Permissions Metadata for Resource Definitions

To determine what permissions should go into a policy, the Custom::AccessControl resource looks for Cloud Canvas permissions metadata on resource definitions in resource group stacks. In the following example, the metadata on the Messages resource gives the SayHello AWS Lambda function permission to put items into an Amazon DynamoDB table. The metadata on the SayHello resource gives players permission to invoke the SayHello Lambda function.

    ...
    "Messages": {
        "Type": "AWS::DynamoDB::Table",
        "Properties": {
            "AttributeDefinitions": [
                {
                    "AttributeName": "PlayerId",
                    "AttributeType": "S"
                }
            ],
            "KeySchema": [
                {
                    "AttributeName": "PlayerId",
                    "KeyType": "HASH"
                }
            ],
            "ProvisionedThroughput": {
                "ReadCapacityUnits": { "Ref": "ReadCapacityUnits" },
                "WriteCapacityUnits": { "Ref": "WriteCapacityUnits" }
            }
        },
        "Metadata": {
            "CloudCanvas": {
                "Permissions": [
                    {
                        "AbstractRole": "SayHello",
                        "Action": "dynamodb:PutItem"
                    }
                ]
            }
        }
    },
    "SayHello": {
        "Type": "AWS::Lambda::Function",
        "Properties": {
            "Description": "Example of a function called by the game to write data into a DynamoDB table.",
            "Handler": "main.say_hello",
            "Role": { "Fn::GetAtt": [ "SayHelloConfiguration", "Role" ] },
            "Runtime": { "Fn::GetAtt": [ "SayHelloConfiguration", "Runtime" ] },
            "Code": {
                "S3Bucket": { "Fn::GetAtt": [ "SayHelloConfiguration", "ConfigurationBucket" ] },
                "S3Key": { "Fn::GetAtt": [ "SayHelloConfiguration", "ConfigurationKey" ] }
            }
        },
        "Metadata": {
            "CloudCanvas": {
                "Permissions": [
                    {
                        "AbstractRole": "Player",
                        "Action": "lambda:InvokeFunction"
                    }
                ]
            }
        }
    },
    ...

You can use the lmbr_aws command line tool to manage permissions metadata on the resource definitions in a resource group's resource-template.json file. For more information, see Permission Metadata Management.


Each Cloud Canvas Permission metadata object can have the following properties.

  Property        Description
  --------------  -----------------------------------------------------------------------------
  AbstractRole    Required string or list of strings. Identifies the role whose policy will
                  reflect the permission. For more information, see Role Mapping Metadata.
  Action          Required string or list of strings. Identifies the actions to be placed in
                  the policy. This is used as the Action property of a Statement in the policy.
                  See AWS Service Actions and Condition Context Keys for Use in IAM Policies
                  for a list of actions supported by IAM.
  ResourceSuffix  Optional string or list of strings. Provides values that are appended to the
                  ARN in the Resource property of a statement in the policy. There is one
                  Resource property value for each suffix listed. If no suffixes are listed,
                  the Resource property value is the resource ARN with no suffix.
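The following is an added example, not Cloud Canvas's own Custom::AccessControl implementation, showing how the three properties above combine into IAM policy statements: every permission entry becomes one Allow statement for each abstract role it names, its Action value(s) fill the statement's Action, and its Resource list is the resource ARN with each ResourceSuffix appended (or the bare ARN when no suffix is given). The template fragment, the extra "Admin" role, the GetItem permission with an index suffix, and the ARNs are all constructed for illustration; in a real stack the ARNs would come from the deployed resources.

```python
"""Added example (not Cloud Canvas's own code): derive per-role IAM policy
statements from CloudCanvas permissions metadata on resource definitions."""
import json

# Constructed template fragment modelled on the Messages / SayHello resources.
# The Admin role, the GetItem entry and its ResourceSuffix are illustrative additions.
RESOURCES = {
    "Messages": {
        "Type": "AWS::DynamoDB::Table",
        "Metadata": {"CloudCanvas": {"Permissions": [
            {"AbstractRole": "SayHello", "Action": "dynamodb:PutItem"},
            {"AbstractRole": ["Player", "Admin"], "Action": ["dynamodb:GetItem"],
             "ResourceSuffix": ["", "/index/*"]},
        ]}},
    },
    "SayHello": {
        "Type": "AWS::Lambda::Function",
        "Metadata": {"CloudCanvas": {"Permissions": [
            {"AbstractRole": "Player", "Action": "lambda:InvokeFunction"},
        ]}},
    },
    "NoMetadata": {"Type": "AWS::S3::Bucket"},  # no permissions: contributes nothing
}

# Constructed ARNs; a real deployment reads these from the stack's physical resources.
RESOURCE_ARNS = {
    "Messages": "arn:aws:dynamodb:us-east-1:123456789012:table/Messages",
    "SayHello": "arn:aws:lambda:us-east-1:123456789012:function:SayHello",
}


def _as_list(value):
    """AbstractRole, Action and ResourceSuffix each accept a string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def build_policy_statements(resources, resource_arns):
    """Return {abstract_role: [statement, ...]} built from every permission entry.

    One Allow statement per permission entry: Action is the entry's action list,
    Resource is the resource ARN plus each listed suffix (bare ARN if none).
    The same statement is attached to every abstract role the entry names.
    """
    statements_by_role = {}
    for logical_id, definition in resources.items():
        permissions = (definition.get("Metadata", {})
                                 .get("CloudCanvas", {})
                                 .get("Permissions", []))
        if not permissions:
            continue
        arn = resource_arns[logical_id]
        for perm in permissions:
            suffixes = _as_list(perm.get("ResourceSuffix")) or [""]
            statement = {
                "Effect": "Allow",
                "Action": _as_list(perm["Action"]),
                "Resource": [arn + suffix for suffix in suffixes],
            }
            for role in _as_list(perm["AbstractRole"]):
                statements_by_role.setdefault(role, []).append(statement)
    return statements_by_role


def role_policy_document(statements_by_role, role):
    """Wrap one abstract role's statements in an IAM policy document."""
    return {"Version": "2012-10-17", "Statement": statements_by_role.get(role, [])}


if __name__ == "__main__":
    by_role = build_policy_statements(RESOURCES, RESOURCE_ARNS)
    for role in sorted(by_role):
        print(role, json.dumps(role_policy_document(by_role, role), indent=2))
```

Running the block prints one policy document per abstract role; the Player role ends up with two statements (GetItem on the table and its indexes, and InvokeFunction on SayHello), which is the least-privilege outcome the metadata describes: each role receives only the actions and resources explicitly declared for it.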

