api-id=
  // NOTE(review): this resource is the region-wide /apis collection (region hard-coded),
  // i.e. read access to every HTTP API in eu-north-1 rather than just api_test. Passing
  // --http-api-id= and dropping this statement keeps the policy single-API.
  statement {
    actions = ["apigateway:GET"]
    resources = ["arn:aws:apigateway:eu-north-1::/apis"]
  }
  // Overwrite/update the definition of the one HTTP API.
  statement {
    actions = ["apigateway:PUT"]
    resources = [data.aws_apigatewayv2_api.api_test.arn]
  }
  // Create a new deployment of that API.
  statement {
    actions = ["apigateway:POST"]
    resources = ["${data.aws_apigatewayv2_api.api_test.arn}/deployments"]
  }
  // Without this the deployment will not go live
  // PATCH is limited to the API's $default stage (presumably to point the stage at the new
  // deployment). "$default" is a literal here: only "${" opens an interpolation in HCL.
  statement {
    actions = ["apigateway:PATCH"]
    resources = ["${data.aws_apigatewayv2_api.api_test.arn}/stages/$default"]
  }
}