Document required permissions AWS IAM role for Functionbeat #11787

kvch · 2019-04-12T15:25:59Z

Before #11779 it was not possible to configure custom roles for a function. Instead a custom policy was created with a default role for Functionbeat.

kvch · 2019-07-03T07:53:25Z

Minimal required permissions by type:

Cloudwatch

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "cloudformation:UpdateStack",
                "cloudformation:ValidateTemplate"
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:PutFunctionConcurrency",
                "lambda:RemovePermission",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DeleteSubscriptionFilter",
                "logs:DescribeLogGroups",
                "logs:PutSubscriptionFilter",
                "s3:CreateBucket",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
            ],
            "Resource": "*"
        }
    ]
}

SQS and Kinesis

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "cloudformation:UpdateStack",
                "cloudformation:ValidateTemplate"
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:CreateEventSourceMapping",
                "lambda:DeleteFunction",
                "lambda:DeleteEventSourceMapping",
                "lambda:GetEventSourceMapping",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:PutFunctionConcurrency",
                "lambda:RemovePermission",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "s3:CreateBucket",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
            ],
            "Resource": "*"
        }
    ]
}

dedemorton · 2019-08-07T20:57:33Z

I'm working on getting this tested and into the published docs. In the mean time, however, note that CloudWatch example shown earlier has syntax errors. The correct syntax is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "cloudformation:UpdateStack",
                "cloudformation:ValidateTemplate",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:PutFunctionConcurrency",
                "lambda:RemovePermission",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:DeleteSubscriptionFilter",
                "logs:DescribeLogGroups",
                "logs:PutSubscriptionFilter",
                "s3:CreateBucket",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "*"
        }
    ]
}

dedemorton · 2019-08-08T16:08:45Z

The sqs/kinesis example shown earlier is missing a couple of privileges (when tested on sqs):

            "logs:DescribeLogGroups",
            "logs:CreateLogGroup",

Plus the example has a couple syntax errors. The correct policy is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStackResources",
                "cloudformation:GetTemplate",
                "cloudformation:UpdateStack",
                "cloudformation:ValidateTemplate",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "lambda:AddPermission",
                "lambda:CreateFunction",
                "lambda:CreateEventSourceMapping",
                "lambda:DeleteFunction",
                "lambda:DeleteEventSourceMapping",
                "lambda:GetEventSourceMapping",
                "lambda:GetFunction",
                "lambda:GetFunctionConfiguration",
                "lambda:PutFunctionConcurrency",
                "lambda:RemovePermission",
                "lambda:UpdateFunctionCode",
                "lambda:UpdateFunctionConfiguration",
                "logs:DescribeLogGroups",
                "logs:CreateLogGroup",
                "s3:CreateBucket",
                "s3:DeleteObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "*"
        }
    ]
}

dedemorton · 2019-08-23T18:26:23Z

Closed by #13206

kvch added docs Functionbeat labels Apr 12, 2019

kvch mentioned this issue Apr 12, 2019

New options to configure roles and VPC #11779

Merged

dedemorton self-assigned this Jul 30, 2019

dedemorton mentioned this issue Aug 8, 2019

[DOCS] Document AIM permissions required for Functionbeat #13206

Merged

dedemorton closed this as completed Aug 23, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Document required permissions AWS IAM role for Functionbeat #11787

Document required permissions AWS IAM role for Functionbeat #11787

kvch commented Apr 12, 2019 •

edited

kvch commented Jul 3, 2019

dedemorton commented Aug 7, 2019

dedemorton commented Aug 8, 2019

dedemorton commented Aug 23, 2019

Document required permissions AWS IAM role for Functionbeat #11787

Document required permissions AWS IAM role for Functionbeat #11787

Comments

kvch commented Apr 12, 2019 • edited

kvch commented Jul 3, 2019

Cloudwatch

SQS and Kinesis

dedemorton commented Aug 7, 2019

dedemorton commented Aug 8, 2019

dedemorton commented Aug 23, 2019

kvch commented Apr 12, 2019 •

edited