Merge remote-tracking branch 'origin/python-refactor' into python-refactor
Showing
2 changed files
with
40 additions
and
4 deletions
| ... | @@ -70,9 +70,9 @@ simple/ | ... | @@ -70,9 +70,9 @@ simple/ |
| 70 | 70 | ||
| 71 | Within the directory we see: | 71 | Within the directory we see: |
| 72 | 72 | ||
| 73 | -* kappa.yml.sample which is a sample YAML configuration file for the project | 73 | +* `kappa.yml.sample` which is a sample YAML configuration file for the project |
| 74 | -* _src which is a directory containing the source code for the Lambda function | 74 | +* `_src` which is a directory containing the source code for the Lambda function |
| 75 | -* _test which is a directory containing some test data | 75 | +* `_test` which is a directory containing some test data |
| 76 | 76 | ||
| 77 | The first step is to make a copy of the sample configuration file: | 77 | The first step is to make a copy of the sample configuration file: |
| 78 | 78 | ||
| ... | @@ -204,3 +204,36 @@ Kappa will figure out what has changed and make the necessary updates for you. | ... | @@ -204,3 +204,36 @@ Kappa will figure out what has changed and make the necessary updates for you. |
| 204 | 204 | ||
| 205 | That gives you a quick overview of kappa. To learn more about it, I recommend | 205 | That gives you a quick overview of kappa. To learn more about it, I recommend |
| 206 | you check out the tutorial. | 206 | you check out the tutorial. |
| 207 | + | ||
| 208 | +Policies | ||
| 209 | +-------- | ||
| 210 | + | ||
| 211 | +Hands up who loves writing IAM policies. Yeah, that's what I thought. With | ||
| 212 | +Kappa, there is a simplified way of writing policies and granting your Lambda | ||
| 213 | +function the permissions it needs. | ||
| 214 | + | ||
| 215 | +The simplified version allows you to specify, in your `kappa.yml` file, the | ||
| 216 | +ARN of the resource you want to access, and then a list of the API methods you | ||
| 217 | +want to allow. For example: | ||
| 218 | + | ||
| 219 | +``` | ||
| 220 | +policy: | ||
| 221 | + resources: | ||
| 222 | + - arn: arn:aws:logs:*:*:* | ||
| 223 | + actions: | ||
| 224 | + - "*" | ||
| 225 | +``` | ||
| 226 | + | ||
| 227 | +To express this using the official IAM policy format, you can instead use a | ||
| 228 | +statement: | ||
| 229 | + | ||
| 230 | +``` | ||
| 231 | +policy: | ||
| 232 | + statements: | ||
| 233 | + - Effect: Allow | ||
| 234 | + Resource: "*" | ||
| 235 | + Action: | ||
| 236 | + - "logs:*" | ||
| 237 | +``` | ||
| 238 | + | ||
| 239 | +Both of these do the same thing. | ... | ... |
| ... | @@ -44,7 +44,8 @@ class Policy(object): | ... | @@ -44,7 +44,8 @@ class Policy(object): |
| 44 | self.environment) | 44 | self.environment) |
| 45 | 45 | ||
| 46 | def document(self): | 46 | def document(self): |
| 47 | - if 'resources' not in self._config['policy']: | 47 | + if ('resources' not in self._config['policy'] and |
| 48 | + 'statements' not in self._config['policy']): | ||
| 48 | return None | 49 | return None |
| 49 | document = {"Version": "2012-10-17"} | 50 | document = {"Version": "2012-10-17"} |
| 50 | statements = [] | 51 | statements = [] |
| ... | @@ -59,6 +60,8 @@ class Policy(object): | ... | @@ -59,6 +60,8 @@ class Policy(object): |
| 59 | actions.append("{}:{}".format(service, action)) | 60 | actions.append("{}:{}".format(service, action)) |
| 60 | statement['Action'] = actions | 61 | statement['Action'] = actions |
| 61 | statements.append(statement) | 62 | statements.append(statement) |
| 63 | + for statement in self._config['policy'].get('statements', []): | ||
| 64 | + statements.append(statement) | ||
| 62 | return json.dumps(document, indent=2, sort_keys=True) | 65 | return json.dumps(document, indent=2, sort_keys=True) |
| 63 | 66 | ||
| 64 | @property | 67 | @property | ... | ... |
-
Please register or login to post a comment