Application Capabilities: IAM Roles, Resource Policies, and Nested Applications
Before you can deploy an application, the AWS Serverless Application Repository checks the application’s template for IAM roles, AWS resource policies, and nested applications that the template specifies that it should create. IAM resources, such as an IAM role with full access, can modify any resource in your AWS account. Therefore, we recommend that you review the permissions associated with the application before proceeding so that you don't unintentionally create resources with escalated permissions. To ensure that you've done so, you must acknowledge that the application contains capabilities before the AWS Serverless Application Repository can deploy the application on your behalf.
Applications can contain any of the following four capabilities:
CAPABILITY_IAM
, CAPABILITY_NAMED_IAM
,
CAPABILITY_RESOURCE_POLICY
, and CAPABILITY_AUTO_EXPAND
.
The following resources require you to specify CAPABILITY_IAM
or
CAPABILITY_NAMED_IAM
: AWS::IAM::Group, AWS::IAM::InstanceProfile, AWS::IAM::Policy, and AWS::IAM::Role. If the
application contains IAM resources with custom names, you must specify
CAPABILITY_NAMED_IAM
. For an example of how to specify capabilities, see
Finding and
Acknowledging Application Capabilities (AWS CLI).
The following resources require you to specify CAPABILITY_RESOURCE_POLICY
:
AWS::Lambda::LayerVersionPermission, AWS::Lambda::Permission,
AWS::Events::EventBusPolicy, AWS::IAM:Policy, AWS::ApplicationAutoScaling::ScalingPolicy, AWS::S3::BucketPolicy, AWS::SQS::QueuePolicy, and
AWS::SNS::TopicPolicy.
Applications that contain one or more nested applications require you to specify
CAPABILITY_AUTO_EXPAND
. For more information about nested applications, see
Nested Applications in the AWS Serverless Application Model Developer
Guide.
Finding and Acknowledging Application Capabilities (Console)
You can find applications available in the AWS Serverless Application Repository on the AWS Serverless Application Repository website
Applications that require acknowledgment of capabilities for creating custom IAM roles or resource policies aren't shown in search results by default. To search for applications that contain these capabilities, you must select the Show apps that create custom IAM roles or resource policies check box.
You can review the capabilities of an application under the Permissions tab when you select the application. To deploy the application, you need to select the I acknowledge this application creates custom IAM roles or resource policies check box. If you don’t acknowledge these capabilities, you see this error message: Acknowledgement required. To deploy, check the box in Configure application parameters section.
Viewing Application Capabilities (AWS CLI)
To view an application's capabilities using the AWS CLI, you first need the application's Amazon Resource Name (ARN). You can then execute the following command:
aws serverlessrepo get-application \ --application-id
application-arn
The requiredCapabilities response property contains the list of application capabilities that you need to acknowledge before you can deploy the application. Note that if the requiredCapabilities property is empty, the application has no required capabilities.