Merge pull request #42 from pas256/add-statements
Adding a way to put in a policy as is into the kappa config file
Showing
2 changed files
with
40 additions
and
4 deletions
... | @@ -70,9 +70,9 @@ simple/ | ... | @@ -70,9 +70,9 @@ simple/ |
70 | 70 | ||
71 | Within the directory we see: | 71 | Within the directory we see: |
72 | 72 | ||
73 | -* kappa.yml.sample which is a sample YAML configuration file for the project | 73 | +* `kappa.yml.sample` which is a sample YAML configuration file for the project |
74 | -* _src which is a directory containing the source code for the Lambda function | 74 | +* `_src` which is a directory containing the source code for the Lambda function |
75 | -* _test which is a directory containing some test data | 75 | +* `_test` which is a directory containing some test data |
76 | 76 | ||
77 | The first step is to make a copy of the sample configuration file: | 77 | The first step is to make a copy of the sample configuration file: |
78 | 78 | ||
... | @@ -204,3 +204,36 @@ Kappa will figure out what has changed and make the necessary updates for you. | ... | @@ -204,3 +204,36 @@ Kappa will figure out what has changed and make the necessary updates for you. |
204 | 204 | ||
205 | That gives you a quick overview of kappa. To learn more about it, I recommend | 205 | That gives you a quick overview of kappa. To learn more about it, I recommend |
206 | you check out the tutorial. | 206 | you check out the tutorial. |
207 | + | ||
208 | +Policies | ||
209 | +-------- | ||
210 | + | ||
211 | +Hands up who loves writing IAM policies. Yeah, that's what I thought. With | ||
212 | +Kappa, there is a simplified way of writing policies and granting your Lambda | ||
213 | +function the permissions it needs. | ||
214 | + | ||
215 | +The simplified version allows you to specify, in your `kappa.yml` file, the | ||
216 | +ARN of the resource you want to access, and then a list of the API methods you | ||
217 | +want to allow. For example: | ||
218 | + | ||
219 | +``` | ||
220 | +policy: | ||
221 | + resources: | ||
222 | + - arn: arn:aws:logs:*:*:* | ||
223 | + actions: | ||
224 | + - "*" | ||
225 | +``` | ||
226 | + | ||
227 | +To express this using the official IAM policy format, you can instead use a | ||
228 | +statement: | ||
229 | + | ||
230 | +``` | ||
231 | +policy: | ||
232 | + statements: | ||
233 | + - Effect: Allow | ||
234 | + Resource: "*" | ||
235 | + Action: | ||
236 | + - "logs:*" | ||
237 | +``` | ||
238 | + | ||
239 | +Both of these do the same thing. | ... | ... |
... | @@ -44,7 +44,8 @@ class Policy(object): | ... | @@ -44,7 +44,8 @@ class Policy(object): |
44 | self.environment) | 44 | self.environment) |
45 | 45 | ||
46 | def document(self): | 46 | def document(self): |
47 | - if 'resources' not in self._config['policy']: | 47 | + if ('resources' not in self._config['policy'] and |
48 | + 'statements' not in self._config['policy']): | ||
48 | return None | 49 | return None |
49 | document = {"Version": "2012-10-17"} | 50 | document = {"Version": "2012-10-17"} |
50 | statements = [] | 51 | statements = [] |
... | @@ -59,6 +60,8 @@ class Policy(object): | ... | @@ -59,6 +60,8 @@ class Policy(object): |
59 | actions.append("{}:{}".format(service, action)) | 60 | actions.append("{}:{}".format(service, action)) |
60 | statement['Action'] = actions | 61 | statement['Action'] = actions |
61 | statements.append(statement) | 62 | statements.append(statement) |
63 | + for statement in self._config['policy'].get('statements', []): | ||
64 | + statements.append(statement) | ||
62 | return json.dumps(document, indent=2, sort_keys=True) | 65 | return json.dumps(document, indent=2, sort_keys=True) |
63 | 66 | ||
64 | @property | 67 | @property | ... | ... |
-
Please register or login to post a comment