Policy creation works ... but does it?

I am intending to create a role per function in a serverless app that I’m creating, but for now all functions are using the default role for the set of functions. In the meantime I’ve added as resources a number of Policies that I am assigning to this default role. Here’s an example of one of these policies:

logging:
  Type: AWS::IAM::Policy
  Properties:
    PolicyName: serverless-event-logging
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:PutLogEvents
          Resource: arn:aws:logs:${self:provider.region}:*:log-group:/aws/lambda/*:*:*
        - Effect: Allow
          Action:
            - s3:PutObject
          # Note: s3:PutObject is evaluated against object ARNs; a bucket-only ARN as
          # built here will not match uploads (append "/*" to cover objects).
          Resource:
            Fn::Join:
              - ""
              - - "arn:aws:s3:::"
                - Ref: ServerlessDeploymentBucket
    Roles:
      - serverless-event-${self:custom.stage}-${self:provider.region}-lambdaRole
      - serverless-event-${self:custom.stage}-receiver
      - serverless-event-${self:custom.stage}-reporter
      - serverless-event-${self:custom.stage}-aggregator

When I look at the role definition for the default role it indeed shows that it has the “serverless-event-logging” policy attached to it. Great. Here’s the problem: when I look at the other roles which I’ve created (i.e. “receiver”, “reporter”, “aggregator”), these roles exist but the policy has not been assigned to them.

Furthermore, to my surprise, when I use AWS’s IAM console and look at the “Policies” tab none of the Policies I’ve created show up (that might be ok, not sure, but it wasn’t what I was expecting).

It’s not obvious what’s going wrong here.

I think you need to run sls deploy --noDeploy and look at the contents of the update CloudFormation template file in .serverless/ and see where/if the policies are referenced in the roles (or vice versa).
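A script for doing that check mechanically, added here as an example and not part of the reply above or of the Serverless Framework: it reads the packaged template JSON and, for every AWS::IAM::Policy resource, reports which entries in Roles are a Ref to a role defined in the same template, which are literal names that merely match a RoleName defined there, and which name nothing in the template at all, then gives the inverse view per role. The distinction matters because CloudFormation only orders resource creation by Ref, Fn::GetAtt or DependsOn; a literal role name creates no dependency edge. The template path in the usage comment is an assumption about where Serverless writes the update template, and the embedded sample template is constructed for the example.

```python
"""Cross-check which roles a packaged CloudFormation template actually links
each AWS::IAM::Policy to.  Added example, not Serverless Framework code."""
import json
import sys

# Constructed sample template (not the poster's real output): the "logging"
# policy from the thread plus two AWS::IAM::Role resources.  The lambdaRole is
# listed by literal name, the receiver role via Ref, and "reporter" is a name
# that no role in this template defines.
SAMPLE_TEMPLATE = {
    "Resources": {
        "IamRoleLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {"RoleName": "serverless-event-dev-eu-west-1-lambdaRole"},
        },
        "ReceiverRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"RoleName": "serverless-event-dev-receiver"},
        },
        "logging": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "serverless-event-logging",
                "PolicyDocument": {"Version": "2012-10-17", "Statement": []},
                "Roles": [
                    "serverless-event-dev-eu-west-1-lambdaRole",
                    {"Ref": "ReceiverRole"},
                    "serverless-event-dev-reporter",
                ],
            },
        },
    }
}


def _iam_roles(template):
    """Return (role logical ids, {literal RoleName: logical id}).
    RoleName values that are intrinsic functions (dicts) cannot be matched
    by literal string and are skipped."""
    resources = template.get("Resources", {})
    roles = {lid for lid, r in resources.items() if r.get("Type") == "AWS::IAM::Role"}
    by_name = {}
    for lid in roles:
        name = resources[lid].get("Properties", {}).get("RoleName")
        if isinstance(name, str):
            by_name[name] = lid
    return roles, by_name


def classify_role_refs(template):
    """Map each AWS::IAM::Policy logical id to [(entry, status), ...].

    status:
      "ref"          {"Ref": <id>} of an AWS::IAM::Role in this template;
                     CloudFormation orders the role before the policy.
      "by-name"      literal string equal to a RoleName defined here; the
                     name matches but no dependency edge exists, so creation
                     order is not guaranteed without DependsOn.
      "external"     literal name not defined here (pre-existing role, or a
                     typo that only surfaces at deploy time).
      "dangling-ref" Ref to a logical id that is not an IAM role here.
    """
    resources = template.get("Resources", {})
    roles, by_name = _iam_roles(template)
    report = {}
    for lid, res in resources.items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        entries = []
        for entry in res.get("Properties", {}).get("Roles", []):
            if isinstance(entry, dict) and "Ref" in entry:
                status = "ref" if entry["Ref"] in roles else "dangling-ref"
            elif isinstance(entry, str) and entry in by_name:
                status = "by-name"
            else:
                status = "external"
            entries.append((entry, status))
        report[lid] = entries
    return report


def roles_to_policies(template):
    """Inverse view: role logical id -> sorted PolicyNames attached to it
    through AWS::IAM::Policy resources (by Ref or by matching RoleName)."""
    resources = template.get("Resources", {})
    roles, by_name = _iam_roles(template)
    attached = {lid: [] for lid in roles}
    for lid, entries in classify_role_refs(template).items():
        pname = resources[lid].get("Properties", {}).get("PolicyName", lid)
        for entry, status in entries:
            if status == "ref":
                attached[entry["Ref"]].append(pname)
            elif status == "by-name":
                attached[by_name[entry]].append(pname)
    return {lid: sorted(p) for lid, p in attached.items()}


if __name__ == "__main__":
    # Usage: python check_policy_roles.py .serverless/cloudformation-template-update-stack.json
    # (the path is an assumption about where Serverless writes the update
    # template); with no argument the constructed sample above is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            tpl = json.load(fh)
    else:
        tpl = SAMPLE_TEMPLATE
    for policy, entries in classify_role_refs(tpl).items():
        print(policy)
        for entry, status in entries:
            print(f"  {status:12} {entry}")
    for role, names in roles_to_policies(tpl).items():
        print(f"{role}: {names or '(no AWS::IAM::Policy attached)'}")
```

Any entry reported as "external" is a role the template never creates, so the attachment depends entirely on that role already existing in the account when the stack is updated; "by-name" entries work once the role exists but give CloudFormation no reason to create the role first.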

I’m a bit lost in the CloudFormation template but from my standpoint it appears that it’s ok too:

"logging": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "serverless-event-logging",
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          "Resource": "arn:aws:logs:eu-west-1:*:log-group:/aws/lambda/*:*:*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": {
            "Fn::Join": [
              "",
              [
                "arn:aws:s3:::",
                {
                  "Ref": "ServerlessDeploymentBucket"
                }
              ]
            ]
          }
        }
      ]
    },
    "Roles": [
      "serverless-event-dev-eu-west-1-lambdaRole",
      "serverless-event-dev-receiver",
      "serverless-event-dev-reporter",
      "serverless-event-dev-aggregator"
    ]
  }
},

Well, I just checked again and for reasons unknown to me all the roles ARE now getting updated.