Create one scaling dedicated IAM role per project (not table)

[medikoo]

Currently, project creates scaling role per table, which inconveniently increases resources count of CloudFormation stack, e.g. with larger number of tables it's more likely to reach 200 resources limit which is not shiftable.

As it's scalable targets that states which roles they're going to use, the ScalingRole can safely be configured as one global resource, it's also how it's exampled in AWS CloudFormation documentation

[sbstjn]

Good point 👍

[mithun]

It would also be useful to allow use of a role defined outside the stack.

[medikoo]

I addressed this in plain JS version of this module at https://github.com/medikoo/serverless-plugin-dynamodb-autoscaling (still role name remains fixed at this point)

[ro-savage]

@sbstjn - Just had a very quick check of the source. Wouldn't changing this line fix it?

(Unless there is a reason to have an option to either have 1 role or multiple roles?)

  public role(): string {
    return clean(this.build(TEXT.ROLE))
  }

to

  public role(): string {
    return TEXT.ROLE
  }

[sbstjn]

This only works if you update/create the role to have permission for every table. I try to have the role permissions as restricted as possible and to avoid resources: * whenever possible. Therefore a new role is created for every table with only permissions for that one specific table.

[sbstjn]

Basically those two approaches are very different regarding (un-)restricted access:

• https://github.com/medikoo/serverless-plugin-dynamodb-autoscaling/blob/master/lib/scaling-role-resource.json#L39
• https://github.com/sbstjn/serverless-dynamodb-autoscaling/blob/master/src/aws/role.ts#L62-L66

[ro-savage]

Yep, I had a play and could see it wasn't going to be so simple unfortunately.

I have little knowledge of CloudFormation. But could you create a single role that has access only to the tables that have been added to the capacities config?

e.g. loop through all the tables, build a list, and give that list of resources to the role.

Thanks for the great work btw, I spent a while trying to get the config working manually, gave up and this just worked in seconds!

[medikoo]

serverless-plugin-dynamodb-autoscaling now reuses existing project's IAM role (so no single IAM role resource is created).

Project's IAM role provides lambdas with access to dynamo tables, and range of access is decided by owner of a project. Same range of access is automatically provided to autoscaling resources.

[cdichiara]

Thank you @medikoo ... just switched to your plugin, looks great & I like your configuration approach. There were so many roles being created across all of my dynamoDb's & stages that I couldn't assign the proper roles to the Cognito identity pool, the list was so long! Your work really helped us, thanks again.

[jefersonlemos]

In my case, I haven't permission to create roles and I just can't use the plugin. Is there any way to workaroung on it by using this plugin ?
Weird: it worked before on same acoount and user :/