aws-sam-cli
Pick up the IAM Role from Template
Newish to all this, but my CloudFormation templates typically build the roles for the Lambda to execute under. The roles don't exist outside of this scope. Trying to use sam local invoke, unfortunately it doesn't seem to reach out to that role. The steps to test locally therefore now seem more involved / cumbersome. What advice would anyone have in this regard? I would have thought it's a common pattern to support, and probably too much to ask / out of scope?
Having said that, I suppose if it were actually picking up my AWS credentials instead of the IAM role of the server I'm running on I wouldn't have an issue!? Not sure what's going on now, and why it's using the server IAM profile.
SAM Local runs under whatever AWS credentials are local on your system. So, if your dev team wants to utilize SAM Local, and your app accesses deployed AWS resources (such as a shared DynamoDB Table, SSM Parameter Store, KMS keys, SNS Topics, etc.), then each of your developers needs to have their local machine set up with an AWS access key that has access to all of those deployed resources.
Alternatively, you can mock many of those services using tools like dynamodb-local. The setup for this is complicated, but it is doable.
This will surely evolve over time. With the current state of the SAM tooling, it seems important for each developer to have access to a shared dev environment in a dev AWS account.
Yes, I kind of realised once posting that actually my AWS credentials would sufficiently provide access to all the resources the Lambda required; however, the error message in the console from sam shows that sam local is running using the IAM role given to the instance. Do I need to do anything to get my credentials over to the Docker container or something? Not sure why it's not picking them up. They are 'default'. I can see a benefit of picking up the IAM role from the template in that it would add more breadth to the testing, but I can see that as a nice to have, not an early doors feature.
The thing about IAM Roles, is that SAM Local doesn't create any IAM Roles. If you're running SAM Local without first deploying via SAM (cloudformation package command), then those IAM Roles don't exist yet.
sam local is running using the IAM role given to the instance
Are you running SAM Local on an EC2 instance?
I know it doesn't, I'm just suggesting that would also be a nice to have to test the security of your Lambda.
My immediate issue seems to be that, while my AWS credentials would allow me to access any number of resources, when I run SAM Local (on an EC2 instance), it gets a permission error, and the error message sent to the console clearly indicates it's trying to access resources using the IAM role of the EC2 instance, and not my credentials, which I have set up for the AWS CLI also on the instance.
I'd also like to find a trivial way to test all of my lambdas with their roles locally.
I currently have dev/staging/prod accounts set up and can quickly deploy to dev via aws cloudformation package/deploy...
and then invoke with a test event, so maybe that's simple enough to work out policies and such right on the Lambda instance.
In my Lambda function code, I have an API call for STS AssumeRole.
When I run the Lambda function locally, it uses AWS credentials which are configured locally.
My Lambda function invocation fails, with an error - AccessDenied: User:
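The workaround several people in this thread converge on (deploy the role first, then exercise it from a local invocation) can be made explicit in the handler. The example below is added here and is not code from the aws-sam-cli project or from anyone in the thread. It assumes a hypothetical environment variable, LOCAL_TEST_ROLE_ARN, that you pass to sam local invoke via an --env-vars file, and a constructed FakeSts stand-in for boto3's STS client so the block runs offline. When AWS_SAM_LOCAL is set (sam local sets it inside the container), the function assumes the deployed execution role with whatever credentials sam local handed the container, so every downstream call is authorized by the role's policy; in real Lambda it does nothing, because the execution role is already the ambient identity. caller_identity_arn is the check for the symptom reported above: it tells you which principal (your key, or the EC2 instance profile) sam local actually passed in.

```python
"""Added example (not from the aws-sam-cli project or the thread's authors).

Assumed/hypothetical names: LOCAL_TEST_ROLE_ARN (an env var passed via
`sam local invoke --env-vars env.json`) and the constructed FakeSts client
used so this runs offline.
"""
import os
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str


def running_under_sam_local(env: Mapping[str, str]) -> bool:
    # sam local sets AWS_SAM_LOCAL=true inside the invocation container.
    return env.get("AWS_SAM_LOCAL", "").lower() == "true"


def caller_identity_arn(sts_client) -> str:
    # Which principal the code is really running as: the developer's key, or
    # (the symptom reported in this thread) the EC2 instance profile.
    return sts_client.get_caller_identity()["Arn"]


def credentials_for_invocation(env: Mapping[str, str], sts_client,
                               session_name: str = "sam-local-role-test") -> Optional[Credentials]:
    """Temporary credentials for the deployed execution role when running under
    sam local; None in real Lambda, where the execution role is already the
    ambient identity and no AssumeRole is needed."""
    if not running_under_sam_local(env):
        return None
    role_arn = env.get("LOCAL_TEST_ROLE_ARN")  # hypothetical variable name
    if not role_arn:
        raise RuntimeError("LOCAL_TEST_ROLE_ARN must name the deployed execution role")
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        DurationSeconds=900,  # the minimum STS allows; keep test sessions short
    )
    c = resp["Credentials"]
    return Credentials(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"])


def lambda_handler(event, context):
    # Real entry point. boto3 is available in the Lambda runtime and in the
    # image sam local runs; the offline demo below does not need it.
    import boto3
    creds = credentials_for_invocation(os.environ, boto3.client("sts"))
    session = (boto3.Session(aws_access_key_id=creds.access_key_id,
                             aws_secret_access_key=creds.secret_access_key,
                             aws_session_token=creds.session_token)
               if creds else boto3.Session())
    # Every call made through `session` is now authorized by the execution
    # role's policy, both locally and when deployed.
    return {"running_as": caller_identity_arn(session.client("sts"))}


class FakeSts:
    """Constructed stand-in for boto3's STS client (offline demo only)."""

    def __init__(self, caller_arn: str):
        self.caller_arn = caller_arn
        self.assumed = []

    def get_caller_identity(self):
        return {"Arn": self.caller_arn}

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.assumed.append(RoleArn)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret-example",
                                "SessionToken": "token-example"}}


if __name__ == "__main__":
    sts = FakeSts("arn:aws:iam::123456789012:user/dev")  # constructed identity
    local_env = {"AWS_SAM_LOCAL": "true",
                 "LOCAL_TEST_ROLE_ARN": "arn:aws:iam::123456789012:role/my-function-role"}
    print("invoked as:", caller_identity_arn(sts))
    print("local path:", credentials_for_invocation(local_env, sts))
    print("deployed path:", credentials_for_invocation({}, sts))
```

Two caveats a practitioner should keep in mind. First, a Lambda execution role's trust policy normally allows only lambda.amazonaws.com to assume it, so for this to work in the dev account the role's trust policy must also allow the developers' principals to call sts:AssumeRole; do that only in the dev account, never in prod. Second, if caller_identity_arn reports the instance profile rather than your user, sam local is not finding your credentials: run it with --profile (or AWS_PROFILE set) as the same OS user whose ~/.aws/credentials holds the profile, since a different user or sudo gets a different home directory and falls through to the instance metadata credentials.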
+1 as a feature request.
Would be nice for local invoke to use the IAM role assigned to the Lambda function in the template to more accurately test permissions/policies locally.
This request is better covered by Accelerate (sam sync) docs, which was recently launched. This is due to the need to deploy your Role in order for it to be usable.
Closing this as addressed with Accelerate. Even though Accelerate is cloud-based testing, this is better solved with that than locally.