Policy to describe ec2 instances

Hello, I have the following serverless.yaml

service: ebs
provider:
  name: aws
  runtime: python2.7

iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "logs:*"
    Resource: "arn:aws:logs:*:*:*"
  - Effect: "Allow"
    Action:
      - "ec2:Describe*"
    Resource: "*"
  - Effect: "Allow"
    Action:
      - "ec2:CreateSnapshot"
      - "ec2:ModifySnapshotAttribute"
      - "ec2:ResetSnapshotAttribute"
    Resource: ["*"]

When I try to invoke it, I get the following error:

"errorType": "ClientError",
"errorMessage": "An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation."

Looking at the Lambda role being created, these policies are not being added. If I manually modify the role policy, the function executes.

What am I missing?

Any advice is much appreciated.

The iamRoleStatements property (and its children) needs to be indented another level, i.e. it needs to be under the provider property:

service: ebs
provider:
  name: aws
  runtime: python2.7

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "logs:*"
      Resource: "arn:aws:logs:*:*:*"
    - Effect: "Allow"
      Action:
        - "ec2:Describe*"
      Resource: "*"
    - Effect: "Allow"
      Action:
        - "ec2:CreateSnapshot"
        - "ec2:ModifySnapshotAttribute"
        - "ec2:ResetSnapshotAttribute"
      Resource: ["*"]
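
A pre-deploy check for the mistake in this thread, as an added example that is not part of the original posts or of the Serverless Framework: it scans a serverless.yml by indentation and reports any `iamRoleStatements` key that is not a direct child of `provider`, which is the placement that left the statements off the Lambda role above. The function name, the `PROVIDER_ONLY_KEYS` set and the sample strings are assumptions made for illustration, and the scan is a plain indentation walk, not a full YAML parser.

```python
import re

# Keys that only take effect under `provider:` (just the one from this thread).
PROVIDER_ONLY_KEYS = {"iamRoleStatements"}
KEY_RE = re.compile(r"^( *)([A-Za-z_][\w-]*)\s*:")

def find_misplaced_keys(yaml_text):
    """Return (line_no, key, parent) for each provider-only key that is
    not a direct child of the top-level `provider` mapping."""
    findings, stack = [], []          # stack holds (indent, key) of open mappings
    for line_no, line in enumerate(yaml_text.splitlines(), 1):
        match = KEY_RE.match(line)
        if not match:                 # blank lines, comments, "- item" lines
            continue
        indent, key = len(match.group(1)), match.group(2)
        while stack and stack[-1][0] >= indent:
            stack.pop()               # close mappings at the same or deeper indent
        path = [k for _, k in stack]
        if key in PROVIDER_ONLY_KEYS and path != ["provider"]:
            findings.append((line_no, key, ".".join(path) or "<top level>"))
        stack.append((indent, key))
    return findings

# Constructed samples modelled on the two files in the thread.
BROKEN = """\
service: ebs
provider:
  name: aws
  runtime: python2.7

iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "ec2:Describe*"
    Resource: "*"
"""
FIXED = """\
service: ebs
provider:
  name: aws
  runtime: python2.7

  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "ec2:Describe*"
      Resource: "*"
"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, find_misplaced_keys(text))
```

Running it in CI before a deploy catches the problem earlier than the UnauthorizedOperation error at invoke time, and avoids the temptation to patch the role by hand.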

Thanks @rowanu, this fixed it.

No worries! I did exactly the same thing 4 days ago… :smiley: