serverless-iam-roles-per-function

defaultInherit does not work

Open BartusZak opened this issue 3 years ago • 4 comments

service: multibook-service-${self:custom.clientName}

package:
  individually: true # Create an optimized package for our functions
  include:
    - "../libs/**" # Adds shared extensions
    
plugins:
  - serverless-dynamodb-local # Development
  - serverless-offline # Development
  - serverless-iam-roles-per-function # Define IAM roles per function
  - serverless-deployment-bucket # Create and configure the custom Serverless deployment bucket.
  
custom: ${file(../serverless.common.yml):custom}

provider: 
  name: aws
  lambdaHashingVersion: 20201221
  runtime: nodejs14.x
  stage: ${self:custom.stage}
  region: ${self:custom.region}
  profile: ${self:custom.stages.${self:provider.stage}.profile}
  # Deployment Bucket Configuration shared across stacks
  # Does not work when importing from serverless.common.yml
  deploymentBucket:
    name: ${self:custom.artifactsBucketName}
    serverSideEncryption: AES256
    tags: # Tags that will be added to each of the deployment resources
      CLIENT_NAME: ${self:custom.clientName}
  stackTags: # Optional CF stack tags
    CLIENT_NAME: ${self:custom.clientName}
  tracing:
    apiGateway: true
    lambda: true

  environment:
    MULTIBOOKS_DYNAMODB_TABLE: ${self:custom.dynamodbTables.MULTIBOOKS_DYNAMODB_TABLE}
    USERS_DYNAMODB_TABLE: ${self:custom.dynamodbTables.USERS_DYNAMODB_TABLE}
    RELEASES_DYNAMODB_TABLE: ${self:custom.dynamodbTables.RELEASES_DYNAMODB_TABLE}

  iamRoleStatements:
      - ${file(../serverless.common.yml):lambdaPolicyXRay}
      - Effect: Allow
        Action:
          - dynamodb:Query
        Resource: !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.MULTIBOOKS_DYNAMODB_TABLE}/index/*"
  
  functions:
    currentUserList:
      handler: handlers/currentUser/list.handler
      # iamRoleStatementsInherit: true <-- i still have to explicitly declare it to make it inherit
      iamRoleStatements:
        - Effect: "Allow"
          Action:
            - dynamodb:GetItem
          Resource:
            - !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.USERS_DYNAMODB_TABLE}"
            - !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.RELEASES_DYNAMODB_TABLE}"

custom:
  serverless-iam-roles-per-function: # Not working
    defaultInherit: true

"serverless-iam-roles-per-function": "^3.1.0",

serverless --version
Framework Core: 2.25.2
Plugin: 4.4.3
SDK: 2.3.2
Components: 3.7.0

Edit:

  • Added missing provider and more details to serverless.yml
  • Added serverless framework and plugin version

BartusZak avatar Mar 11 '21 13:03 BartusZak

@BartusZak Please make sure that the default iamRoleStatements are stored under provider in the configuration tree, like this:

custom: ${file(../serverless.common.yml):custom}

provider: # <-- difference is here
  iamRoleStatements:
      - ${file(../serverless.common.yml):lambdaPolicyXRay}
      - Effect: Allow
        Action:
          - dynamodb:Query
        Resource: !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.MULTIBOOKS_DYNAMODB_TABLE}/index/*"

functions:
  currentUserList:
    handler: handlers/currentUser/list.handler
    # iamRoleStatementsInherit: true <-- i still have to explicitly declare it to make it inherit
    iamRoleStatements:
      - Effect: "Allow"
        Action:
          - dynamodb:GetItem
        Resource:
          - !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.USERS_DYNAMODB_TABLE}"
          - !Sub "arn:aws:dynamodb:${self:provider.region}:${AWS::AccountId}:table/${self:provider.environment.RELEASES_DYNAMODB_TABLE}"

Enase avatar Mar 11 '21 14:03 Enase

@Enase thanks for the comment. Missing provider is not the problem here.

Originally it's there. I just cut too much and forgot to include it in my comment. :D

I edited the first comment.

Any other bets? :)

BartusZak avatar Mar 11 '21 14:03 BartusZak

@BartusZak could you please do the following:

  1. Open the plugin source file in your project. Sample path: /node_modules/serverless-iam-roles-per-function/dist/lib/index.js
  2. Go to line 317 - node_modules/serverless-iam-roles-per-function/dist/lib/index.js:317
  3. Add console logs like below:
        const isInherit = functionObject.iamRoleStatementsInherit
            || (this.defaultInherit && functionObject.iamRoleStatementsInherit !== false);
        console.log('Default inherit state:', this.defaultInherit);
        console.log('Function inherit state:', functionObject.iamRoleStatementsInherit);
  4. Run sls package and try to find out why your isInherit value is false.

Enase avatar Mar 11 '21 18:03 Enase
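
The inherit decision from the snippet above, modelled as an added example (not the plugin's code and not part of any comment in this thread): it computes which statements a function role ends up with for four constructed configurations. Reading `defaultInherit` from `custom['serverless-iam-roles-per-function']`, the helper names and the placeholder ARNs are assumptions.

```javascript
// Added example: models the inherit decision quoted in the thread.
const PLUGIN_KEY = 'serverless-iam-roles-per-function';

// Assumption: defaultInherit lives under custom[PLUGIN_KEY], as in the issue's config.
function readDefaultInherit(custom) {
  const section = (custom && custom[PLUGIN_KEY]) || {};
  return section.defaultInherit === true;
}

// Same boolean expression as the snippet from dist/lib/index.js shown above.
function isInherit(defaultInherit, fn) {
  return Boolean(fn.iamRoleStatementsInherit
    || (defaultInherit && fn.iamRoleStatementsInherit !== false));
}

// Statements the function role receives: provider-level ones only when inherited.
function effectiveStatements(service, fnName) {
  const fn = service.functions[fnName];
  const inherited = isInherit(readDefaultInherit(service.custom), fn)
    ? (service.provider.iamRoleStatements || []) : [];
  return [...inherited, ...(fn.iamRoleStatements || [])];
}

const actionsOf = (stmts) => stmts.flatMap((s) => [].concat(s.Action)).sort();

// Constructed sample data (placeholder ARNs), shaped like the config in the issue.
const provider = { iamRoleStatements: [
  { Effect: 'Allow', Action: ['dynamodb:Query'], Resource: 'arn:aws:dynamodb:REGION:ACCOUNT:table/EXAMPLE/index/*' }] };
const fn = { handler: 'handlers/currentUser/list.handler', iamRoleStatements: [
  { Effect: 'Allow', Action: ['dynamodb:GetItem'], Resource: 'arn:aws:dynamodb:REGION:ACCOUNT:table/EXAMPLE' }] };
const on = { [PLUGIN_KEY]: { defaultInherit: true } };

const cases = {
  defaultInheritLoaded: { provider, custom: on, functions: { f: fn } },
  pluginKeyAbsent: { provider, custom: { stage: 'dev' }, functions: { f: fn } },
  functionOptsOut: { provider, custom: on, functions: { f: { ...fn, iamRoleStatementsInherit: false } } },
  functionOptsIn: { provider, custom: {}, functions: { f: { ...fn, iamRoleStatementsInherit: true } } },
};

function report() {
  return Object.fromEntries(Object.entries(cases)
    .map(([name, svc]) => [name, actionsOf(effectiveStatements(svc, 'f'))]));
}

console.log(report());
```

Comparing the action list of a packaged function role against the `defaultInheritLoaded` and `pluginKeyAbsent` rows shows whether the provider-level statements were merged into that role.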

@BartusZak any updates?

Enase avatar Mar 19 '21 00:03 Enase