Permissions

SST makes it easy to select the level of access you want to grant while attaching permissions to your application.

The Permissions type is used in:

  1. The various attachPermissions style functions. For example, attachPermissions in the Function construct.
  2. The attachPermissionsForAuthUsers and attachPermissionsForUnauthUsers in the Cognito construct.

Examples

Let's look at the various ways to attach permissions. Starting with the most permissive option.

Take a simple function.

const fun = new Function(stack, "Function", { handler: "src/lambda.main" });

Giving full permissions

fun.attachPermissions("*");

This grants the function admin access: every action on every resource in the account. It is convenient for prototyping but is the opposite of least privilege, so prefer one of the narrower options below for anything that ships.

Access to a list of services

fun.attachPermissions(["s3", "dynamodb"]);

Specify a list of AWS services that this function has complete access to. Takes a list of service prefixes as they appear in IAM action names, so "s3" grants every S3 action (s3:*).

Access to a list of actions

fun.attachPermissions(["s3:PutObject", "dynamodb:PutItem"]);

Specify a list of AWS IAM actions that this function is allowed to perform. Takes a list of strings. This narrows the actions but not the resources they apply to; to limit an action to a particular bucket or table, bind the construct or attach a PolicyStatement (both described below).

Access to a list of SST constructs

import { Topic, Table } from "sst/constructs";

const topic = new Topic(stack, "Topic");
const table = new Table(stack, "Table");

fun.bind([topic, table]);

To give access to SST constructs, bind them to the function. Read more about Resource Binding.

Access to a list of CDK constructs

import * as sns from "aws-cdk-lib/aws-sns";
import * as dynamodb from "aws-cdk-lib/aws-dynamodb";

const topic = new sns.Topic(stack, "Topic");
const table = new dynamodb.Table(stack, "Table");

fun.attachPermissions([topic, table]);

Specify which CDK constructs you want to give complete access to. Check out the list of supported constructs.

Access to a list of specific permissions in a construct

import * as sns from "aws-cdk-lib/aws-sns";
import * as dynamodb from "aws-cdk-lib/aws-dynamodb";

const topic = new sns.Topic(stack, "Topic");
const table = new dynamodb.Table(stack, "Table");

fun.attachPermissions([
[topic, "grantPublish"],
[table, "grantReadData"],
]);

Specify which permission in the construct you want to give access to. Specified as a tuple of the construct and the name of one of its grant methods.

CDK constructs have methods of the format grantX that allow you to grant specific permissions. So in the example above, the grant functions are Topic.grantPublish and Table.grantReadData. The attachPermissions method takes the construct and calls the grant method you named, passing it the function's execution role, so the resulting statements are scoped to that construct's ARN rather than to "*".

Unlike the previous option, this works with any CDK construct that exposes a grantX method, not only the ones in the supported list.

List of IAM policies

import * as iam from "aws-cdk-lib/aws-iam";

// bucket and api are constructs defined elsewhere in the stack;
// region and account can be taken from the stack (stack.region, stack.account).
fun.attachPermissions([
  // Allow any S3 action, but only under the caller's own Cognito identity prefix
  new iam.PolicyStatement({
    actions: ["s3:*"],
    effect: iam.Effect.ALLOW,
    resources: [
      bucket.bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*",
    ],
  }),
  // Allow invoking any route of this specific HTTP API
  new iam.PolicyStatement({
    actions: ["execute-api:Invoke"],
    effect: iam.Effect.ALLOW,
    resources: [`arn:aws:execute-api:${region}:${account}:${api.httpApiId}/*`],
  }),
]);

The cdk.aws-iam.PolicyStatement allows you to craft granular IAM policies that you can attach to the function. Note that ${cognito-identity.amazonaws.com:sub} is an IAM policy variable that only has a value when the request is signed with Cognito Identity Pool credentials, so a statement like the first one is meant for attachPermissionsForAuthUsers and attachPermissionsForUnauthUsers; attached to a function's execution role, the variable is absent from the request context and the statement matches nothing.
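To make the difference between the forms above concrete, here is an added example, not SST's own code, that models how each Permission form on this page (the "*" string, a service name, an action name, a [construct, "grantX"] tuple and a ready-made statement) expands into IAM statements, and then flags the ones that pair a wildcard action with a wildcard resource. ToyTopic, ToyTable, ToyGrantee, their action lists and the ARNs are constructed stand-ins for CDK constructs, and the premise that the string forms are scoped to Resource "*" is an assumption about SST's behaviour that you should confirm against the IAM policy in your synthesized CloudFormation template.

```typescript
// Added example (not SST's code): model of how Permission values expand into
// IAM statements, plus a least-privilege check over the result.
// ASSUMPTION: string permissions ("s3", "s3:PutObject") are scoped to
// Resource "*". Confirm against the synthesized template before relying on it.

type Statement = {
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
};

// Minimal stand-in for the role that CDK grantX methods add statements to.
class ToyGrantee {
  readonly statements: Statement[] = [];
  addToPolicy(s: Statement): void {
    this.statements.push(s);
  }
}

// Toy constructs with grantX methods. The action lists are illustrative and
// not the exact sets that the real CDK Topic/Table grant methods produce.
class ToyTopic {
  constructor(readonly topicArn: string) {}
  grantPublish(g: ToyGrantee): void {
    g.addToPolicy({ Effect: "Allow", Action: ["sns:Publish"], Resource: [this.topicArn] });
  }
}

class ToyTable {
  constructor(readonly tableArn: string) {}
  grantReadData(g: ToyGrantee): void {
    g.addToPolicy({
      Effect: "Allow",
      Action: ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGetItem"],
      Resource: [this.tableArn, `${this.tableArn}/index/*`],
    });
  }
}

type Permission = string | [object, string] | Statement;
type Permissions = "*" | Permission[];

// Expand a Permissions value into the statements it would add to a role.
function expandPermissions(perms: Permissions): Statement[] {
  if (perms === "*") {
    return [{ Effect: "Allow", Action: ["*"], Resource: ["*"] }];
  }
  const grantee = new ToyGrantee();
  for (const p of perms) {
    if (typeof p === "string") {
      // "s3" -> every action of the service; "s3:PutObject" -> that action only.
      const action = p.includes(":") ? p : `${p}:*`;
      grantee.addToPolicy({ Effect: "Allow", Action: [action], Resource: ["*"] });
    } else if (Array.isArray(p)) {
      // [construct, "grantX"]: look up the named grant method and call it.
      const [construct, method] = p;
      const fn = (construct as Record<string, unknown>)[method];
      if (typeof fn !== "function") {
        throw new Error(`${method} is not a grant method on the given construct`);
      }
      (fn as (g: ToyGrantee) => void).call(construct, grantee);
    } else {
      // A ready-made policy statement is attached as-is.
      grantee.addToPolicy(p);
    }
  }
  return grantee.statements;
}

// Least-privilege check: flag Allow statements that combine a wildcard action
// ("*" or "service:*") with a wildcard resource.
function wildcardFindings(stmts: Statement[]): string[] {
  const findings: string[] = [];
  for (const s of stmts) {
    if (s.Effect !== "Allow") continue;
    const wideAction = s.Action.some((a) => a === "*" || a.endsWith(":*"));
    const wideResource = s.Resource.includes("*");
    if (wideAction && wideResource) {
      findings.push(`${s.Action.join(",")} on * is broader than least privilege`);
    }
  }
  return findings;
}

// Constructed sample input mirroring the examples on this page.
const topic = new ToyTopic("arn:aws:sns:us-east-1:123456789012:Topic");
const table = new ToyTable("arn:aws:dynamodb:us-east-1:123456789012:table/Table");

const broad = expandPermissions(["s3", "dynamodb:PutItem"]);
const scoped = expandPermissions([[topic, "grantPublish"], [table, "grantReadData"]]);
```

Running wildcardFindings over broad reports the s3:* statement and nothing for dynamodb:PutItem, while scoped produces no findings because the grant methods bind each statement to the construct's ARN. The same check can be run over the statements in a synthesized template to catch a "*" or service-name permission that slipped into a production stack.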

Types

Below are the types and enums used to support permissions in SST.

Permissions

Type : "*" | Permission[]

Takes a * or an array of Permission.

On a high level, you can either give admin access to all the resources in your account with "*", or pass an array of Permission entries, each of which can be as broad as a service name or as narrow as a single policy statement.

Permission

Type : string | cdk.IConstruct | [cdk.IConstruct, string] | cdk.aws-iam.PolicyStatement

Allows you to define the permission in a few different ways to control the level of access.

A string: either the service prefix as it appears in IAM action names (grants every action of that service) or a full IAM action such as "s3:PutObject".

"s3"
"dynamodb"
...

A CDK construct. Check out the list of supported constructs.

new cdk.aws-sns.Topic(stack, "Topic")
new cdk.aws-dynamodb.Table(stack, "Table")
...

A CDK construct with one of its grant methods. Many CDK constructs have methods of the format grantX that allow you to grant specific permissions. Pass in the construct and the grant method name as a tuple.

// const topic = new cdk.aws-sns.Topic(stack, "Topic");
// const table = new cdk.aws-dynamodb.Table(stack, "Table");

[topic, "grantPublish"]
[table, "grantReadData"]

Or, pass in a policy statement.

new cdk.aws-iam.PolicyStatement({
actions: ["s3:*"],
effect: cdk.aws-iam.Effect.ALLOW,
resources: [
bucket.bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*",
],
})

Supported Constructs

You can grant access to a CDK construct.

fun.attachPermissions([topic, table]);

Currently the following CDK constructs are supported.

To add to this list, please open a new issue.