Hi!
I've been trying to resolve this for a couple of days now, and not even with the help of nice users from Slack have I been able to solve it ^^' (I'm such a noob at AWS!) (check the Slack thread if interested)
The issue I have is that I've got a simple project using the cloud API with Lambda, and it's working fine. The project just needs cloud.API and dynamodb.table, like the counter example that I've replicated here to do some tests. It has allowed me to get really far without deep knowledge of infrastructure, which is really nice.
But I can't deploy this into a company AWS account, because by default cloud.API gives full access permissions to the lambdas. Ideally the roles and policies should be as strict as possible, only giving the lambda access to what it actually needs.
Thanks to the user Tirke in Slack I've been able to use the cloud-aws:computeIAMRolePolicyARNs config key to specify a specific policy. The issue is that it's cumbersome to set that up in the management console, because you need to get the Pulumi IDs first and it has to be done manually.
Given that Pulumi is not smart enough (yet?) to give only the permissions it needs, I was thinking of creating the roles with the IAM Pulumi API and giving them to cloud.API. That would be a good workaround, but cloud.API doesn't have any public methods to do that.
As per Tirke's recommendation I've tried to go one level down and use serverless.apigateway.API directly, because that has public ways of setting up the roles. I still haven't figured out how to do it; I'm having some issues with the roles and the functions, but I'm not sure I can spend more time on this for now.
I just wanted to raise this to know if something to simplify this is in the roadmap :D. Really loving the work you've been doing, guys! Thanks.
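The post above contrasts the default "full access" role that the lambdas get with the least-privilege role the reporter wants: DynamoDB access on one table, and nothing else. The following is an added example written for this page, not code from the issue or from the Pulumi project. It builds the scoped IAM policy document for a Lambda that only touches one DynamoDB table (data-plane actions on the table and its indexes, plus CloudWatch Logs for that function's own log group), puts the over-broad default shape next to it, and runs a small audit that flags the wildcard grants. The table ARN and function name are constructed placeholders; how the document would be attached in a Pulumi program (for example as the `policy` of an `aws.iam.RolePolicy`) is noted in a comment and is an assumption about the wiring, not something the issue shows. No Pulumi SDK is required to run it.

```typescript
// Added example: least-privilege IAM policy for a Lambda that needs one
// DynamoDB table, beside the "full access" shape it replaces, with an audit
// that flags wildcard grants. Pure TypeScript; no Pulumi SDK is imported.

type Statement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
};

export type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Only the DynamoDB data-plane calls a simple counter/CRUD handler performs.
export const TABLE_ACTIONS: string[] = [
  "dynamodb:GetItem",
  "dynamodb:PutItem",
  "dynamodb:UpdateItem",
  "dynamodb:DeleteItem",
  "dynamodb:Query",
];

// The over-broad default the post describes: every action on every resource.
export function fullAccessPolicy(): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }],
  };
}

// Split an ARN into its fixed fields so region/account/partition can be
// reused when naming the log group instead of being typed in twice.
export function parseArn(arn: string): {
  partition: string; service: string; region: string; account: string; resource: string;
} {
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") {
    throw new Error(`not an ARN: ${arn}`);
  }
  const [, partition, service, region, account, ...rest] = parts;
  return { partition, service, region, account, resource: rest.join(":") };
}

// Scoped policy: table (and its indexes) for data-plane calls; CloudWatch Logs
// limited to this one function's log group. `actions` defaults to TABLE_ACTIONS
// so callers can narrow it further (e.g. read-only handlers).
export function scopedLambdaPolicy(
  tableArn: string,
  functionName: string,
  actions: string[] = TABLE_ACTIONS,
): PolicyDocument {
  const { partition, service, region, account } = parseArn(tableArn);
  if (service !== "dynamodb") {
    throw new Error(`expected a DynamoDB table ARN, got ${tableArn}`);
  }
  const logGroup = `arn:${partition}:logs:${region}:${account}:log-group:/aws/lambda/${functionName}`;
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Action: actions, Resource: [tableArn, `${tableArn}/index/*`] },
      // CreateLogGroup cannot be scoped to a group that does not exist yet,
      // so it is bounded to the account/region instead of "*".
      { Effect: "Allow", Action: ["logs:CreateLogGroup"], Resource: `arn:${partition}:logs:${region}:${account}:*` },
      { Effect: "Allow", Action: ["logs:CreateLogStream", "logs:PutLogEvents"], Resource: `${logGroup}:*` },
    ],
  };
}

// Audit: one finding per wildcard action ("*" or "service:*") and per
// Resource "*" in an Allow statement. An empty list means no wildcard grants.
export function auditPolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    const wildActions = actions.filter((a) => a === "*" || a.endsWith(":*"));
    const wildResources = resources.filter((r) => r === "*");
    if (wildActions.length > 0) {
      findings.push(`statement ${i}: wildcard action(s) ${wildActions.join(", ")}`);
    }
    if (wildResources.length > 0) {
      findings.push(`statement ${i}: Resource "*" for ${actions.join(", ")}`);
    }
  });
  return findings;
}

// Constructed placeholders for a stand-alone run. In a Pulumi program the
// assumed wiring would be: new aws.iam.RolePolicy("fn-policy", { role: role.id,
// policy: JSON.stringify(scopedLambdaPolicy(table.arn, fnName)) }) inside an
// apply() over the table ARN output.
const exampleTableArn = "arn:aws:dynamodb:us-east-1:123456789012:table/counter";
console.log("default findings:", auditPolicy(fullAccessPolicy()));
console.log("scoped findings:", auditPolicy(scopedLambdaPolicy(exampleTableArn, "counter-handler")));
```

The audit deliberately treats `arn:...:logs:region:account:*` as acceptable (it is account- and region-bounded) while still catching a bare `"*"` resource, which is the shape the default role grants.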
@alexito4 Sorry for the long delay getting back to you. Yup. This is definitely something we're looking into improving. Do you still need help with this right now? Or have you been able to find an approach that works for you currently?