How the Amazon Serverless Application Repository Works with IAM - Amazon Serverless Application Repository
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

How the Amazon Serverless Application Repository Works with IAM

Before you use IAM to manage access to the Amazon Serverless Application Repository, you should understand what IAM features are available to use with the Amazon Serverless Application Repository.

To get an overview of how IAM works, see Understanding How IAM Works in the IAM User Guide. To get a high-level view of how the Amazon Serverless Application Repository and other Amazon services work with IAM, see Amazon Services That Work with IAM in the IAM User Guide.

Amazon Serverless Application Repository Identity-Based Policies

With IAM identity-based policies, you can specify allowed or denied actions and resources, as well as the conditions under which actions are allowed or denied. The Amazon Serverless Application Repository supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.

The following shows an example of a permissions policy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateApplication",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:CreateApplication"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateApplicationVersion",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:CreateApplicationVersion"
            ],
            "Resource": "arn:partition:serverlessrepo:region:account-id:applications/application-name"
        }
    ]
}

The policy has two statements:

  • The first statement grants permissions for the Amazon Serverless Application Repository action serverlessrepo:CreateApplication on all Amazon Serverless Application Repository resources, as specified by the wildcard character (*) as the Resource value.

  • The second statement grants permission for the Amazon Serverless Application Repository action serverlessrepo:CreateApplicationVersion on an Amazon resource by using the Amazon Resource Name (ARN) for an Amazon Serverless Application Repository application. The application is specified by the Resource value.

The policy doesn't specify the Principal element because in an identity-based policy, you don't specify the principal who gets the permission. When you attach a policy to a user, the user is the implicit principal. When you attach a permissions policy to an IAM role, the principal identified in the role's trust policy gets the permissions.

For a table showing all of the Amazon Serverless Application Repository API operations and the Amazon resources that they apply to, see Amazon Serverless Application Repository API Permissions: Actions and Resources Reference.

Actions

Administrators can use Amazon JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated Amazon API operation. There are some exceptions, such as permission-only actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called dependent actions.

Include actions in a policy to grant permissions to perform the associated operation.

Policy actions in the Amazon Serverless Application Repository use the following prefix before the action: serverlessrepo:. For example, to grant someone permission to search for applications with the Amazon Serverless Application Repository SearchApplications API operation, you include the serverlessrepo:SearchApplications action in their policy. Policy statements must include either an Action or NotAction element. The Amazon Serverless Application Repository defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as follows:

"Action": [ "serverlessrepo:action1", "serverlessrepo:action2" ]

You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word List, include the following action:

"Action": "serverlessrepo:List*"

To see a list of Amazon Serverless Application Repository actions, see Actions Defined by Amazon Serverless Application Repository in the IAM User Guide.

Resources

Administrators can use Amazon JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Resource JSON policy element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. As a best practice, specify a resource using its Amazon Resource Name (ARN). You can do this for actions that support a specific resource type, known as resource-level permissions.

For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.

"Resource": "*"

In the Amazon Serverless Application Repository, the primary Amazon resource is an Amazon Serverless Application Repository application. Amazon Serverless Application Repository applications have unique Amazon Resource Names (ARNs) associated with them, as shown in the following table.

Amazon Resource Type    Amazon Resource Name (ARN) Format
Application             arn:partition:serverlessrepo:region:account-id:applications/application-name

For more information about the format of ARNs, see Amazon Resource Names (ARNs) and Amazon Service Namespaces.

The following is an example policy that grants permissions for the serverlessrepo:ListApplications action on all Amazon resources. In the current implementation, the Amazon Serverless Application Repository doesn't support identifying specific Amazon resources by using the Amazon resource ARNs (also referred to as resource-level permissions) for some of the API actions. In these cases, you must specify a wildcard character (*).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListExistingApplications",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:ListApplications"
            ],
            "Resource": "*"
        }
    ]
}
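The Actions and Resources sections above describe how the Action wildcard, the application ARN format and the Resource element combine when IAM evaluates a request. The following is an added example, not code from the Amazon Web Services documentation or from the service itself: a small evaluator that applies those rules (default deny, Allow grants, a matching Deny overrides any Allow) to the policies on this page. It covers only Action and Resource with the * and ? wildcards; Condition, NotAction and NotResource are deliberately not handled. The partition "aws", the region, the account ID and the application names are constructed placeholder values.

```python
"""Evaluate a serverlessrepo identity-based policy against a request.

Added example for this page; not code from the AWS documentation or the
Serverless Application Repository. Handles Action/Resource lists, * and ?
wildcards, Allow/Deny and the default deny. No Condition, NotAction or
NotResource support. All ARNs, account IDs and regions are constructed.
"""
import fnmatch
import re

# ARN format from the Resources table:
# arn:partition:serverlessrepo:region:account-id:applications/application-name
APPLICATION_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z\-]*):serverlessrepo:"
    r"(?P<region>[a-z0-9\-]*):(?P<account>\d{12}):"
    r"applications/(?P<name>[A-Za-z0-9\-]+)$"
)


def parse_application_arn(arn):
    """Split an application ARN into its parts, or raise ValueError."""
    m = APPLICATION_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a serverlessrepo application ARN: {arn}")
    return m.groupdict()


def is_application_arn(arn):
    """True if `arn` has the application ARN format shown on this page."""
    return APPLICATION_ARN_RE.match(arn) is not None


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value):
    """IAM wildcards are only * and ?; make [ and ] literal for fnmatch."""
    escaped = re.sub(r"[\[\]]", lambda m: "[" + m.group(0) + "]", pattern)
    return fnmatch.fnmatchcase(value, escaped)


def is_allowed(policy, action, resource):
    """Return True if `policy` allows `action` on `resource`.

    Everything is denied by default, an Allow statement grants access, and a
    matching Deny overrides every Allow. Action names compare case-insensitively,
    resource ARNs case-sensitively. For actions without resource-level
    permissions (such as ListApplications) pass "*" as the resource.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(
            _matches(p.lower(), action.lower()) for p in _as_list(stmt.get("Action", []))
        )
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit deny wins regardless of any Allow
        allowed = True
    return allowed


# The two-statement policy from this page, with constructed placeholder values.
APP_ARN = "arn:aws:serverlessrepo:us-east-1:123456789012:applications/my-app"
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CreateApplication", "Effect": "Allow",
         "Action": ["serverlessrepo:CreateApplication"], "Resource": "*"},
        {"Sid": "CreateApplicationVersion", "Effect": "Allow",
         "Action": ["serverlessrepo:CreateApplicationVersion"], "Resource": APP_ARN},
    ],
}

# Same policy plus an Action-wildcard Deny; the later Allow cannot override it.
DENY_LIST_POLICY = {
    "Version": "2012-10-17",
    "Statement": PAGE_POLICY["Statement"] + [
        {"Sid": "NoListing", "Effect": "Deny",
         "Action": "serverlessrepo:List*", "Resource": "*"},
        {"Sid": "AllowListing", "Effect": "Allow",
         "Action": "serverlessrepo:ListApplications", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    other = "arn:aws:serverlessrepo:us-east-1:123456789012:applications/other-app"
    print(parse_application_arn(APP_ARN)["name"])                                       # my-app
    print(is_allowed(PAGE_POLICY, "serverlessrepo:CreateApplication", "*"))             # True
    print(is_allowed(PAGE_POLICY, "serverlessrepo:CreateApplicationVersion", APP_ARN))  # True
    print(is_allowed(PAGE_POLICY, "serverlessrepo:CreateApplicationVersion", other))    # False
    print(is_allowed(DENY_LIST_POLICY, "serverlessrepo:ListApplications", "*"))         # False
```

The last call is the check worth remembering when you review a policy: a Deny on serverlessrepo:List* silently wins over a later Allow for serverlessrepo:ListApplications, so a consumer who "has" the Allow still gets AccessDenied.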

For a table showing all of the Amazon Serverless Application Repository API actions and the Amazon resources that they apply to, see Amazon Serverless Application Repository API Permissions: Actions and Resources Reference.

Condition Keys

The Amazon Serverless Application Repository doesn't provide any service-specific condition keys, but it does support using some global condition keys. To see all Amazon global condition keys, see Amazon Global Condition Context Keys in the IAM User Guide.

Examples

To view examples of Amazon Serverless Application Repository identity-based policies, see Amazon Serverless Application Repository Identity-Based Policy Examples.

Amazon Serverless Application Repository Application Policies

Application policies determine the actions that a specified principal (an Amazon Web Services account) or principal organization (an Amazon Organizations organization) can perform on an Amazon Serverless Application Repository application.

You can add permissions to the policy associated with an Amazon Serverless Application Repository application. Permissions policies attached to Amazon Serverless Application Repository applications are referred to as application policies. Application policies are extensions of IAM resource-based policies. The primary resource is the Amazon Serverless Application Repository application. You can use Amazon Serverless Application Repository application policies to manage application deployment permissions.

Amazon Serverless Application Repository application policies are primarily used by publishers to grant permission to consumers to deploy their applications, and related operations such as to search for and view details of those applications. Publishers can set application permissions to the following three categories:

  • Private – Applications that were created with the same account, and haven't been shared with any other account. You have permission to deploy applications that were created using your Amazon account.

  • Privately shared – Applications that the publisher has explicitly shared with a specific set of Amazon accounts or Amazon Organizations. You have permission to deploy applications that have been shared with your Amazon account or Amazon Organization.

  • Publicly shared – Applications that the publisher has shared with everyone. You have permission to deploy any publicly shared application.

You can grant permissions by using the Amazon CLI, the Amazon SDKs, or the Amazon Web Services Management Console.
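The three sharing categories above are decided entirely by who appears in the application policy's statements. The following is an added example, not code from the Amazon Web Services documentation or from the service: it builds the statement objects that the PutApplicationPolicy operation takes in its Statements parameter (Principals, PrincipalOrgIDs, Actions, StatementId), validates the principals, and classifies an existing policy as private, privately shared or publicly shared. It assumes that sharing with an organization is expressed as Principals ["*"] together with the organization ID in PrincipalOrgIDs; the account IDs, organization ID and application ID are constructed sample values, and FakeClient stands in for a boto3 serverlessrepo client so the example runs offline.

```python
"""Build and classify Serverless Application Repository application policies.

Added example for this page; not code from the AWS documentation. Assumed:
organization-wide sharing is Principals ["*"] plus PrincipalOrgIDs. Account
IDs, organization ID and application ID below are constructed samples.
"""
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")
ORG_ID = re.compile(r"^o-[a-z0-9]{10,32}$")


def is_valid_principal(value):
    """A principal is a 12-digit account ID or "*" (everyone)."""
    return value == "*" or ACCOUNT_ID.fullmatch(value) is not None


def share_statement(accounts=(), org_ids=(), actions=("Deploy",), statement_id=None):
    """Return one application-policy statement.

    accounts: account IDs, or "*" to share publicly.
    org_ids:  Amazon Organizations IDs; Principals is then ["*"] so every
              account in those organizations matches (assumed shape).
    actions:  permissions to grant; "Deploy" is the one consumers need.
    """
    accounts, org_ids, actions = list(accounts), list(org_ids), list(actions)
    if not accounts and not org_ids:
        raise ValueError("specify at least one account or organization")
    if not actions:
        raise ValueError("at least one action is required")
    for account in accounts:
        if not is_valid_principal(account):
            raise ValueError(f"bad account ID: {account}")
    for org in org_ids:
        if not ORG_ID.fullmatch(org):
            raise ValueError(f"bad organization ID: {org}")
    if org_ids:
        if accounts and accounts != ["*"]:
            raise ValueError("organization sharing uses Principals ['*']")
        accounts = ["*"]
    stmt = {"Principals": accounts, "Actions": actions}
    if org_ids:
        stmt["PrincipalOrgIDs"] = org_ids
    if statement_id:
        stmt["StatementId"] = statement_id
    return stmt


def classify(statements):
    """Map an application policy to the page's three categories.

    No statements means private. A "*" principal with no organization
    restriction means anyone can deploy, so the application is publicly
    shared; everything else is privately shared.
    """
    if not statements:
        return "private"
    for stmt in statements:
        if "*" in stmt.get("Principals", []) and not stmt.get("PrincipalOrgIDs"):
            return "publicly shared"
    return "privately shared"


def put_policy(client, application_id, statements):
    """Set the policy with a boto3 serverlessrepo client (injected).

    PutApplicationPolicy sets the whole policy, so pass every statement you
    want to keep; statements omitted here are dropped.
    """
    return client.put_application_policy(ApplicationId=application_id, Statements=statements)


class FakeClient:
    """Test double recording calls; real use is boto3.client("serverlessrepo")."""

    def __init__(self):
        self.calls = []

    def put_application_policy(self, **kwargs):
        self.calls.append(kwargs)
        return {"Statements": kwargs["Statements"]}


if __name__ == "__main__":
    app_id = "arn:aws:serverlessrepo:us-east-1:123456789012:applications/my-app"
    stmts = [
        share_statement(accounts=["210987654321"], statement_id="PartnerAccount"),
        share_statement(org_ids=["o-a1b2c3d4e5"], statement_id="WholeOrg"),
    ]
    print(classify(stmts))  # privately shared
    put_policy(FakeClient(), app_id, stmts)
```

Before making an application public, run classify on the statements you are about to send: a "*" principal that lost its PrincipalOrgIDs entry turns an organization share into a public one.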

Examples

To view examples of managing Amazon Serverless Application Repository application policies, see Amazon Serverless Application Repository Application Policy Examples.

Authorization Based on Amazon Serverless Application Repository Tags

The Amazon Serverless Application Repository doesn't support controlling access to resources or actions based on tags.

Amazon Serverless Application Repository IAM Roles

An IAM role is an entity within your Amazon account that has specific permissions.

Using Temporary Credentials with the Amazon Serverless Application Repository

You can use temporary credentials to sign in with federation, to assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling Amazon STS API operations such as AssumeRole or GetFederationToken.

The Amazon Serverless Application Repository supports using temporary credentials.

Service-Linked Roles

The Amazon Serverless Application Repository doesn't support service-linked roles.

Service Roles

The Amazon Serverless Application Repository doesn't support service roles.