Professional Documents
Culture Documents
SVS341-R1 - An In-Depth Tour of AWS SAM
SVS341-R1 - An In-Depth Tour of AWS SAM
Alex Wood
Senior Software Development Engineer
Amazon Web Services
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Becoming a “sam init” power user
sam build
Actual permissions
IAM permissions
boundary
dynamodb:GetItem
logs:CreateLogGroup
cloudwatch:PutMetricData
logs:CreateLogStream
logs:PutLogEvents
Permissions boundary from AWS CodePipeline
• Pattern: Create a permissions boundary policy in your CI/CD toolchain
• Configure your CloudFormation role to only be allowed to create AWS
IAM roles that include this permissions boundary.
• Pass the permissions boundary managed policy ARN to your
application template.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Permissions boundary in action
TestPermissionsBoundary: def lambda_handler(event:, context:)
Type: AWS::IAM::ManagedPolicy # this uses GetItem
Properties: item = AppTable.find(hkey: "foo")
PolicyDocument: return {
Version: 2012-10-17 statusCode: 200,
Statement: body: item.body
- Effect: Allow }
Action: end
- dynamodb:GetItem
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "*"
Permissions boundary in action
TestPermissionsBoundary: def lambda_handler(event:, context:)
Type: AWS::IAM::ManagedPolicy # this uses GetItem
Properties: item = AppTable.find(hkey: "foo")
PolicyDocument: return {
Version: 2012-10-17 statusCode: 200,
Statement: body: item.body
- Effect: Allow }
Action: end
- dynamodb:GetItem
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "*"
Permissions boundary in action
TestPermissionsBoundary: def lambda_handler(event:, context:)
Type: AWS::IAM::ManagedPolicy # this uses Scan
Properties: item = AppTable.scan.first
PolicyDocument: return {
Version: 2012-10-17 statusCode: 200,
Statement: body: item.body
- Effect: Allow }
Action: end
- dynamodb:GetItem
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "*"
Permissions boundary in action
TestPermissionsBoundary: def lambda_handler(event:, context:)
Type: AWS::IAM::ManagedPolicy # this uses Scan
Properties: item = AppTable.scan.first
PolicyDocument: return {
Version: 2012-10-17 statusCode: 200,
Statement: body: item.body
- Effect: Allow }
Action: end
- dynamodb:GetItem
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: "*"
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
The challenge
• Local testing is useful for development but has inherent limitations
• Understanding how to fit remote testing into CI/CD
AWS SAM Local
• Uses Docker to simulate execution on AWS Lambda
• Several supported modes:
• sam local start-api (Create an endpoint that simulates your API Gateway endpoint)
• sam local start-lambda (Create an endpoint that simulates the Lambda API)
• sam local invoke (Single invocation)
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!
Alex Wood
Twitter: @alexwwood
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.