Permissions
SST makes it easy to select the level of access you want to grant while attaching permissions to your application.
The Permissions type is used in:
- The various attachPermissions style functions. For example, attachPermissions in the Function construct.
- The attachPermissionsForAuthUsers and attachPermissionsForUnauthUsers in the Cognito construct.
Examples
Let's look at the various ways to attach permissions. Starting with the most permissive option.
Take a simple function.
const fun = new Function(stack, "Function", { handler: "src/lambda.main" });
Giving full permissions
fun.attachPermissions("*");
This gives the function admin access to all resources.
Access to a list of services
fun.attachPermissions(["s3", "dynamodb"]);
Specify a list of AWS resource types that this function has complete access to. Takes a list of strings.
Access to a list of actions
fun.attachPermissions(["s3:PutObject", "dynamodb:PutItem"]);
Specify a list of AWS IAM actions that this function has complete access to. Takes a list of strings.
Access to a list of SST constructs
import { Topic, Table } from "sst/constructs";
const topic = new Topic(stack, "Topic");
const table = new Table(stack, "Table");
fun.bind([topic, table]);
To give access to SST constructs, bind them to the function. Read more about Resource Binding.
Access to a list of CDK constructs
import * as sns from "aws-cdk-lib/aws-sns";
import * as dynamodb from "aws-cdk-lib/aws-dynamodb";
const topic = new sns.Topic(stack, "Topic");
const table = new dynamodb.Table(stack, "Table");
fun.attachPermissions([topic, table]);
Specify which CDK constructs you want to give complete access to. Check out the list of supported constructs.
Access to a list of specific permissions in a construct
import * as sns from "aws-cdk-lib/aws-sns";
import * as dynamodb from "aws-cdk-lib/aws-dynamodb";
const topic = new sns.Topic(stack, "Topic");
const table = new dynamodb.Table(stack, "Table");
fun.attachPermissions([
[topic, "grantPublish"],
[table, "grantReadData"],
]);
Specify which permission in the construct you want to give access to. Specified as a tuple of construct and a grant permission function.
CDK constructs have methods of the format grantX that allow you to grant specific permissions. So in the example above, the grant functions are: Topic.grantPublish and Table.grantReadData. The attachPermissions method takes the construct and calls the grant permission function specified.
Unlike the previous option, this supports all the CDK constructs.
List of IAM policies
import * as iam from "aws-cdk-lib/aws-iam";
// bucket, api, region and account are assumed to be defined earlier in the stack
fun.attachPermissions([
new iam.PolicyStatement({
actions: ["s3:*"],
effect: iam.Effect.ALLOW,
// the ${cognito-identity.amazonaws.com:sub} policy variable is left for IAM to resolve, so a plain string (not a template literal) is used here
resources: [
bucket.bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*",
],
}),
new iam.PolicyStatement({
actions: ["execute-api:Invoke"],
effect: iam.Effect.ALLOW,
resources: [`arn:aws:execute-api:${region}:${account}:${api.httpApiId}/*`],
}),
]);
The cdk.aws-iam.PolicyStatement allows you to craft granular IAM policies that you can attach to the function.
Types
Below are the types and enums used to support permissions in SST.
Permissions
Type : "*" | Permission[]
Takes a * or an array of Permission.
On a high level, you can either give admin access to all the resources in your account or a specific list of services.
Permission
Type : string | cdk.IConstruct | [cdk.IConstruct, string] | cdk.aws-iam.PolicyStatement
Allows you to define the permission in a few different ways to control the level of access.
The name of the AWS resource as referenced in an IAM policy.
"s3"
"dynamodb"
...
A CDK construct. Check out the list of supported constructs.
new cdk.aws-sns.Topic(stack, "Topic")
new cdk.aws-dynamodb.Table(stack, "Table")
...
A CDK construct with its specific grant permission method. Many CDK constructs have a method of the format grantX that allows you to grant specific permissions. Pass in the construct and grant method as a tuple.
// const topic = new cdk.aws-sns.Topic(stack, "Topic");
// const table = new cdk.aws-dynamodb.Table(stack, "Table");
[topic, "grantPublish"]
[table, "grantReadData"]
Or, pass in a policy statement.
new cdk.aws-iam.PolicyStatement({
actions: ["s3:*"],
effect: cdk.aws-iam.Effect.ALLOW,
resources: [
bucket.bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*",
],
})
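The forms listed above differ a lot in how much access they hand out. As an added example (not SST's own code), here is a small audit helper that walks a value of the Permissions type and rates each entry by breadth; the Construct and PolicyStatement shapes are simplified stand-ins (an assumption) so that it runs without aws-cdk-lib or sst/constructs.

```typescript
// Added example, not SST's own code: rates each entry of a Permissions value by breadth.
// Construct and PolicyStatement are modelled structurally (an assumption) to avoid CDK imports.
type Construct = { node: { id: string } };
type PolicyStatement = { actions: string[]; resources: string[] };
type Permission = string | Construct | [Construct, string] | PolicyStatement;
type Permissions = "*" | Permission[];

type Severity = "high" | "medium" | "low";
type Finding = { permission: string; severity: Severity; reason: string };

function describe(p: Permission): Finding {
  if (typeof p === "string") {
    // "*" is admin access; "s3" or "s3:*" is every action of a service on every resource
    if (p === "*") return { permission: p, severity: "high", reason: "admin access to all resources" };
    if (!p.includes(":") || p.endsWith("*"))
      return { permission: p, severity: "high", reason: "every action on every resource of the service" };
    // a single IAM action is narrower, but still applies to every resource
    return { permission: p, severity: "medium", reason: "one action, but on every resource" };
  }
  if (Array.isArray(p)) {
    const [construct, grant] = p; // one grantX method on one construct
    return { permission: `${construct.node.id}.${grant}`, severity: "low", reason: "one grant method on one construct" };
  }
  if ("actions" in p) {
    const wildAction = p.actions.some((a) => a.includes("*"));
    const wildResource = p.resources.some((r) => r === "*");
    const severity: Severity = wildAction && wildResource ? "high" : wildAction || wildResource ? "medium" : "low";
    return { permission: `PolicyStatement[${p.actions.join(",")}]`, severity,
      reason: `actions ${wildAction ? "use" : "avoid"} wildcards; resources ${wildResource ? "are" : "are not"} "*"` };
  }
  // a bare construct: the page describes this as complete access to that construct
  return { permission: p.node.id, severity: "medium", reason: "complete access to one construct" };
}

function auditPermissions(perms: Permissions): Finding[] {
  return perms === "*" ? [describe("*")] : perms.map(describe);
}

function highestSeverity(perms: Permissions): Severity {
  const rank = { high: 3, medium: 2, low: 1 } as const;
  return auditPermissions(perms).reduce<Severity>((worst, f) => (rank[f.severity] > rank[worst] ? f.severity : worst), "low");
}

// constructed sample covering each Permission form; ids and ARN are placeholders
const topic: Construct = { node: { id: "Topic" } };
const table: Construct = { node: { id: "Table" } };
const sample: Permissions = [
  "dynamodb", "s3:PutObject", topic, [table, "grantReadData"],
  { actions: ["s3:*"], resources: ["arn:aws:s3:::placeholder-bucket/private/*"] },
];
for (const f of auditPermissions(sample)) console.log(`${f.severity.padEnd(6)} ${f.permission}: ${f.reason}`);
```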
Supported Constructs
You can grant access to a CDK construct.
fun.attachPermissions([topic, table]);
Currently, the following CDK constructs are supported.
- cdk.aws-sns.Topic
- cdk.aws-s3.Bucket
- cdk.aws-sqs.Queue
- cdk.aws-dynamodb.Table
- cdk.aws-kinesis.Stream
- cdk.aws-events.EventBus
- cdk.aws-rds.ServerlessCluster
- cdk.aws-kinesisfirehose-alpha.DeliveryStream
To add to this list, please open a new issue.