# Permissions

> **Caution:** This is the SST v0.x Constructs doc. SST v1 is now released. If you are using v1, see the v1 Constructs doc. If you are looking to upgrade to v1, check out the migration steps.
SST makes it easy to select the level of access you want to grant while attaching permissions to your application.
The `Permissions` type is used in:

- The various `attachPermissions` style functions. For example, `attachPermissions` in the `Function` construct.
- The `attachPermissionsForAuthUsers` and `attachPermissionsForUnauthUsers` in the `Auth` construct.
## Examples

Let's look at the various ways to attach permissions, starting with the most permissive option.

Take a simple function.

```js
const fun = new Function(this, "Function", { handler: "src/lambda.main" });
```
### Giving full permissions

```js
fun.attachPermissions(PermissionType.ALL);
```

This gives the function admin access to all resources in the account.
### Access to a list of services

```js
fun.attachPermissions(["s3", "dynamodb"]);
```

Specify a list of AWS services (the service prefix used in IAM actions) that this function has complete access to. Takes a list of strings.
### Access to a list of actions

```js
fun.attachPermissions(["s3:PutObject", "dynamodb:PutItem"]);
```

Specify a list of AWS IAM actions that this function has complete access to. Takes a list of strings.
### Access to a list of constructs

```js
import * as sns from "aws-cdk-lib/aws-sns";

const topic = new sns.Topic(this, "Topic");
const table = new Table(this, "Table");

fun.attachPermissions([topic, table]);
```

Specify which SST or CDK constructs you want to give complete access to. Check out the list of supported constructs below.
### Access to a list of specific permissions in a construct

```js
import * as sns from "aws-cdk-lib/aws-sns";
import * as dynamodb from "aws-cdk-lib/aws-dynamodb";

const topic = new sns.Topic(this, "Topic");
const table = new dynamodb.Table(this, "Table");

// Each entry is a tuple of the construct and the name of one of its grant methods
fun.attachPermissions([
  [topic, "grantPublish"],
  [table, "grantReadData"],
]);
```

Specify which permission in the construct you want to give access to. This is specified as a tuple of the construct and the name of its grant permission function.

CDK constructs have methods of the format `grantX` that allow you to grant specific permissions. So in the example above, the grant functions are `Topic.grantPublish` and `Table.grantReadData`. The `attachPermissions` method takes the construct and calls the grant permission function specified.

Unlike the previous option, this supports all the CDK constructs.
### List of IAM policies

```js
import * as iam from "aws-cdk-lib/aws-iam";

// `bucket`, `api`, `region` and `account` are assumed to be defined earlier in the stack
fun.attachPermissions([
  new iam.PolicyStatement({
    actions: ["s3:*"],
    effect: iam.Effect.ALLOW,
    resources: [
      // Double-quoted on purpose: ${cognito-identity.amazonaws.com:sub} is an IAM policy
      // variable that must reach the policy literally, not a JS template literal
      bucket.bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*",
    ],
  }),
  new iam.PolicyStatement({
    actions: ["execute-api:Invoke"],
    effect: iam.Effect.ALLOW,
    resources: [
      `arn:aws:execute-api:${region}:${account}:${api.httpApiId}/*`,
    ],
  }),
]);
```

The `cdk.aws-iam.PolicyStatement` allows you to craft granular IAM policies that you can attach to the function.
## Types

Below are the types and enums used to support permissions in SST.

### Permissions

_Type_ : `PermissionType | Permission[]`

Takes a `PermissionType` or an array of `Permission`.

At a high level, you can either give admin access to all the resources in your account or to a specific list of services.
### PermissionType

An enum with the following option(s).

| Member | Description |
|---|---|
| ALL | Gives complete admin access to all resources. |

In a `Function` construct this is set using `sst.PermissionType.ALL`.
### Permission

_Type_ : `string | cdk.IConstruct | [cdk.IConstruct, string] | cdk.aws-iam.PolicyStatement`

Allows you to define the permission in a few different ways to control the level of access.

The name of the AWS service (resource type) as referenced in an IAM policy.

```js
"s3"
"dynamodb"
...
```

A CDK or SST construct. Check out the list of supported constructs below.

```js
new cdk.aws-sns.Topic(this, "Topic")
new sst.Table(this, "Table")
...
```

A CDK construct with its specific grant permission method. Many CDK constructs have a method of the format `grantX` that allows you to grant specific permissions. Pass in the construct and grant method as a tuple.

```js
// const topic = new cdk.aws-sns.Topic(this, "Topic");
// const table = new sst.Table(this, "Table");
[topic, "grantPublish"]
[table, "grantReadData"]
```

Or, pass in a policy statement.

```js
new cdk.aws-iam.PolicyStatement({
  actions: ["s3:*"],
  effect: cdk.aws-iam.Effect.ALLOW,
  resources: [
    bucket.bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*",
  ],
})
```
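The following is an added example, not SST's own code, that models how the forms of `Permission` described in the Examples section and in the `Permission` type above resolve into IAM statements, and adds a review check for statements that are broader than a named action on a named resource. `MockConstruct`, `Role`, `allow()` and `findBroadStatements()` are stand-ins written for this example (real SST calls into `aws-cdk-lib`); the ARNs, account id and bucket name are constructed placeholders, and the mapping of a bare service name to `service:*` on resource `*` is this example's reading of "complete access".

```typescript
// Added example, not SST's own code: a dependency-free model of how the
// Permissions union resolves into IAM-style statements on a function's role.

enum PermissionType { ALL = "*" }

// Shape follows cdk.aws-iam.PolicyStatement, reduced to what this example needs.
interface Statement { effect: "Allow"; actions: string[]; resources: string[] }

const allow = (actions: string[], resources: string[]): Statement =>
  ({ effect: "Allow", actions, resources });

// The grantee: collects the statements attached to a function's execution role.
class Role {
  readonly statements: Statement[] = [];
  addToPolicy(s: Statement): void { this.statements.push(s); }
}

// Stand-in for an SST/CDK construct: its ARN, its IAM service prefix, and the
// CDK-style grantX methods it exposes (method name -> actions granted).
class MockConstruct {
  constructor(readonly arn: string, readonly service: string,
              readonly grants: Record<string, string[]> = {}) {}
  // attachPermissions([construct]): complete access, but only to this one resource.
  grantAll(role: Role): void { role.addToPolicy(allow([`${this.service}:*`], [this.arn])); }
  // attachPermissions([[construct, "grantX"]]): only what that grant method covers.
  grant(name: string, role: Role): void {
    const actions = this.grants[name];
    if (!actions) throw new Error(`${this.service} construct has no ${name} method`);
    role.addToPolicy(allow(actions, [this.arn]));
  }
}

type Permission = string | MockConstruct | [MockConstruct, string] | Statement;
type Permissions = PermissionType | Permission[];

// Resolves each Permission form into statements on the role and returns them.
function attachPermissions(role: Role, permissions: Permissions): Statement[] {
  if (!Array.isArray(permissions)) {
    role.addToPolicy(allow(["*"], ["*"]));          // PermissionType.ALL: admin on everything
    return role.statements;
  }
  for (const p of permissions) {
    if (typeof p === "string") {
      // "s3" -> s3:*, "s3:PutObject" -> as given; both on every resource ("complete access")
      role.addToPolicy(allow([p.includes(":") ? p : `${p}:*`], ["*"]));
    } else if (p instanceof MockConstruct) {
      p.grantAll(role);
    } else if (Array.isArray(p)) {
      p[0].grant(p[1], role);
    } else {
      role.addToPolicy(p);                          // PolicyStatement passed through as-is
    }
  }
  return role.statements;
}

// Review check: statements not scoped to a named action on a named resource.
function findBroadStatements(statements: Statement[]): Statement[] {
  return statements.filter((s) =>
    s.resources.includes("*") || s.actions.some((a) => a === "*" || a.endsWith(":*")));
}

// Constructed sample constructs (region and account id are placeholders).
function sampleConstructs() {
  const topic = new MockConstruct("arn:aws:sns:us-east-1:123456789012:Topic", "sns",
    { grantPublish: ["sns:Publish"] });
  const table = new MockConstruct("arn:aws:dynamodb:us-east-1:123456789012:table/Table",
    "dynamodb", { grantReadData: ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"] });
  return { topic, table };
}

// Walks the forms from the Examples section, most to least permissive.
function demo() {
  const { topic, table } = sampleConstructs();
  const bucketArn = "arn:aws:s3:::my-bucket";     // constructed; stands in for bucket.bucketArn
  const all = attachPermissions(new Role(), PermissionType.ALL);
  const services = attachPermissions(new Role(), ["s3", "dynamodb:PutItem"]);
  const constructs = attachPermissions(new Role(), [topic, table]);
  const grants = attachPermissions(new Role(), [[topic, "grantPublish"], [table, "grantReadData"]]);
  // Double quotes on purpose: the ${...} must reach IAM literally as a policy variable.
  const policy = attachPermissions(new Role(),
    [allow(["s3:*"], [bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*"])]);
  return { all, services, constructs, grants, policy };
}

for (const [name, statements] of Object.entries(demo())) {
  console.log(name, JSON.stringify(statements), "broad:", findBroadStatements(statements).length);
}
```

Running it prints one line per form; only the `grants` form (construct plus `grantX` tuple) produces no statement that the review check flags, which is the practical reason to prefer it over service strings or `PermissionType.ALL` once a function's real needs are known.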
## Supported Constructs

You can grant access to an SST or CDK construct.

```js
// `topic` and `table` are construct instances, e.g. an sns.Topic and an sst.Table
fun.attachPermissions([topic, table]);
```

Currently the following SST and CDK constructs are supported.
- Api
- Topic
- Table
- Queue
- Bucket
- Function
- EventBus
- GraphQLApi
- AppSyncApi
- KinesisStream
- WebSocketApi
- ApiGatewayV1Api
- cdk.aws-sns.Topic
- cdk.aws-s3.Bucket
- cdk.aws-sqs.Queue
- cdk.aws-dynamodb.Table
- cdk.aws-kinesis.Stream
- cdk.aws-events.EventBus
- cdk.aws-rds.ServerlessCluster
- cdk.aws-kinesisfirehose-alpha.DeliveryStream
To add to this list, please open a new issue.