Managed IAM Policies Jets Events

For Jets Events, you can control the IAM policies associated with your Lambda functions even more finely. Here are the ways and their precedence:

  1. Function-specific IAM policy: highest precedence. Applies for the distinct Lambda function.
  2. Class-wide IAM policy: Applies for all Lambda functions for the class.
  3. Application-wide IAM policy: lowest precedence. Applies for all Lambda functions of the Jets application.

Controller vs Events IAM Policies

Jets handles all controller requests with a single Lambda function. You can only define IAM policies for all controllers in config/jets/deploy.rb.

For events, you can control IAM policies at the ApplicationEvent level or at the individual Lambda function level, because Jets always deploys a distinct Lambda function for each event method.

Function-specific Managed IAM policy

app/events/cool_event.rb

class CoolEvent < ApplicationEvent
  managed_iam_policy "AmazonEC2ReadOnlyAccess"
  rate "10 hours"
  def handle
    puts "Do something with event #{JSON.dump(event)}"
  end
end

Class-wide Managed IAM policy

app/events/cool_event.rb

class CoolEvent < ApplicationEvent
  class_managed_iam_policy(
    "IAMReadOnlyAccess",
    "service-role/AWSConfigRulesExecutionRole"
  )
  rate "10 hours"
  def handle
    puts "Do something with event #{JSON.dump(event)}"
  end
end

Application-wide Managed IAM policy

config/jets/deploy.rb

Jets.deploy.configure do |config|
  config.lambda.iam.managed_policy = %w[
    AWSCloudTrailReadOnlyAccess
    IAMReadOnlyAccess
  ]
end

Managed IAM Policies Inheritance

Managed IAM policies defined at a higher level of precedence inherit and include the policies from the levels below it: a function-specific policy list also includes the class-wide and application-wide policies. This is done so you do not have to duplicate your IAM policies when you only need to add a simple additional permission. For example, if you’ve configured the application-wide Managed IAM policy to look something like this:

config/jets/deploy.rb

Jets.deploy.configure do |config|
  config.lambda.iam.managed_policy = %w[IAMReadOnlyAccess]
end

When you add a function-specific IAM policy to a method:

class CoolEvent < ApplicationEvent
  managed_iam_policy "AmazonEC2ReadOnlyAccess"
  def handle
    puts "Do something with event #{JSON.dump(event)}"
  end
end

The resulting policy for the method will look something like this:

ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
- arn:aws:iam::aws:policy/IAMReadOnlyAccess

So the Managed IAM policies are additive.

IAM DSL Multiple Calls

When you call class_iam_policy multiple times, each call appends permissions for that specific function. Example:

class_iam_policy("AmazonS3ReadOnlyAccess")
class_iam_policy("CloudFrontReadOnlyAccess")

The same as:

class_iam_policy("AmazonS3ReadOnlyAccess", "CloudFrontReadOnlyAccess")
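The following is an added example, not code from Jets itself, that models the two behaviours described above (the additive inheritance across the three precedence levels, and the append semantics of repeated DSL calls) so you can review the effective ManagedPolicyArns of a function before deploying. The class name ManagedPolicyLevels, the method application_managed_policy, and the redundant helper are hypothetical names for this example. It assumes, as the page's output shows, that a bare policy name maps to arn:aws:iam::aws:policy/<name>, that a name carrying a path such as service-role/... keeps that path under the same prefix, and that a value already starting with "arn:" is passed through unchanged.

```ruby
# Added example, not Jets' own code: models how managed IAM policy levels
# combine. Assumption: bare names become arn:aws:iam::aws:policy/<name>, and
# values already starting with "arn:" are kept as-is.

AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/".freeze

# Hypothetical model of the three DSL levels. Each call appends to the list
# for its level, matching the "multiple calls" behaviour described above.
class ManagedPolicyLevels
  attr_reader :function, :klass, :application

  def initialize
    @function = []     # managed_iam_policy      (highest precedence)
    @klass = []        # class_managed_iam_policy
    @application = []  # config.lambda.iam.managed_policy (lowest precedence)
  end

  def managed_iam_policy(*names)
    append(@function, names)
  end

  def class_managed_iam_policy(*names)
    append(@klass, names)
  end

  # Stand-in for config.lambda.iam.managed_policy in config/jets/deploy.rb.
  def application_managed_policy(*names)
    append(@application, names)
  end

  # Effective ManagedPolicyArns for one function: function-specific first, then
  # class-wide, then application-wide, with duplicates removed. Levels only add
  # to one another; nothing at a higher level can remove a baseline policy.
  def resolved_arns
    (@function + @klass + @application).map { |name| to_arn(name) }.uniq
  end

  # Names declared at the function or class level that the application-wide
  # baseline already grants. Harmless after dedup, but worth removing.
  def redundant
    (@function + @klass) & @application
  end

  private

  def append(list, names)
    list.concat(names.flatten)
    self
  end

  def to_arn(name)
    name.start_with?("arn:") ? name : "#{AWS_MANAGED_PREFIX}#{name}"
  end
end

# Reproduces the inheritance example from the page: IAMReadOnlyAccess app-wide,
# AmazonEC2ReadOnlyAccess on one function.
def page_inheritance_example
  levels = ManagedPolicyLevels.new
  levels.application_managed_policy("IAMReadOnlyAccess")
  levels.managed_iam_policy("AmazonEC2ReadOnlyAccess")
  levels.resolved_arns
end

# Two calls at the same level append, equivalent to one call with both names.
def repeated_calls_example
  levels = ManagedPolicyLevels.new
  levels.class_managed_iam_policy("AmazonS3ReadOnlyAccess")
  levels.class_managed_iam_policy("CloudFrontReadOnlyAccess")
  levels.klass
end

if __FILE__ == $PROGRAM_NAME
  puts "ManagedPolicyArns:"
  page_inheritance_example.each { |arn| puts "- #{arn}" }
  puts "Class-wide after two calls: #{repeated_calls_example.inspect}"
end
```

Because the levels are strictly additive, a function-specific or class-wide policy can only widen what the application-wide baseline grants, never narrow it; the policies listed in config/jets/deploy.rb are therefore the floor for every Lambda function in the app, so keep that list to what all functions genuinely need and attach broader managed policies at the class or function level.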