2

I am trying to deploy an AWS Lambda function that gets triggered when an AVRO file is written to an existing S3 bucket.

My serverless.yml configuration is as follows:

service: braze-lambdas

provider:
  name: aws
  runtime: python3.7
  region: us-west-1
  role: arn:aws:iam::<account_id>:role/<role_name>
  stage: dev
  deploymentBucket:
    name: serverless-framework-dev-us-west-1
    serverSideEncryption: AES256

functions:
  hello:
    handler: handler.hello
    events:
      - s3:
          bucket: <company>-dev-ec2-us-west-2
          existing: true
          event: s3:ObjectCreated:*   # the framework's key is "event" (singular), not "events"
          rules:
            - prefix: gaurav/lambdas/123/
            - suffix: .avro

When I run serverless deploy, I get the following error:

ServerlessError: An error occurred: IamRoleCustomResourcesLambdaExecution - API: iam:CreateRole User: arn:aws:sts::<account_id>:assumed-role/serverless-framework-dev/jenkins_braze_lambdas_deploy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::<account_id>:role/braze-lambdas-dev-IamRoleCustomResourcesLambdaExec-1M5QQI6P2ZYUH. 

I see some mentions of Serverless needing iam:CreateRole because of how CloudFormation works but can anyone confirm if that is the only solution if I want to use existing: true? Is there another way around it except using the old Serverless plugin that was used prior to the framework adding support for the existing: true configuration?

Also, what is 1M5QQI6P2ZYUH in arn:aws:iam::<account_id>:role/braze-lambdas-dev-IamRoleCustomResourcesLambdaExec-1M5QQI6P2ZYUH? Is it a random identifier? Does this mean that Serverless will try to create a new IAM role every time I try to deploy the Lambda function?

Max
Gaurav Keswani

3 Answers

2

I've just encountered this, and overcome it.

I also have a lambda for which I want to attach an s3 event to an already existing bucket.

My place of work has recently tightened up AWS Account Security by the use of Permission Boundaries.

So I've encountered a very similar error during deployment:

  Serverless Error ---------------------------------------

  An error occurred: IamRoleCustomResourcesLambdaExecution - API: iam:CreateRole User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/xx-crossaccount-xx/aws-sdk-js-1600789080576 is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/my-existing-bucket-IamRoleCustomResourcesLambdaExec-LS075CH394GN.

If you read Using existing buckets on the serverless site, it says

NOTE: Using the existing config will add an additional Lambda function and IAM Role to your stack. The Lambda function backs-up the Custom S3 Resource which is used to support existing S3 buckets.

In my case I needed to further customise this extra role that serverless creates so that it is also assigned the permission boundary my employer has defined should exist on all roles. This happens in the resources: section.

If your employer is using permission boundaries, you'll obviously need to know the correct ARN to use.

resources:
  Resources:
    IamRoleCustomResourcesLambdaExecution:
      Type: AWS::IAM::Role
      Properties:
        PermissionsBoundary: arn:aws:iam::XXXXXXXXXXXX:policy/xxxxxxxxxxxx-global-boundary

Some info on the serverless Resources config

Have a look at your own serverless.yaml; you may already have a permission boundary defined in the provider section. If so, you'll find it under rolePermissionsBoundary; this was added in, I think, version 1.64 of Serverless.

provider:
  rolePermissionsBoundary: arn:aws:iam::XXXXXXXXXXXX:policy/xxxxxxxxxxxx-global-boundary

If so, you should be able to use that ARN in the resources: sample I've posted here.

Dharman
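The override above only helps if you remember to apply it to every role the deploy creates. The following lint is an added example (not code from the question, the answerer, or the Serverless Framework) that walks a service definition and reports roles that would be created without a PermissionsBoundary: the framework's default function role (assumed to carry the logical ID IamRoleLambdaExecution, bounded by provider.rolePermissionsBoundary), any AWS::IAM::Role declared under resources:, and, following the answer above, the custom-resource role that existing: true adds unless resources: overrides it. It takes the dict that yaml.safe_load would return for serverless.yml; the sample service, account ID, and ARNs are constructed placeholders.

```python
import copy

# Logical IDs as they appear in the error message / the framework's generated stack.
CUSTOM_RESOURCE_ROLE = "IamRoleCustomResourcesLambdaExecution"
DEFAULT_FUNCTION_ROLE = "IamRoleLambdaExecution"  # assumption: framework's generated per-service role


def uses_existing_s3_bucket(service):
    """True if any function has an S3 event with existing: true, which makes the
    framework add the custom-resource Lambda and its execution role to the stack."""
    for function in (service.get("functions") or {}).values():
        for event in function.get("events") or []:
            s3 = event.get("s3") if isinstance(event, dict) else None
            if isinstance(s3, dict) and s3.get("existing") is True:
                return True
    return False


def declared_iam_roles(service):
    """Roles the service declares (or overrides) under resources.Resources."""
    resources = (service.get("resources") or {}).get("Resources") or {}
    return {
        logical_id: resource
        for logical_id, resource in resources.items()
        if resource.get("Type") == "AWS::IAM::Role"
    }


def roles_without_boundary(service):
    """Logical IDs of roles this deploy would create with no PermissionsBoundary.
    Assumption: provider.rolePermissionsBoundary bounds only the default function
    role; the custom-resource role needs the resources: override from the answer."""
    provider = service.get("provider") or {}
    findings = []

    # The default function role is generated unless provider.role names an existing role.
    if not provider.get("role") and not provider.get("rolePermissionsBoundary"):
        findings.append(DEFAULT_FUNCTION_ROLE)

    roles = declared_iam_roles(service)
    for logical_id, role in roles.items():
        if not (role.get("Properties") or {}).get("PermissionsBoundary"):
            findings.append(logical_id)

    # existing: true adds the custom-resource role; it is only bounded if overridden.
    if uses_existing_s3_bucket(service) and CUSTOM_RESOURCE_ROLE not in roles:
        findings.append(CUSTOM_RESOURCE_ROLE)
    return findings


def with_boundary_override(service, boundary_arn):
    """Return a copy of the service with the partial resource override from the answer."""
    fixed = copy.deepcopy(service)
    resources = fixed.setdefault("resources", {}).setdefault("Resources", {})
    resources[CUSTOM_RESOURCE_ROLE] = {
        "Type": "AWS::IAM::Role",
        "Properties": {"PermissionsBoundary": boundary_arn},
    }
    return fixed


# Constructed sample mirroring the question: provider.role is an existing role,
# the S3 event uses existing: true, and nothing is declared under resources.
QUESTION_SERVICE = {
    "service": "braze-lambdas",
    "provider": {
        "name": "aws",
        "role": "arn:aws:iam::123456789012:role/placeholder-deploy-role",
    },
    "functions": {
        "hello": {
            "handler": "handler.hello",
            "events": [
                {"s3": {"bucket": "placeholder-bucket", "existing": True,
                        "event": "s3:ObjectCreated:*"}}
            ],
        }
    },
}

BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/placeholder-global-boundary"

if __name__ == "__main__":
    print(roles_without_boundary(QUESTION_SERVICE))
    print(roles_without_boundary(with_boundary_override(QUESTION_SERVICE, BOUNDARY_ARN)))
```

Run against the question's layout it reports only the custom-resource role; after the override it reports nothing. The same walk flags any extra AWS::IAM::Role you add under resources: without a boundary, which is the class of role the comment below calls "roles that I don't have a handle on".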
0

For testing purposes we can use:

provider:
  name: aws
  runtime: python3.8
  region: us-east-1
  iamRoleStatements:
  - Effect: Allow
    Action: "*"
    Resource: "*"
SYED FAISAL
-1

For running sls deploy, I would suggest you use a role/user/policy with Administrator privileges.

If you're restricted due to your InfoSec team or the like, then I suggest you have your InfoSec team have a look at docs for "AWS IAM Permission Requirements for Serverless Framework Deploy." Here's a good link discussing it: https://github.com/serverless/serverless/issues/1439. At the very least, they should add iam:CreateRole and that can get you unblocked for today.

Now I will address your individual questions:

can anyone confirm if that is the only solution if I want to use existing: true

Apples and oranges. Your S3 configuration has nothing to do with your error message. iam:CreateRole must be added to the policy of whatever/whoever is doing sls deploy.

Also, what is 1M5QQI6P2ZYUH in arn:aws:iam::<account_id>:role/braze-lambdas-dev-IamRoleCustomResourcesLambdaExec-1M5QQI6P2ZYUH? Is it a random identifier? Does this mean that serverless will try to create a new role every time I try to deploy the function?

  1. Yes, it is a random identifier.
  2. No, sls will not create a new role every time. This unique ID is cached and re-used for updates to an existing stack.
  3. If a stack is destroyed/recreated, it will generate a new unique ID.
solsglasses
  • The first answer is incorrect, I've been deploying many Serverless projects without giving `iam:createRole`, it can be done. And then, when I try to add an S3 to Lambda event like done here to my project, I get the same error as OP. I, too, am searching for a way to not have to create roles that I don't have a handle on, for obvious security reasons. I'm guessing Serverless just can't do this, for now hopefully. – Max Jun 05 '20 at 00:39
  • @Max any updates? – I'm not human Jan 07 '21 at 19:12