
Create one scaling dedicated IAM role per project (not table)

medikoo opened this issue 8 years ago • 10 comments

Currently, the project creates a scaling role per table, which inconveniently increases the resource count of the CloudFormation stack, e.g. with a larger number of tables it's more likely to reach the 200 resources limit, which is not shiftable.

As it's the scalable targets that state which roles they're going to use, the ScalingRole can safely be configured as one global resource; it's also how it's shown in the AWS CloudFormation documentation.

medikoo avatar Oct 11 '17 07:10 medikoo

Good point 👍

sbstjn avatar Oct 11 '17 08:10 sbstjn

It would also be useful to allow use of a role defined outside the stack.

mithun avatar Oct 13 '17 17:10 mithun

I addressed this in the plain JS version of this module at https://github.com/medikoo/serverless-plugin-dynamodb-autoscaling (still, the role name remains fixed at this point).

medikoo avatar Oct 16 '17 13:10 medikoo

@sbstjn - Just had a very quick check of the source. Wouldn't changing this line fix it?

(Unless there is a reason to have an option to either have 1 role or multiple roles?)

  public role(): string {
    return clean(this.build(TEXT.ROLE))
  }

to

  public role(): string {
    return TEXT.ROLE
  }

ro-savage avatar Oct 17 '17 11:10 ro-savage

This only works if you update/create the role to have permission for every table. I try to keep the role permissions as restricted as possible and to avoid `Resource: *` whenever possible. Therefore a new role is created for every table with permissions for only that one specific table.

sbstjn avatar Oct 17 '17 12:10 sbstjn

Basically those two approaches are very different regarding (un-)restricted access:

  • https://github.com/medikoo/serverless-plugin-dynamodb-autoscaling/blob/master/lib/scaling-role-resource.json#L39
  • https://github.com/sbstjn/serverless-dynamodb-autoscaling/blob/master/src/aws/role.ts#L62-L66

sbstjn avatar Oct 17 '17 12:10 sbstjn

Yep, I had a play and could see it wasn't going to be so simple unfortunately.

I have little knowledge of CloudFormation. But could you create a single role that has access only to the tables that have been added to the capacities config?

e.g. loop through all the tables, build a list, and give that list of resources to the role.

Thanks for the great work btw, I spent a while trying to get the config working manually, gave up and this just worked in seconds!

ro-savage avatar Oct 17 '17 12:10 ro-savage
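One way to implement the loop ro-savage describes above, as an added example written for this thread rather than code from either plugin: a single CloudFormation role resource whose DynamoDB statement lists only the configured tables, so the stack spends one IAM resource without falling back to `Resource: *` for the tables. It assumes the tables are CloudFormation resources in the same stack (referenced by logical ID) and that the action list matches the AWS example scaling policy.

```javascript
// Added example, not code from either plugin. Builds one
// AWS::IAM::Role for Application Auto Scaling whose DynamoDB
// permissions cover exactly the tables listed in the capacities
// config (table ARN plus its indexes), instead of one role per table.

function tableResources(logicalIds) {
  // Each configured table (assumed to be a resource in this stack)
  // contributes its own ARN and the ARNs of its indexes.
  return logicalIds.flatMap((id) => [
    { 'Fn::GetAtt': [id, 'Arn'] },
    { 'Fn::Sub': '${' + id + '.Arn}/index/*' },
  ]);
}

function buildScalingRole(logicalIds) {
  if (logicalIds.length === 0) {
    // A role with no scalable targets has no reason to exist.
    throw new Error('no tables configured for autoscaling');
  }
  return {
    Type: 'AWS::IAM::Role',
    Properties: {
      AssumeRolePolicyDocument: {
        Version: '2012-10-17',
        Statement: [{
          Effect: 'Allow',
          Principal: { Service: 'application-autoscaling.amazonaws.com' },
          Action: 'sts:AssumeRole',
        }],
      },
      Policies: [{
        PolicyName: 'DynamoDBAutoscaling',
        PolicyDocument: {
          Version: '2012-10-17',
          Statement: [{
            // Table-scoped: only the configured tables can be resized.
            Effect: 'Allow',
            Action: ['dynamodb:DescribeTable', 'dynamodb:UpdateTable'],
            Resource: tableResources(logicalIds),
          }, {
            // CloudWatch alarms carry no table ARN, so this statement
            // stays broad; action list assumed from the AWS example policy.
            Effect: 'Allow',
            Action: ['cloudwatch:PutMetricAlarm', 'cloudwatch:DescribeAlarms',
              'cloudwatch:DeleteAlarms', 'cloudwatch:GetMetricStatistics',
              'cloudwatch:SetAlarmState'],
            Resource: '*',
          }],
        },
      }],
    },
  };
}
```

Each `AWS::ApplicationAutoScaling::ScalableTarget` then points at this one role via `Fn::GetAtt`, and adding a table to the config only grows the resource list, not the resource count.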

serverless-plugin-dynamodb-autoscaling now reuses the existing project's IAM role (so no single IAM role resource is created).

The project's IAM role provides lambdas with access to DynamoDB tables, and the range of access is decided by the owner of the project. The same range of access is automatically provided to the autoscaling resources.

medikoo avatar Oct 19 '17 10:10 medikoo

Thank you @medikoo ... just switched to your plugin, looks great & I like your configuration approach. There were so many roles being created across all of my DynamoDB tables & stages that I couldn't assign the proper roles to the Cognito identity pool, the list was so long! Your work really helped us, thanks again.

cdichiara avatar Mar 07 '18 23:03 cdichiara

In my case, I don't have permission to create roles and I just can't use the plugin. Is there any way to work around it by using this plugin? Weird: it worked before on the same account and user :/

jefersonlemos avatar Mar 23 '21 19:03 jefersonlemos