The README at https://github.com/Miserlou/Zappa#custom-aws-iam-roles-and-policies-for-execution talks about using manage_roles: false to manually set a role for custom permissions.

This along with #244 led me down a rabbit hole.

However, if all you want to do is restrict the permissions of the Lambda itself, it seems that the partially documented attach_policy is a much better option because this keeps the policy managed by Zappa (no need for manual steps).

Might be worth adding this as an option to the "IAM Roles and polices" section because surely this will solve 95% of requirements for users?

E.g. here is my settings.json:

{
    "build": {
        "app_function": "webapp.app",
        "aws_region": "eu-west-1",
        "profile_name": "test",
        "project_name": "deploy",
        "runtime": "python3.7",
        "s3_bucket": "xxxx-zappa-test",
        "attach_policy": "aws_attach_policy.json"
    }
}

And my aws_attach_policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:*"
      ],
      "Resource": "arn:aws:logs:eu-west-1:*:log-group:/aws/lambda/deploy-build:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction"
      ],
      "Resource": [
        "arn:aws:lambda:eu-west-1:*:function:deploy-build"
      ]
    }
  ]
}

(In my case I didn't need much permissions, but you get the idea).