IAM Managed Policies
Managed IAM policies are prebaked IAM policies managed by AWS. This is nice because when AWS releases new features with new API methods, AWS updates the managed policy accordingly and we don't have to update the policy ourselves. Managed policies are simple to use with Jets.
Managed IAM Policies Example
Here’s an example.
config/jets/deploy.rb
Jets.deploy.configure do |config|
  config.lambda.iam.managed_policy = ["AmazonS3FullAccess", "AmazonSNSFullAccess"]
end
The managed IAM policy shorthand above is ultimately expanded, included in the CloudFormation templates, and associated with the Lambda functions. The result looks something like this:
IamRole:
  Type: AWS::IAM::Role
  Properties:
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/AmazonS3FullAccess
      - arn:aws:iam::aws:policy/AmazonSNSFullAccess
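As an added illustration (not Jets' own code), the Ruby below expands the shorthand names into the ManagedPolicyArns list shown above and flags names that look like broad "FullAccess" policies so the execution role's scope can be reviewed. The ARN prefix is the one in the template; passing a value that is already a full ARN through unchanged is an assumption made here for illustration, not documented Jets behavior.

```ruby
# Added example: expands managed-policy shorthand into the IamRole resource
# shape shown on this page. Not Jets' own implementation.
require "yaml"

# Prefix used by AWS-managed policies, as seen in the template above.
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"

# Turn a shorthand such as "AmazonS3FullAccess" into its managed-policy ARN.
# Assumption for illustration: a value that already starts with "arn:" is
# treated as a full ARN and returned unchanged.
def managed_policy_arn(name)
  return name if name.start_with?("arn:")
  "#{AWS_MANAGED_PREFIX}#{name}"
end

# Build the CloudFormation IamRole resource with the expanded ARN list.
def iam_role_resource(managed_policies)
  {
    "IamRole" => {
      "Type" => "AWS::IAM::Role",
      "Properties" => {
        "ManagedPolicyArns" => managed_policies.map { |n| managed_policy_arn(n) },
      },
    },
  }
end

# Name-based heuristic: list policies whose shorthand ends in "FullAccess",
# since those grant every action on the service and the Lambda execution
# role usually needs far less. It only inspects names, not policy documents.
def broad_policies(managed_policies)
  managed_policies.select { |n| n.end_with?("FullAccess") }
end

if __FILE__ == $0
  policies = ["AmazonS3FullAccess", "AmazonSNSFullAccess"]
  puts iam_role_resource(policies).to_yaml
  puts "Review for least privilege: #{broad_policies(policies).join(', ')}"
end
```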
More details on raw IAM policies can be found at:
- AWS Managed Policies for Job Functions
- AWS IAM Policies and Permissions docs
- CloudFormation IAM Policy reference docs
App Lambda Function vs User Deploy IAM Policies
The IAM Policies docs on this page refer to the IAM policy associated with your Lambda Execution Role. These permissions control what AWS resources your Lambda functions have access to. This differs from the IAM Role required to deploy. If you are looking for the minimal IAM Policy to deploy a Jets application for your IAM user, check out Minimal Deploy IAM Policy.