Serverless and AWS IAM
I want to write down my recent experience with the Serverless Framework and AWS IAM. Like many others, the infrastructure I work on uses Terraform. I have Atlantis and Terraform set up so that other developers don't need expansive privileges to provision infrastructure on AWS. The actual deployment is done by Atlantis using an IAM role; terraform apply only happens after the pull request is reviewed and approved, and Atlantis is responsible for running it.
Recently we wanted to use the Serverless Framework to manage Lambda deployments on AWS, and we ran into insufficient IAM permissions. Developers today use an IAM role that is generously provisioned (we can definitely do better at narrowing it). In particular, the missing permission had to do with the ability to create IAM roles. Let's double-click on that.
The Serverless Framework creates an IAM role for each "service", which can include several Lambdas, so the IAM session doing the deployment needs permission to create roles. However, it is rare that we want any developer to create a new IAM role outside Terraform: a role spells out what is permitted, and we want a review process to make sure grants are not overly provisioned.
The goal now is a deployment process in which our CI/CD tool uses a machine user's credentials to invoke the Serverless Framework deployment. A separate machine user is preferred because the Serverless Framework touches a lot of AWS services. We also have to keep in mind that IAM policy documents have size limits.
The Serverless Framework documentation provides a gist as a minimal starting point. It deserves a closer look: the resource value is "*", which means the "minimal" policy can affect many other resources, including ones managed in Terraform.
We want some kind of namespace (in IAM's case, prefix matching on resource names) to restrict the permissions to only the resources the Serverless Framework manages. The following examples may help if you are looking to minimize the IAM policy used for serverless deployments. One caveat: I haven't figured out how to minimize API Gateway resources, because their ARNs are not human-readable (they are based on API IDs), and I haven't figured out the tagging syntax the Serverless Framework currently uses. Another remaining task is to restrict the IAM policy so it is usable only from within the VPC.
- A (hopefully) minimum AWS IAM policy for serverless framework (github.com)
- A (hopefully) minimum AWS IAM policy for serverless framework (terraform version) (github.com)
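To make the prefix-matching idea concrete, here is an added example (my own code, not the post's gists or anything shipped by the Serverless Framework) that builds a deploy-user policy whose every resource ARN is scoped to a `<service>-<stage>` name prefix, and a small review check that flags any Allow statement still carrying a bare `"*"` resource. It assumes the framework's default naming, where the CloudFormation stack, the Lambda functions and the execution role all start with `<service>-<stage>`, a dedicated deployment bucket whose name the caller supplies, and, going one step beyond the post, a permissions boundary that the deploy user must attach to any role it creates. The action lists are illustrative rather than exhaustive, and API Gateway is left out for the reason the post gives.

```python
"""Prefix-scoped IAM policy for a Serverless Framework deploy user.

Added example, not code from the post or the linked gists. Assumptions:
the framework's default naming, where the CloudFormation stack, the Lambda
functions and the execution role it creates all start with
"<service>-<stage>"; a dedicated deployment bucket whose name the caller
supplies; and a permissions boundary policy the deploy user must attach
to any role it creates. The action lists are illustrative, not exhaustive.
"""
import json


def scoped_resources(service, stage, account, region, deploy_bucket):
    """ARN patterns that match only resources named with the <service>-<stage>
    prefix (plus the deployment bucket), instead of Resource "*"."""
    prefix = f"{service}-{stage}"
    return {
        "stack": [f"arn:aws:cloudformation:{region}:{account}:stack/{prefix}/*"],
        "functions": [f"arn:aws:lambda:{region}:{account}:function:{prefix}-*"],
        "roles": [f"arn:aws:iam::{account}:role/{prefix}-*"],
        "logs": [f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{prefix}-*"],
        "bucket": [f"arn:aws:s3:::{deploy_bucket}"],
        "objects": [f"arn:aws:s3:::{deploy_bucket}/*"],
    }


def build_policy(service, stage, account, region, deploy_bucket, boundary_arn):
    """Deploy-user policy document. Every statement is scoped to the prefix
    except ValidateTemplate, which has no resource-level permissions."""
    r = scoped_resources(service, stage, account, region, deploy_bucket)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ValidateTemplate", "Effect": "Allow",
             "Action": "cloudformation:ValidateTemplate", "Resource": "*"},
            {"Sid": "Stack", "Effect": "Allow",
             "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                        "cloudformation:DeleteStack", "cloudformation:DescribeStacks",
                        "cloudformation:DescribeStackEvents",
                        "cloudformation:DescribeStackResource",
                        "cloudformation:ListStackResources"],
             "Resource": r["stack"]},
            {"Sid": "Functions", "Effect": "Allow",
             "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode",
                        "lambda:UpdateFunctionConfiguration", "lambda:GetFunction",
                        "lambda:DeleteFunction", "lambda:AddPermission",
                        "lambda:RemovePermission"],
             "Resource": r["functions"]},
            # Role creation is the permission the post is most worried about:
            # besides the name prefix, require a permissions boundary so the
            # deploy user cannot mint a role more powerful than the boundary.
            {"Sid": "CreateRoles", "Effect": "Allow",
             "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
             "Resource": r["roles"],
             "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary_arn}}},
            {"Sid": "ManageRoles", "Effect": "Allow",
             "Action": ["iam:GetRole", "iam:DeleteRole", "iam:PutRolePolicy",
                        "iam:DeleteRolePolicy", "iam:TagRole"],
             "Resource": r["roles"]},
            # PassRole only to Lambda, so a prefixed role cannot be handed to
            # some other service.
            {"Sid": "PassRoleToLambda", "Effect": "Allow",
             "Action": "iam:PassRole", "Resource": r["roles"],
             "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}},
            {"Sid": "LogGroups", "Effect": "Allow",
             "Action": ["logs:CreateLogGroup", "logs:DeleteLogGroup",
                        "logs:PutRetentionPolicy"],
             "Resource": r["logs"]},
            {"Sid": "DeployBucket", "Effect": "Allow",
             "Action": "s3:ListBucket", "Resource": r["bucket"]},
            {"Sid": "DeployArtifacts", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": r["objects"]},
        ],
    }


def unscoped_statements(policy, allowed=("ValidateTemplate",)):
    """Review check: Sids of Allow statements whose Resource is a bare "*".
    `allowed` names the statements known to need it."""
    flagged = []
    for stmt in policy["Statement"]:
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        if stmt.get("Effect") == "Allow" and "*" in resources and stmt.get("Sid") not in allowed:
            flagged.append(stmt.get("Sid"))
    return flagged


def policy_size(policy):
    """Character count IAM measures against its documented 6,144-character
    limit for a managed policy (whitespace is not counted)."""
    return len(json.dumps(policy, separators=(",", ":")))


# Constructed stand-in for a "minimal" starting-point policy with Resource "*",
# the shape the post warns about; it is not a copy of the framework's gist.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Everything", "Effect": "Allow",
                   "Action": ["cloudformation:*", "lambda:*", "iam:CreateRole"],
                   "Resource": "*"}],
}


if __name__ == "__main__":
    policy = build_policy("orders", "prod", "123456789012", "us-east-1",
                          "orders-prod-deploys",
                          "arn:aws:iam::123456789012:policy/serverless-boundary")
    print(json.dumps(policy, indent=2))
    print("unscoped statements in the '*' policy:", unscoped_statements(WILDCARD_POLICY))
    print("unscoped statements in the scoped policy:", unscoped_statements(policy))
    print("managed-policy size used:", policy_size(policy))
```

The `unscoped_statements` check is the part worth wiring into review: run it over the JSON a pull request proposes and fail the build on anything it returns that is not on the allow-list. The `iam:PermissionsBoundary` condition is my addition rather than something the post describes; it closes the gap that a name prefix alone leaves open, since a role named `orders-prod-anything` could otherwise be created with an arbitrary inline policy. The account ID, bucket name and boundary ARN in the `__main__` block are constructed placeholders.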
I want to use this opportunity to start a conversation with those running the Serverless Framework in production, so we can learn from each other about the best security and operating practices.