Setup IAM roles in Cloud API #557

Closed
alexito4 opened this issue Aug 17, 2018 · 1 comment
Labels
kind/enhancement Improvements or new features resolution/wont-fix This issue won't be fixed

@alexito4

Hi!
I've been trying to resolve this for a couple of days now, and not even with the help of nice users from Slack have I been able to solve it ^^' (I'm such a noob at AWS!) (check the Slack thread if interested)

The issue that I have is that I have a simple project using the cloud API with Lambda and it is working fine. The project just needs cloud.API and dynamodb.table, like the counter example that I've replicated here to do some tests. It has allowed me to get really far without a deep knowledge of infrastructure, which is really nice.

But I can't deploy this into a company AWS account because by default cloud.API gives full access permissions to the lambdas. Ideally the roles and policies should be as strict as possible only giving access to the lambda to what it actually needs.

Thanks to the user Tirke in Slack I've been able to use the cloud-aws:computeIAMRolePolicyARNs config key to specify a specific policy. The issue is that it's cumbersome to set that up in the management console because you first need to get the Pulumi IDs and it has to be done manually.

Given that Pulumi is not smart enough (yet?) to give only the permissions that it needs, I was thinking of creating the roles with the IAM Pulumi API and giving them to the cloud.API. That would be a good workaround, but cloud.API doesn't have any public methods to do that.

As per Tirke's recommendation I've tried to go one level down and use serverless.apigateway.API directly, because that has public ways of setting up the roles. I still haven't figured out how to do it, I'm having some issues with the roles and the functions, but I'm not sure I can spend more time on this for now.

I just wanted to raise this to know if something to simplify this is on the roadmap :D. Really loving the work you've been doing guys! Thanks.
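
The contrast the issue describes, full access versus a policy scoped to what the counter Lambda needs, shown as an added example that is not part of the original issue or of Pulumi's code. It builds plain IAM policy JSON and checks it for broad grants without calling any Pulumi or AWS API; the region, account id, table name, function name and action list are constructed assumptions.

```javascript
// Added example: plain IAM policy JSON, no Pulumi or AWS SDK calls.
// Region, account id, table and function names are constructed placeholders;
// the action list is an assumption about what a counter handler calls.
function scopedLambdaPolicy({ region, accountId, tableName, functionName }) {
  const tableArn = `arn:aws:dynamodb:${region}:${accountId}:table/${tableName}`;
  const logArn = `arn:aws:logs:${region}:${accountId}:log-group:/aws/lambda/${functionName}:*`;
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "CounterTableOnly", Effect: "Allow",
        Action: ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem"],
        Resource: [tableArn] },
      { Sid: "OwnLogGroupOnly", Effect: "Allow",
        Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
        Resource: [logArn] },
    ],
  };
}

// Flag Allow statements that grant every action, a whole service, or every resource.
function findBroadGrants(policy) {
  const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
  const findings = [];
  for (const stmt of asList(policy.Statement)) {
    if (stmt.Effect !== "Allow") continue;
    const id = stmt.Sid || "(no Sid)";
    if (stmt.NotAction) findings.push(`${id}: Allow with NotAction`);
    for (const action of asList(stmt.Action)) {
      if (action === "*" || action.endsWith(":*")) findings.push(`${id}: action ${action}`);
    }
    for (const resource of asList(stmt.Resource)) {
      if (resource === "*") findings.push(`${id}: resource *`);
    }
  }
  return findings;
}

// Constructed samples: a full-access policy and the scoped one.
const FULL_ACCESS = {
  Version: "2012-10-17",
  Statement: [{ Sid: "FullAccess", Effect: "Allow", Action: "*", Resource: "*" }],
};
const SCOPED = scopedLambdaPolicy({
  region: "eu-west-1", accountId: "123456789012",
  tableName: "counter-table", functionName: "counter-api-handler",
});
console.log(findBroadGrants(FULL_ACCESS));
console.log(findBroadGrants(SCOPED));
```

The JSON returned by `scopedLambdaPolicy` can be saved as a managed policy, and a check like `findBroadGrants` can run in CI against any policy document before it is attached to a role.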

@joeduffy joeduffy added this to the 0.19 milestone Oct 30, 2018
@CyrusNajmabadi
Contributor

@alexito4 Sorry for the long delay getting back to you. Yup. This is definitely something we're looking into improving. Do you still need help with this right now? Or have you been able to find an approach that works for you currently?

@lukehoban lukehoban modified the milestones: 0.19, 0.20 Nov 16, 2018
@lukehoban lukehoban modified the milestones: 0.20, 0.21 Dec 9, 2018
@lukehoban lukehoban removed this from the 0.21 milestone Jan 28, 2019
@CyrusNajmabadi CyrusNajmabadi removed their assignment Jan 8, 2020
@lukehoban lukehoban added the kind/enhancement Improvements or new features label Jul 24, 2023
@mjeffryes mjeffryes added the resolution/wont-fix This issue won't be fixed label Jun 28, 2024
@mjeffryes mjeffryes self-assigned this Jun 28, 2024
@mjeffryes mjeffryes added this to the 0.107 milestone Jul 24, 2024