IAM Role

Workshop apps hosted inside our environment are protected via a managed policy. If you are going through this in your own environment, please use the following service role for the Lambda functions.

provider:
  # Lambda function's IAM Role
  iamRoleStatements:
    - Effect: Allow
      Action:
        # Allow lambda to create network interface in vpc
        - ec2:CreateNetworkInterface
        - ec2:DeleteNetworkInterface
        - ec2:DescribeNetworkInterfaces
        # Allow lambda to write logs
        - logs:CreateLogGroup
        - logs:CreateLogStream
        - logs:PutLogEvents
      Resource:
        - "*"
    - Effect: Allow
      Sid: AllowDynamoDBAccess
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
        - dynamodb:DescribeTable
      Resource: "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE}"

Remove the provider.iamManagedPolicies section from our original serverless.yaml and insert the iamRoleStatements section from above.
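
A tighter variant of the role above, as an added example that is not part of the workshop's own configuration: the CloudWatch Logs actions are limited to this service's log groups instead of "*". It assumes the functions keep the Serverless Framework default names (`<service>-<stage>-<function>`) and that `service` is a plain string, so that `${self:service}` resolves to the service name.

```yaml
provider:
  # Lambda function's IAM Role
  iamRoleStatements:
    # VPC network interface actions, unchanged from the role above
    - Effect: Allow
      Action:
        - ec2:CreateNetworkInterface
        - ec2:DeleteNetworkInterface
        - ec2:DescribeNetworkInterfaces
      Resource:
        - "*"
    # Log writes restricted to log groups named /aws/lambda/<service>-*
    # (assumption: default function names, no custom `name:` on a function).
    # The trailing ":*" also covers the log streams inside those groups.
    - Effect: Allow
      Sid: AllowServiceLogs
      Action:
        - logs:CreateLogGroup
        - logs:CreateLogStream
        - logs:PutLogEvents
      Resource:
        - "arn:aws:logs:${opt:region, self:provider.region}:*:log-group:/aws/lambda/${self:service}-*:*"
    # DynamoDB access, unchanged: already scoped to the single table
    - Effect: Allow
      Sid: AllowDynamoDBAccess
      Action:
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
        - dynamodb:DescribeTable
      Resource: "arn:aws:dynamodb:${opt:region, self:provider.region}:*:table/${self:provider.environment.DYNAMODB_TABLE}"
```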