
How the AWS Serverless Application Repository Works with IAM

Before you use IAM to manage access to the AWS Serverless Application Repository, you should understand what IAM features are available to use with the AWS Serverless Application Repository.

To get an overview of how IAM works, see Understanding How IAM Works in the IAM User Guide. To get a high-level view of how the AWS Serverless Application Repository and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.

AWS Serverless Application Repository Identity-Based Policies

With IAM identity-based policies, you can specify allowed or denied actions and resources, as well as the conditions under which actions are allowed or denied. The AWS Serverless Application Repository supports specific actions, resources, and condition keys. To learn about all of the elements that you use in a JSON policy, see IAM JSON Policy Elements Reference in the IAM User Guide.

The following shows an example of a permissions policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateApplication",
      "Effect": "Allow",
      "Action": [
        "serverlessrepo:CreateApplication"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateApplicationVersion",
      "Effect": "Allow",
      "Action": [
        "serverlessrepo:CreateApplicationVersion"
      ],
      "Resource": "arn:partition:serverlessrepo:region:account-id:applications/application-name"
    }
  ]
}

The policy has two statements:

  • The first statement grants permissions for the AWS Serverless Application Repository action serverlessrepo:CreateApplication on all AWS Serverless Application Repository resources, as specified by the wildcard character (*) as the Resource value.

  • The second statement grants permission for the AWS Serverless Application Repository action serverlessrepo:CreateApplicationVersion on an AWS resource by using the Amazon Resource Name (ARN) for an AWS Serverless Application Repository application. The application is specified by the Resource value.

The policy doesn't specify the Principal element because in an identity-based policy, you don't specify the principal who gets the permission. When you attach a policy to a user, the user is the implicit principal. When you attach a permissions policy to an IAM role, the principal identified in the role's trust policy gets the permissions.

For a table showing all of the AWS Serverless Application Repository API operations and the AWS resources that they apply to, see AWS Serverless Application Repository API Permissions: Actions and Resources Reference.

Actions

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Action element of a JSON policy describes the actions that you can use to allow or deny access in a policy. Policy actions usually have the same name as the associated AWS API operation. There are some exceptions, such as permission-only actions that don't have a matching API operation. There are also some operations that require multiple actions in a policy. These additional actions are called dependent actions.

Include actions in a policy to grant permissions to perform the associated operation.

Policy actions in the AWS Serverless Application Repository use the following prefix before the action: serverlessrepo:. For example, to grant someone permission to search for applications with the AWS Serverless Application Repository SearchApplications API operation, you include the serverlessrepo:SearchApplications action in their policy. Policy statements must include either an Action or NotAction element. The AWS Serverless Application Repository defines its own set of actions that describe tasks that you can perform with this service.

To specify multiple actions in a single statement, separate them with commas as follows:

"Action": [ "serverlessrepo:action1", "serverlessrepo:action2" ]

You can specify multiple actions using wildcards (*). For example, to specify all actions that begin with the word List, include the following action:

"Action": "serverlessrepo:List*"

To see a list of AWS Serverless Application Repository actions, see Actions Defined by AWS Serverless Application Repository in the IAM User Guide.

Resources

Administrators can use AWS JSON policies to specify who has access to what. That is, which principal can perform actions on what resources, and under what conditions.

The Resource JSON policy element specifies the object or objects to which the action applies. Statements must include either a Resource or a NotResource element. As a best practice, specify a resource using its Amazon Resource Name (ARN). You can do this for actions that support a specific resource type, known as resource-level permissions.

For actions that don't support resource-level permissions, such as listing operations, use a wildcard (*) to indicate that the statement applies to all resources.

"Resource": "*"

In the AWS Serverless Application Repository, the primary AWS resource is an AWS Serverless Application Repository application. AWS Serverless Application Repository applications have unique Amazon Resource Names (ARNs) associated with them, as shown in the following table.

AWS Resource Type | Amazon Resource Name (ARN) Format
Application       | arn:partition:serverlessrepo:region:account-id:applications/application-name

For more information about the format of ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces.

The following example policy grants permission for the serverlessrepo:ListApplications action on all AWS resources. In the current implementation, the AWS Serverless Application Repository doesn't support resource-level permissions (identifying specific resources by their ARNs) for some API actions, ListApplications among them. For those actions you must specify the wildcard character (*) as the Resource value; a statement that names a specific application ARN never matches them and grants nothing.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListExistingApplications",
      "Effect": "Allow",
      "Action": [
        "serverlessrepo:ListApplications"
      ],
      "Resource": "*"
    }
  ]
}

For a table showing all of the AWS Serverless Application Repository API actions and the AWS resources that they apply to, see AWS Serverless Application Repository API Permissions: Actions and Resources Reference.
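The two example policies above, and the resource-level permissions caveat, are easy to get wrong in both directions: an action that supports resource-level permissions left on Resource "*" is over-broad, and an action that does not support them paired with a specific ARN silently grants nothing. The following linter is an added editorial example, not code from the AWS documentation. It encodes the ARN format shown in the table and treats CreateApplication and ListApplications as the page shows them (Resource "*" only); adding SearchApplications to that set is the editor's assumption, and the sample policies are constructed for the demonstration. Check the set against Actions Defined by AWS Serverless Application Repository before relying on it.

```python
"""Lint IAM identity-based policy statements for the serverlessrepo: service.

Added editorial example; not code from the AWS documentation.
"""
import json
import re

# ARN format documented on the page:
#   arn:partition:serverlessrepo:region:account-id:applications/application-name
# Region and account may also be the IAM wildcard "*".
APP_ARN_RE = re.compile(
    r"^arn:(?:aws|aws-cn|aws-us-gov):serverlessrepo:"
    r"(?:[a-z]{2}(?:-gov)?-[a-z]+-\d|\*):(?:\d{12}|\*):applications/[A-Za-z0-9-]+$"
)

# Actions the page shows with Resource "*" because they have no resource-level
# permissions. SearchApplications is the editor's assumption, not stated on the page.
NO_RESOURCE_LEVEL = {
    "serverlessrepo:CreateApplication",
    "serverlessrepo:ListApplications",
    "serverlessrepo:SearchApplications",
}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy):
    """Return a list of findings (strings); an empty list means the policy is clean."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource matches everything not listed; review manually")
            continue
        # Only serverlessrepo: actions (or a bare "*") are in scope for this linter.
        actions = [a for a in _as_list(stmt.get("Action"))
                   if a == "*" or a.startswith("serverlessrepo:")]
        resources = _as_list(stmt.get("Resource"))
        if not resources:
            findings.append(f"{sid}: statement needs a Resource or NotResource element")
            continue
        if stmt.get("Effect") != "Allow" or not actions:
            continue  # Deny statements never widen access; nothing to flag
        for action in actions:
            for res in resources:
                if res == "*":
                    if "*" in action:
                        findings.append(f"{sid}: wildcard action {action} on Resource * is over-broad; list explicit actions")
                    elif action not in NO_RESOURCE_LEVEL:
                        findings.append(f"{sid}: {action} supports resource-level permissions; scope it to an application ARN")
                else:
                    if not APP_ARN_RE.match(res):
                        findings.append(f"{sid}: Resource {res} is not a valid serverlessrepo application ARN")
                    if action in NO_RESOURCE_LEVEL:
                        findings.append(f"{sid}: {action} has no resource-level permissions; with Resource {res} this statement never matches")
    return findings


# Constructed sample policies (placeholders from the page filled with dummy values).
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CreateApplication", "Effect": "Allow",
         "Action": ["serverlessrepo:CreateApplication"], "Resource": "*"},
        {"Sid": "CreateApplicationVersion", "Effect": "Allow",
         "Action": ["serverlessrepo:CreateApplicationVersion"],
         "Resource": "arn:aws:serverlessrepo:us-east-1:123456789012:applications/my-app"},
    ],
}
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "serverlessrepo:*", "Resource": "*"},
        {"Sid": "Unscoped", "Effect": "Allow",
         "Action": ["serverlessrepo:CreateApplicationVersion"], "Resource": "*"},
        {"Sid": "NeverMatches", "Effect": "Allow",
         "Action": "serverlessrepo:ListApplications",
         "Resource": "arn:aws:serverlessrepo:us-east-1:123456789012:applications/my-app"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, json.dumps(lint_policy(policy), indent=2))
```

The linter is deliberately conservative: any serverlessrepo: action it does not know to be "*"-only is assumed to support resource-level permissions, so new actions get flagged for scoping rather than waved through. Run it over policies before attaching them, and treat a "never matches" finding as a bug in the policy, not a harmless extra.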

Condition Keys

The AWS Serverless Application Repository doesn't provide any service-specific condition keys, but it does support using some global condition keys. To see all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.

Examples

To view examples of AWS Serverless Application Repository identity-based policies, see AWS Serverless Application Repository Identity-Based Policy Examples.

AWS Serverless Application Repository Application Policies

Application policies determine the actions that specified principals (AWS accounts) or AWS Organizations can perform on an AWS Serverless Application Repository application.

You can add permissions to the policy associated with an AWS Serverless Application Repository application. Permissions policies attached to AWS Serverless Application Repository applications are referred to as application policies. Application policies are extensions of IAM resource-based policies. The primary resource is the AWS Serverless Application Repository application. You can use AWS Serverless Application Repository application policies to manage application deployment permissions.

AWS Serverless Application Repository application policies are primarily used by publishers to grant permission to consumers to deploy their applications, and related operations such as to search for and view details of those applications. Publishers can set application permissions to the following three categories:

  • Private – Applications that were created with the same account, and haven't been shared with any other account. You have permission to deploy applications that were created using your AWS account.

  • Privately shared – Applications that the publisher has explicitly shared with a specific set of AWS accounts or AWS Organizations. You have permission to deploy applications that have been shared with your AWS account or AWS Organization.

  • Publicly shared – Applications that the publisher has shared with everyone. You have permission to deploy any publicly shared application.

You can grant permissions by using the AWS CLI, the AWS SDKs, or the AWS Management Console.
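The three sharing categories above are decided entirely by the statements in the application policy, so the safest place to catch an accidental public share is before the policy is sent. The following is an added editorial example, not code from the AWS documentation or the service's SDK: it builds PutApplicationPolicy statements with validated principals, classifies a statement list into the page's private / privately shared / publicly shared categories, and renders the equivalent aws serverlessrepo put-application-policy command. The statement shape (StatementId, Actions, Principals, PrincipalOrgIDs), the list of accepted action names, and the use of Principals ["*"] alongside PrincipalOrgIDs for an organization share are the editor's reading of the API, not stated on this page; the account, organization and application ARN values are constructed.

```python
"""Build, classify and render AWS Serverless Application Repository application
policies. Added editorial example; not code from the AWS documentation."""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")        # AWS account IDs are 12 digits
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")  # AWS Organizations IDs look like o-xxxxxxxxxx

# Action names accepted in application-policy statements, as the editor
# understands the PutApplicationPolicy API (assumption; check the API reference).
KNOWN_ACTIONS = {
    "Deploy", "GetApplication", "CreateCloudFormationChangeSet",
    "CreateCloudFormationTemplate", "ListApplicationVersions",
    "SearchApplications", "GetApplicationPolicy", "UnshareApplication",
}


def share_statement(statement_id, accounts=(), org_ids=(), actions=("Deploy",), public=False):
    """Build one application-policy statement, refusing malformed or ambiguous input.

    Pairing Principals ["*"] with PrincipalOrgIDs for an organization share is the
    editor's assumption about the API, not something stated on the page.
    """
    unknown = set(actions) - KNOWN_ACTIONS
    if unknown:
        raise ValueError(f"unknown application-policy actions: {sorted(unknown)}")
    if public:
        if accounts or org_ids:
            raise ValueError("a public statement must not also list accounts or org IDs")
        principals = ["*"]
    else:
        if not accounts and not org_ids:
            raise ValueError("a private share needs at least one account or org ID")
        for acct in accounts:
            if not ACCOUNT_ID_RE.match(acct):
                raise ValueError(f"malformed account ID: {acct!r}")
        for org in org_ids:
            if not ORG_ID_RE.match(org):
                raise ValueError(f"malformed organization ID: {org!r}")
        principals = list(accounts) if accounts else ["*"]
    return {
        "StatementId": statement_id,
        "Actions": list(actions),
        "Principals": principals,
        "PrincipalOrgIDs": list(org_ids),
    }


def classify_sharing(statements):
    """Map a statement list to the page's categories:
    'private', 'privately shared' or 'publicly shared'."""
    shared = False
    for stmt in statements:
        principals = stmt.get("Principals", [])
        org_ids = stmt.get("PrincipalOrgIDs", [])
        # "*" with no organization restriction means everyone can deploy.
        if "*" in principals and not org_ids:
            return "publicly shared"
        if principals or org_ids:
            shared = True
    return "privately shared" if shared else "private"


def cli_command(application_arn, statements):
    """Render the equivalent AWS CLI call; --statements takes a JSON list."""
    return ("aws serverlessrepo put-application-policy "
            f"--application-id {application_arn} "
            f"--statements '{json.dumps(statements)}'")


if __name__ == "__main__":
    # Constructed values; not real accounts, organizations or applications.
    app_arn = "arn:aws:serverlessrepo:us-east-1:123456789012:applications/my-app"
    stmts = [
        share_statement("ShareWithPartner", accounts=["210987654321"]),
        share_statement("ShareWithOrg", org_ids=["o-abcdefghij"]),
    ]
    category = classify_sharing(stmts)
    if category == "publicly shared":
        raise SystemExit("refusing to publish: policy would share with everyone")
    print(category)
    print(cli_command(app_arn, stmts))
```

The guard in the main block is the point of the example: a publish pipeline should compute the category and stop on "publicly shared" unless public release is the explicit intent, since a single Principals ["*"] statement without an organization restriction lets any AWS account deploy the application.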

Examples

To view examples of managing AWS Serverless Application Repository application policies, see AWS Serverless Application Repository Application Policy Examples.

Authorization Based on AWS Serverless Application Repository Tags

The AWS Serverless Application Repository doesn't support controlling access to resources or actions based on tags.

AWS Serverless Application Repository IAM Roles

An IAM role is an entity within your AWS account that has specific permissions.

Using Temporary Credentials with the AWS Serverless Application Repository

You can use temporary credentials to sign in with federation, to assume an IAM role, or to assume a cross-account role. You obtain temporary security credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

The AWS Serverless Application Repository supports using temporary credentials.

Service-Linked Roles

The AWS Serverless Application Repository doesn't support service-linked roles.

Service Roles

The AWS Serverless Application Repository doesn't support service roles.