SST lets you choose how much access to grant when attaching permissions to your application, from full admin access down to a single action on a single resource.
The `Permissions` type is used in:
- The various `attachPermissions`-style functions. For example,
Let's look at the various ways to attach permissions, starting with the most permissive option and working down to the most restrictive.
Take a simple function.
Passing `PermissionType.ALL` gives the function admin access to every resource in the account. This is the least restrictive option; it is convenient while prototyping, but should be narrowed to one of the options below before the function ships.
Specify a list of AWS service names, as they appear in IAM action prefixes (the `s3` in `s3:GetObject`), that this function has complete access to. Takes a list of strings; each entry grants every action of that service on every resource.
Specify which SST or CDK constructs you want to give complete access to. Only the constructs in the list of supported constructs below can be passed this way.
Specify a single permission on a construct as a tuple of the construct and the name of one of its grant methods.
CDK constructs expose methods of the form `grantX` that grant one specific set of permissions on that construct. So in the example above, the grant functions are:
The `attachPermissions` method takes the construct, looks up the named grant method on it, and calls it with the function's IAM role, so the function receives exactly what that one method grants.
Unlike the previous option, this works with any CDK construct that exposes a grant method, not only those in the supported list.
`cdk.aws-iam.PolicyStatement` lets you craft granular IAM policies, scoped to specific actions and resource ARNs, and attach them to the function. This is the most restrictive option and the one to reach for when the function only needs a narrow slice of a service.
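To make the difference between the options concrete, the following is an added example that is not part of the SST documentation or the SST code base. It is a dependency-free model of how each `Permission` form and `PermissionType.ALL` could end up as IAM statements on a function's execution role, so that the resulting actions can be compared side by side. The `Role`, `PolicyStatement`, `Table` and `Topic` classes, the ARNs and account ID, the `DEFAULT_GRANT` table and the `attachPermissions()` helper are all hypothetical stand-ins for the real SST/CDK objects; the exact statements a real `grantX` method emits, and the assumption that a bare service name such as `"s3"` becomes `s3:*` on `*`, are modelling choices made here to illustrate the behaviour the page describes.

```javascript
// Added example, not SST's own code. All classes, ARNs, account IDs and the
// attachPermissions() helper below are hypothetical stand-ins for SST/CDK
// objects, so the file runs with plain Node and no dependencies.

const PermissionType = Object.freeze({ ALL: "*" });

// Stand-in for cdk.aws-iam.PolicyStatement: only actions and resources matter here.
class PolicyStatement {
  constructor({ actions, resources }) {
    this.actions = actions;
    this.resources = resources;
  }
}

// Stand-in for the function's IAM execution role: collects attached statements.
class Role {
  constructor() { this.statements = []; }
  addToPolicy(statement) { this.statements.push(statement); }
}

// Hypothetical constructs with CDK-style grantX methods (assumed action lists).
class Table {
  constructor(name) { this.tableArn = `arn:aws:dynamodb:us-east-1:123456789012:table/${name}`; }
  grantReadData(role) {
    role.addToPolicy(new PolicyStatement({
      actions: ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
      resources: [this.tableArn],
    }));
  }
  grantReadWriteData(role) {
    role.addToPolicy(new PolicyStatement({
      actions: ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
                "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem"],
      resources: [this.tableArn],
    }));
  }
}
class Topic {
  constructor(name) { this.topicArn = `arn:aws:sns:us-east-1:123456789012:${name}`; }
  grantPublish(role) {
    role.addToPolicy(new PolicyStatement({ actions: ["sns:Publish"], resources: [this.topicArn] }));
  }
}

// "Supported constructs" table: which grant a bare construct maps to (assumed).
const DEFAULT_GRANT = new Map([[Table, "grantReadWriteData"], [Topic, "grantPublish"]]);

// Model of attachPermissions(): dispatch on the shape of each Permission.
function attachPermissions(role, permissions) {
  if (permissions === PermissionType.ALL) {
    // Most permissive: every action on every resource.
    role.addToPolicy(new PolicyStatement({ actions: ["*"], resources: ["*"] }));
    return role;
  }
  if (!Array.isArray(permissions)) throw new TypeError("expected PermissionType.ALL or an array");
  for (const p of permissions) {
    if (typeof p === "string") {
      // Service name: every action of that service, on every resource.
      role.addToPolicy(new PolicyStatement({ actions: [`${p}:*`], resources: ["*"] }));
    } else if (p instanceof PolicyStatement) {
      // Hand-crafted statement: attached exactly as written.
      role.addToPolicy(p);
    } else if (Array.isArray(p)) {
      // [construct, "grantX"]: call that one grant method with the role.
      const [construct, method] = p;
      if (typeof construct[method] !== "function") throw new Error(`${method} is not a grant method`);
      construct[method](role);
    } else {
      // Bare construct: only allowed for constructs in the supported list.
      const method = DEFAULT_GRANT.get(p.constructor);
      if (!method) throw new Error(`unsupported construct ${p.constructor.name}`);
      p[method](role);
    }
  }
  return role;
}

// Flatten a role's statements into sorted "action on resource" strings.
function grantedActions(role) {
  return role.statements
    .flatMap(s => s.resources.flatMap(r => s.actions.map(a => `${a} on ${r}`)))
    .sort();
}

// Compare the breadth of each option on the same constructs (constructed sample data).
function compareOptions() {
  const table = new Table("Notes");
  const topic = new Topic("Alerts");
  // Per-user prefix: a hand-written statement can scope S3 access to the caller's own objects.
  const perUserS3 = new PolicyStatement({
    actions: ["s3:GetObject"],
    resources: ["arn:aws:s3:::my-bucket/private/${cognito-identity.amazonaws.com:sub}/*"],
  });
  return {
    all: grantedActions(attachPermissions(new Role(), PermissionType.ALL)),
    services: grantedActions(attachPermissions(new Role(), ["s3", "dynamodb"])),
    constructs: grantedActions(attachPermissions(new Role(), [table])),
    grantMethods: grantedActions(attachPermissions(new Role(), [[table, "grantReadData"], [topic, "grantPublish"]])),
    policyStatement: grantedActions(attachPermissions(new Role(), [perUserS3])),
  };
}

console.log(compareOptions());
```

Reading the output top to bottom shows the least-privilege ladder the page describes: `ALL` yields `* on *`, a service name yields `s3:* on *`, a bare construct yields that construct's full default grant on its own ARN, a `[construct, "grantX"]` tuple yields only that method's actions, and a `PolicyStatement` yields exactly the actions and resource pattern you wrote.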
Below are the types and enums used to support permissions in SST.
`Permissions` type: `PermissionType | Permission[]`
At a high level, you can either give admin access to all the resources in your account, or pass a list of permissions that each grant access to a specific service, construct, or policy statement.
`PermissionType` is an enum with the following option(s).

| Option | Description |
| --- | --- |
| `ALL` | Gives complete admin access to all resources. |

Attached to a `Function` construct, this would look like:
`Permission` type: `string | cdk.Construct | [cdk.Construct, string] | cdk.aws-iam.PolicyStatement`
Allows you to define a permission in a few different ways, each controlling the level of access differently.
`string`: the name of an AWS service as it appears in an IAM action prefix (the `s3` in `s3:GetObject`). Grants every action of that service.
`cdk.Construct`: a CDK or SST construct. Check out the list of supported constructs below.
`[cdk.Construct, string]`: a CDK construct paired with the name of one of its grant methods. Many CDK constructs have methods of the form `grantX` that grant a specific set of permissions; pass the construct and the method name as a tuple to grant only that set.
`cdk.aws-iam.PolicyStatement`: pass in a policy statement you have written yourself, scoped to the exact actions and resources the function needs.
You can grant access to an SST or CDK construct by passing the construct itself as a permission.
Currently the following SST and CDK constructs are supported.
To add to this list, please open a new issue.