Attach a custom policy to a Function
Functions that require access to other resources need to have policies attached that grant them permission to access those resources. In most cases, Altostra attaches these policies automatically when you create a connection between resources.
If, however, you need to grant a Function access to a resource outside of your Altostra project, or if you need to grant your Function a custom policy, then you need to attach a custom policy to that function. The attached policy, or policies, will be added to the other policies generated for that function.
Keep in mind that the resources you add using the Custom Resources resource are not checked by Altostra for validity. This resource is meant to help you extend your needs beyond what is currently supported by Altostra, but at your own risk. Please feel free to submit a feature request if you find yourself using this resource.
Attach custom policies to a Function
- Open the project in Visual Studio Code.
- Edit the Function to which you wish to attach custom policies.
- Expand the Policies section:
The displayed text is an example of a possible policy definition.
- Enter your custom policies in the policy text field.
- Click SAVE to finish editing the function.
Acceptable policy formats
You can use any one of the following three formats to define your policies:
A comma separated list of policy names
read-write-files-policy, read-only-database-policy
IMPORTANT: For this to work, the policy names you enter must already exist in the account to which you will deploy the project. Please refer to Manage Environments for more information about accounts and environments.
A policy document
Enter a custom policy in JSON format that adheres to the AWS IAM policy format. See Grammar of the IAM JSON Policy Language for more information.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}
A list of policy documents and policy names
You can mix both formats by specifying a JSON array. The items of the array can be predefined policy names and custom policy objects.
[
  "read-write-files-policy",
  "read-only-database-policy",
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:ListBucket",
          "s3:ListBucketVersions"
        ],
        "Resource": [
          "arn:aws:s3:::*/*"
        ]
      }
    ]
  }
]
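As an added example (not code from the Altostra documentation or product), the following Python parses the contents of the Policies field in each of the three formats described above, checks the minimal structure of any inline policy document, and flags Allow statements whose Action or Resource is a wildcard. The sample inputs, the `example-bucket` name and the function names are constructed for the example; Altostra's own validation of the field is not shown here.

```python
import json

# Constructed sample inputs, one per accepted format (assumed examples,
# not taken from a real Altostra project).
SAMPLE_NAMES = "read-write-files-policy, read-only-database-policy"
SAMPLE_DOCUMENT = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
        "Resource": ["arn:aws:s3:::*/*"],
    }],
})
SAMPLE_MIXED = json.dumps([
    "read-write-files-policy",
    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }],
    },
])


def _as_list(value):
    """IAM allows Statement, Action and Resource as a single value or a list."""
    return value if isinstance(value, list) else [value]


def validate_document(doc):
    """Check the minimal structure of an IAM policy document; raise on error."""
    if not isinstance(doc, dict) or "Statement" not in doc:
        raise ValueError("policy document must be an object with a Statement")
    for stmt in _as_list(doc["Statement"]):
        if not isinstance(stmt, dict) or stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"statement needs Effect Allow or Deny: {stmt!r}")
        if "Action" not in stmt and "NotAction" not in stmt:
            raise ValueError("statement needs Action or NotAction")
        if "Resource" not in stmt and "NotResource" not in stmt:
            raise ValueError("statement needs Resource or NotResource")
    return doc


def parse_policy_field(text):
    """Parse the Policies field: returns policy names (str) and documents (dict).

    A field starting with '{' or '[' is JSON (a document, or an array mixing
    names and documents); anything else is a comma-separated list of names.
    """
    text = text.strip()
    if not text:
        return []
    if text[0] in "{[":
        value = json.loads(text)
        items = value if isinstance(value, list) else [value]
    else:
        items = [name.strip() for name in text.split(",") if name.strip()]
    for item in items:
        if isinstance(item, dict):
            validate_document(item)
        elif not isinstance(item, str) or not item:
            raise ValueError(f"unsupported policy item: {item!r}")
    return items


def find_broad_grants(items):
    """Report Allow statements that grant a wildcard action or resource."""
    findings = []
    for item in items:
        if not isinstance(item, dict):
            continue  # named policies live in the target account; review them there
        for stmt in _as_list(item["Statement"]):
            if stmt.get("Effect") != "Allow":
                continue
            for action in _as_list(stmt.get("Action", [])):
                if action == "*" or action.endswith(":*"):
                    findings.append(f"wildcard action {action}")
            for res in _as_list(stmt.get("Resource", [])):
                # "*" or "arn:aws:s3:::*..." reaches every bucket in the account
                if res == "*" or res.startswith("arn:aws:s3:::*"):
                    findings.append(f"wildcard resource {res}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_NAMES, SAMPLE_DOCUMENT, SAMPLE_MIXED):
        items = parse_policy_field(sample)
        print(len(items), "item(s);", find_broad_grants(items) or "no broad grants")
```

Named policies are passed through unchanged because, as the text notes, they are resolved against the account you deploy to; only inline documents can be inspected before deployment. Running the check on the page's sample document reports its `arn:aws:s3:::*/*` resource, which matches objects in every bucket in the account; a policy scoped to the specific bucket the Function needs keeps the grant to least privilege. Note also that in IAM `s3:ListBucket` is evaluated against the bucket ARN itself (`arn:aws:s3:::bucket-name`), so a production policy would list that ARN rather than an object pattern.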