AWS Serverless Application Repository
Developer Guide

Acknowledging IAM Roles, Resource Policies, and Nested Applications When You Deploy Applications

Before you can deploy an application, the AWS Serverless Application Repository checks the application’s template for IAM roles, AWS resource policies, and nested applications that it might create. IAM resources, such as an IAM role with full access, can modify any resource in your AWS account. Therefore, we recommend that you review the permissions associated with the application before proceeding so that you don't unintentionally create resources with escalated permissions. To ensure that you've done so, you must acknowledge that the application contains capabilities before the AWS Serverless Application Repository can deploy the application on your behalf.

Applications may contain any of the following four capabilities: CAPABILITY_IAM, CAPABILITY_NAMED_IAM, CAPABILITY_RESOURCE_POLICY, and CAPABILITY_AUTO_EXPAND.

The following resources require you to specify CAPABILITY_IAM or CAPABILITY_NAMED_IAM: AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::Policy, and AWS::IAM::Role. If the application contains IAM resources with custom names, you must specify CAPABILITY_NAMED_IAM. See Finding and Acknowledging Application Capabilities (AWS CLI) for an example of how to specify capabilities.

The following resources require you to specify CAPABILITY_RESOURCE_POLICY: AWS::Lambda::LayerVersionPermission, AWS::Lambda::Permission, AWS::Events::EventBusPolicy, AWS::IAM::Policy, AWS::ApplicationAutoScaling::ScalingPolicy, AWS::S3::BucketPolicy, AWS::SQS::QueuePolicy, and AWS::SNS::TopicPolicy.

Applications that contain one or more nested applications require you to specify CAPABILITY_AUTO_EXPAND. For more information about nested applications, see Nested Applications in the AWS Serverless Application Model Developer Guide.

Finding and Acknowledging Application Capabilities (Lambda Console or AWS Website)

You can find applications available in the AWS Serverless Application Repository on the AWS Serverless Application Repository website or through the Lambda console in the Create Function page under the AWS Serverless Application Repository tab.

Applications that require acknowledgement of capabilities for creating custom IAM roles or resource policies aren't shown in search results by default. To search for applications that contain these capabilities, you must select the check box Show apps that create custom IAM roles or resource policies.

You can review the capabilities of an application under the Permissions tab when you select the application. To deploy the application, you need to select the check box: I acknowledge this application creates custom IAM roles or resource policies. If you don’t acknowledge these capabilities, you see the error message Acknowledgement required. To deploy, check the box in Configure application parameters section.

Finding and Acknowledging Application Capabilities (AWS CLI)

To acknowledge an application's capabilities using the AWS CLI, follow these steps:

  1. Review the application's capabilities: Use the following AWS CLI command to review an application's capabilities:

    aws serverlessrepo get-application \
        --application-id application-arn

    The requiredCapabilities response property contains the list of application capabilities that you need to acknowledge before you can deploy the application. You can also use the GetApplication API in the AWS SDKs to get this data.

  2. Deploy the application: To deploy an application with capabilities, pass the list of its capabilities when creating the AWS CloudFormation changeset. For example, use the following AWS CLI command to deploy an application by acknowledging its capabilities:

    aws serverlessrepo create-cloud-formation-change-set \
        --application-id application-arn \
        --stack-name unique-name-for-cloud-formation-stack \
        --capabilities list-of-capabilities

    You can also use the CreateCloudFormationChangeSet API in the AWS SDKs to deploy the application.

    Example:

    The following AWS CLI command acknowledges an application that contains an AWS::IAM::Role resource with a custom name and one or more nested applications:

    aws serverlessrepo create-cloud-formation-change-set \
        --application-id application-arn \
        --stack-name unique-name-for-cloud-formation-stack \
        --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
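    As an added example (not part of this guide or the AWS tooling), the following Python pre-deployment gate derives the capabilities a template needs from the resource-type rules above, merges them with the requiredCapabilities reported by get-application, and produces the --capabilities list only when every capability is on an explicit allow list. The custom-name property names (RoleName, GroupName, InstanceProfileName) and the AWS::Serverless::Application type for nested applications are assumptions, and the sample template and response are constructed.

```python
# Resource types that require each capability, as listed in this guide.
IAM_TYPES = {"AWS::IAM::Group", "AWS::IAM::InstanceProfile",
             "AWS::IAM::Policy", "AWS::IAM::Role"}
RESOURCE_POLICY_TYPES = {
    "AWS::Lambda::LayerVersionPermission", "AWS::Lambda::Permission",
    "AWS::Events::EventBusPolicy", "AWS::IAM::Policy",
    "AWS::ApplicationAutoScaling::ScalingPolicy", "AWS::S3::BucketPolicy",
    "AWS::SQS::QueuePolicy", "AWS::SNS::TopicPolicy"}
# Assumption: an IAM resource counts as "custom named" when it sets one of these.
CUSTOM_NAME_PROPS = {"RoleName", "GroupName", "InstanceProfileName"}
NESTED_APP_TYPE = "AWS::Serverless::Application"  # assumption: SAM nested app type

def required_capabilities(template: dict) -> set:
    """Derive the capabilities a template needs from this guide's rules."""
    caps = set()
    for res in template.get("Resources", {}).values():
        rtype, props = res.get("Type", ""), res.get("Properties") or {}
        if rtype in IAM_TYPES:
            caps.add("CAPABILITY_NAMED_IAM" if CUSTOM_NAME_PROPS.intersection(props)
                     else "CAPABILITY_IAM")
        if rtype in RESOURCE_POLICY_TYPES:
            caps.add("CAPABILITY_RESOURCE_POLICY")
        if rtype == NESTED_APP_TYPE:
            caps.add("CAPABILITY_AUTO_EXPAND")
    if "CAPABILITY_NAMED_IAM" in caps:  # NAMED_IAM covers plain IAM
        caps.discard("CAPABILITY_IAM")
    return caps

def capabilities_to_acknowledge(response: dict, approved: set, template=None) -> list:
    """Build the --capabilities list for create-cloud-formation-change-set.
    Combines requiredCapabilities from get-application with what the template
    itself declares, and raises PermissionError for anything not on the allow list."""
    required = set(response.get("requiredCapabilities", []))
    if template is not None:
        required |= required_capabilities(template)
    missing = required - approved
    if missing:
        raise PermissionError(f"unapproved capabilities: {sorted(missing)}")
    return sorted(required)

# Constructed sample input: custom-named role, Lambda resource policy, nested app.
SAMPLE_TEMPLATE = {"Resources": {
    "Role": {"Type": "AWS::IAM::Role", "Properties": {"RoleName": "demo-role"}},
    "Perm": {"Type": "AWS::Lambda::Permission", "Properties": {}},
    "Child": {"Type": "AWS::Serverless::Application", "Properties": {}}}}
# Constructed get-application response; the ARN is a placeholder.
SAMPLE_RESPONSE = {"applicationId": "arn:aws:serverlessrepo:REGION:ACCOUNT:applications/PLACEHOLDER",
                   "requiredCapabilities": ["CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]}
```

    Passing the template as well as the API response catches the case where the published requiredCapabilities omit something the template actually creates, so the change set is never created with a capability nobody reviewed.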