AWS Serverless Application Repository
Developer Guide

Using Resource-Based Policies for AWS Serverless Application Repository (Application Policies)

An AWS Serverless Application Repository application is the primary AWS resource in AWS Serverless Application Repository. You can add permissions to the policy associated with an AWS Serverless Application Repository application. Permissions policies attached to AWS Serverless Application Repository applications are referred to as resource-based policies (or application policies). You can use AWS Serverless Application Repository application policies to manage application deployment permissions.

Important

Before you create resource-based policies, we recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your AWS Serverless Application Repository resources. For more information, see Overview of Managing Access Permissions to Your AWS Serverless Application Repository Resources.

AWS Serverless Application Repository application policies are primarily used by publishers to grant consumers permission to deploy their applications. Permissions can be granted using the AWS CLI, the AWS SDKs, or the AWS Management Console. The AWS CLI and the AWS SDKs allow publishers to set both coarse-grained and fine-grained permissions for their applications: an application can be made available to everyone, to no one, or only to a specific list of AWS accounts. The AWS Management Console only allows publishers to set coarse-grained permissions (that is, available to everyone or available to no one).

Application Permissions

This table contains the list of supported actions for setting permissions for AWS Serverless Application Repository applications when using the AWS CLI or the AWS SDKs.

Action                         Description
GetApplication                 Grants permission to view information about the application.
CreateCloudFormationChangeSet  Grants permission for the application to be deployed.
                               Note: This action grants no permission other than to deploy.
CreateCloudFormationTemplate   Grants permission to create an AWS CloudFormation template for the application.
ListApplicationVersions        Grants permission to list the versions of the application.
ListApplicationDependencies    Grants permission to list the applications nested in the containing application.
SearchApplications             Grants permission for the application to be searched for.
Deploy                         Grants all of the actions listed above; that is, it grants permission for the application to be viewed, deployed, to have its versions listed, and to be searched for.

The examples below show how to grant permissions using the AWS CLI. For information on how to grant permissions using the AWS Management Console, see Sharing an Application Through the Console.

AWS Serverless Application Repository provides the following AWS CLI commands to manage a permissions policy associated with an AWS Serverless Application Repository application:

Example 1: Share an Application with Another Specific Account

To share an application with another specific account, but keep it from being shared with others, you specify the AWS account ID you want to share with as the principal. Following is the AWS CLI command to do this.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements Principals=account-id,Actions=Deploy

Example 2: Share an Application Publicly

To make an application public, you share it with everyone by specifying "*" as the principal, as in the following example. The statement is quoted so that the shell does not expand the "*" as a filename pattern.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements 'Principals=*,Actions=Deploy'

Example 3: Make an Application Private

You can make an application private, so it's not shared with anyone and can only be deployed by the AWS account that owns it. To do so, you clear out the principals and actions from the policy, as follows.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements '[]'

Example 4: Specifying Multiple Accounts and Permissions

You can grant multiple permissions, and grant them to more than one AWS account at a time, by specifying lists for both the principals and the actions, as in the following example.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements Principals=account-id-1,account-id-2,Actions=GetApplication,CreateCloudFormationChangeSet

Example 5: Retrieve an Application Policy

To view an application's current policy, for example to see whether it is currently being shared, you use the get-application-policy command, as in the following example.

aws serverlessrepo get-application-policy \
    --region region \
    --application-id application-arn

Example 6: Allow Application to be Nested by Specific Accounts

Public applications can be nested by anyone. If you want to allow your application to be nested only by specific accounts, grant those accounts the following minimal set of permissions, as in this example.

aws serverlessrepo put-application-policy \
    --region region \
    --application-id application-arn \
    --statements Principals=account-id-1,account-id-2,Actions=GetApplication,CreateCloudFormationTemplate
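The following added example (not part of this guide or the AWS CLI) audits the output of the get-application-policy command from Example 5 against the action semantics in the table above: it expands the umbrella Deploy action, reports which principals can deploy and which meet the minimal nesting permissions from Example 6, and classifies the application as public, restricted or private. It assumes the response shape {"Statements": [{"Principals": [...], "Actions": [...], "StatementId": ...}]}, which this page does not show, and uses a constructed sample policy.

```python
import json

# Actions from the table above; Deploy is the umbrella action that grants all of them.
DEPLOY_ACTIONS = {
    "GetApplication", "CreateCloudFormationChangeSet", "CreateCloudFormationTemplate",
    "ListApplicationVersions", "ListApplicationDependencies", "SearchApplications",
}
# Minimal actions Example 6 grants so that an account can nest the application.
NESTING_MIN = {"GetApplication", "CreateCloudFormationTemplate"}


def effective_actions(actions):
    """Expand the umbrella Deploy action into the individual actions it implies."""
    acts = set(actions)
    if "Deploy" in acts:
        acts.discard("Deploy")
        acts |= DEPLOY_ACTIONS
    return acts


def audit_policy(policy_json):
    """Summarise who can deploy or nest the application from a get-application-policy
    result. Response shape is assumed (not shown on this page)."""
    statements = json.loads(policy_json).get("Statements", [])
    deployers, nesters, accounts = set(), set(), set()
    is_public = False
    for stmt in statements:
        principals = set(stmt.get("Principals", []))
        acts = effective_actions(stmt.get("Actions", []))
        is_public = is_public or "*" in principals
        accounts |= principals - {"*"}
        if "CreateCloudFormationChangeSet" in acts:  # the only action that allows deployment
            deployers |= principals
        if NESTING_MIN <= acts:  # both actions are needed to nest the application
            nesters |= principals
    visibility = "public" if is_public else ("restricted" if accounts else "private")
    return {"visibility": visibility, "accounts": sorted(accounts),
            "deployers": sorted(deployers), "nesters": sorted(nesters)}


# Constructed sample: two accounts may only nest the application, a third may deploy it.
SAMPLE_POLICY = json.dumps({"Statements": [
    {"StatementId": "s1", "Principals": ["111111111111", "222222222222"],
     "Actions": ["GetApplication", "CreateCloudFormationTemplate"]},
    {"StatementId": "s2", "Principals": ["333333333333"], "Actions": ["Deploy"]},
]})

if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Pipe real output into audit_policy to confirm that an application you intended to keep private has not been left with a "*" principal.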