
Execute functions with roles specified in template

Open tobiasfeil opened this issue 5 years ago • 3 comments

I have a function that sends an email with ses, and I specified in the template, among others:

```yaml
Resources:
  EmailFunction:
    Type: AWS::Serverless::Function
    Properties:
      Policies:
        - CloudWatchFullAccess
        - AmazonSESFullAccess
```

Remotely, this works, as an implicit role is created with the specified policies attached. But locally, it tries to execute as the user specified in ~/.aws/config, and fails, as I haven't attached SES policies to this user. It would feel more consistent to me if it used the same role locally and remotely, is this possible?

tobiasfeil avatar Apr 25 '20 08:04 tobiasfeil

This is definitely a known feature request, but it isn't possible through local at this time.

awood45 avatar May 04 '20 22:05 awood45

I think it's possible by using the assume role API.

SAM could use the existing credentials (AWS_PROFILE, --profile, AWS_ACCESS_KEY_ID) to call the sts assume-role API with the configured Policies as PolicyArns and Policy and using the returned session credentials for the Lambda invocation.

timoschilling avatar May 05 '20 13:05 timoschilling
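The comment above sketches how SAM could turn a function's `Policies` list into an STS `AssumeRole` call and run the invocation under the returned session credentials. The following is an added illustration of that idea, not SAM CLI code: it assumes `Policies` entries are either AWS-managed policy names/ARNs or inline policy documents (SAM's policy templates are deliberately rejected rather than guessed at), and it takes any STS client object with an `assume_role` method, so boto3's client works while the `FakeSts` stand-in below lets it run offline. Note the STS semantics this design relies on: `PolicyArns` and `Policy` are session policies, which can only narrow what the assumed role already allows.

```python
"""Translate a SAM function's Policies list into an STS AssumeRole request."""
import json

# Constructed sample: the template fragment from the issue plus one inline policy,
# as SAM CLI would see it after parsing the YAML.
SAMPLE_POLICIES = [
    "CloudWatchFullAccess",
    "AmazonSESFullAccess",
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "ses:SendEmail", "Resource": "*"}]},
]


def managed_policy_arn(name, partition="aws"):
    """Expand a bare AWS-managed policy name to its ARN; pass full ARNs through."""
    if name.startswith("arn:"):
        return name
    # AWS-managed policies live under the literal account "aws" in every partition.
    return f"arn:{partition}:iam::aws:policy/{name}"


def merge_inline_policies(documents):
    """STS accepts a single session Policy, so merge inline documents' statements."""
    statements = []
    for doc in documents:
        stmts = doc.get("Statement", [])
        statements.extend(stmts if isinstance(stmts, list) else [stmts])
    return {"Version": "2012-10-17", "Statement": statements}


def build_assume_role_request(role_arn, policies, session_name="sam-local-invoke"):
    """Return keyword arguments for sts.assume_role.

    Managed policy names become PolicyArns and inline documents become the
    session Policy. Both are session policies: the effective permissions are
    the intersection with the role's own policies, never a superset.
    """
    arns, inline = [], []
    for entry in policies:
        if isinstance(entry, str):
            arns.append({"arn": managed_policy_arn(entry)})
        elif isinstance(entry, dict) and "Statement" in entry:
            inline.append(entry)
        else:
            # e.g. {"SESCrudPolicy": {...}}: a SAM policy template, which only the
            # SAM transform can expand, so refuse instead of silently dropping it.
            raise ValueError(f"unsupported Policies entry: {entry!r}")
    if len(arns) > 10:
        raise ValueError("STS AssumeRole accepts at most 10 PolicyArns")
    request = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if arns:
        request["PolicyArns"] = arns
    if inline:
        request["Policy"] = json.dumps(merge_inline_policies(inline))
    return request


def session_env(sts_client, request):
    """Call AssumeRole and map the temporary credentials onto the environment
    variables the Lambda runtime container reads (what SAM would inject)."""
    creds = sts_client.assume_role(**request)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


class FakeSts:
    """Offline stand-in for boto3's STS client; records the request it received."""

    def __init__(self):
        self.last_request = None

    def assume_role(self, **kwargs):
        self.last_request = kwargs
        # Constructed placeholder credentials, not real ones.
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret-example",
                                "SessionToken": "token-example"}}


if __name__ == "__main__":
    # Constructed role ARN in the <stack>-<logical-id>-<hash> shape SAM deploys.
    role = "arn:aws:iam::123456789012:role/email-stack-EmailFunctionRole-EXAMPLE"
    req = build_assume_role_request(role, SAMPLE_POLICIES)
    print(json.dumps(req, indent=2))
    print(session_env(FakeSts(), req))
```

With a real boto3 STS client in place of `FakeSts`, the dictionary returned by `session_env` is what would be merged into the invoked container's environment; the caller must already be allowed to assume the role, which is the trust-policy requirement discussed later in the thread.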

This would be really cool. Especially if it was the default behavior. Then you would only have to specify the policies in the template and not in 2 different places.

tobiasfeil avatar May 05 '20 13:05 tobiasfeil

This is an old issue, but I got some thoughts around it:

The problem with this feature is that to actually assume the role and invoke the function, the role to be assumed needs to have an extra trust policy, and it doesn't "just work" out-of-the-box.

For adding that policy, there are two options:

  1. Customers need to add this to their SAM templates through the AssumeRolePolicyDocument field. Customers would have to add two policies: one to authorize Lambda (to not lose normal Lambda invokes, which is currently added by SAM by default) and two, for themselves to assume the role for local test.
  2. A change has to be made in the SAM transform, to receive some sort of extra parameter that adds this Trust policy behind the scenes to do this kind of testing. Normally it's not a good practice to have Lambda roles that can also be assumed by normal users in your account, so it's not something that's likely to come by default.

This is still something that can eventually be done, but it includes more moving parts than just SAM CLI.

valerena avatar Feb 17 '23 00:02 valerena

And (I'm not sure if SAM Accelerate may help with this one, but) the other problem I see is that it's not always easy to find the name of the corresponding role in IAM that was deployed from your template. First, you need to know the stack name (because you can create multiple stacks with the same template). Second, I don't think the name of the role can be guessed from the template only. It does have the format <stack-name>-<logical-id>- but it normally ends with a hash that's generated by CloudFormation, so it's not just a consistent name that can be calculated. (should users need to add the role name as a parameter to this sam local invoke-with-role operation? That's an option, but again, it's just something that's not completely straightforward)

I guess it's possible to make a call to CloudFormation with the stack name and logical id to get the physical id too.

valerena avatar Feb 17 '23 00:02 valerena
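The two preceding comments describe the extra moving parts: a trust policy with two statements (one for the Lambda service, one for the person running the local invoke) and a CloudFormation lookup to find the role whose name carries an unpredictable hash. The block below is an added example of both, not code from SAM CLI or the SAM transform. It assumes that SAM names the generated role `<FunctionLogicalId>Role` (it does for `AWS::Serverless::Function` without an explicit `Role`), that the CloudFormation client only needs a `describe_stack_resource` method (boto3's works; the fake below runs offline), and that `LOCAL_PRINCIPAL` is a constructed placeholder.

```python
"""Trust policy for local assume-role testing, plus role lookup by stack/logical id."""
import json

# Constructed placeholder for the developer principal that would run sam local.
LOCAL_PRINCIPAL = "arn:aws:iam::123456789012:user/developer"


def lambda_trust_policy(extra_principals=()):
    """Build an AssumeRolePolicyDocument with the Lambda service statement SAM
    adds by default plus one statement per extra principal. Dropping the first
    statement breaks normal invokes; the second is what lets a person assume a
    Lambda role, which the comment above notes is not default-worthy practice."""
    statements = [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }]
    for principal in extra_principals:
        statements.append({
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def principal_can_assume(trust_policy, principal_arn):
    """Report whether the trust policy grants sts:AssumeRole to an IAM principal,
    so a local tool can fail early with a clear message instead of an opaque
    AccessDenied. Accepts string or list forms; ignores Condition blocks."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        if principal_arn in aws:
            return True
    return False


def resolve_role_arn(cfn_client, stack_name, function_logical_id):
    """Find the execution role CloudFormation created for a SAM function.

    The role name is <stack>-<logical-id>-<hash> and cannot be computed from
    the template, so ask CloudFormation for the physical id of the generated
    <FunctionLogicalId>Role resource and build the ARN from it.
    """
    detail = cfn_client.describe_stack_resource(
        StackName=stack_name, LogicalResourceId=f"{function_logical_id}Role"
    )["StackResourceDetail"]
    if detail["ResourceType"] != "AWS::IAM::Role":
        raise ValueError(f"{detail['LogicalResourceId']} is "
                         f"{detail['ResourceType']}, not an IAM role")
    # For AWS::IAM::Role the physical id is the role name. The account id comes
    # from the stack id: arn:aws:cloudformation:REGION:ACCOUNT:stack/NAME/UUID.
    account = detail["StackId"].split(":")[4]
    return f"arn:aws:iam::{account}:role/{detail['PhysicalResourceId']}"


class FakeCloudFormation:
    """Offline stand-in returning a constructed DescribeStackResource response."""

    def describe_stack_resource(self, StackName, LogicalResourceId):
        return {"StackResourceDetail": {
            "StackName": StackName,
            "StackId": f"arn:aws:cloudformation:us-east-1:123456789012:stack/"
                       f"{StackName}/00000000-0000-0000-0000-000000000000",
            "LogicalResourceId": LogicalResourceId,
            "PhysicalResourceId": f"{StackName}-{LogicalResourceId}-ABCDEFGHIJKL",
            "ResourceType": "AWS::IAM::Role",
            "ResourceStatus": "CREATE_COMPLETE",
        }}


if __name__ == "__main__":
    policy = lambda_trust_policy([LOCAL_PRINCIPAL])
    print(json.dumps(policy, indent=2))
    print("local principal may assume:", principal_can_assume(policy, LOCAL_PRINCIPAL))
    print(resolve_role_arn(FakeCloudFormation(), "email-stack", "EmailFunction"))
```

The returned ARN is the `RoleArn` an assume-role based local invoke would need; `principal_can_assume` is the pre-flight check that turns the "it doesn't just work out-of-the-box" failure into an explicit message about the missing trust statement.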