A newer version is available. For the latest information, see the
current release documentation.
IAM permissions required to deploy Functionbeatedit
This section describes the minimum privileges or roles required to deploy functions to your cloud provider:
Permissions required by AWSedit
The list of required permissions depends on the type of events that you are collecting. Here are some example policies that grant the required privileges.
CloudWatch logsedit
The following policy grants the permissions required to deploy and run a Lambda function that collects events from CloudWatch logs.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "cloudformation:UpdateStack", "cloudformation:ValidateTemplate", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:PassRole", "iam:PutRolePolicy", "lambda:AddPermission", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:RemovePermission", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:DeleteSubscriptionFilter", "logs:DescribeLogGroups", "logs:PutSubscriptionFilter", "s3:CreateBucket", "s3:DeleteObject", "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "*" } ] }
SQS and Kinesisedit
The following policy grants the permissions required to deploy and run a Lambda function that reads from SQS queues or Kinesis data streams.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResources", "cloudformation:GetTemplate", "cloudformation:UpdateStack", "cloudformation:ValidateTemplate", "iam:CreateRole", "iam:DeleteRole", "iam:DeleteRolePolicy", "iam:GetRole", "iam:GetRolePolicy", "iam:PassRole", "iam:PutRolePolicy", "lambda:AddPermission", "lambda:CreateFunction", "lambda:CreateEventSourceMapping", "lambda:DeleteFunction", "lambda:DeleteEventSourceMapping", "lambda:GetEventSourceMapping", "lambda:GetFunction", "lambda:GetFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:RemovePermission", "lambda:UpdateFunctionCode", "lambda:UpdateFunctionConfiguration", "logs:DescribeLogGroups", "logs:CreateLogGroup", "s3:CreateBucket", "s3:DeleteObject", "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": "*" } ] }
Roles required by Google Cloud Platformedit
The following roles are required to deploy Cloud Functions to Google Cloud Platform:
- Cloud Functions Developer
- Cloud Functions Service Agent
- Service Account User
- Storage Admin
- Storage Object Admin