
I am facing a permission issue trying to deploy a lambda using the Serverless framework.

It actually does not work on a simple (QuickStart-given) example and I have admin privileges on AWS.

So I am wondering what I might have done wrong.

In my understanding, it might be linked to the permissions given to CloudFormation but I don't know what to set, and how to set it properly, in order to make it run.


When trying to

$ serverless deploy -v --region eu-west-1

I get the following error:

Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Creating Stack...
Serverless: Checking Stack create progress...
CloudFormation - CREATE_IN_PROGRESS - AWS::CloudFormation::Stack - slstest-dev
CloudFormation - CREATE_IN_PROGRESS - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - CREATE_FAILED - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - DELETE_IN_PROGRESS - AWS::CloudFormation::Stack - slstest-dev
CloudFormation - DELETE_COMPLETE - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - DELETE_COMPLETE - AWS::CloudFormation::Stack - slstest-dev
Serverless: Operation failed!
Serverless: View the full error output: https://eu-west-1.console.aws.amazon.com/cloudformation/home?region=eu-west-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aeu-west-1%3A175264504000%3Astack%2Fslstest-dev%2Fa097e1b0-994a-11eb-b621-0ad1aa52c931
 
 Serverless Error ----------------------------------------
 
  An error occurred: ServerlessDeploymentBucket - API: s3:CreateBucket Access Denied.
 
  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com
 
  Your Environment Information ---------------------------
     Operating System:          linux
     Node Version:              14.16.0
     Framework Version:         2.33.1
     Plugin Version:            4.5.3
     SDK Version:               4.2.2
     Components Version:        3.8.1

I created a serverless service by doing

$ serverless

Serverless: No project detected. Do you want to create a new one? Yes
Serverless: What do you want to make? AWS Python
Serverless: What do you want to call this project? slstest

Project successfully created in 'slstest' folder.

You can monitor, troubleshoot, and test your new service with a free Serverless account.

Serverless: Would you like to enable this? No
You can run the “serverless” command again if you change your mind later.

$ cd slstest

Here is my serverless.yml:

service: slstest

frameworkVersion: '2'

provider:
  name: aws
  runtime: python3.8
  lambdaHashingVersion: 20201221

functions:
  hello:
    handler: handler.hello
    events:
      - httpApi:
         path: /hello
         method: post

My ~/.aws/credentials file contains

[default]
aws_access_key_id=<key>
aws_secret_access_key=<secret>

that refers to an admin account.

EnzoMolion

2 Answers


Try running the same command with AWS_PROFILE=default serverless deploy -v --region eu-west-1 or serverless deploy -v --region eu-west-1 --aws-profile default

If that still doesn't work, verify that your provided access keys actually do have permissions to create an s3 bucket by using the aws-cli.

Aaron Stuyvenberg
  • I made sure that I can create an S3 bucket via the aws-cli and this showed no problem. Same with manually setting the AWS profile via an environment variable. That's the reason why I think I just did not pass the good policy to some object (but cannot figure out which and how) – EnzoMolion Apr 12 '21 at 07:25

It turned out that the problem was that AWS was expecting multi-factor authentication (MFA).

I resolved it by

  • writing a script able to generate an MFA-authenticated AWS Profile on the fly with given profile to identify, MFA device's ARN and MFA token,
  • using the created MFA-authenticated AWS Profile to deploy.
EnzoMolion
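An added example of the kind of script the answer above describes (not the answerer's own script, which was not posted): it exchanges a profile's long-term keys plus an MFA code for temporary session credentials with `aws sts get-session-token` and stores them under a separate profile for `--aws-profile`. The function names `write_profile` and `mfa_login` and the default target profile name `mfa` are assumptions, and the AWS CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (hypothetical names, not from the original post). Usage:
#   . ./mfa-profile.sh
#   mfa_login <source-profile> <mfa-device-arn> <mfa-token> [target-profile]
#   serverless deploy -v --region eu-west-1 --aws-profile <target-profile>

# Replace (or create) the [profile] section of an AWS credentials file with
# temporary keys. Pure text processing, so it can be checked without AWS access.
write_profile() {
    file=$1 profile=$2 key_id=$3 secret=$4 token=$5
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        # Drop any previous copy of the section; keep every other profile intact.
        awk -v hdr="[$profile]" '
            /^\[/ { skip = ($0 == hdr) }
            !skip { print }
        ' "$file" > "$tmp"
    fi
    {
        printf '[%s]\n' "$profile"
        printf 'aws_access_key_id=%s\n' "$key_id"
        printf 'aws_secret_access_key=%s\n' "$secret"
        printf 'aws_session_token=%s\n' "$token"
    } >> "$tmp"
    # Credentials files should be readable by the owner only.
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# Exchange long-term keys and an MFA code for session credentials, then store them.
mfa_login() {
    src=$1 serial=$2 code=$3 target=${4:-mfa}
    creds=$(aws sts get-session-token --profile "$src" \
        --serial-number "$serial" --token-code "$code" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1
    # --output text yields one whitespace-separated line: key id, secret, token.
    set -- $creds
    [ "$#" -eq 3 ] || { echo "unexpected STS response" >&2; return 1; }
    write_profile "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" \
        "$target" "$1" "$2" "$3"
}
```

The session credentials expire, so `mfa_login` has to be run again with a fresh token once they do; the long-term keys in the source profile are left untouched.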