serverless.yml

service: example-service

frameworkVersion: '>=1.49.0 <2.0.0'

provider:
  name: aws
  region: us-west-2
  runtime: nodejs8.10
  stage: ${opt:stage}
  environment: 
    STAGE: ${self:provider.stage}
  apiname: example
  
plugins:
  - serverless-pseudo-parameters
  - serverless-iam-roles-per-function

functions:
  auth:
    handler: exampleAuth.verify
    iamRoleStatementsName: ${self:provider.apiname}-exampleAuth-verify-lambda-role
    iamRoleStatements:
      - Effect: Allow
        Action: ssm:GetParameters*
        Resource: arn:aws:ssm:#{AWS::Region}:#{AWS::AccountId}:parameter/${self:provider.apiname}/${self:provider.stage}/okta/*
      - Effect: 'Allow'
        Action: 'kms:Decrypt'
        Resource: arn:aws:kms:#{AWS::Region}:#{AWS::AccountId}:key/${ssm:/example/${self:provider.stage}/kms/keyid~true}
  exampleData:
    handler: example.getExample
    events:
      - http:
          path: /${self:provider.apiname}/read
          method: get
          authorizer:
            name: auth
            identitySource: method.request.header.Authorization
            identityValidationExpression: ^Bearer [-0-9a-zA-z\.]*$
            resultTtlInSeconds: 0
          cors: true