Gathering detailed insights and metrics for serverless-iam-roles-per-function
Gathering detailed insights and metrics for serverless-iam-roles-per-function
Gathering detailed insights and metrics for serverless-iam-roles-per-function
Gathering detailed insights and metrics for serverless-iam-roles-per-function
serverless-plugin-custom-roles
A Serverless plugin that makes creation of per function IAM roles easier
serverless-iam-roles-per-function-v4
Serverless framework plugin to manage IAM roles. Compatible with serverless-aws-alias-v4 and AWS
@emilhdiaz/serverless-iam-roles-per-function
A Serverless plugin to define IAM Role statements as part of the function definition block
@maaraanas/randomhash-serverless-iam-roles-per-function
Forked Serverless plugin to define IAM Role statements as part of the function definition block. Base: https://github.com/functionalone/serverless-iam-roles-per-function
Serverless Plugin for easily defining IAM roles per function via the use of iamRoleStatements at the function level.
npm install serverless-iam-roles-per-function
Typescript
Module System
Min. Node Version
Node Version
NPM Version
TypeScript (89.39%)
JavaScript (6.49%)
Shell (4.11%)
Total Downloads
0
Last Day
0
Last Week
0
Last Month
0
Last Year
0
MIT License
417 Stars
119 Commits
58 Forks
16 Watchers
23 Branches
15 Contributors
Updated on May 24, 2025
Latest Version
3.2.0
Package Id
serverless-iam-roles-per-function@3.2.0
Size
21.87 kB
NPM Version
6.14.13
Node Version
14.17.0
Published on
May 21, 2021
Cumulative downloads
Total Downloads
Last Day
0%
NaN
Compared to previous day
Last Week
0%
NaN
Compared to previous week
Last Month
0%
NaN
Compared to previous month
Last Year
0%
NaN
Compared to previous year
A Serverless plugin to easily define IAM roles per function via the use of iamRoleStatements
at the function definition block.
npm install --save-dev serverless-iam-roles-per-function
Or if you want to try out the next
upcoming version:
npm install --save-dev serverless-iam-roles-per-function@next
Add the plugin to serverless.yml:
1plugins: 2 - serverless-iam-roles-per-function
Note: Node 6.10 or higher runtime required.
Define iamRoleStatements
definitions at the function level:
1functions: 2 func1: 3 handler: handler.get 4 iamRoleStatementsName: my-custom-role-name #optional custom role name setting instead of the default generated one 5 iamRoleStatements: 6 - Effect: "Allow" 7 Action: 8 - dynamodb:GetItem 9 Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable" 10 ... 11 func2: 12 handler: handler.put 13 iamRoleStatements: 14 - Effect: "Allow" 15 Action: 16 - dynamodb:PutItem 17 Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable" 18 ...
The plugin will create a dedicated role for each function that has an iamRoleStatements
definition. It will include the permissions for create and write to CloudWatch logs, stream events and if VPC is defined: AWSLambdaVPCAccessExecutionRole
will be included (as is done when using iamRoleStatements
at the provider level).
if iamRoleStatements
are not defined at the function level default behavior is maintained and the function will receive the global iam role. It is possible to define an empty iamRoleStatements
for a function and then the function will receive a dedicated role with only the permissions needed for CloudWatch and (if needed) stream events and VPC. Example of defining a function with empty iamRoleStatements
and configured VPC. The function will receive a custom role with CloudWatch logs permissions and the policy AWSLambdaVPCAccessExecutionRole
:
1functions: 2 func1: 3 handler: handler.get 4 iamRoleStatements: [] 5 vpc: 6 securityGroupIds: 7 - sg-xxxxxx 8 subnetIds: 9 - subnet-xxxx 10 - subnet-xxxxx
By default, function level iamRoleStatements
override the provider level definition. It is also possible to inherit the provider level definition by specifying the option iamRoleStatementsInherit: true
:
serverless >= v2.24.0
1provider: 2 name: aws 3 iam: 4 role: 5 statements: 6 - Effect: "Allow" 7 Action: 8 - xray:PutTelemetryRecords 9 - xray:PutTraceSegments 10 Resource: "*" 11 ... 12functions: 13 func1: 14 handler: handler.get 15 iamRoleStatementsInherit: true 16 iamRoleStatements: 17 - Effect: "Allow" 18 Action: 19 - dynamodb:GetItem 20 Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"
serverless < v2.24.0
1provider: 2 name: aws 3 iamRoleStatements: 4 - Effect: "Allow" 5 Action: 6 - xray:PutTelemetryRecords 7 - xray:PutTraceSegments 8 Resource: "*" 9 ... 10functions: 11 func1: 12 handler: handler.get 13 iamRoleStatementsInherit: true 14 iamRoleStatements: 15 - Effect: "Allow" 16 Action: 17 - dynamodb:GetItem 18 Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable"
The generated role for func1
will contain both the statements defined at the provider level and the ones defined at the function level.
If you wish to change the default behavior to inherit
instead of override
it is possible to specify the following custom configuration:
1custom: 2 serverless-iam-roles-per-function: 3 defaultInherit: true
The plugin uses a naming convention for function roles which is similar to the naming convention used by the Serverless Framework. Function roles are named with the following convention:
<service-name>-<stage>-<function-name>-<region>-lambdaRole
AWS has a 64 character limit on role names. If the default naming exceeds 64 chars the plugin will remove the suffix: -lambdaRole
to shorten the name. If it still exceeds 64 chars an error will be thrown containing a message of the form:
auto generated role name for function: ${functionName} is too long (over 64 chars).
Try setting a custom role name using the property: iamRoleStatementsName.
In this case you should set the role name using the property iamRoleStatementsName
. For example:
1functions: 2 func1: 3 handler: handler.get 4 iamRoleStatementsName: my-custom-role-name 5 iamRoleStatements: 6 - Effect: "Allow" 7 Action: 8 - dynamodb:GetItem 9 Resource: "arn:aws:dynamodb:${self:provider.region}:*:table/mytable" 10 ...
Define iamPermissionsBoundary definitions at the function level:
1functions: 2 func1: 3 handler: handler.get 4 iamPermissionsBoundary: !Sub arn:aws:iam::xxxxx:policy/your_permissions_boundary_policy 5 iamRoleStatementsName: my-custom-role-name 6 iamRoleStatements: 7 - Effect: "Allow" 8 Action: 9 - sqs:* 10 Resource: "*" 11 ...
You can set permissionsBoundary for all roles with iamGlobalPermissionsBoundary in custom:
1custom: 2 serverless-iam-roles-per-function: 3 iamGlobalPermissionsBoundary: !Sub arn:aws:iam::xxxx:policy/permissions-boundary-policy
For more information, see Permissions Boundaries.
Contributions are welcome and appreciated.
npm run release
npm run release
(we have the auto-commit option disabled by default).next
tag. You will see your version deployed at: https://www.npmjs.com/package/serverless-iam-roles-per-function?activeTab=versions.next
tag. For example:
npm install --save-dev serverless-iam-roles-per-function@next
Once a contributed PR (or multiple PRs) have been merged into master
, there is need to publish a production release, after we are sure that the release is stable. Maintainers with commit access to the repository can publish a release by merging into the release
branch. Steps to follow:
Verify that the current deployed pre-release version under the next
tag in npmjs is working properly. Usually, it is best to allow the next
version to gain traction a week or two before releasing. Also, if the version solves a specific reported issue, ask the community on the issue to test out the next
version.
Make sure the version being used in master hasn't been released. This can happen if a PR was merged without bumping the version by running npm run release
. If the version needs to be advanced, open a PR to advance the version as specified here.
Open a PR to merge into the release
branch. Use as a base the release
branch and compare the tag
version to release
. For example:
Once approved by another maintainer, merge the PR.
Make sure to check after the Travis CI build completes that the release has been published to the latest
tag on nmpjs.
Introduction post: Serverless Framework: Defining Per-Function IAM Roles
Note: Serverless Framework provides support for defining custom IAM roles on a per function level through the use of the role
property and creating CloudFormation resources, as documented here. This plugin doesn't support defining both the role
property and iamRoleStatements
at the function level.
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
license file detected
Details
Reason
Found 6/19 approved changesets -- score normalized to 3
Reason
0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
Reason
project is not fuzzed
Details
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
Reason
74 existing vulnerabilities detected
Details
Score
Last Scanned on 2025-07-07
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More