
Amazon Serverless Application Repository Application Policy Examples

Permissions policies attached to Amazon Serverless Application Repository applications are referred to as application policies. Application policies determine the actions that a specified principal or principalOrg can perform on an Amazon Serverless Application Repository application.

An Amazon Serverless Application Repository application is the primary Amazon resource in the Amazon Serverless Application Repository. Application policies are primarily used by publishers to grant consumers permission to deploy their applications and to perform related operations, such as searching for and viewing details of those applications.

Publishers can set application permissions to one of the following three categories:

  • Private – Applications that were created in your account and haven't been shared with any other account. Only consumers that use your Amazon account have permission to deploy private applications.

  • Privately shared – Applications that the publisher has explicitly shared with a specific set of Amazon accounts, or with Amazon accounts in an Amazon organization. Consumers have permission to deploy applications that have been shared with their Amazon account or Amazon organization. For more information about Amazon organizations, see the Amazon Organizations User Guide.

  • Publicly shared – Applications that the publisher has shared with everyone. All consumers have permission to deploy any publicly shared application.

Note

For privately shared applications, the Amazon Serverless Application Repository only supports Amazon accounts as principals. Publishers can grant or deny access to an application for all users within an Amazon account as a single group; they cannot grant or deny access for individual users within an Amazon account.

For instructions on setting application permissions using the Amazon Web Services Management Console, see Sharing an Application.

For instructions on setting application permissions using the Amazon CLI and examples, see the following sections.

Application Permissions (Amazon CLI and Amazon SDKs)

When you're using the Amazon CLI or the Amazon SDKs to set permissions for an Amazon Serverless Application Repository application, you can specify the following actions:

  • GetApplication – Grants permission to view information about the application.

  • CreateCloudFormationChangeSet – Grants permission for the application to be deployed. Note: this action grants no permission other than to deploy.

  • CreateCloudFormationTemplate – Grants permission to create an Amazon CloudFormation template for the application.

  • ListApplicationVersions – Grants permission to list the versions of the application.

  • ListApplicationDependencies – Grants permission to list the applications that are nested in the containing application.

  • SearchApplications – Grants permission for the application to be searched for.

  • Deploy – Enables all of the actions listed above. That is, it grants permission for the application to be viewed, for it to be deployed, for its versions to be listed, and for it to be searched for.

Application Policy Examples

The following examples show how to grant permissions by using the Amazon CLI. For information on how to grant permissions using the Amazon Web Services Management Console, see Sharing an Application.

All of the examples in this section use the put-application-policy and get-application-policy Amazon CLI commands to manage the permissions policies associated with Amazon Serverless Application Repository applications.

Example 1: Share an Application with Another Account

To share an application with another specific account, but keep it from being shared with others, you specify the Amazon account ID that you want to share with as the principal. This is also known as setting the application to privately shared. To do this, use the following Amazon CLI command.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements Principals=account-id,Actions=Deploy

Note

Privately shared applications can only be used in the same Amazon Region where the application is created.

Example 2: Share an Application Publicly

To make an application public, you share it with everyone by specifying "*" as the principal, as in the following example. Applications that are shared publicly are available in all Regions.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements 'Principals=*,Actions=Deploy'

Note

In order to share an application publicly, it must have both the SemanticVersion and LicenseUrl properties set.

Example 3: Make an Application Private

You can make an application private, so that it's not shared with anyone and can only be deployed by the Amazon account that owns it. To do so, you clear the principals and actions from the policy, which also removes any permission that other accounts within your Amazon organization had to deploy your application.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements '[]'

Note

Private applications can only be used in the same Amazon Region where the application is created.

Example 4: Specify Multiple Accounts and Permissions

You can grant multiple permissions, and you can grant them to more than one Amazon account at a time. To do this, you specify lists as the principal and actions, as shown in the following example.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements Principals=account-id-1,account-id-2,Actions=GetApplication,CreateCloudFormationChangeSet

Example 5: Share an Application with All Accounts in an Amazon Organization

Permissions can be granted to all users within an Amazon organization. You do this by specifying your organization ID, as in the following example.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements 'Principals=*,PrincipalOrgIDs=org-id,Actions=Deploy,UnshareApplication'

For more information about Amazon organizations, see the Amazon Organizations User Guide.

Note

You can only specify the Amazon organization that your Amazon account is a member of. If you try to specify an Amazon organization that you are not a member of, an error will result.

To share your application with your Amazon organization, you must include permission for the UnshareApplication action, in case the sharing needs to be revoked in the future.

Example 6: Share an Application with Some Accounts in an Amazon Organization

Permissions can be granted to specific accounts within an Amazon organization. You do this by specifying a list of Amazon accounts as the principal, and your organization ID, as in the following example.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements Principals=account-id-1,account-id-2,PrincipalOrgIDs=org-id,Actions=Deploy,UnshareApplication

Note

You can only specify the Amazon organization that your Amazon account is a member of. If you try to specify an Amazon organization that you are not a member of, an error will result.

To share your application with your Amazon organization, you must include permission for the UnshareApplication action, in case the sharing needs to be revoked in the future.

Example 7: Retrieve an Application Policy

To view an application's current policy, for example to see whether it's currently being shared, you use the get-application-policy command, as in the following example.

aws serverlessrepo get-application-policy \
    --region region \
    --application-id application-arn

Example 8: Allow Application to Be Nested by Specific Accounts

Public applications can be nested by anyone. To allow only specific accounts to nest your application, grant them the following minimal set of permissions, as in the following example.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements Principals=account-id-1,account-id-2,Actions=GetApplication,CreateCloudFormationTemplate
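The policies written by Examples 1 through 8 are what a reviewer later reads back with get-application-policy (Example 7). The following Python is an added example, not code from the Amazon documentation, that classifies a retrieved policy into the three categories above (private, privately shared, publicly shared) and flags the two conditions the page calls out: a "*" principal with no organization constraint, which shares the application with every account in all Regions, and an organization share that omits UnshareApplication. It also expands the Deploy shorthand into the concrete actions from the table. The policy shape used here (a "Statements" list whose entries carry "StatementId", "Principals", "PrincipalOrgIDs" and "Actions") follows the CLI's JSON output and is an assumption; the sample policies and their account and organization IDs are constructed, and the fetch_policy helper assumes boto3 is installed and configured.

```python
"""Classify and audit an Amazon Serverless Application Repository application
policy of the kind returned by `aws serverlessrepo get-application-policy`.

Added example, not code from the Amazon documentation. The policy shape (a
"Statements" list with "StatementId", "Principals", "PrincipalOrgIDs" and
"Actions") follows the CLI's JSON output and is an assumption; the sample
policies below are constructed for this example.
"""

# The six concrete actions from the table above; "Deploy" grants all of them.
BASE_ACTIONS = frozenset({
    "GetApplication",
    "CreateCloudFormationChangeSet",
    "CreateCloudFormationTemplate",
    "ListApplicationVersions",
    "ListApplicationDependencies",
    "SearchApplications",
})

# Constructed sample policies (account and organization IDs are placeholders).
PRIVATE_POLICY = {"Statements": []}                        # Example 3
PRIVATELY_SHARED_POLICY = {"Statements": [                  # Example 4
    {"StatementId": "share-with-partner",
     "Principals": ["111111111111", "222222222222"],
     "PrincipalOrgIDs": [],
     "Actions": ["GetApplication", "CreateCloudFormationChangeSet"]},
]}
PUBLIC_POLICY = {"Statements": [                            # Example 2
    {"StatementId": "share-with-everyone",
     "Principals": ["*"], "PrincipalOrgIDs": [], "Actions": ["Deploy"]},
]}
ORG_POLICY_MISSING_UNSHARE = {"Statements": [               # Example 5, minus UnshareApplication
    {"StatementId": "share-with-org",
     "Principals": ["*"], "PrincipalOrgIDs": ["o-exampleorgid"],
     "Actions": ["Deploy"]},
]}


def effective_actions(actions):
    """Expand the "Deploy" shorthand into the concrete actions it implies."""
    expanded = set(actions)
    if "Deploy" in expanded:
        expanded.remove("Deploy")
        expanded |= BASE_ACTIONS
    return expanded


def is_public(statement):
    """True when the statement names "*" with no organization constraint."""
    return "*" in statement.get("Principals", []) and not statement.get("PrincipalOrgIDs")


def classify_policy(policy):
    """Map a policy onto the page's three sharing categories."""
    statements = policy.get("Statements", [])
    if not statements:
        return "private"            # empty statement list, as in Example 3
    if any(is_public(s) for s in statements):
        return "publicly shared"    # "*" principal without an org, as in Example 2
    return "privately shared"       # named accounts and/or an org ID


def audit_policy(policy):
    """Return (statement id, finding) pairs that a policy reviewer would want to see."""
    findings = []
    for stmt in policy.get("Statements", []):
        sid = stmt.get("StatementId", "<no id>")
        actions = stmt.get("Actions", [])
        if is_public(stmt):
            findings.append((sid, "shared with every Amazon account in all Regions"))
        if stmt.get("PrincipalOrgIDs") and "UnshareApplication" not in actions:
            findings.append((sid, "organization share without UnshareApplication"))
        if "Deploy" in actions:
            findings.append((sid, "Deploy grants all %d listed actions" % len(BASE_ACTIONS)))
    return findings


def fetch_policy(application_id, region):
    """Live lookup via boto3 (assumed installed and configured); not exercised offline."""
    import boto3  # imported here so the offline functions above need no boto3
    client = boto3.client("serverlessrepo", region_name=region)
    return client.get_application_policy(ApplicationId=application_id)


if __name__ == "__main__":
    samples = [("private", PRIVATE_POLICY), ("privately shared", PRIVATELY_SHARED_POLICY),
               ("public", PUBLIC_POLICY), ("org without unshare", ORG_POLICY_MISSING_UNSHARE)]
    for name, policy in samples:
        print(name, "->", classify_policy(policy), audit_policy(policy))
```

To audit a real application, pass the output of fetch_policy (or the JSON printed by the get-application-policy command) to classify_policy and audit_policy; the "Deploy grants all listed actions" finding is informational and is what lets a reviewer check that a nesting-only share (Example 8) was not granted the broader Deploy action.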