
I want to assume an IAM role that's already been created in another serverless.yml file. It seems as if using the iam property is the only (?) way to do this for all of the iam functions at once. The source code I've encountered mainly uses iamRoleStatements to apply IAM permissions, but that doesn't seem to be made to actually have the option to assume already created roles.

Secondary question, should I use the ARN of the role or create an export for it from the stack where it's being created?

```yaml
provider:
  name: aws
  runtime: python3.8
  stage: ${opt:stage, 'dev'}
  region: ${opt:region, 'eu-west-1'}
  iam:
    role: arn:aws:iam::123456789012:role/execution-role
  iamRoleStatements:
    - Effect: Allow
      Action:
        - events:PutEvents
      Resource: arn:aws:events:${self:provider.region}:#{AWS::AccountId}:blablabla-${self:provider.stage}
    - Effect: Allow
      Action:
        - states:SendTaskSuccess
      Resource: arn:aws:states:${self:provider.region}:#{AWS::AccountId}:stateMachine:${self:provider.stage}-blablabla
```
Claudiu Moise
  • Can you clarify what you mean by "assume a role"? STS::AssumeRole is a specific API call used to generate temporary credentials (ex: if you wanted to make AWS SDK requests to an AWS account from a lambda function in another AWS account or something). Or do you mean "I want my lambda function's execution role to use an existing role, instead of creating a new one"? – Aaron Stuyvenberg Apr 08 '21 at 21:32
  • Yeah, the latter is what I meant to say: I want all the Lambdas to use an existing role that's being created in one of my other stacks – Claudiu Moise Apr 09 '21 at 14:40

1 Answer


If you want to use one existing role for all functions in a Serverless app, you'll need to either specify iam.role or iamRoleStatements.

I believe the framework is attempting to create a new role based on the iamRoleStatements you provided. You can refer to the documentation for more information.

Aaron Stuyvenberg
  • Ok, so `iamRoleStatements` creates a role that is applied to all functions in the serverless.yml with the specified policies but other roles can't be "merged" into it. The solution was to just ditch the default role and attach the specific role directly to the function that needed the permission. What I was trying to do before was to apply this outside role to all the functions in my stack, but I realized this would just cause me more problems. Though I am curious if one role created in another stack could be used as this "default role" for the serverless.yml page – Claudiu Moise Apr 10 '21 at 18:05
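As an added example (not code from the question or the answer), here is how the two-stack setup discussed above can be wired: the stack that owns the role exports its ARN, the consuming stack reads it with `${cf:...}` instead of hard-coding an account ID in `provider.iam.role`, and one function keeps its own narrower role as the final comment describes. The service names `shared-iam` and `consumer`, the handlers and the `blablabla` resource names are placeholders.

```yaml
# shared-iam/serverless.yml: the stack that owns the role also exports its ARN
service: shared-iam
provider: { name: aws, stage: "${opt:stage, 'dev'}", region: "${opt:region, 'eu-west-1'}" }
resources:
  Resources:
    LambdaExecutionRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: sts:AssumeRole }] }  # trust policy: only Lambda may assume it
        ManagedPolicyArns: [arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]  # CloudWatch Logs; not added for a custom role
        Policies:
          - PolicyName: put-events
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action: events:PutEvents   # one action on one bus, never "*"
                  Resource: { Fn::Join: ['', ['arn:aws:events:', { Ref: AWS::Region }, ':', { Ref: AWS::AccountId }, ':event-bus/blablabla-${self:provider.stage}']] }
  Outputs:
    LambdaExecutionRoleArn: { Value: { Fn::GetAtt: [LambdaExecutionRole, Arn] }, Export: { Name: "${self:service}-${self:provider.stage}-LambdaExecutionRoleArn" } }
---
# consumer/serverless.yml: every function runs under the exported role
service: consumer
provider:
  name: aws
  runtime: python3.8
  stage: ${opt:stage, 'dev'}
  region: ${opt:region, 'eu-west-1'}
  iam:
    # resolved from the other stack's output at deploy time (no account ID hard-coded);
    # do NOT also set iamRoleStatements, or the framework tries to build a second role
    role: ${cf:shared-iam-${self:provider.stage}.LambdaExecutionRoleArn}
functions:
  worker:
    handler: handler.work   # inherits provider.iam.role
  reporter:
    handler: handler.report
    role: ReporterRole      # override: only this function gets the extra permission
resources:
  Resources:
    ReporterRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: Allow, Principal: { Service: lambda.amazonaws.com }, Action: sts:AssumeRole }] }
        ManagedPolicyArns: [arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]
        Policies:
          - PolicyName: send-task-success
            PolicyDocument: { Version: '2012-10-17', Statement: [{ Effect: Allow, Action: states:SendTaskSuccess,
                Resource: { Fn::Join: ['', ['arn:aws:states:', { Ref: AWS::Region }, ':', { Ref: AWS::AccountId }, ':stateMachine:${self:provider.stage}-blablabla']] } }] }
```

`Fn::ImportValue` on the export name is the CloudFormation-native alternative to `${cf:...}`; it additionally stops the `shared-iam` stack from being deleted while the consumer still references the role.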