I have a really simple setup for my Serverless application that uses NodeJS. Everything builds just fine in Bitbucket Pipelines except for the deployment through the standard command of serverless deploy, where I get the following error message:
User: arn:aws:iam::123456789012:user/bitbucket-build-user is not authorized to perform: cloudformation:DescribeStackResources on resource: arn:aws:cloudformation:my-region: 123456789012:stack/mylambda-dev/*
Locally it works just fine. Here's the Pipelines configuration:
image:
  name: mydocker/serverless-docker:latest
  username: $MY_DOCKER_HUB_USERNAME
  password: $MY_DOCKER_HUB_PASSWORD
  email: $MY_DOCKER_HUB_EMAIL
pipelines:
  default:
    - step:
        script:
          - npm install
          - npm run lint
  branches:
    master:
      - step:
          script:
            - npm install
            - npm run lint
            - serverless config credentials --overwrite --provider aws --key $MY_AWS_KEY --secret $MY_AWS_SECRET
            - serverless deploy
Is there something I'm missing here?
Since Serverless uses AWS CloudFormation for a full deploy (the one you do with serverless deploy), the bitbucket-build-user has to have certain permissions to manage CloudFormation stacks. So at the bare minimum, you'll need to attach a policy that looks like this:

Take a look at https://github.com/serverless/serverless/issues/1439 to get an idea what permissions bitbucket-build-user might need.
Personally, I just use https://github.com/dancrumb/generator-serverless-policy to generate those policies instead of writing them manually every time.
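
An added example, not part of the answer above and not the policy its author had in mind: a constructed IAM policy covering only the CloudFormation side of a deploy, scoped to the stack named in the error message, with a simplified checker showing that the denied call is allowed on that stack and nothing else. The action list beyond cloudformation:DescribeStackResources, the `my-region` placeholder and the `is_allowed` helper are assumptions; a real deploy also needs permissions for the other services the stack creates.

```python
import fnmatch
import json

# Constructed policy: CloudFormation actions only, limited to one stack.
# Account id, stack name and the "my-region" placeholder come from the error message.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources"
      ],
      "Resource": "arn:aws:cloudformation:my-region:123456789012:stack/mylambda-dev/*"
    },
    {
      "Effect": "Allow",
      "Action": "cloudformation:ValidateTemplate",
      "Resource": "*"
    }
  ]
}
""")

def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Hypothetical helper: explicit Deny wins, otherwise any matching Allow.
    Simplified: ignores Condition, NotAction/NotResource and other policy types."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive; ARNs are matched case-sensitively.
        act = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                  for a in _as_list(stmt["Action"]))
        res = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act and res:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Scoping Resource to the stack ARN keeps the build user from touching other stacks in the account; the same check can be run against whatever policy generator-serverless-policy produces before attaching it.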