DEVHIDE
Login Or Sign up

How to avoid giving `iam:CreateRole` permission when using existing S3 bucket to trigger Lambda function?

4k Views Asked by At

I am trying to deploy an AWS Lambda function that gets triggered when an AVRO file is written to an existing S3 bucket.

My serverless.yml configuration is as follows:

service: braze-lambdas

provider:
  name: aws
  runtime: python3.7
  region: us-west-1
  role: arn:aws:iam::<account_id>:role/<role_name>
  stage: dev
  deploymentBucket:
    name: serverless-framework-dev-us-west-1
    serverSideEncryption: AES256

functions:
  hello:
    handler: handler.hello
    events:
      - s3:
          bucket: <company>-dev-ec2-us-west-2
          existing: true
          events: s3:ObjectCreated:*
          rules:
            - prefix: gaurav/lambdas/123/
            - suffix: .avro

When I run serverless deploy, I get the following error:

ServerlessError: An error occurred: IamRoleCustomResourcesLambdaExecution - API: iam:CreateRole User: arn:aws:sts::<account_id>:assumed-role/serverless-framework-dev/jenkins_braze_lambdas_deploy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::<account_id>:role/braze-lambdas-dev-IamRoleCustomResourcesLambdaExec-1M5QQI6P2ZYUH.

I see some mentions of Serverless needing iam:CreateRole because of how CloudFormation works but can anyone confirm if that is the only solution if I want to use existing: true? Is there another way around it except using the old Serverless plugin that was used prior to the framework adding support for the existing: true configuration?

Also, what is 1M5QQI6P2ZYUH in arn:aws:iam::<account_id>:role/braze-lambdas-dev-IamRoleCustomResourcesLambdaExec-1M5QQI6P2ZYUH? Is it a random identifier? Does this mean that Serverless will try to create a new IAM role every time I try to deploy the Lambda function?

amazon-iam serverless-framework aws-serverless serverless-plugins
Original Q&A
3

There are 3 best solutions below

1
Sean Linguine On

For running sls deploy, I would suggest you use a role/user/policy with Administrator privileges.

If you're restricted due to your InfoSec team or the like, then I suggest you have your InfoSec team have a look at docs for "AWS IAM Permission Requirements for Serverless Framework Deploy." Here's a good link discussing it: https://github.com/serverless/serverless/issues/1439. At the very least, they should add iam:CreateRole and that can get you unblocked for today.

Now I will address your individual questions:

can anyone confirm if that is the only solution if I want to use existing: true

Apples and oranges. Your S3 configuration has nothing to do with your error message. iam:CreateRole must be added to the policy of whatever/whoever is doing sls deploy.

Also, what is 1M5QQI6P2ZYUH in arn:aws:iam::<account_id>:role/braze-lambdas-dev-IamRoleCustomResourcesLambdaExec-1M5QQI6P2ZYUH? Is it a random identifier? Does this mean that serverless will try to create a new role every time I try to deploy the function?

  1. Yes, it is a random identifier
  2. No, sls will not create a new role every time. This unique ID is cached and re-used for updates to an existing stack.
  3. If a stack is destroyed/recreated, it will assign a generate a new unique ID.
0
Gary Richards On

I've just encountered this, and overcome it.

I also have a lambda for which I want to attach an s3 event to an already existing bucket.

My place of work has recently tightened up AWS Account Security by the use of Permission Boundaries.

So i've encountered the very similar error during deployment

  Serverless Error ---------------------------------------

  An error occurred: IamRoleCustomResourcesLambdaExecution - API: iam:CreateRole User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/xx-crossaccount-xx/aws-sdk-js-1600789080576 is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::XXXXXXXXXXXX:role/my-existing-bucket-IamRoleCustomResourcesLambdaExec-LS075CH394GN.

If you read Using existing buckets on the serverless site, it says

NOTE: Using the existing config will add an additional Lambda function and IAM Role to your stack. The Lambda function backs-up the Custom S3 Resource which is used to support existing S3 buckets.

In my case I needed to further customise this extra role that serverless creates so that it is also assigned the permission boundary my employer has defined should exist on all roles. This happens in the resources: section.

If your employer is using permission boundaries you'll obviously need to know the correct ARN to use

resources:
  Resources:
    IamRoleCustomResourcesLambdaExecution:
      Type: AWS::IAM::Role
      Properties:
        PermissionsBoundary: arn:aws:iam::XXXXXXXXXXXX:policy/xxxxxxxxxxxx-global-boundary

Some info on the serverless Resources config

Have a look at your own serverless.yaml, you may already have a permission boundary defined in the provider section. If so you'll find it under rolePermissionsBoundary, this was added in I think version 1.64 of serverless

provider:
  rolePermissionsBoundary: arn:aws:iam::XXXXXXXXXXXX:policy/xxxxxxxxxxxx-global-boundary

If so, you can should be able to use that ARN in the resources: sample I've posted here.

1
SYED FAISAL On

For testing purpose we can use:

provider:
  name: aws
  runtime: python3.8
  region: us-east-1
  iamRoleStatements:
  - Effect: Allow
    Action: "*"
    Resource: "*"

Related Questions in AMAZON-IAM

Related Questions in SERVERLESS-FRAMEWORK

Related Questions in AWS-SERVERLESS

Related Questions in SERVERLESS-PLUGINS

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Popular Questions

.

Copyright © 2021 Jogjafile Inc.