6

According to the documentation for AWS::Serverless::Function in the Serverless Application Model, it is possible to specify a list of IAM Policy Document Objects (PDO) for the Policies property of a Resource.

However, the AWS Toolkit for Visual Studio is flagging a syntax error when I try to define an IAM PDO.

Here is a full example of my Resources section:

    "Resources": {
      "Example": {
        "Type": "AWS::Serverless::Function",
        "Properties": {
          "Handler": "Example::Example.Controllers.ExampleController::ExampleAction",
          "Runtime": "dotnetcore2.0",
          "CodeUri": "",
          "MemorySize": 256,
          "Timeout": 30,
          "Policies": [{
            "Version": "2012-10-17",
            "Statement": {
              "Effect": "Allow",
              "Action": "*",
              "Resource": "*"
            }
          }],
          "Events": {
            "PutResource": {
              "Type": "Api",
              "Properties": {
                "Path": "/{id}",
                "Method": "GET"
              }
            }
          }
        }
      }
    }

Is there something I'm getting wrong, or is there an issue with either SAM or the AWS Toolkit syntax validation?

Chris Paton
  • Have you attempted to deploy this despite Visual Studio's objections? If it works, then it's a bug in whatever code inspector VS is using. Also, have you tried to make "Statements" value a list of objects instead of a single object? Long shot, but easy to try. – Himal Jul 11 '18 at 00:12
  • @Himal Hmmm... I tried this when I posted the issue and the deployment failed because of a syntax validation. Yesterday I updated the AWS Toolkit and now it works. So it seems you're right - there is a bug with the code inspector. Not sure where to report it though! – Chris Paton Jul 11 '18 at 10:55

3 Answers

1

I think the issue in your syntax is that it should be a statement array, because there can be multiple policies, as below:

"Statement":[ 
              {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
              }
            ]

An example of having multiple policies will be as below:

"Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:Query"
              ],
              "Resource": "arn:aws:dynamodb:${region}:*:table/${project}-songs-${dev}/*/*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:GetItem"
              ],
              "Resource": "arn:aws:dynamodb:${region}:*:table/${project}-users-${dev}"
            }
          ]

SamPiy93
1

I just updated the VS CloudFormation schema. The problem should go away the next time you restart Visual Studio.

Norm Johanson
0

It seems the problem is caused by syntax parsing issues in Visual Studio and the AWS Toolkit. I raised an issue on GitHub and you can track it here: https://github.com/aws/aws-sdk-net/issues/1001

Chris Paton
  • And for future reference, https://github.com/aws/aws-sdk-net/issues is the right place to report issues like this. I'll notice those questions sooner. – Norm Johanson Jul 19 '18 at 22:34