Comments (2)
I've gone through the same process and can't agree more.
IAM is complex and IMO Serverless Framework does a poor job at pointing you in the right direction (or I'm not aware of it). They even recommend creating a user with Administrator Access in their docs.
I'm not sure what's the best practice in this field right now, but what I've done so far is generating a user with the least permissions I can come up with. And yes, this is trial & error each time.
I also know you can make Cloudformation assume a role when deploying but that wouldn't help with your static files upload problem here.
I think the required permissions to use and deploy a construct could be documented but there would still be a missing piece in Serverless Framework.
It would be nice for Serverless Framework to have a command that looks at what would be deployed and generates the proper IAM permission document for deployment (and then sending an event so that Lift can hook into the process and add its own to the mix).
Hope that makes sense. Would love to hear thoughts on this.
from lift.
Yes, yes and yes.
We've discussed it several times internally at Serverless, and it's a tough problem to solve. No tool, as far as we know, has a magic solution for this.
One idea we may want to explore is:
- let each construct expose the permissions it requires
- then there would be a command that lets users export those permissions (useful for reviewing as well), even before deploying
- on deployment, it could even be great if Lift/Serverless Framework would check the permissions before deploying to anticipate any failure
But, as you can guess, this is a lot of work. I'm curious what you think about that approach, or if you have anything else in mind.
For those stumbling on this discussion feel free to add a 👍 to the issue: that helps us gauge interest and prioritize the roadmap.
from lift.
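A sketch of the pre-deploy permission check proposed above, added here as an example that is not Lift's or the Serverless Framework's code: each construct exposes the (action, resource) pairs it needs, the pairs are merged, and a simplified IAM evaluator reports which ones the deployer's identity policy would refuse before anything is deployed. The required-permission list and the deployer policy are constructed samples; the evaluator handles IAM wildcards and Deny precedence but deliberately ignores Condition, NotAction/NotResource, SCPs and resource policies.

```python
import json
import re

# Constructed sample, not Lift's real data: permissions a static-website construct
# and the CloudFormation stack itself might expose for a deployment.
REQUIRED_PERMISSIONS = [
    ("cloudformation:CreateStack", "arn:aws:cloudformation:eu-west-1:123456789012:stack/app-dev/*"),
    ("s3:PutObject", "arn:aws:s3:::app-dev-website/*"),           # static files upload
    ("s3:DeleteObject", "arn:aws:s3:::app-dev-website/*"),        # s3 sync removes stale files
    ("cloudfront:CreateInvalidation", "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"),
]

# Constructed deployer policy: an explicit Deny on DeleteObject and no CloudFront rights at all.
DEPLOYER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::app-dev-website/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one; actions are case-insensitive.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policy, action, resource):
    """Simplified IAM decision: an explicit Deny wins, then any Allow, otherwise implicit deny."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            decision = "allow"
    return decision


def missing_permissions(policy, required):
    """Pre-deploy check: (action, resource, decision) triples the policy would refuse."""
    decisions = [(a, r, evaluate(policy, a, r)) for a, r in required]
    return [t for t in decisions if t[2] != "allow"]
```

Running `missing_permissions(DEPLOYER_POLICY, REQUIRED_PERMISSIONS)` on the sample reports the denied DeleteObject and the missing CloudFront invalidation, which is exactly the failure a trial-and-error deploy would otherwise surface halfway through.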