Post on 31-Jul-2018
AWS Serverless Application Repository
Developer Guide
AWS Serverless Application Repository Developer Guide
AWS Serverless Application Repository: Developer Guide
Copyright © 2018 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What Is the AWS Serverless Application Repository?
Consuming Applications and Publishing Applications
    Consuming Applications
        Browsing, Searching, and Deploying Applications
        Deleting Application Stacks
    Publishing Applications
        Publishing an Application Through the AWS Management Console
        Publishing an Application Through the AWS CLI
        Deleting an Application Through the AWS Management Console
        Deleting an Application Through the AWS CLI
        Using the AWS Serverless Application Model (AWS SAM)
Authentication and Access Control
    Authentication
    Access Control
    Overview of Managing Access
        AWS Serverless Application Repository Resources and Operations
        Understanding Resource Ownership
        Managing Access to AWS Resources
        Specifying Policy Elements: Actions, Effects, AWS Resources, and Principals
    Using Identity-Based Policies (IAM Policies)
        Permissions Required to Use the AWS Serverless Application Repository Console
        Customer Managed Policy Examples
    Using Resource-Based Policies (Application Policies)
        Application Permissions
        Share an Application with Another Specific Account
        Share an Application Publicly
        Make an Application Private
        Specifying Multiple Accounts and Permissions
        Retrieve an Application Policy
    AWS Serverless Application Repository API Permissions Reference
Limits
Troubleshooting
    You Can't Make an Application Public
    A Limit Was Exceeded
    An Updated Readme File Doesn't Appear Immediately
    You Can't Deploy an Application Due to Insufficient IAM Permissions
    You Can't Deploy the Same Application Twice
    Why Is My Application Not Publicly Available
    Contacting Support
Resources
    Applications
        URI
        HTTP Methods
        Schemas
        Properties
    Applications applicationId
        URI
        HTTP Methods
        Schemas
        Properties
    Applications applicationId Changesets
        URI
        HTTP Methods
        Schemas
        Properties
    Applications applicationId Policy
        URI
        HTTP Methods
        Schemas
        Properties
    Applications applicationId Versions
        URI
        HTTP Methods
        Schemas
        Properties
    Applications applicationId Versions semanticVersion
        URI
        HTTP Methods
        Schemas
        Properties
Document History
AWS Glossary
What Is the AWS Serverless Application Repository?
The AWS Serverless Application Repository makes it easy for developers and enterprises to quickly find, deploy, and publish serverless applications in the AWS Cloud. For more information about serverless applications, see Serverless Computing and Applications on the AWS website.
The AWS Serverless Application Repository is deeply integrated with the AWS Lambda console. This integration means that developers of all levels can get started with serverless computing without needing to learn anything new. You can use category keywords to browse for applications such as web and mobile backends, data processing applications, or chatbots. You can also search for applications by name, publisher, or event source. To use an application, you simply choose it, configure any required fields, and deploy it with a few clicks.
You can also easily publish applications, sharing them publicly with the community at large, or privately within your team or across your organization. To publish a serverless application (or app), you can use the AWS Management Console, AWS Command Line Interface (AWS CLI), or AWS SDKs to upload your code. Along with your code, you upload a simple manifest file, also known as an AWS Serverless Application Model (AWS SAM) template. For more information about AWS SAM, see AWS Serverless Application Model (AWS SAM).
In this guide, you can learn about the two ways to work with the AWS Serverless Application Repository:
• Consuming Applications – Browse for applications and view information about them, including source code and readme files. Also install, configure, and deploy applications of your choosing.
• Publishing Applications – Configure and upload applications to make them available to other developers, and publish new versions of applications.
Consuming Applications and Publishing Applications
Following, you can find information on how to consume and publish serverless applications through the AWS Serverless Application Repository.
Topics
• Consuming Applications
• Publishing Applications
Consuming Applications
Following, you can find out how to find and deploy serverless applications that have been published to the AWS Serverless Application Repository. You can browse for applications that are publicly available without having an AWS account by visiting the public site. Alternatively, you can browse for applications from within the AWS Lambda console.
Browsing, Searching, and Deploying Applications
Find, configure, and deploy an application in the AWS Serverless Application Repository by using the following procedure.
To find and configure an application in the AWS Serverless Application Repository
1. Open the AWS Serverless Application Repository public home page, or open the AWS Lambda console and choose Serverless Application Repository.
2. Browse or search for an application.
3. Choose an application to view details such as its capabilities and the number of times it has been deployed by AWS customers.
The deployment counts are shown for the AWS Region in which you are trying to deploy the application.
4. On the application detail page, view the application's permissions and application resources by viewing the SAM template, license, and readme file. On this page, you can also find the Source code URL link for applications that are publicly shared.
5. Configure the application in the Configure application parameters section. For guidance on configuring a particular application, see that application’s readme file.
For example, configuration requirements might include specifying the name of a resource that you want the application to have access to. Such a resource might be an Amazon DynamoDB table, an Amazon S3 bucket, or an Amazon API Gateway API.
6. Choose Deploy. Doing this takes you to the Deployment status page.
7. On the Deployment status page, you can view the progress of your deployment. While waiting for your deployment to complete, you can search and browse for other applications, and return to this page through the Lambda console.
After your application has been successfully deployed, you can review and manage the resources that have been created using existing AWS tools.
Deleting Application Stacks
To delete an application that you previously deployed using the AWS Serverless Application Repository, follow the same procedure as for deleting an AWS CloudFormation stack:
• AWS Management Console: To delete an application using the AWS Management Console, see Deleting a Stack on the AWS CloudFormation Console in the AWS CloudFormation User Guide.
• AWS CLI: To delete an application using the AWS CLI, see Deleting a Stack in the AWS CloudFormation User Guide.
Publishing Applications
Following, you can find how to make your serverless applications available for others to find and deploy. You can publish serverless applications by using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or an AWS SDK.
To publish an application, you first upload the application code. You also upload a simple manifest file, also known as an AWS Serverless Application Model (AWS SAM) template. For more information about using AWS SAM, see Using the AWS Serverless Application Model (AWS SAM).
Note
To make the serverless applications that you publish available to developers in other AWS Regions, publish your applications to either US East (N. Virginia) (us-east-1) or US East (Ohio) (us-east-2). Publishing your application in any other AWS Region restricts its availability to that AWS Region. For more information about AWS Serverless Application Repository regions and endpoints, see Regions and Endpoints in the AWS General Reference.
Before you publish an application to the AWS Serverless Application Repository, you need the following:
• A valid AWS account.
• A valid AWS Serverless Application Model (AWS SAM) template that defines the AWS resources used. For more information about AWS SAM, see AWS Serverless Application Model (AWS SAM).
• A package for your application that you created using the AWS CloudFormation package command for the AWS CLI. This command packages the local artifacts (local paths) that your AWS SAM template references. For more details, see package in the AWS CloudFormation documentation.
• A URL pointing to your application's source code, in case you want to publish your application publicly.
• A readme.txt file. This file should describe how customers can use your application, and how to configure it before deploying it in their own AWS accounts.
• A license.txt file.
• A valid Amazon S3 bucket policy that grants the service read permissions for artifacts uploaded to Amazon S3 when you packaged your application. Following is an example of such a policy.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "serverlessrepo.amazonaws.com"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::<your-bucket-name>/*"
            }
        ]
    }
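A pre-publish check for the bucket policy above, as an added example (not code from this guide or from AWS): it confirms that the service principal can read the packaged artifacts and reports any statement that grants more than the guide's policy does. The bucket name and both sample policies are constructed for illustration.

```python
import json

SERVICE = "serverlessrepo.amazonaws.com"  # service principal from the guide's policy


def as_list(value):
    """IAM accepts a scalar or a list for most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_text, bucket):
    """Return (service_can_read, findings) for one S3 bucket policy document."""
    policy = json.loads(policy_text)
    object_prefix = "arn:aws:s3:::%s/" % bucket
    service_can_read = False
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        actions = [a.lower() for a in as_list(stmt.get("Action"))]
        resources = as_list(stmt.get("Resource"))
        # Anonymous access: "Principal": "*" or {"AWS": "*"} with no Condition.
        is_anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS")))
        if is_anyone and "Condition" not in stmt:
            findings.append("statement %d: allows any principal" % index)
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if SERVICE not in services:
            continue
        grants_get = any(a in ("s3:getobject", "s3:*", "*") for a in actions)
        covers_bucket = any(r == "*" or r.startswith(object_prefix) for r in resources)
        if grants_get and covers_bucket:
            service_can_read = True
        # The guide's policy is exactly s3:GetObject on the bucket's objects.
        narrow = actions == ["s3:getobject"] and bool(resources) and all(
            r.startswith(object_prefix) for r in resources)
        if not narrow:
            findings.append("statement %d: %s is granted more than s3:GetObject on %s*"
                            % (index, SERVICE, object_prefix))
    if not service_can_read:
        findings.append("no statement lets %s read the packaged artifacts" % SERVICE)
    return service_can_read, findings


BUCKET = "example-sam-artifacts"  # constructed bucket name

# The guide's policy with the constructed bucket name filled in.
GUIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::%s/*" % BUCKET,
    }],
})

# Constructed over-broad policy: full S3 access for the service, plus public read.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": "s3:*",
         "Resource": ["arn:aws:s3:::%s" % BUCKET, "arn:aws:s3:::%s/*" % BUCKET]},
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::%s/*" % BUCKET},
    ],
})

if __name__ == "__main__":
    for name, text in (("guide", GUIDE_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_bucket_policy(text, BUCKET))
```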
Note
The information that you enter when publishing an application is not encrypted. This information includes such data as the author name, location, and contact information. If you have personally identifiable information that you don't want to be stored or made public, we recommend that you don't enter this information when publishing your application.
Publishing an Application Through the AWS Management Console
You can create and publish an application through the AWS Management Console as described following.
Creating a New Application Through the Console
Create a new application in the AWS Serverless Application Repository by using the following procedure.
To create a new application in the AWS Serverless Application Repository
1. Open the AWS Serverless Application Repository console and choose Publish applications.
2. On the Publish an application page, type the indicated application information into the following boxes:
• Application Name
• Author
• Description
• Search labels (space delimited)
• SPDX license
• Readme.txt file
• Semantic version
• Source code URL (required only for publicly shared applications)
• AWS SAM template file
3. Choose Publish application.
Sharing an Application Through the Console
Make your application publicly available using the following procedure.
To make your application publicly available
1. Open the AWS Serverless Application Repository console.
2. On the navigation pane, choose My Applications to bring up the list of applications that you have created.
3. Choose the application that you want to share.
4. In the Application Details section, move the Visibility slider to Application is public.
Publishing a New Version of an Existing Application Through the Console
Publish a new version of an application that you already created using the following procedure.
To publish a new version of an application
1. Open the AWS Serverless Application Repository console.
2. On the navigation pane, choose My Applications to bring up the list of applications that you have created.
3. Choose the application that you want to publish a new version for.
4. Choose Publish new version.
5. For AWS SAM template file, type the name of the new AWS SAM template file for this version.
6. Choose Publish.
Publishing an Application Through the AWS CLI
You can create and publish an application through the AWS CLI as described following.
Creating a New Application Through the AWS CLI
To create a new application using the AWS CLI, first gather the same items required for publishing through the AWS Management Console, described preceding. Then use the aws serverlessrepo create-application command, passing it each of these items as parameters.
For more information about the parameters to be passed to this command, type aws serverlessrepo create-application help at the AWS CLI.
Sharing an Application Through the AWS CLI
To make your application publicly available using the AWS CLI, you can use the aws serverlessrepo put-application-policy command, passing the application ID and policy statement as parameters.
For more information about the parameters to be passed to this command, type aws serverlessrepo put-application-policy help at the AWS CLI.
Publishing a New Version of an Existing Application Through the AWS CLI
To create a new version of an application using the AWS CLI, you can use the aws serverlessrepo create-application-version command. You pass as parameters the application ID, semantic version, new SAM template, and source code URL.
For more information about the parameters to be passed to this command, type aws serverlessrepo create-application-version help at the AWS CLI.
Deleting an Application Through the AWS Management Console
To delete a published application through the AWS Management Console, do the following.
1. Open the AWS Serverless Application Repository console.
2. For My Applications, choose the application that you want to delete.
3. In the application's detail page, choose Delete application.
A message appears.
4. Choose Delete application to complete the deletion.
Deleting an Application Through the AWS CLI
To delete a published application using the AWS CLI, you run the aws serverlessrepo delete-application command. In the command, specify the application ID of the application that you want to delete.
The following command deletes an application, where <value> is the application ID:
PROMPT> aws serverlessrepo delete-application --application-id <value>
Using the AWS Serverless Application Model (AWS SAM)
The AWS Serverless Application Model (AWS SAM) is a model that defines serverless applications. AWS SAM is natively supported by AWS CloudFormation and defines a simplified syntax for expressing serverless resources. The specification currently covers API operations, AWS Lambda functions, and Amazon DynamoDB tables. The specification is available under Apache 2.0 for AWS partners and customers to adopt and extend within their own tool sets. For details on the specification, see AWS Serverless Application Model.
AWS SAM supports special resource types that simplify how to express functions, API operations, mappings, and DynamoDB tables for serverless applications. AWS SAM also supports certain other features for these services, such as environment variables. The AWS CloudFormation description of these resources conforms to the AWS Serverless Application Model. To deploy your application, specify the resources that you need as part of your application. You specify these along with their associated permissions policies in an AWS CloudFormation template file (written in either JSON or YAML). You then package your deployment artifacts, and deploy the template.
Requesting new AWS Resources for AWS Serverless Application Repository
The sections below list AWS Resources and Policy Templates currently supported by AWS Serverless Application Repository. If you would like to request new AWS Resources and/or Policy Templates to be added, please contact AWS Support.
Supported AWS Resources in the AWS Serverless Application Repository
Serverless applications that you publish to the AWS Serverless Application Repository can include additional AWS CloudFormation resources. The following is a complete list of supported resources:
• AWS::Serverless::Function
• AWS::Serverless::Api
• AWS::Serverless::SimpleTable
• AWS::Lambda::Alias
• AWS::Lambda::Version
• AWS::Lambda::EventSourceMapping
• AWS::ApiGateway::Account
• AWS::ApiGateway::ApiKey
• AWS::ApiGateway::Authorizer
• AWS::ApiGateway::BasePathMapping
• AWS::ApiGateway::ClientCertificate
• AWS::ApiGateway::Deployment
• AWS::ApiGateway::DocumentationPart
• AWS::ApiGateway::DocumentationVersion
• AWS::ApiGateway::DomainName
• AWS::ApiGateway::GatewayResponse
• AWS::ApiGateway::Method
• AWS::ApiGateway::Model
• AWS::ApiGateway::RequestValidator
• AWS::ApiGateway::Resource
• AWS::ApiGateway::RestApi
• AWS::ApiGateway::Stage
• AWS::ApiGateway::UsagePlan
• AWS::ApiGateway::UsagePlanKey
• AWS::Cognito::IdentityPool
• AWS::Cognito::UserPool
• AWS::Cognito::UserPoolClient
• AWS::Cognito::UserPoolGroup
• AWS::Cognito::UserPoolUser
• AWS::Cognito::UserPoolUserToGroupAttachment
• AWS::DynamoDB::Table
• AWS::Logs::Destination
• AWS::Logs::LogGroup
• AWS::Logs::LogStream
• AWS::Logs::MetricFilter
• AWS::Logs::SubscriptionFilter
• AWS::Kinesis::Streams
• AWS::S3::Bucket
• AWS::SNS::Subscription
• AWS::SNS::Topic
• AWS::SQS::Queue
• AWS::CloudWatch::Alarm
• AWS::CloudWatch::Dashboard
Policy Templates
When you add a serverless application to the AWS Serverless Application Repository, AWS SAM allows you to choose from a list of policy templates. When you choose one of these templates, your AWS Lambda functions are scoped to the resources that are used by your application. The following lists the permissions that are applied to each policy template in the policy templates list. AWS SAM automatically populates the placeholder items (such as AWS Region and account ID) with the appropriate information.
The following example shows that the SQSPollerPolicy policy expects a QueueName as a resource. The AWS SAM template retrieves the name of the "MyQueue" Amazon SQS queue, which can be created in the same application or requested as a parameter to the application.
MyFunction:
  Type: 'AWS::Serverless::Function'
  Properties:
    CodeUri: ${codeuri}
    Handler: hello.handler
    Runtime: python2.7
    Policies:
      - SQSPollerPolicy:
          QueueName:
            Fn::GetAtt: ["MyQueue", "QueueName"]
SQSPollerPolicy: Gives Permissions to Poll an Amazon SQS Queue
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sqs:ChangeMessageVisibility",
      "sqs:ChangeMessageVisibilityBatch",
      "sqs:DeleteMessage",
      "sqs:DeleteMessageBatch",
      "sqs:GetQueueAttributes",
      "sqs:ReceiveMessage"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
        { "queueName": { "Ref": "QueueName" } }
      ]
    }
  }
]
LambdaInvokePolicy: Gives Permission to Invoke a Lambda Function, Alias, or Version
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "lambda:InvokeFunction"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}*",
        { "functionName": { "Ref": "FunctionName" } }
      ]
    }
  }
]
CloudWatchPutMetricPolicy: Gives Permissions to Put Metrics to CloudWatch
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudwatch:PutMetricData"
    ],
    "Resource": "*"
  }
]
EC2DescribePolicy: Gives Permission to Describe Amazon EC2 Instances
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeRegions",
      "ec2:DescribeInstances"
    ],
    "Resource": "*"
  }
]
DynamoDBCrudPolicy: Gives Create/Read/Update/Delete Permissions to a DynamoDB Table
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:DeleteItem",
      "dynamodb:PutItem",
      "dynamodb:Scan",
      "dynamodb:Query",
      "dynamodb:UpdateItem",
      "dynamodb:BatchWriteItem",
      "dynamodb:BatchGetItem"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  }
]
DynamoDBReadPolicy: Gives Read-Only Access to a DynamoDB Table
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:GetItem",
      "dynamodb:Scan",
      "dynamodb:Query",
      "dynamodb:BatchGetItem"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  }
]
SESSendBouncePolicy: Gives SendBounce Permission to an Amazon SES Identity
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ses:SendBounce"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
        { "identityName": { "Ref": "IdentityName" } }
      ]
    }
  }
]
ElasticsearchHttpPostPolicy: Gives POST Permissions to Amazon Elasticsearch Service
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "es:ESHttpPost"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:es:${AWS::Region}:${AWS::AccountId}:domain/${domainName}",
        { "domainName": { "Ref": "DomainName" } }
      ]
    }
  }
]
S3ReadPolicy: Gives Read Permissions to Objects in the Amazon S3 Bucket
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
      "s3:GetLifecycleConfiguration"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}/*",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      }
    ]
  }
]
S3CrudPolicy: Gives Create/Read/Update Permissions to Objects in the Amazon S3 Bucket
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetObjectVersion",
      "s3:PutObject",
      "s3:GetLifecycleConfiguration",
      "s3:PutLifecycleConfiguration"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      },
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}/*",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      }
    ]
  }
]
AMIDescribePolicy: Gives Permissions to Describe Amazon Machine Images (AMIs)
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeImages"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/*"
    }
  }
]
CloudFormationDescribeStacksPolicy: Gives Permission to Describe AWS CloudFormation Stacks
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudformation:DescribeStacks"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/*"
    }
  }
]
RekognitionNoDataAccessPolicy: Gives Permission to Compare and Detect Faces and Labels
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:CompareFaces",
      "rekognition:DetectFaces",
      "rekognition:DetectLabels",
      "rekognition:DetectModerationLabels"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        { "collectionId": { "Ref": "CollectionId" } }
      ]
    }
  }
]
RekognitionReadPolicy: Gives Permission to List and Search Faces
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:ListCollections",
      "rekognition:ListFaces",
      "rekognition:SearchFaces",
      "rekognition:SearchFacesByImage"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        { "collectionId": { "Ref": "CollectionId" } }
      ]
    }
  }
]
RekognitionWriteOnlyAccessPolicy: Gives Permission to Create Collection and Index Faces
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:CreateCollection",
      "rekognition:IndexFaces"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        { "collectionId": { "Ref": "CollectionId" } }
      ]
    }
  }
]
SQSSendMessagePolicy: Gives Permission to Send Message to Amazon SQS Queue
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sqs:SendMessage*"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
        { "queueName": { "Ref": "QueueName" } }
      ]
    }
  }
]
SNSPublishMessagePolicy: Gives Permission to Publish a Message to an Amazon SNS Topic
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sns:Publish"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}",
        { "topicName": { "Ref": "TopicName" } }
      ]
    }
  }
]
VPCAccessPolicy: Gives Access to Create, Delete, Describe, and Detach Elastic Network Interfaces
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CreateNetworkInterface",
      "ec2:DeleteNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DetachNetworkInterface"
    ],
    "Resource": "*"
  }
]
DynamoDBStreamReadPolicy: Gives Permission to Describe and Read a DynamoDB Stream and Records
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:DescribeStream",
      "dynamodb:GetRecords",
      "dynamodb:GetShardIterator",
      "dynamodb:ListStreams"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/${streamName}",
        {
          "tableName": { "Ref": "TableName" },
          "streamName": { "Ref": "StreamName" }
        }
      ]
    }
  }
]
KinesisStreamReadPolicy: Gives Permission to List and Read an Amazon Kinesis Stream
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "kinesis:ListStreams",
      "kinesis:DescribeLimits"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*"
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "kinesis:DescribeStream",
      "kinesis:GetRecords",
      "kinesis:GetShardIterator"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
        { "streamName": { "Ref": "StreamName" } }
      ]
    }
  }
]
SESCrudPolicy: Gives Permission to Send Email and Verify Identity
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ses:GetIdentityVerificationAttributes",
      "ses:SendEmail",
      "ses:VerifyEmailIdentity"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ses:${AWS::Region}:${AWS::AccountId}:identity/${identityName}",
        { "identityName": { "Ref": "IdentityName" } }
      ]
    }
  }
]
SNSCrudPolicy: Gives Permissions to Create, Publish, and Subscribe to Amazon SNS Topics
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "sns:ListSubscriptionsByTopic",
      "sns:CreateTopic",
      "sns:SetTopicAttributes",
      "sns:Subscribe",
      "sns:Publish"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:${topicName}*",
        { "topicName": { "Ref": "TopicName" } }
      ]
    }
  }
]
KinesisCrudPolicy: Gives Permission to Create, Publish, and Delete an Amazon Kinesis Stream
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "kinesis:AddTagsToStream",
      "kinesis:CreateStream",
      "kinesis:DecreaseStreamRetentionPeriod",
      "kinesis:DeleteStream",
      "kinesis:DescribeStream",
      "kinesis:GetShardIterator",
      "kinesis:IncreaseStreamRetentionPeriod",
      "kinesis:ListTagsForStream",
      "kinesis:MergeShards",
      "kinesis:PutRecord",
      "kinesis:PutRecords",
      "kinesis:SplitShard",
      "kinesis:RemoveTagsFromStream"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/${streamName}",
        { "streamName": { "Ref": "StreamName" } }
      ]
    }
  }
]
KMSDecryptPolicy: Gives Permission to Decrypt with an AWS KMS Key
"Statement": [
  {
    "Action": "kms:Decrypt",
    "Effect": "Allow",
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${keyId}",
        { "keyId": { "Ref": "KeyId" } }
      ]
    }
  }
]
PollyFullAccessPolicy: Gives full access permissions to Amazon Polly lexicon resources
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "polly:GetLexicon",
      "polly:DeleteLexicon"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/${lexiconName}",
          { "lexiconName": { "Ref": "LexiconName" } }
        ]
      }
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "polly:DescribeVoices",
      "polly:ListLexicons",
      "polly:PutLexicon",
      "polly:SynthesizeSpeech"
    ],
    "Resource": [
      {
        "Fn::Sub": "arn:${AWS::Partition}:polly:${AWS::Region}:${AWS::AccountId}:lexicon/*"
      }
    ]
  }
]
S3FullAccessPolicy: Gives full access permissions to objects in the Amazon S3 Bucket
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:GetObjectVersion",
      "s3:PutObject",
      "s3:PutObjectAcl",
      "s3:DeleteObject"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}/*",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      }
    ]
  },
  {
    "Effect": "Allow",
    "Action": [
      "s3:ListBucket",
      "s3:GetBucketLocation",
      "s3:GetLifecycleConfiguration",
      "s3:PutLifecycleConfiguration"
    ],
    "Resource": [
      {
        "Fn::Sub": [
          "arn:${AWS::Partition}:s3:::${bucketName}",
          { "bucketName": { "Ref": "BucketName" } }
        ]
      }
    ]
  }
]
CodePipelineLambdaExecutionPolicy: Gives permission for a Lambda function invoked by AWS CodePipeline to report back status of the job
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "codepipeline:PutJobSuccessResult",
      "codepipeline:PutJobFailureResult"
    ],
    "Resource": [
      {
        "Fn::Sub": "arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:*"
      }
    ]
  }
]
ServerlessRepoReadWriteAccessPolicy: Gives access permissions to create and list applications in the AWS Serverless Application Repository service
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "serverlessrepo:CreateApplication",
      "serverlessrepo:CreateApplicationVersion",
      "serverlessrepo:GetApplication",
      "serverlessrepo:ListApplications",
      "serverlessrepo:ListApplicationVersions"
    ],
    "Resource": [
      {
        "Fn::Sub": "arn:${AWS::Partition}:serverlessrepo:${AWS::Region}:${AWS::AccountId}:applications/*"
      }
    ]
  }
]
EC2CopyImagePolicy: Gives permission to copy Amazon EC2 Images
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "ec2:CopyImage"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:image/${imageId}",
        { "imageId": { "Ref": "ImageId" } }
      ]
    }
  }
]
AWSSecretsManagerRotationPolicy: Grants permissions to APIs required to rotate a secret in AWS Secrets Manager
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecretVersionStage"
    ],
    "Resource": {
      "Fn::Sub": "arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*"
    },
    "Condition": {
      "StringEquals": {
        "secretsmanager:resource/AllowRotationLambdaArn": {
          "Fn::Sub": [
            "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:${functionName}",
            { "functionName": { "Ref": "FunctionName" } }
          ]
        }
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:GetRandomPassword"
    ],
    "Resource": "*"
  }
]
CodePipelineReadOnlyPolicy: Gives read permissions to get details about a CodePipeline pipeline
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "cloudwatch:GetDashboard",
      "cloudwatch:ListDashboards",
      "cloudwatch:PutDashboard",
      "cloudwatch:ListMetrics"
    ],
    "Resource": "*"
  }
]
RekognitionFacesPolicy: Gives permission to compare and detect faces and labels
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:CompareFaces",
      "rekognition:DetectFaces"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:rekognition:${AWS::Region}:${AWS::AccountId}:collection/${collectionId}",
        { "collectionId": { "Ref": "CollectionId" } }
      ]
    }
  }
]
RekognitionLabelsPolicy: Gives permission to compare and detect faces and labels
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "rekognition:DetectLabels",
      "rekognition:DetectModerationLabels"
    ],
    "Resource": "*"
  }
]
DynamoDBBackupFullAccessPolicy: Gives read/write permissions to DynamoDB on-demand backups for a table
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:CreateBackup",
      "dynamodb:DescribeContinuousBackups"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:DeleteBackup",
      "dynamodb:DescribeBackup",
      "dynamodb:ListBackups"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  }
]
DynamoDBRestoreFromBackupPolicy: Gives permissions to restore a table from backup
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:RestoreTableFromBackup"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}/backup/*",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  },
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:PutItem",
      "dynamodb:UpdateItem",
      "dynamodb:DeleteItem",
      "dynamodb:GetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "dynamodb:BatchWriteItem"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${tableName}",
        { "tableName": { "Ref": "TableName" } }
      ]
    }
  }
]
ComprehendBasicAccessPolicy: Gives access to Amazon Comprehend APIs for detecting entities, key phrases, languages and sentiments
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "comprehend:BatchDetectKeyPhrases",
      "comprehend:DetectDominantLanguage",
      "comprehend:DetectEntities",
      "comprehend:BatchDetectEntities",
      "comprehend:DetectKeyPhrases",
      "comprehend:DetectSentiment",
      "comprehend:BatchDetectDominantLanguage",
      "comprehend:BatchDetectSentiment"
    ],
    "Resource": "*"
  }
]
MobileAnalyticsWriteOnlyAccessPolicy: Gives write only permissions to put event data for all application resources
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "mobileanalytics:PutEvents"
    ],
    "Resource": "*"
  }
]
PinpointEndpointAccessPolicy: Gives permissions to get and update endpoints for a Pinpoint application
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "mobiletargeting:GetEndpoint",
      "mobiletargeting:UpdateEndpoint",
      "mobiletargeting:UpdateEndpointsBatch"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:mobiletargeting:${AWS::Region}:${AWS::AccountId}:apps/${pinpointApplicationId}/endpoints/*",
        { "pinpointApplicationId": { "Ref": "PinpointApplicationId" } }
      ]
    }
  }
]
FirehoseWritePolicy: Gives permission to write to a Kinesis Firehose Delivery Stream
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "firehose:PutRecord",
      "firehose:PutRecordBatch"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
        { "deliveryStreamName": { "Ref": "DeliveryStreamName" } }
      ]
    }
  }
]
FirehoseCrudPolicy: Gives permission to create, write to, update, and delete a Kinesis Firehose Delivery Stream
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "firehose:CreateDeliveryStream",
      "firehose:DeleteDeliveryStream",
      "firehose:DescribeDeliveryStream",
      "firehose:PutRecord",
      "firehose:PutRecordBatch",
      "firehose:UpdateDestination"
    ],
    "Resource": {
      "Fn::Sub": [
        "arn:${AWS::Partition}:firehose:${AWS::Region}:${AWS::AccountId}:deliverystream/${deliveryStreamName}",
        { "deliveryStreamName": { "Ref": "DeliveryStreamName" } }
      ]
    }
  }
]
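The placeholder substitution described for policy templates, as an added example (not code from AWS SAM or from this guide): it resolves the Ref and Fn::Sub in four of the templates listed above and classifies how far each resulting Resource reaches, which is the check to make before choosing a template. The account ID, Region, and resource names are constructed, and `resolve`, `arn_matches`, and `reach` are hypothetical helper names.

```python
import re

# Constructed deployment context: values AWS SAM fills in for the placeholders.
PSEUDO = {"AWS::Partition": "aws", "AWS::Region": "us-east-1",
          "AWS::AccountId": "123456789012"}

# Statements copied from four of the policy templates listed on this page.
TEMPLATES = {
    "SQSPollerPolicy": [{
        "Effect": "Allow",
        "Action": ["sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch",
                   "sqs:DeleteMessage", "sqs:DeleteMessageBatch",
                   "sqs:GetQueueAttributes", "sqs:ReceiveMessage"],
        "Resource": {"Fn::Sub": [
            "arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
            {"queueName": {"Ref": "QueueName"}}]},
    }],
    "LambdaInvokePolicy": [{
        "Effect": "Allow",
        "Action": ["lambda:InvokeFunction"],
        "Resource": {"Fn::Sub": [
            "arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}"
            ":function:${functionName}*",
            {"functionName": {"Ref": "FunctionName"}}]},
    }],
    "CloudWatchPutMetricPolicy": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:PutMetricData"],
        "Resource": "*",
    }],
    "KinesisStreamReadPolicy": [{
        "Effect": "Allow",
        "Action": ["kinesis:ListStreams", "kinesis:DescribeLimits"],
        "Resource": {"Fn::Sub":
            "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}:stream/*"},
    }, {
        "Effect": "Allow",
        "Action": ["kinesis:DescribeStream", "kinesis:GetRecords",
                   "kinesis:GetShardIterator"],
        "Resource": {"Fn::Sub": [
            "arn:${AWS::Partition}:kinesis:${AWS::Region}:${AWS::AccountId}"
            ":stream/${streamName}",
            {"streamName": {"Ref": "StreamName"}}]},
    }],
}


def _sub(text, local):
    """Fn::Sub: replace each ${Name} from the local map, then the pseudo parameters."""
    def repl(match):
        name = match.group(1)
        if name in local:
            return local[name]
        return PSEUDO[name]  # KeyError here means an unresolved variable
    return re.sub(r"\$\{([^}]+)\}", repl, text)


def resolve(node, params):
    """Resolve the two intrinsic functions these templates use: Ref and Fn::Sub."""
    if isinstance(node, str):
        return node
    if isinstance(node, list):
        return [resolve(item, params) for item in node]
    if "Ref" in node:
        return params[node["Ref"]]
    if "Fn::Sub" in node:
        body = node["Fn::Sub"]
        if isinstance(body, str):
            return _sub(body, {})
        text, mapping = body
        return _sub(text, {k: resolve(v, params) for k, v in mapping.items()})
    return {key: resolve(value, params) for key, value in node.items()}


def arn_matches(pattern, arn):
    """IAM resource matching: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, arn) is not None


def reach(name, params):
    """Render one template and classify how far each Resource reaches."""
    out = []
    for stmt in resolve(TEMPLATES[name], params):
        res = stmt["Resource"]
        for arn in res if isinstance(res, list) else [res]:
            if arn == "*":
                kind = "any"        # every resource the actions apply to
            elif "*" in arn or "?" in arn:
                kind = "pattern"    # a family of ARNs, not a single resource
            else:
                kind = "exact"
            out.append((arn, kind))
    return out


if __name__ == "__main__":
    for template, values in [("SQSPollerPolicy", {"QueueName": "jobs"}),
                             ("LambdaInvokePolicy", {"FunctionName": "orders"}),
                             ("CloudWatchPutMetricPolicy", {}),
                             ("KinesisStreamReadPolicy", {"StreamName": "clicks"})]:
        for arn, kind in reach(template, values):
            print(f"{template:28} {kind:8} {arn}")
```

For LambdaInvokePolicy the trailing `*` lets the statement cover aliases and versions of the named function, and it also matches any other function whose name starts with the same string, so functions that share a name prefix share the grant.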
Authentication and Access Control for AWS Serverless Application Repository
Access to AWS Serverless Application Repository requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as an AWS Serverless Application Repository application. In the following sections, you can find details on how to use AWS Identity and Access Management (IAM) and AWS Serverless Application Repository to help AWS secure your resources by controlling who can access them:
• Authentication
• Access Control
Authentication
You can access AWS as any of the following types of identities:
• AWS account root user – When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. We strongly recommend that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks.
• IAM user – An IAM user is an identity within your AWS account that has specific custom permissions (for example, permissions to create an application in AWS Serverless Application Repository). You can use an IAM user name and password to sign in to secure AWS webpages like the AWS Management Console, AWS Discussion Forums, or the AWS Support Center.
  In addition to a user name and password, you can also generate access keys for each user. You can use these keys when you access AWS services programmatically, either through one of the several SDKs or by using the AWS Command Line Interface (CLI). The SDK and CLI tools use the access keys to cryptographically sign your request. If you don’t use AWS tools, you must sign the request yourself. AWS Serverless Application Repository supports Signature Version 4, a protocol for authenticating inbound API requests. For more information about authenticating requests, see Signature Version 4 Signing Process in the AWS General Reference.
• IAM role – An IAM role is an IAM identity that you can create in your account that has specific permissions. It is similar to an IAM user, but it is not associated with a specific person. An IAM role enables you to obtain temporary access keys that can be used to access AWS services and resources. IAM roles with temporary credentials are useful in the following situations:
  • Federated user access – Instead of creating an IAM user, you can use existing user identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an identity provider. For more information about federated users, see Federated Users and Roles in the IAM User Guide.
  • AWS service access – You can use an IAM role in your account to grant an AWS service permissions to access your account’s resources. For example, you can create a role that allows Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data from that bucket into an Amazon Redshift cluster. For more information, see Creating a Role to Delegate Permissions to an AWS Service in the IAM User Guide.
  • Applications running on Amazon EC2 – You can use an IAM role to manage temporary credentials for applications that are running on an EC2 instance and making AWS API requests. This is preferable to storing access keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to all of its applications, you create an instance profile that is attached to the instance. An instance profile contains the role and enables programs that are running on the EC2 instance to get temporary credentials. For more information, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances in the IAM User Guide.
Access Control
You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access AWS Serverless Application Repository resources. For example, as a publisher you must have permissions to create an AWS Serverless Application Repository application, update application metadata, and publish a new version of an application. As another example, as a consumer you must have permissions to search for, view the details of, and deploy applications.
The following sections describe how to manage permissions for AWS Serverless Application Repository. We recommend that you read the overview first.
• Overview of Managing Access Permissions to Your AWS Serverless Application Repository Resources
• Using Identity-Based Policies (IAM Policies) for AWS Serverless Application Repository
• Using Resource-Based Policies for AWS Serverless Application Repository (Application Policies)
Overview of Managing Access Permissions to Your AWS Serverless Application Repository Resources
Every AWS resource is owned by an AWS account, and permissions to create or access an AWS resource are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). Also, some services (such as AWS Serverless Application Repository) support attaching permissions policies to AWS resources.
Note
An account administrator (or administrator user) is a user with administrator privileges. For more information, see IAM Best Practices in the IAM User Guide.
When granting permissions, you decide who is getting the permissions, the AWS resources they get permissions for, and the specific actions that you want to allow on those AWS resources.
Topics
• AWS Serverless Application Repository Resources and Operations
• Understanding Resource Ownership
• Managing Access to AWS Resources
• Specifying Policy Elements: Actions, Effects, AWS Resources, and Principals
AWS Serverless Application Repository Resources and Operations
In AWS Serverless Application Repository, the primary AWS resource is an AWS Serverless Application Repository application.
AWS Serverless Application Repository applications have unique Amazon Resource Names (ARNs) associated with them as shown in the following table.
AWS Resource Type    Amazon Resource Name (ARN) Format
Application          arn:aws:serverlessrepo:region:account-id:applications/application-name
AWS Serverless Application Repository provides a set of operations to work with the AWS Serverless Application Repository resources. For a list of available operations, see Resources.
Understanding Resource Ownership
An AWS resource owner is the AWS account that created the AWS resource. That is, the AWS resource owner is the AWS account of the principal entity (the root account, an IAM user, or an IAM role) that authenticates the request that creates the AWS resource. The following examples illustrate how this works:
• If you use the root account credentials of your AWS account to create an AWS Serverless Application Repository application, your AWS account is the owner of the AWS resource. In AWS Serverless Application Repository, the AWS resource is the application.
• If you create an IAM user in your AWS account and grant permissions to create an AWS Serverless Application Repository application to that user, the user can create an application. However, your AWS account, to which the user belongs, owns the AWS Serverless Application Repository application resource.
• If you create an IAM role in your AWS account with permissions to create an AWS Serverless Application Repository application, anyone who can assume the role can create an application. Your AWS account, to which the role belongs, owns the AWS Serverless Application Repository application resource.
Managing Access to AWS Resources
A permissions policy describes who has access to what. The following section explains the available options for creating permissions policies.
Note
This section discusses using IAM in the context of AWS Serverless Application Repository. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see What Is IAM? in the IAM User Guide. For information about IAM policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User Guide.
Policies attached to an IAM identity are referred to as identity-based policies (IAM policies) and policies attached to an AWS resource are referred to as resource-based policies. AWS Serverless Application Repository supports both identity-based (IAM policies) and resource-based policies.
Topics
• Identity-Based Policies (IAM Policies)
• Resource-Based Policies (AWS Serverless Application Repository Application Policies)
Identity-Based Policies (IAM Policies)
You can attach policies to IAM identities. For example, you can do the following:
• Attach a permissions policy to a user or a group in your account – An account administrator can use a permissions policy that is associated with a particular user to grant permissions for that user to create an AWS Serverless Application Repository application.
• Attach a permissions policy to a role (grant cross-account permissions) – You can attach an identity-based permissions policy to an IAM role to grant cross-account permissions. For example, the administrator in Account A can create a role to grant cross-account permissions to another AWS account (for example, Account B) or an AWS service as follows:
  1. Account A administrator creates an IAM role and attaches a permissions policy to the role that grants permissions on AWS resources in Account A.
  2. Account A administrator attaches a trust policy to the role identifying Account B as the principal who can assume the role.
  3. Account B administrator can then delegate permissions to assume the role to any users in Account B. Doing this allows users in Account B to create or access AWS resources in Account A. The principal in the trust policy can also be an AWS service principal if you want to grant an AWS service permissions to assume the role.
  For more information about using IAM to delegate permissions, see Access Management in the IAM User Guide.
The following is an example policy that grants permissions for the serverlessrepo:ListApplications action on all AWS resources. In the current implementation, AWS Serverless Application Repository doesn't support identifying specific AWS resources using the AWS resource ARNs (also referred to as resource-level permissions) for some of the API actions. In these cases, you must specify a wildcard character (*).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListExistingApplications",
      "Effect": "Allow",
      "Action": [
        "serverlessrepo:ListApplications"
      ],
      "Resource": "*"
    }
  ]
}
For more information about using identity-based policies with AWS Serverless Application Repository, see Using Identity-Based Policies (IAM Policies) for AWS Serverless Application Repository (p. 33). For more information about users, groups, roles, and permissions, see Identities (Users, Groups, and Roles) in the IAM User Guide.
Resource-Based Policies (AWS Serverless Application Repository Application Policies)
Each AWS Serverless Application Repository application can have resource-based permissions policies associated with it. For AWS Serverless Application Repository, an application is the primary AWS resource and these policies are referred to as AWS Serverless Application Repository application policies or simply application policies. For AWS Serverless Application Repository, you can use an application policy to allow another account to deploy applications you have published. You can either allow deployments by a specific list of accounts (private), or you can allow deployments to all other accounts (public).
For more information about using resource-based policies with AWS Serverless Application Repository, see Using Resource-Based Policies for AWS Serverless Application Repository (Application Policies) (p. 37). For additional information about using IAM roles (identity-based policies) as opposed to resource-based policies, see How IAM Roles Differ from Resource-based Policies in the IAM User Guide.
Specifying Policy Elements: Actions, Effects, AWS Resources, and Principals
For each AWS Serverless Application Repository resource (see AWS Serverless Application Repository Resources and Operations (p. 30)), the service defines a set of API operations (see Resources (p. 45)). To grant permissions for these API operations, AWS Serverless Application Repository defines a set of actions that you can specify in a policy. Performing an API operation can require permissions for more than one action. When granting permissions for specific actions, you also identify the AWS resource on which the actions are allowed or denied.
The following are the most basic policy elements. In AWS Serverless Application Repository, we recommend defining policies using these elements only with identity-based policies.
• Resource – In a policy, you use an Amazon Resource Name (ARN) to identify the AWS resource to which the policy applies. For more information, see AWS Serverless Application Repository Resources and Operations (p. 30).
• Action – You use action keywords to identify AWS resource operations that you want to allow or deny. For example, the serverlessrepo:CreateApplication permission allows the user permissions to perform the AWS Serverless Application Repository CreateApplication operation.
• Effect – You specify the effect when the user requests the specific action—this can be either allow or deny. If you don't explicitly grant access to (allow) an AWS resource, access is implicitly denied. You can also explicitly deny access to an AWS resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.
• Principal – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only).
To learn more about IAM policy syntax and descriptions, see AWS IAM Policy Reference in the IAM User Guide.
For a table showing all of the AWS Serverless Application Repository API actions and the AWS resources that they apply to, see AWS Serverless Application Repository API Permissions: Actions and Resources Reference (p. 39).
Using Identity-Based Policies (IAM Policies) for AWS Serverless Application Repository
You can use this topic to find examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles).
Important
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your AWS Serverless Application Repository resources. For more information, see Overview of Managing Access Permissions to Your AWS Serverless Application Repository Resources (p. 29).
You can find the following information in the sections in this topic:
• Permissions Required to Use the AWS Serverless Application Repository Console (p. 34)
• Customer Managed Policy Examples (p. 34)
The following shows an example of a permissions policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateApplication",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:CreateApplication"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateApplicationVersion",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:CreateApplicationVersion"
            ],
            "Resource": "arn:aws:serverlessrepo:region:account-id:applications/application-name"
        }
    ]
}
The policy has two statements:
• The first statement grants permissions for the AWS Serverless Application Repository action serverlessrepo:CreateApplication on all AWS Serverless Application Repository resources, as specified by the wildcard character (*) as the Resource value.
• The second statement grants permission for the AWS Serverless Application Repository action serverlessrepo:CreateApplicationVersion on an AWS resource by using the Amazon Resource Name (ARN) for an AWS Serverless Application Repository application. The application is specified by the Resource value.
The policy doesn't specify the Principal element because in an identity-based policy you don't specify the principal who gets the permission. When you attach a policy to a user, the user is the implicit principal. When you attach a permission policy to an IAM role, the principal identified in the role's trust policy gets the permissions.
For a table showing all of the AWS Serverless Application Repository API operations and the AWS resources that they apply to, see AWS Serverless Application Repository API Permissions: Actions and Resources Reference (p. 39).
Permissions Required to Use the AWS Serverless Application Repository Console
The AWS Serverless Application Repository console provides an integrated environment for you to discover and manage AWS Serverless Application Repository applications. The console provides features and workflows that often require permissions to manage an AWS Serverless Application Repository application in addition to the API-specific permissions documented in the AWS Serverless Application Repository API Permissions: Actions and Resources Reference (p. 39).
For more information about these additional console permissions, see Customer Managed Policy Examples (p. 34).
Customer Managed Policy Examples
The examples in this section provide a group of sample policies that you can attach to a user. If you are new to creating policies, we recommend that you first create an IAM user in your account and attach the policies to the user in sequence. This process is outlined in the steps in this section.
You can use the console to verify the effects of each policy as you attach the policy to the user. Initially, the user doesn't have permissions and can't do anything in the console. As you attach policies to the user, you can verify that the user can perform various actions in the console.
We recommend that you use two browser windows: one to create the user and grant permissions, and the other to sign in to the AWS Management Console using the user's credentials and verify permissions as you grant them to the user.
Examples
• Publisher Example 1: Allow a Publisher to List Applications (p. 34)
• Publisher Example 2: Allow a Publisher to View Details of an Application or Application Version (p. 35)
• Publisher Example 3: Allow a Publisher to Create an Application or Application Version (p. 35)
• Publisher Example 4: Allow a Publisher to Create an Application Policy to Share Applications with Others (p. 36)
• Consumer Example 1: Allow a Consumer to Search for Applications (p. 36)
• Consumer Example 2: Allow a Consumer to View Details of an Application (p. 36)
• Consumer Example 3: Allow a Consumer to Deploy an Application (p. 37)
Publisher Example 1: Allow a Publisher to List Applications
An IAM user in your account must have permissions for the serverlessrepo:ListApplications action before the user can see anything in the console. When you grant these permissions, the console can show the list of AWS Serverless Application Repository applications in the AWS account created in the specific AWS Region the user belongs to.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListExistingApplications",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:ListApplications"
            ],
            "Resource": "*"
        }
    ]
}
Publisher Example 2: Allow a Publisher to View Details of an Application or Application Version
A user can select an AWS Serverless Application Repository application and view details of the application. Such details include author, description, versions, and other configuration information. To do this, the user needs permissions for the serverlessrepo:GetApplication and serverlessrepo:ListApplicationVersions API operations for AWS Serverless Application Repository.
In the following example, these permissions are granted for the specific application whose Amazon Resource Name (ARN) is specified as the Resource value.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewApplication",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:GetApplication",
                "serverlessrepo:ListApplicationVersions"
            ],
            "Resource": "arn:aws:serverlessrepo:region:account-id:applications/application-name"
        }
    ]
}
Publisher Example 3: Allow a Publisher to Create an Application or Application Version
If you want to allow a user permissions to create AWS Serverless Application Repository applications, you need to grant permissions to serverlessrepo:CreateApplication and serverlessrepo:CreateApplicationVersion operations, as shown in the following policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateApplication",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:CreateApplication",
                "serverlessrepo:CreateApplicationVersion"
            ],
            "Resource": "*"
        }
    ]
}
Publisher Example 4: Allow a Publisher to Create an Application Policy to Share Applications with Others
In order for users to share applications with others, you must grant them permissions to create application policies, as with the following policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ShareApplication",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:PutApplicationPolicy",
                "serverlessrepo:GetApplicationPolicy"
            ],
            "Resource": "*"
        }
    ]
}
Consumer Example 1: Allow a Consumer to Search for Applications
For consumers to search for applications, you must grant them the following permissions.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SearchApplications",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:SearchApplications"
            ],
            "Resource": "*"
        }
    ]
}
Consumer Example 2: Allow a Consumer to View Details of an Application
A user can select an AWS Serverless Application Repository application and view details of the application, such as author, description, versions, and other configuration information. To do so, the user must have permissions for the following AWS Serverless Application Repository operations.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ViewApplication",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:GetApplication",
                "serverlessrepo:ListApplicationVersions"
            ],
            "Resource": "*"
        }
    ]
}
Consumer Example 3: Allow a Consumer to Deploy an Application
For customers to deploy applications, you must grant them permissions to perform a number of operations. The following policy provides customers with the required permissions.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeployApplication",
            "Effect": "Allow",
            "Action": [
                "serverlessrepo:CreateCloudFormationChangeSet",
                "cloudformation:CreateChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DescribeStacks"
            ],
            "Resource": "*"
        }
    ]
}
Note
Deploying an application might require permissions to use additional AWS resources. Because AWS Serverless Application Repository uses the same underlying deployment mechanism as AWS CloudFormation, you can see Controlling Access with AWS Identity and Access Management for more information. You can also see Troubleshooting: Insufficient IAM Permissions for help with deployment issues related to permissions.
Using Resource-Based Policies for AWS Serverless Application Repository (Application Policies)
An AWS Serverless Application Repository application is the primary AWS resource in AWS Serverless Application Repository. You can add permissions to the policy associated with an AWS Serverless Application Repository application. Permissions policies attached to AWS Serverless Application Repository applications are referred to as resource-based policies (or application policies). You can use AWS Serverless Application Repository application policies to manage application deployment permissions.
Important
Before you create resource-based policies, we recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your AWS Serverless Application Repository resources. For more information, see Overview of Managing Access Permissions to Your AWS Serverless Application Repository Resources (p. 29).
AWS Serverless Application Repository application policies are primarily used by publishers to grant permission to consumers to deploy their applications. Permissions can be granted using either the AWS CLI, the AWS SDKs, or the AWS Management Console. The AWS CLI and the AWS SDKs allow publishers to set both coarse-grained and fine-grained permissions for their applications. That is, publishers can set applications to be available for everyone, available to no one, and available only to a specific list of AWS accounts. The AWS Management Console only allows publishers to set coarse permissions for their applications (that is, available for everyone and available to no one).
Application Permissions
This table contains the list of supported actions for setting permissions for AWS Serverless Application Repository applications when using the AWS CLI or the AWS SDKs.
| Action | Description |
| --- | --- |
| GetApplication | Grants permission to view information about the application. |
| CreateCloudFormationChangeSet | Grants permission for the application to be deployed. Note: This action does not grant any other permission other than to deploy. |
| ListApplicationVersions | Grants permission to list the versions of the application. |
| SearchApplications | Grants permission for the application to be searched for. |
| Deploy | This action enables all actions listed above, that is, it grants permission for the application to be viewed, deployed, versions to be listed, and to be searched for. |
The examples below show how to grant permissions using the AWS CLI. For information on how to grant permissions using the AWS Management Console see Sharing an Application Through the Console (p. 4).
AWS Serverless Application Repository provides the following AWS CLI commands to manage a permissions policy associated with an AWS Serverless Application Repository application:
• put-application-policy
• get-application-policy
Example 1: Share an Application with Another Specific Account
To share an application with another specific account, but keep it from being shared with others, you specify the AWS account ID you want to share with as the principal. Following is the AWS CLI command to do this.
aws serverlessrepo put-application-policy \
--region region \
--application-id application-arn \
--statements Principals=account-id,Actions=Deploy
Example 2: Share an Application Publicly
To make an application public, you share it with everyone by specifying "*" as the principal, as in the following example.
aws serverlessrepo put-application-policy \
--region region \
--application-id application-arn \
--statements Principals=*,Actions=Deploy
Example 3: Make an Application Private
You can make an application private, so it's not shared with anyone and can only be deployed by the AWS account that owns it. To do so, you clear out the principals and actions from the policy, as follows.
aws serverlessrepo put-application-policy \
--region region \
--application-id application-arn \
--statements '[]'
Example 4: Specifying Multiple Accounts and Permissions
Multiple permissions can be granted, and to more than one AWS account at a time. This is done by specifying lists as the principal and actions, as in the following example.
aws serverlessrepo put-application-policy \
--region region \
--application-id application-arn \
--statements Principals=account-id-1,account-id-2,Actions=GetApplication,CreateCloudFormationChangeSet
Example 5: Retrieve an Application Policy
To view an application's current policy, for example to see whether it is currently being shared, you use the get-application-policy command, as in the following example.
aws serverlessrepo get-application-policy \
--region region \
--application-id application-arn
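The following added example (not part of the AWS guide) audits a retrieved application policy: it expands Deploy into the actions listed in the Application Permissions table, classifies the application as private, shared, or public, and reports principals outside an expected allow list. It assumes the get-application-policy output is a JSON object with a Statements list whose items carry the same Principals and Actions fields that --statements takes; the account IDs and sample policies are constructed.

```python
# Actions that the Application Permissions table says "Deploy" enables.
DEPLOY_EXPANSION = frozenset({
    "GetApplication",
    "CreateCloudFormationChangeSet",
    "ListApplicationVersions",
    "SearchApplications",
})


def effective_grants(policy):
    """Map each principal to the set of concrete actions it holds."""
    grants = {}
    for stmt in policy.get("Statements", []):
        actions = set()
        for action in stmt.get("Actions", []):
            # "Deploy" is shorthand for the four actions above.
            actions |= DEPLOY_EXPANSION if action == "Deploy" else {action}
        if not actions:
            continue  # a statement without actions grants nothing
        for principal in stmt.get("Principals", []):
            grants.setdefault(principal, set()).update(actions)
    return grants


def visibility(policy):
    """Return 'private', 'shared' (specific accounts) or 'public' ("*")."""
    grants = effective_grants(policy)
    if "*" in grants:
        return "public"
    return "shared" if grants else "private"


def can_deploy(policy, account_id):
    """True if the account (or everyone) holds CreateCloudFormationChangeSet."""
    grants = effective_grants(policy)
    held = grants.get("*", set()) | grants.get(account_id, set())
    return "CreateCloudFormationChangeSet" in held


def unexpected_principals(policy, allowed_accounts):
    """Principals that hold any grant but are not on the allow list."""
    return sorted(p for p in effective_grants(policy) if p not in allowed_accounts)


# Constructed sample policies mirroring Examples 2, 3 and 4 on this page.
PUBLIC_POLICY = {"Statements": [
    {"StatementId": "constructed-public", "Principals": ["*"], "Actions": ["Deploy"]},
]}
PRIVATE_POLICY = {"Statements": []}
MULTI_ACCOUNT_POLICY = {"Statements": [
    {"StatementId": "constructed-multi",
     "Principals": ["111111111111", "222222222222"],
     "Actions": ["GetApplication", "CreateCloudFormationChangeSet"]},
]}

if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY),
                      ("multi", MULTI_ACCOUNT_POLICY)]:
        print(name, visibility(pol), unexpected_principals(pol, {"111111111111"}))
```

Running the same functions over the saved output of get-application-policy for each published application gives a quick inventory of which applications are public and which accounts can deploy them.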
AWS Serverless Application Repository API Permissions: Actions and Resources Reference
When you set up access control (p. 29) and write permissions policies that you can attach to an IAM identity (identity-based policies), you can use the following table as a reference. The table lists each AWS Serverless Application Repository API operation, the corresponding actions for which you can grant permissions to perform the action, and the AWS resource for which you can grant the permissions. You specify the actions in the policy's Action field, and the resource value in the policy's Resource field.
To specify an action, use the serverlessrepo: prefix followed by the API operation name (for example, serverlessrepo:ListApplications).
| Operation | URI | Method | AWS Resources (ARNs) |
| --- | --- | --- | --- |
| Operation: ListApplications. Required Permissions: serverlessrepo:ListApplications | /applications | GET | * |
| Operation: CreateApplication. Required Permissions: serverlessrepo:CreateApplication | /applications | POST | * |
| Operation: GetApplication. Required Permissions: serverlessrepo:GetApplication | /applications/application-id | GET | arn:aws:serverlessrepo:region:account-id:applications/application-name |
| Operation: DeleteApplication. Required Permissions: serverlessrepo:DeleteApplication | /applications/application-id | DELETE | arn:aws:serverlessrepo:region:account-id:applications/application-name |
| Operation: UpdateApplication. Required Permissions: serverlessrepo:UpdateApplication | /applications/application-id | PATCH | arn:aws:serverlessrepo:region:account-id:applications/application-name |
| Operation: CreateCloudFormationChangeSet. Required Permissions: serverlessrepo:CreateCloudFormationChangeSet | /applications/application-id/changesets | POST | arn:aws:serverlessrepo:region:account-id:applications/application-name |
| Operation: GetApplicationPolicy. Required Permissions: serverlessrepo:GetApplicationPolicy | /applications/application-id/policy | GET | arn:aws:serverlessrepo:region:account-id:applications/application-name |
| Operation: PutApplicationPolicy. Required Permissions: serverlessrepo:PutApplicationPolicy | /applications/application-id/policy | PUT | arn:aws:serverlessrepo:region:account-id:applications/application-name |
| Operation: ListApplicationVersions. Required Permissions: serverlessrepo:ListApplicationVersions | /applications/application-id/versions | GET | arn:aws:serverlessrepo:region:account-id:applications/application-name |
| Operation: CreateApplicationVersion. Required Permissions: serverlessrepo:CreateApplicationVersion | /applications/application-id/versions/semantic-version | PUT | arn:aws:serverlessrepo:region:account-id:applications/application-name |
| Operation: SearchApplications. Required Permissions: serverlessrepo:SearchApplications | n/a | n/a | * |
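The following added example (not part of the AWS guide) checks identity-based policy statements against the reference table above: it flags an Allow statement that scopes a wildcard-only action to an ARN, which the table indicates will not match, and one that uses "*" for an action that could be limited to a single application. The function names and finding labels are hypothetical; Deny statements, NotAction and NotResource are not evaluated.

```python
import fnmatch

# Transcribed from the reference table on this page.
# True  -> the table lists an application ARN as the resource
# False -> the table lists only "*" as the resource
ACTION_SUPPORTS_ARN = {
    "ListApplications": False,
    "CreateApplication": False,
    "GetApplication": True,
    "DeleteApplication": True,
    "UpdateApplication": True,
    "CreateCloudFormationChangeSet": True,
    "GetApplicationPolicy": True,
    "PutApplicationPolicy": True,
    "ListApplicationVersions": True,
    "CreateApplicationVersion": True,
    "SearchApplications": False,
}


def as_list(value):
    """IAM accepts a bare string where a list is expected."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def expand_action(action):
    """Resolve one Action entry (wildcards allowed) to known operations.

    Returns None for other services, [] if nothing in the table matches.
    """
    service, _, name = action.partition(":")
    if service.lower() != "serverlessrepo":
        return None
    return [op for op in ACTION_SUPPORTS_ARN
            if fnmatch.fnmatchcase(op.lower(), name.lower())]


def lint_policy(policy):
    """Return (sid, action, finding) tuples for every Allow statement."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        wildcard = "*" in as_list(stmt.get("Resource"))
        for action in as_list(stmt.get("Action")):
            ops = expand_action(action)
            if ops is None:
                continue
            if not ops:
                findings.append((sid, action, "unknown-action"))
            for op in ops:
                if not ACTION_SUPPORTS_ARN[op] and not wildcard:
                    findings.append((sid, "serverlessrepo:" + op, "needs-wildcard"))
                elif ACTION_SUPPORTS_ARN[op] and wildcard:
                    findings.append((sid, "serverlessrepo:" + op, "can-be-scoped"))
    return findings


APP_ARN = "arn:aws:serverlessrepo:region:account-id:applications/application-name"

# The two-statement permissions policy shown earlier on this page.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CreateApplication", "Effect": "Allow",
     "Action": ["serverlessrepo:CreateApplication"], "Resource": "*"},
    {"Sid": "CreateApplicationVersion", "Effect": "Allow",
     "Action": ["serverlessrepo:CreateApplicationVersion"], "Resource": APP_ARN},
]}
# Publisher Example 3 from this page.
PUBLISHER_EXAMPLE_3 = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CreateApplication", "Effect": "Allow",
     "Action": ["serverlessrepo:CreateApplication",
                "serverlessrepo:CreateApplicationVersion"], "Resource": "*"},
]}
# Constructed: a wildcard action scoped to one application ARN.
MIS_SCOPED = {"Version": "2012-10-17", "Statement": {
    "Sid": "ListOneApp", "Effect": "Allow",
    "Action": "serverlessrepo:List*", "Resource": APP_ARN}}

if __name__ == "__main__":
    for name in ("PAGE_POLICY", "PUBLISHER_EXAMPLE_3", "MIS_SCOPED"):
        print(name, lint_policy(globals()[name]))
```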
AWS Serverless Application Repository Limits
Following, you can find a table that lists the limits that AWS Serverless Application Repository imposes for each AWS account for each AWS Region.
| Resource | Default Limit per AWS Account per AWS Region |
| --- | --- |
| Public applications | 100 |
| Free Amazon S3 storage for code packages | 5 GB |
Troubleshooting the AWS Serverless Application Repository
When you use the AWS Serverless Application Repository, you might encounter issues when you create, update, or delete your applications. Use this section to help troubleshoot common issues that you might encounter. You can also search for answers and post questions in the AWS Serverless Application Repository forums.
Note
Applications in the AWS Serverless Application Repository are deployed by using AWS CloudFormation. For information on troubleshooting AWS CloudFormation issues, see the AWS CloudFormation Troubleshooting Guide.
Topics
• You Can't Make an Application Public (p. 43)
• A Limit Was Exceeded (p. 43)
• An Updated Readme File Doesn't Appear Immediately (p. 43)
• You Can't Deploy an Application Due to Insufficient IAM Permissions (p. 44)
• You Can't Deploy the Same Application Twice (p. 44)
• Why Is My Application Not Publicly Available (p. 44)
• Contacting Support (p. 44)
You Can't Make an Application Public
If you can't make your application public, you might be missing a license file for your application that is approved by the Open Source Initiative (OSI).
To make your application public, you need an OSI-approved license file, and also a successfully published version of the application with a source code URL for the version. You can't update the license of an application after the application is created.
If you can't make your application public because you are missing a license file, delete the application and create a new one with the same name. Make sure that you provide it with one or more open-source licenses approved by the Open Source Initiative (OSI) organization.
A Limit Was Exceeded
If you receive an error message indicating that a limit was exceeded, check to see if you reached a resource limit. For AWS Serverless Application Repository limits, see AWS Serverless Application Repository Limits (p. 42).
An Updated Readme File Doesn't Appear Immediately
When you make your application public, the contents of your application can take up to 24 hours to update. If you experience delays longer than 24 hours, try contacting AWS Support for help. For details, see the following.
You Can't Deploy an Application Due to Insufficient IAM Permissions
To deploy an AWS Serverless Application Repository application, you need permissions to AWS Serverless Application Repository resources and AWS CloudFormation stacks. You might also need permission to use the underlying services described in the application. For example, if you're creating an Amazon S3 bucket or an Amazon DynamoDB table, you need permissions to Amazon S3 or DynamoDB.
If you run into this type of issue, review your AWS Identity and Access Management (IAM) policy and verify that you have the necessary permissions. For more information, see Controlling Access with AWS Identity and Access Management.
You Can't Deploy the Same Application Twice
The application name that you provide is used as the name of the AWS CloudFormation stack. If you have problems deploying an application, make sure that you don't have an existing AWS CloudFormation stack with the same name. If you do, provide a different application name or delete the existing stack to deploy the application with the same name.
Why Is My Application Not Publicly Available
Applications are private by default. In order to make your application public, follow the steps here.
Contacting Support
In some cases, you might not be able to find troubleshooting solutions in this section or through the AWS Serverless Application Repository forums. If you have AWS Premium Support, you can create a technical support case at AWS Support.
Before you contact AWS Support, make sure to get the Amazon Resource Name (ARN) for the application that you have questions about. You can find the application ARN in the AWS Serverless Application Repository console.
Resources
The AWS Serverless Application Repository REST API includes the following resources.
Topics
• Applications (p. 45)
• Applications applicationId (p. 60)
• Applications applicationId Changesets (p. 72)
• Applications applicationId Policy (p. 76)
• Applications applicationId Versions (p. 81)
• Applications applicationId Versions semanticVersion (p. 86)
Applications
URI
/applications
HTTP Methods
GET
Operation ID: ListApplications
Lists applications owned by the requester.
Query Parameters
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| maxItems | String | False | The total number of items to return. |
| nextToken | String | False | A token to specify where to start paginating. |
Responses
| Status Code | Response Model | Description |
| --- | --- | --- |
| 200 | ApplicationPage (p. 47) | Success |
| 400 | BadRequestException (p. 48) | One of the parameters in the request is invalid. |
| 500 | InternalServerErrorException (p. 48) | The AWS Serverless Application Repository service encountered an internal error. |
| 403 | ForbiddenException (p. 48) | The client is not authenticated. |
| 404 | NotFoundException (p. 48) | The resource (for example, an access policy statement) specified in the request doesn't exist. |
POST
Operation ID: CreateApplication
Creates an application, optionally including an AWS SAM file to create the first application version in the same call.
Responses
| Status Code | Response Model | Description |
| --- | --- | --- |
| 201 | Application (p. 47) | Success |
| 400 | BadRequestException (p. 48) | One of the parameters in the request is invalid. |
| 500 | InternalServerErrorException (p. 48) | The AWS Serverless Application Repository service encountered an internal error. |
| 403 | ForbiddenException (p. 48) | The client is not authenticated. |
| 429 | TooManyRequestsException (p. 48) | The client is sending more than the allowed number of requests per unit of time. |
| 409 | ConflictException (p. 48) | The resource already exists. |
Schemas
Request Bodies
Example POST
{
    "name": "string",
    "description": "string",
    "author": "string",
    "spdxLicenseId": "string",
    "licenseBody": "string",
    "licenseUrl": "string",
    "readmeBody": "string",
    "readmeUrl": "string",
    "labels": [
        "string"
    ],
    "homePageUrl": "string",
    "semanticVersion": "string",
    "templateBody": "string",
    "templateUrl": "string",
    "sourceCodeUrl": "string"
}
Response Bodies
Example ApplicationPage
{
    "applications": [
        {
            "applicationId": "string",
            "name": "string",
            "description": "string",
            "author": "string",
            "spdxLicenseId": "string",
            "labels": [
                "string"
            ],
            "creationTime": "string",
            "homePageUrl": "string"
        }
    ],
    "nextToken": "string"
}
Example Application
{
    "applicationId": "string",
    "name": "string",
    "description": "string",
    "author": "string",
    "spdxLicenseId": "string",
    "licenseUrl": "string",
    "readmeUrl": "string",
    "labels": [
        "string"
    ],
    "creationTime": "string",
    "homePageUrl": "string",
    "version": {
        "applicationId": "string",
        "semanticVersion": "string",
        "sourceCodeUrl": "string",
        "templateUrl": "string",
        "creationTime": "string",
        "parameterDefinitions": [
            {
                "name": "string",
                "defaultValue": "string",
                "description": "string",
                "type": "string",
                "noEcho": boolean,
                "allowedPattern": "string",
                "constraintDescription": "string",
                "minValue": integer,
                "maxValue": integer,
                "minLength": integer,
                "maxLength": integer,
                "allowedValues": [
                    "string"
                ],
                "referencedByResources": [
                    "string"
                ]
            }
        ]
    }
}
Example BadRequestException
{
    "message": "string",
    "errorCode": "string"
}
Example ForbiddenException
{
    "message": "string",
    "errorCode": "string"
}
Example NotFoundException
{
    "message": "string",
    "errorCode": "string"
}
Example ConflictException
{
    "message": "string",
    "errorCode": "string"
}
Example TooManyRequestsException
{
    "message": "string",
    "errorCode": "string"
}
Example InternalServerErrorException
{
    "message": "string",
    "errorCode": "string"
}
Properties
Application
applicationId
The application Amazon Resource Name (ARN).
Type: string
Required: True
name
The name of the application.
Minimum length=1. Maximum length=140
Pattern: "[a-zA-Z0-9\\-]+";
Type: string
Required: True
description
The description of the application.
Minimum length=1. Maximum length=256
Type: string
Required: True
author
The name of the author publishing the app.
Minimum length=1. Maximum length=127.
Pattern "^[a-z0-9](([a-z0-9]|-(?!-))*[a-z0-9])?$";
Type: string
Required: True
spdxLicenseId
A valid identifier from https://spdx.org/licenses/.
Type: string
Required: False
licenseUrl
A link to a license file of the app that matches the spdxLicenseID value of your application.
Maximum size 5 MB
Type: string
Required: False
readmeUrl
A link to the readme file in Markdown language that contains a more detailed description of the application and how it works.
Maximum size 5 MB
Type: string
Required: False
labels
Labels to improve discovery of apps in search results.
Minimum length=1. Maximum length=127. Maximum number of labels: 10
Pattern: "^[a-zA-Z0-9+\\-_:\\/@]+$";
Type: Array of type string
Required: False
creationTime
The date and time this resource was created.
Type: string
Required: False
homePageUrl
A URL with more information about the application, for example the location of your GitHub repository for the application.
Type: string
Required: False
version
Version information about the application.
Type: Version (p. 59)
Required: False
ApplicationPage
applications
An array of application summaries.
Type: Array of type ApplicationSummary (p. 51)
Required: True
nextToken
The token to request the next page of results.
Type: string
Required: False
ApplicationSummary
applicationId
The application Amazon Resource Name (ARN).
Type: string
Required: True
name
The name of the application.
Minimum length=1. Maximum length=140
Pattern: "[a-zA-Z0-9\\-]+";
Type: string
Required: True
description
The description of the application.
Minimum length=1. Maximum length=256
Type: string
Required: True
author
The name of the author publishing the app.
Minimum length=1. Maximum length=127.
Pattern "^[a-z0-9](([a-z0-9]|-(?!-))*[a-z0-9])?$";
Type: string
Required: True
spdxLicenseId
A valid identifier from https://spdx.org/licenses/.
Type: string
Required: False
labels
Labels to improve discovery of apps in search results.
Minimum length=1. Maximum length=127. Maximum number of labels: 10
Pattern: "^[a-zA-Z0-9+\\-_:\\/@]+$";
Type: Array of type string
Required: False
creationTime
The date and time this resource was created.
Type: string
Required: False
homePageUrl
A URL with more information about the application, for example the location of your GitHub repository for the application.
Type: string
Required: False
BadRequestException
message
One of the parameters in the request is invalid.
Type: string
Required: False
errorCode
400
Type: string
Required: False
ConflictException
message
The resource already exists.
Type: string
Required: False
errorCode
409
Type: string
Required: False
CreateApplicationInput
name
The name of the application that you want to publish.
Minimum length=1. Maximum length=140
Pattern: "[a-zA-Z0-9\\-]+";
Type: string
Required: True
description
The description of the application.
Minimum length=1. Maximum length=256
Type: string
Required: True
author
The name of the author publishing the app.
Minimum length=1. Maximum length=127.
Pattern "^[a-z0-9](([a-z0-9]|-(?!-))*[a-z0-9])?$";
Type: string
Required: True
spdxLicenseId
A valid identifier from https://spdx.org/licenses/.
Type: stringRequired: False
licenseBody
A local text file that contains the license of the app that matches the spdxLicenseID value of yourapplication. The file has the format file://<path>/<filename>.
Maximum size 5 MB
You can specify only one of licenseBody and licenseUrl; otherwise, an error results.
Type: stringRequired: False
licenseUrl
A link to the S3 object that contains the license of the app that matches the spdxLicenseId value of your application.
Maximum size 5 MB
You can specify only one of licenseBody and licenseUrl; otherwise, an error results.
Type: string
Required: False
readmeBody
A local text readme file in Markdown language that contains a more detailed description of the application and how it works. The file has the format file://<path>/<filename>.
Maximum size 5 MB
You can specify only one of readmeBody and readmeUrl; otherwise, an error results.
Type: string
Required: False
readmeUrl
A link to the S3 object in Markdown language that contains a more detailed description of the application and how it works.
Maximum size 5 MB
You can specify only one of readmeBody and readmeUrl; otherwise, an error results.
Type: string
Required: False
labels
Labels to improve discovery of apps in search results.
Minimum length=1. Maximum length=127. Maximum number of labels: 10
Pattern: "^[a-zA-Z0-9+\\-_:\\/@]+$";
Type: Array of type string
Required: False
homePageUrl
A URL with more information about the application, for example the location of your GitHub repository for the application.
Type: string
Required: False
semanticVersion
The semantic version of the application:
https://semver.org/
Type: string
Required: False
templateBody
The local raw packaged AWS SAM template file of your application. The file has the format file://<path>/<filename>.
You can specify only one of templateBody and templateUrl; otherwise, an error results.
Type: string
Required: False
templateUrl
A link to the S3 object containing the packaged AWS SAM template of your application.
You can specify only one of templateBody and templateUrl; otherwise, an error results.
Type: string
Required: False
sourceCodeUrl
A link to a public repository for the source code of your application.
Type: string
Required: False
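The CreateApplicationInput constraints listed above can be checked on the client before a request is sent, which turns a 400 BadRequestException into a precise local error. The following Python code is an added example, not code from this guide or from AWS; the function and constant names and the sample requests are hypothetical, and matching each pattern against the whole value is an assumption, because the name pattern is printed without anchors.

```python
import re

# Constraints transcribed from the CreateApplicationInput properties above.
# The guide prints the patterns JSON-escaped ("\\-"); they are unescaped here.
NAME_RE = re.compile(r"[a-zA-Z0-9\-]+")
AUTHOR_RE = re.compile(r"^[a-z0-9](([a-z0-9]|-(?!-))*[a-z0-9])?$")
LABEL_RE = re.compile(r"^[a-zA-Z0-9+\-_:/@]+$")
MAX_LABELS = 10
REQUIRED = ("name", "description", "author")
# The guide allows only one member of each pair per request.
EXCLUSIVE_PAIRS = (
    ("licenseBody", "licenseUrl"),
    ("readmeBody", "readmeUrl"),
    ("templateBody", "templateUrl"),
)


def _check_string(errors, field, value, min_len, max_len, pattern=None):
    """Append one error for each documented constraint that value breaks."""
    if not isinstance(value, str):
        errors.append(f"{field}: must be a string")
        return
    if not min_len <= len(value) <= max_len:
        errors.append(f"{field}: length {len(value)} is outside {min_len}..{max_len}")
    # Assumption: the pattern must cover the whole value. fullmatch() also
    # rejects a trailing newline, which "$" with match() would let through.
    if pattern is not None and not pattern.fullmatch(value):
        errors.append(f"{field}: does not match {pattern.pattern}")


def validate_create_application_input(body):
    """Return a list of constraint violations; an empty list means valid."""
    errors = [f"{field}: required" for field in REQUIRED if field not in body]
    if "name" in body:
        _check_string(errors, "name", body["name"], 1, 140, NAME_RE)
    if "description" in body:
        _check_string(errors, "description", body["description"], 1, 256)
    if "author" in body:
        _check_string(errors, "author", body["author"], 1, 127, AUTHOR_RE)
    labels = body.get("labels")
    if labels is not None:
        if not isinstance(labels, list):
            errors.append("labels: must be an array of strings")
        else:
            if len(labels) > MAX_LABELS:
                errors.append(f"labels: {len(labels)} labels, maximum is {MAX_LABELS}")
            for i, label in enumerate(labels):
                _check_string(errors, f"labels[{i}]", label, 1, 127, LABEL_RE)
    for first, second in EXCLUSIVE_PAIRS:
        if first in body and second in body:
            errors.append(f"{first}/{second}: specify only one")
    return errors


# Constructed sample requests (not taken from the guide).
GOOD = {
    "name": "thumbnail-maker",
    "description": "Resizes images uploaded to a bucket.",
    "author": "example-team",
    "spdxLicenseId": "MIT",
    "labels": ["images", "s3:events"],
    "templateUrl": "https://s3.amazonaws.com/example-bucket/packaged.yaml",
}
BAD = {
    "name": "thumbnail maker",          # space is outside the name pattern
    "description": "",                  # shorter than the minimum length of 1
    "author": "example--team",          # consecutive hyphens are not allowed
    "labels": [f"label{i}" for i in range(11)],  # more than 10 labels
    "licenseBody": "MIT License text",  # both members of an exclusive pair
    "licenseUrl": "https://s3.amazonaws.com/example-bucket/LICENSE",
}

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(validate_create_application_input(sample))
```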
ForbiddenException
message
The client is not authenticated.
Type: string
Required: False
errorCode
403
Type: string
Required: False
InternalServerErrorException
message
The AWS Serverless Application Repository service encountered an internal error.
Type: string
Required: False
errorCode
500
Type: string
Required: False
NotFoundException
message
The resource (for example, an access policy statement) specified in the request doesn't exist.
Type: string
Required: False
errorCode
404
Type: string
Required: False
ParameterDefinition
name
The name of the parameter.
Type: string
Required: True
defaultValue
A value of the appropriate type for the template to use if no value is specified when a stack is created. If you define constraints for the parameter, you must specify a value that adheres to those constraints.
Type: string
Required: False
description
A string of up to 4,000 characters that describes the parameter.
Type: string
Required: False
type
The type of the parameter.
Valid values: String | Number | List<Number> | CommaDelimitedList
String: A literal string.
For example, users can specify "MyUserName".
Number: An integer or float. AWS CloudFormation validates the parameter value as a number. However, when you use the parameter elsewhere in your template (for example, by using the Ref intrinsic function), the parameter value becomes a string.
For example, users might specify "8888".
List<Number>: An array of integers or floats that are separated by commas. AWS CloudFormation validates the parameter value as numbers. However, when you use the parameter elsewhere in your template (for example, by using the Ref intrinsic function), the parameter value becomes a list of strings.
For example, users might specify "80,20", and then Ref results in ["80","20"].
CommaDelimitedList: An array of literal strings that are separated by commas. The total number of strings should be one more than the total number of commas. Also, each member string is space-trimmed.
For example, users might specify "test,dev,prod", and then Ref results in ["test","dev","prod"].
Type: string
Required: False
noEcho
Whether to mask the parameter value whenever anyone makes a call that describes the stack. If you set the value to true, the parameter value is masked with asterisks (*****).
Type: boolean
Required: False
allowedPattern
A regular expression that represents the patterns to allow for String types.
Type: string
Required: False
constraintDescription
A string that explains a constraint when the constraint is violated. For example, without a constraint description, a parameter that has an allowed pattern of [A-Za-z0-9]+ displays the following error message when the user specifies an invalid value:
Malformed input-Parameter MyParameter must match pattern [A-Za-z0-9]+
By adding a constraint description, such as "must contain only uppercase and lowercase letters and numbers," you can display the following customized error message:
Malformed input-Parameter MyParameter must contain only uppercase and lowercase letters and numbers.
Type: string
Required: False
minValue
A numeric value that determines the smallest numeric value that you want to allow for Number types.
Type: integer
Required: False
maxValue
A numeric value that determines the largest numeric value that you want to allow for Number types.
Type: integer
Required: False
minLength
An integer value that determines the smallest number of characters that you want to allow for String types.
Type: integer
Required: False
maxLength
An integer value that determines the largest number of characters that you want to allow for String types.
Type: integer
Required: False
allowedValues
An array containing the list of values allowed for the parameter.
Type: Array of type string
Required: False
referencedByResources
A list of AWS SAM resources that use this parameter.
Type: Array of type string
Required: True
TooManyRequestsException
message
The client is sending more than the allowed number of requests per unit of time.
Type: string
Required: False
errorCode
429
Type: string
Required: False
Version
applicationId
The application Amazon Resource Name (ARN).
Type: string
Required: True
semanticVersion
The semantic version of the application:
https://semver.org/
Type: string
Required: True
sourceCodeUrl
A link to a public repository for the source code of your application.
Type: string
Required: False
templateUrl
A link to the packaged AWS SAM template of your application.
Type: string
Required: True
creationTime
The date and time this resource was created.
Type: string
Required: True
parameterDefinitions
An array of parameter types supported by the application.
Type: Array of type ParameterDefinition
Required: True
Applications applicationId
URI
/applications/applicationId
HTTP Methods
GET
Operation ID: GetApplication
Gets the specified application.
Path Parameters
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| applicationId | String | True | The Amazon Resource Name (ARN) of the application. |
Query Parameters
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| semanticVersion | String | False | The semantic version of the application to get. |
Responses
| Status Code | Response Model | Description |
| --- | --- | --- |
| 200 | Application | Success |
| 400 | BadRequestException | One of the parameters in the request is invalid. |
| 500 | InternalServerErrorException | The AWS Serverless Application Repository service encountered an internal error. |
| 403 | ForbiddenException | The client is not authenticated. |
| 404 | NotFoundException | The resource (for example, an access policy statement) specified in the request doesn't exist. |
| 429 | TooManyRequestsException | The client is sending more than the allowed number of requests per unit of time. |
DELETE
Operation ID: DeleteApplication
Deletes the specified application.
Path Parameters
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| applicationId | String | True | The Amazon Resource Name (ARN) of the application. |
Responses
| Status Code | Response Model | Description |
| --- | --- | --- |
| 400 | BadRequestException | One of the parameters in the request is invalid. |
| 500 | InternalServerErrorException | The AWS Serverless Application Repository service encountered an internal error. |
| 204 | None | Success |
| 403 | ForbiddenException | The client is not authenticated. |
| 404 | NotFoundException | The resource (for example, an access policy statement) specified in the request doesn't exist. |
| 429 | TooManyRequestsException | The client is sending more than the allowed number of requests per unit of time. |
| 409 | ConflictException | The resource already exists. |
PATCH
Operation ID: UpdateApplication
Updates the specified application.
Path Parameters
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| applicationId | String | True | The Amazon Resource Name (ARN) of the application. |
Responses
| Status Code | Response Model | Description |
| --- | --- | --- |
| 200 | Application | Success |
| 400 | BadRequestException | One of the parameters in the request is invalid. |
| 500 | InternalServerErrorException | The AWS Serverless Application Repository service encountered an internal error. |
| 403 | ForbiddenException | The client is not authenticated. |
| 404 | NotFoundException | The resource (for example, an access policy statement) specified in the request doesn't exist. |
| 429 | TooManyRequestsException | The client is sending more than the allowed number of requests per unit of time. |
| 409 | ConflictException | The resource already exists. |
Schemas
Request Bodies
Example PATCH
{
  "description": "string",
  "author": "string",
  "readmeBody": "string",
  "readmeUrl": "string",
  "labels": [ "string" ],
  "homePageUrl": "string"
}
Response Bodies
Example Application
{
  "applicationId": "string",
  "name": "string",
  "description": "string",
  "author": "string",
  "spdxLicenseId": "string",
  "licenseUrl": "string",
  "readmeUrl": "string",
  "labels": [ "string" ],
  "creationTime": "string",
  "homePageUrl": "string",
  "version": {
    "applicationId": "string",
    "semanticVersion": "string",
    "sourceCodeUrl": "string",
    "templateUrl": "string",
    "creationTime": "string",
    "parameterDefinitions": [
      {
        "name": "string",
        "defaultValue": "string",
        "description": "string",
        "type": "string",
        "noEcho": boolean,
        "allowedPattern": "string",
        "constraintDescription": "string",
        "minValue": integer,
        "maxValue": integer,
        "minLength": integer,
        "maxLength": integer,
        "allowedValues": [ "string" ],
        "referencedByResources": [ "string" ]
      }
    ]
  }
}
Example BadRequestException
{ "message": "string", "errorCode": "string" }
Example ForbiddenException
{ "message": "string", "errorCode": "string" }
Example NotFoundException
{ "message": "string", "errorCode": "string" }
Example ConflictException
{ "message": "string", "errorCode": "string" }
Example TooManyRequestsException
{ "message": "string", "errorCode": "string" }
Example InternalServerErrorException
{ "message": "string", "errorCode": "string" }
Properties
Application
applicationId
The application Amazon Resource Name (ARN).
Type: string
Required: True
name
The name of the application.
Minimum length=1. Maximum length=140
Pattern: "[a-zA-Z0-9\\-]+";
Type: string
Required: True
description
The description of the application.
Minimum length=1. Maximum length=256
Type: string
Required: True
author
The name of the author publishing the app.
Minimum length=1. Maximum length=127.
Pattern: "^[a-z0-9](([a-z0-9]|-(?!-))*[a-z0-9])?$";
Type: string
Required: True
spdxLicenseId
A valid identifier from https://spdx.org/licenses/.
Type: string
Required: False
licenseUrl
A link to a license file of the app that matches the spdxLicenseId value of your application.
Maximum size 5 MB
Type: string
Required: False
readmeUrl
A link to the readme file in Markdown language that contains a more detailed description of the application and how it works.
Maximum size 5 MB
Type: string
Required: False
labels
Labels to improve discovery of apps in search results.
Minimum length=1. Maximum length=127. Maximum number of labels: 10
Pattern: "^[a-zA-Z0-9+\\-_:\\/@]+$";
Type: Array of type string
Required: False
creationTime
The date and time this resource was created.
Type: string
Required: False
homePageUrl
A URL with more information about the application, for example the location of your GitHub repository for the application.
Type: string
Required: False
version
Version information about the application.
Type: Version
Required: False
BadRequestException
message
One of the parameters in the request is invalid.
Type: string
Required: False
errorCode
400
Type: string
Required: False
ConflictException
message
The resource already exists.
Type: string
Required: False
errorCode
409
Type: string
Required: False
ForbiddenException
message
The client is not authenticated.
Type: string
Required: False
errorCode
403
Type: string
Required: False
InternalServerErrorException
message
The AWS Serverless Application Repository service encountered an internal error.
Type: string
Required: False
errorCode
500
Type: string
Required: False
NotFoundException
message
The resource (for example, an access policy statement) specified in the request doesn't exist.
Type: string
Required: False
errorCode
404
Type: string
Required: False
ParameterDefinition
name
The name of the parameter.
Type: string
Required: True
defaultValue
A value of the appropriate type for the template to use if no value is specified when a stack is created. If you define constraints for the parameter, you must specify a value that adheres to those constraints.
Type: string
Required: False
description
A string of up to 4,000 characters that describes the parameter.
Type: string
Required: False
type
The type of the parameter.
Valid values: String | Number | List<Number> | CommaDelimitedList
String: A literal string.
For example, users can specify "MyUserName".
Number: An integer or float. AWS CloudFormation validates the parameter value as a number. However, when you use the parameter elsewhere in your template (for example, by using the Ref intrinsic function), the parameter value becomes a string.
For example, users might specify "8888".
List<Number>: An array of integers or floats that are separated by commas. AWS CloudFormation validates the parameter value as numbers. However, when you use the parameter elsewhere in your template (for example, by using the Ref intrinsic function), the parameter value becomes a list of strings.
For example, users might specify "80,20", and then Ref results in ["80","20"].
CommaDelimitedList: An array of literal strings that are separated by commas. The total number of strings should be one more than the total number of commas. Also, each member string is space-trimmed.
For example, users might specify "test,dev,prod", and then Ref results in ["test","dev","prod"].
Type: string
Required: False
noEcho
Whether to mask the parameter value whenever anyone makes a call that describes the stack. If you set the value to true, the parameter value is masked with asterisks (*****).
Type: boolean
Required: False
allowedPattern
A regular expression that represents the patterns to allow for String types.
Type: string
Required: False
constraintDescription
A string that explains a constraint when the constraint is violated. For example, without a constraint description, a parameter that has an allowed pattern of [A-Za-z0-9]+ displays the following error message when the user specifies an invalid value:
Malformed input-Parameter MyParameter must match pattern [A-Za-z0-9]+
By adding a constraint description, such as "must contain only uppercase and lowercase letters and numbers," you can display the following customized error message:
Malformed input-Parameter MyParameter must contain only uppercase and lowercase letters and numbers.
Type: string
Required: False
minValue
A numeric value that determines the smallest numeric value that you want to allow for Number types.
Type: integer
Required: False
maxValue
A numeric value that determines the largest numeric value that you want to allow for Number types.
Type: integer
Required: False
minLength
An integer value that determines the smallest number of characters that you want to allow for String types.
Type: integer
Required: False
maxLength
An integer value that determines the largest number of characters that you want to allow for String types.
Type: integer
Required: False
allowedValues
An array containing the list of values allowed for the parameter.
Type: Array of type string
Required: False
referencedByResources
A list of AWS SAM resources that use this parameter.
Type: Array of type string
Required: True
TooManyRequestsException
message
The client is sending more than the allowed number of requests per unit of time.
Type: string
Required: False
errorCode
429
Type: string
Required: False
UpdateApplicationInput
description
The description of the application.
Minimum length=1. Maximum length=256
Type: string
Required: False
author
The name of the author publishing the app.
Minimum length=1. Maximum length=127.
Pattern: "^[a-z0-9](([a-z0-9]|-(?!-))*[a-z0-9])?$";
Type: string
Required: False
readmeBody
A text readme file in Markdown language that contains a more detailed description of the application and how it works.
Maximum size 5 MB
Type: string
Required: False
readmeUrl
A link to the readme file in Markdown language that contains a more detailed description of the application and how it works.
Maximum size 5 MB
Type: string
Required: False
labels
Labels to improve discovery of apps in search results.
Minimum length=1. Maximum length=127. Maximum number of labels: 10
Pattern: "^[a-zA-Z0-9+\\-_:\\/@]+$";
Type: Array of type string
Required: False
homePageUrl
A URL with more information about the application, for example the location of your GitHub repository for the application.
Type: string
Required: False
Version
applicationId
The application Amazon Resource Name (ARN).
Type: string
Required: True
semanticVersion
The semantic version of the application:
https://semver.org/
Type: string
Required: True
sourceCodeUrl
A link to a public repository for the source code of your application.
Type: string
Required: False
templateUrl
A link to the packaged AWS SAM template of your application.
Type: string
Required: True
creationTime
The date and time this resource was created.
Type: string
Required: True
parameterDefinitions
An array of parameter types supported by the application.
Type: Array of type ParameterDefinition
Required: True
Applications applicationId Changesets
URI
/applications/applicationId/changesets
HTTP Methods
POST
Operation ID: CreateCloudFormationChangeSet
Creates an AWS CloudFormation change set for the given application.
Path Parameters
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| applicationId | String | True | The Amazon Resource Name (ARN) of the application. |
Responses
| Status Code | Response Model | Description |
| --- | --- | --- |
| 201 | ChangeSetDetails | Success |
| 400 | BadRequestException | One of the parameters in the request is invalid. |
| 500 | InternalServerErrorException | The AWS Serverless Application Repository service encountered an internal error. |
| 403 | ForbiddenException | The client is not authenticated. |
| 429 | TooManyRequestsException | The client is sending more than the allowed number of requests per unit of time. |
Schemas
Request Bodies
Example POST
{
  "stackName": "string",
  "semanticVersion": "string",
  "parameterOverrides": [
    {
      "name": "string",
      "value": "string"
    }
  ]
}
Response Bodies
Example ChangeSetDetails
{
  "applicationId": "string",
  "semanticVersion": "string",
  "changeSetId": "string",
  "stackId": "string"
}
Example BadRequestException
{ "message": "string", "errorCode": "string" }
Example ForbiddenException
{ "message": "string", "errorCode": "string" }
Example TooManyRequestsException
{ "message": "string", "errorCode": "string" }
Example InternalServerErrorException
{ "message": "string", "errorCode": "string" }
Properties
BadRequestException
message
One of the parameters in the request is invalid.
Type: string
Required: False
errorCode
400
Type: string
Required: False
ChangeSetDetails
applicationId
The application Amazon Resource Name (ARN).
Type: string
Required: True
semanticVersion
The semantic version of the application:
https://semver.org/
Type: string
Required: True
changeSetId
The Amazon Resource Name (ARN) of the change set.
Length constraints: Minimum length of 1.
Pattern: ARN:[-a-zA-Z0-9:/]*
Type: string
Required: True
stackId
The unique ID of the stack.
Type: string
Required: True
CreateCloudFormationChangeSetInput
stackName
The name or the unique ID of the stack for which you are creating a change set. AWS CloudFormation generates the change set by comparing this stack's information with the information that you submit, such as a modified template or different parameter input values.
Constraints: Minimum length of 1.
Pattern: ([a-zA-Z][-a-zA-Z0-9]*)|(arn:\b(aws|aws-us-gov|aws-cn)\b:[-a-zA-Z0-9:/._+]*)
Type: string
Required: True
semanticVersion
The semantic version of the application:
https://semver.org/
Type: string
Required: False
parameterOverrides
A list of parameter values for the parameters of the application.
Type: Array of type ParameterValue
Required: False
ForbiddenException
message
The client is not authenticated.
Type: string
Required: False
errorCode
403
Type: string
Required: False
InternalServerErrorException
message
The AWS Serverless Application Repository service encountered an internal error.
Type: string
Required: False
errorCode
500
Type: string
Required: False
ParameterValue
name
The key associated with the parameter. If you don't specify a key and value for a particular parameter, AWS CloudFormation uses the default value that is specified in your template.
Type: string
Required: True
value
The input value associated with the parameter.
Type: string
Required: True
TooManyRequestsException
message
The client is sending more than the allowed number of requests per unit of time.
Type: string
Required: False
errorCode
429
Type: string
Required: False
Applications applicationId Policy
URI
/applications/applicationId/policy
HTTP Methods
GET
Operation ID: GetApplicationPolicy
Retrieves the policy for the application.
Path Parameters
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| applicationId | String | True | The Amazon Resource Name (ARN) of the application. |
Responses
| Status Code | Response Model | Description |
| --- | --- | --- |
| 200 | ApplicationPolicy | Success |
| 400 | BadRequestException | One of the parameters in the request is invalid. |
| 500 | InternalServerErrorException | The AWS Serverless Application Repository service encountered an internal error. |
| 403 | ForbiddenException | The client is not authenticated. |
| 404 | NotFoundException | The resource (for example, an access policy statement) specified in the request doesn't exist. |
| 429 | TooManyRequestsException | The client is sending more than the allowed number of requests per unit of time. |
PUT
Operation ID: PutApplicationPolicy
Sets the permission policy for an application. For the list of actions supported for this operation, see Application Permissions.
Path Parameters
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| applicationId | String | True | The Amazon Resource Name (ARN) of the application. |
Responses
| Status Code | Response Model | Description |
| --- | --- | --- |
| 200 | ApplicationPolicy | Success |
| 400 | BadRequestException | One of the parameters in the request is invalid. |
| 500 | InternalServerErrorException | The AWS Serverless Application Repository service encountered an internal error. |
| 403 | ForbiddenException | The client is not authenticated. |
| 404 | NotFoundException | The resource (for example, an access policy statement) specified in the request doesn't exist. |
| 429 | TooManyRequestsException | The client is sending more than the allowed number of requests per unit of time. |
Schemas
Request Bodies
Example PUT
{
  "statements": [
    {
      "statementId": "string",
      "principals": [ "string" ],
      "actions": [ "string" ]
    }
  ]
}
Response Bodies
Example ApplicationPolicy
{
  "statements": [
    {
      "statementId": "string",
      "principals": [ "string" ],
      "actions": [ "string" ]
    }
  ]
}
Example BadRequestException
{ "message": "string", "errorCode": "string" }
Example ForbiddenException
{ "message": "string", "errorCode": "string" }
Example NotFoundException
{ "message": "string", "errorCode": "string" }
Example TooManyRequestsException
{ "message": "string", "errorCode": "string" }
Example InternalServerErrorException
{ "message": "string", "errorCode": "string" }
Properties
ApplicationPolicy
statements
An array of policy statements applied to the application.
Type: Array of type ApplicationPolicyStatement
Required: True
ApplicationPolicyStatement
statementId
A unique ID for the statement.
Type: string
Required: False
principals
An AWS account ID, or * to make the application public.
Type: Array of type string
Required: True
actions
For the list of actions supported for this operation, see Application Permissions.
Type: Array of type string
Required: True
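Because a principals entry of * makes the application public, a policy returned by GetApplicationPolicy is worth comparing with the accounts you intend to share with before and after every PutApplicationPolicy call. The following Python code is an added example, not part of this guide or AWS code; the function names, the account IDs and the action value "Deploy" in the sample policy are constructed, and the check assumes that every non-wildcard principal is a 12-digit AWS account ID.

```python
import re

ACCOUNT_ID_RE = re.compile(r"\d{12}")  # AWS account IDs are 12 decimal digits


def audit_application_policy(policy, trusted_accounts):
    """Report every principal that is public, malformed or not on the allow list.

    policy has the ApplicationPolicy shape shown above:
    {"statements": [{"statementId": ..., "principals": [...], "actions": [...]}]}
    """
    findings = []
    for index, statement in enumerate(policy.get("statements", [])):
        # statementId is optional, so fall back to the statement's position.
        sid = statement.get("statementId") or f"statement[{index}]"
        actions = sorted(statement.get("actions", []))
        for principal in statement.get("principals", []):
            if principal == "*":
                issue = "public"
            elif not ACCOUNT_ID_RE.fullmatch(principal):
                issue = "malformed-principal"
            elif principal not in trusted_accounts:
                issue = "untrusted-account"
            else:
                continue
            findings.append(
                {"statement": sid, "principal": principal,
                 "issue": issue, "actions": actions}
            )
    return findings


def restrict_to_trusted(policy, trusted_accounts):
    """Build a PutApplicationPolicy request body that keeps trusted accounts only."""
    statements = []
    for statement in policy.get("statements", []):
        kept = [p for p in statement.get("principals", []) if p in trusted_accounts]
        if kept:  # principals is required, so drop statements left with none
            statements.append({**statement, "principals": kept})
    return {"statements": statements}


# Constructed sample data (account IDs, statement IDs and actions are made up).
TRUSTED_ACCOUNTS = {"111122223333"}
SAMPLE_POLICY = {
    "statements": [
        {"statementId": "share-with-build",
         "principals": ["111122223333"], "actions": ["Deploy"]},
        {"statementId": "launch-promo",
         "principals": ["*"], "actions": ["Deploy"]},
        {"principals": ["444455556666", "partner-account"],
         "actions": ["Deploy"]},
    ]
}

if __name__ == "__main__":
    for finding in audit_application_policy(SAMPLE_POLICY, TRUSTED_ACCOUNTS):
        print(finding)
    print(restrict_to_trusted(SAMPLE_POLICY, TRUSTED_ACCOUNTS))
```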
BadRequestException
message
One of the parameters in the request is invalid.
Type: string
Required: False
errorCode
400
Type: string
Required: False
ForbiddenException
message
The client is not authenticated.
Type: string
Required: False
errorCode
403
Type: string
Required: False
InternalServerErrorException
message
The AWS Serverless Application Repository service encountered an internal error.
Type: string
Required: False
errorCode
500
Type: string
Required: False
NotFoundException
message
The resource (for example, an access policy statement) specified in the request doesn't exist.
Type: string
Required: False
errorCode
404
Type: string
Required: False
TooManyRequestsException
message
The client is sending more than the allowed number of requests per unit of time.
Type: string
Required: False
errorCode
429
Type: string
Required: False
Applications applicationId Versions
URI
/applications/applicationId/versions
HTTP Methods
GET
Operation ID: ListApplicationVersions
Lists versions for the specified application.
Path Parameters
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| applicationId | String | True | The Amazon Resource Name (ARN) of the application. |
Query Parameters
| Name | Type | Required | Description |
| --- | --- | --- | --- |
| maxItems | String | False | The total number of items to return. |
| nextToken | String | False | A token to specify where to start paginating. |
Responses
| Status Code | Response Model | Description |
| --- | --- | --- |
| 200 | ApplicationVersionPage | Success |
| 400 | BadRequestException | One of the parameters in the request is invalid. |
| 500 | InternalServerErrorException | The AWS Serverless Application Repository service encountered an internal error. |
| 403 | ForbiddenException | The client is not authenticated. |
| 404 | NotFoundException | The resource (for example, an access policy statement) specified in the request doesn't exist. |
| 429 | TooManyRequestsException | The client is sending more than the allowed number of requests per unit of time. |
Schemas
Response Bodies
Example ApplicationVersionPage
{
  "versions": [
    {
      "applicationId": "string",
      "semanticVersion": "string",
      "sourceCodeUrl": "string",
      "creationTime": "string"
    }
  ],
  "nextToken": "string"
}
Example BadRequestException
{ "message": "string", "errorCode": "string" }
Example ForbiddenException
{ "message": "string", "errorCode": "string" }
Example NotFoundException
{ "message": "string", "errorCode": "string" }
Example TooManyRequestsException
{ "message": "string", "errorCode": "string" }
Example InternalServerErrorException
{ "message": "string", "errorCode": "string" }
Properties
ApplicationVersionPage
versions
An array of version summaries for the application.
Type: Array of type VersionSummary
Required: True
nextToken
The token to request the next page of results.
Type: string
Required: False
BadRequestException
message
One of the parameters in the request is invalid.
Type: string
Required: False
errorCode
400
Type: string
Required: False
ForbiddenException
message
The client is not authenticated.
Type: string
Required: False
errorCode
403
Type: string
Required: False
InternalServerErrorException
message
The AWS Serverless Application Repository service encountered an internal error.
Type: string
Required: False
errorCode
500
Type: string
Required: False
NotFoundException
message
The resource (for example, an access policy statement) specified in the request doesn't exist.
Type: string
Required: False
errorCode
404
Type: string
Required: False
TooManyRequestsException
message
The client is sending more than the allowed number of requests per unit of time.
Type: string
Required: False
errorCode
429
Type: string
Required: False
VersionSummary
applicationId
The application Amazon Resource Name (ARN).
Type: string
Required: True
semanticVersion
The semantic version of the application:
https://semver.org/
Type: string
Required: True
sourceCodeUrl
A link to a public repository for the source code of your application.
Type: string
Required: False
creationTime
The date and time this resource was created.
Type: string
Required: True
Applications applicationId Versions semanticVersion
URI
/applications/applicationId/versions/semanticVersion
HTTP Methods
PUT
Operation ID: CreateApplicationVersion
Creates an application version.
Path Parameters
Name             Type    Required  Description
applicationId    String  True      The Amazon Resource Name (ARN) of the application.
semanticVersion  String  True      The semantic version of the new version.
Responses
Status Code  Response Model                Description
201          Version                       Success
400          BadRequestException           One of the parameters in the request is invalid.
500          InternalServerErrorException  The AWS Serverless Application Repository service encountered an internal error.
403          ForbiddenException            The client is not authenticated.
429          TooManyRequestsException      The client is sending more than the allowed number of requests per unit of time.
409          ConflictException             The resource already exists.
Schemas
Request Bodies
Example PUT
{
  "templateBody": "string",
  "templateUrl": "string",
  "sourceCodeUrl": "string"
}
Response Bodies
Example Version
{
  "applicationId": "string",
  "semanticVersion": "string",
  "sourceCodeUrl": "string",
  "templateUrl": "string",
  "creationTime": "string",
  "parameterDefinitions": [
    {
      "name": "string",
      "defaultValue": "string",
      "description": "string",
      "type": "string",
      "noEcho": boolean,
      "allowedPattern": "string",
      "constraintDescription": "string",
      "minValue": integer,
      "maxValue": integer,
      "minLength": integer,
      "maxLength": integer,
      "allowedValues": [
        "string"
      ],
      "referencedByResources": [
        "string"
      ]
    }
  ]
}
Example BadRequestException
{
  "message": "string",
  "errorCode": "string"
}
Example ForbiddenException
{
  "message": "string",
  "errorCode": "string"
}
Example ConflictException
{
  "message": "string",
  "errorCode": "string"
}
Example TooManyRequestsException
{
  "message": "string",
  "errorCode": "string"
}
Example InternalServerErrorException
{
  "message": "string",
  "errorCode": "string"
}
Properties
BadRequestException
message
One of the parameters in the request is invalid.
Type: string
Required: False
errorCode
400
Type: string
Required: False
ConflictException
message
The resource already exists.
Type: string
Required: False
errorCode
409
Type: string
Required: False
CreateApplicationVersionInput
templateBody
The raw packaged AWS SAM template of your application.
Type: string
Required: False
templateUrl
A link to the packaged AWS SAM template of your application.
Type: string
Required: False
sourceCodeUrl
A link to a public repository for the source code of your application.
Type: string
Required: False
ForbiddenException
message
The client is not authenticated.
Type: string
Required: False
errorCode
403
Type: string
Required: False
InternalServerErrorException
message
The AWS Serverless Application Repository service encountered an internal error.
Type: string
Required: False
errorCode
500
Type: string
Required: False
ParameterDefinition
name
The name of the parameter.
Type: string
Required: True
defaultValue
A value of the appropriate type for the template to use if no value is specified when a stack is created. If you define constraints for the parameter, you must specify a value that adheres to those constraints.
Type: string
Required: False
description
A string of up to 4,000 characters that describes the parameter.
Type: string
Required: False
type
The type of the parameter.
Valid values: String | Number | List<Number> | CommaDelimitedList
String: A literal string.
For example, users can specify "MyUserName".
Number: An integer or float. AWS CloudFormation validates the parameter value as a number. However, when you use the parameter elsewhere in your template (for example, by using the Ref intrinsic function), the parameter value becomes a string.
For example, users might specify "8888".
List<Number>: An array of integers or floats that are separated by commas. AWS CloudFormation validates the parameter value as numbers. However, when you use the parameter elsewhere in your template (for example, by using the Ref intrinsic function), the parameter value becomes a list of strings.
For example, users might specify "80,20", and then Ref results in ["80","20"].
CommaDelimitedList: An array of literal strings that are separated by commas. The total number of strings should be one more than the total number of commas. Also, each member string is space-trimmed.
For example, users might specify "test,dev,prod", and then Ref results in ["test","dev","prod"].
Type: string
Required: False
noEcho
Whether to mask the parameter value whenever anyone makes a call that describes the stack. If you set the value to true, the parameter value is masked with asterisks (*****).
Type: boolean
Required: False
allowedPattern
A regular expression that represents the patterns to allow for String types.
Type: string
Required: False
constraintDescription
A string that explains a constraint when the constraint is violated. For example, without a constraint description, a parameter that has an allowed pattern of [A-Za-z0-9]+ displays the following error message when the user specifies an invalid value:
Malformed input-Parameter MyParameter must match pattern [A-Za-z0-9]+
By adding a constraint description, such as "must contain only uppercase and lowercase letters and numbers," you can display the following customized error message:
Malformed input-Parameter MyParameter must contain only uppercase and lowercase letters and numbers.
Type: string
Required: False
minValue
A numeric value that determines the smallest numeric value that you want to allow for Number types.
Type: integer
Required: False
maxValue
A numeric value that determines the largest numeric value that you want to allow for Number types.
Type: integer
Required: False
minLength
An integer value that determines the smallest number of characters that you want to allow for String types.
Type: integer
Required: False
maxLength
An integer value that determines the largest number of characters that you want to allow for String types.
Type: integer
Required: False
allowedValues
An array containing the list of values allowed for the parameter.
Type: Array of type string
Required: False
referencedByResources
A list of AWS SAM resources that use this parameter.
Type: Array of type string
Required: True
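Added example (not part of the AWS guide and not AWS code): a client-side check that validates a value against one ParameterDefinition object before deployment and returns what Ref would yield for each type. Assumptions: the function names are hypothetical, Python's re module stands in for the service's regular expression engine, allowedPattern must match the whole value, a missing type is treated as String, and every message other than the pattern message quoted above uses this example's own wording.

```python
import re

def fail(defn, default_reason):
    # A constraintDescription replaces the default reason, as in the guide's two messages.
    reason = defn.get("constraintDescription") or default_reason
    raise ValueError(f"Malformed input-Parameter {defn['name']} {reason}")

def check_number(defn, text):
    # Strict decimal syntax; float() alone would also accept "nan", "inf" and "1_0".
    if not re.fullmatch(r"-?\d+(\.\d+)?", text):
        fail(defn, "must be a number")  # wording is this example's own
    return text  # Ref yields the string form, not a numeric type

def resolve(defn, raw=None):
    """Validate raw against a ParameterDefinition; return what Ref would yield."""
    raw = defn.get("defaultValue") if raw is None else raw
    if raw is None:
        fail(defn, "must have a value")
    allowed = defn.get("allowedValues")
    if allowed is not None and raw not in allowed:
        fail(defn, "must be one of: " + ", ".join(allowed))
    ptype = defn.get("type", "String")  # assumption: a missing type means String
    if ptype == "Number":
        value = float(check_number(defn, raw))
        if "minValue" in defn and value < defn["minValue"]:
            fail(defn, f"must be at least {defn['minValue']}")
        if "maxValue" in defn and value > defn["maxValue"]:
            fail(defn, f"must be at most {defn['maxValue']}")
        return raw
    if ptype == "List<Number>":
        return [check_number(defn, item) for item in raw.split(",")]
    if ptype == "CommaDelimitedList":
        return [item.strip() for item in raw.split(",")]  # members are space-trimmed
    if "minLength" in defn and len(raw) < defn["minLength"]:
        fail(defn, f"must be at least {defn['minLength']} characters long")
    if "maxLength" in defn and len(raw) > defn["maxLength"]:
        fail(defn, f"must be at most {defn['maxLength']} characters long")
    pattern = defn.get("allowedPattern")
    if pattern and not re.fullmatch(pattern, raw):  # assumption: whole value must match
        fail(defn, f"must match pattern {pattern}")
    return raw

def display(defn, value):
    # noEcho values are shown masked with asterisks, never in clear text.
    return "*****" if defn.get("noEcho") else value

if __name__ == "__main__":
    # Constructed definitions and values, not taken from a real application.
    port = {"name": "Port", "type": "Number", "minValue": 1, "maxValue": 65535}
    print(resolve(port, "8888"), display({"name": "Token", "noEcho": True}, "example"))
```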
TooManyRequestsException
message
The client is sending more than the allowed number of requests per unit of time.
Type: string
Required: False
errorCode
429
Type: string
Required: False
Version
applicationId
The application Amazon Resource Name (ARN).
Type: string
Required: True
semanticVersion
The semantic version of the application:
https://semver.org/
Type: string
Required: True
sourceCodeUrl
A link to a public repository for the source code of your application.
Type: string
Required: False
templateUrl
A link to the packaged AWS SAM template of your application.
Type: string
Required: True
creationTime
The date and time this resource was created.
Type: string
Required: True
parameterDefinitions
An array of parameter types supported by the application.
Type: Array of type ParameterDefinition
Required: True
Document History
• API version: latest
• Latest documentation update: July 2, 2018
The following table describes the important changes in each release of the AWS Serverless Application Repository Developer Guide. For notification about updates to this documentation, you can subscribe to an RSS feed.
Change                 Description  Date
Documentation updates  Added Authentication and Access Control topic to the AWS Serverless Application Repository Developer Guide.  July 2, 2018
Public release         Public release of the AWS Serverless Application Repository, which is now available in 14 AWS Regions. For more information about the AWS Regions where the AWS Serverless Application Repository is available and AWS Serverless Application Repository endpoints, see Regions and Endpoints in the AWS General Reference.  February 20, 2018
New guide              This is the first, preview release of the AWS Serverless Application Repository Developer Guide.  November 30, 2017
AWS Glossary
For the latest AWS terminology, see the AWS Glossary in the AWS General Reference.