My serverless.yml file looks like this
service: ham-services-elasticsearch custom: # Our stage is based on what is passed in when running serverless # commands. Or fallsback to what we have set in the provider section. stage: ${opt:stage, self:provider.stage} provider: name: aws runtime: nodejs8.10 stage: dev region: eu-west-1 iamRoleStatements: - Effect: Allow Action: - es:* Resource: 'arn:aws:es:#{AWS::Region}:#{AWS::AccountId}:domain/*' resources: Resources: HamElasticSearch: Type: "AWS::Elasticsearch::Domain" Properties: ElasticsearchVersion: "6.5" DomainName: "ham-management" ElasticsearchClusterConfig: DedicatedMasterEnabled: false InstanceCount: "1" ZoneAwarenessEnabled: false InstanceType: "t2.small.elasticsearch" EBSOptions: EBSEnabled: true Iops: 0 VolumeSize: 10 VolumeType: "gp2" AccessPolicies: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: AWS: "arn:aws:iam::#{AWS::AccountId}:user/ts-hga" Action: "es:*" Resource: "arn:aws:es:#{AWS::Region}:#{AWS::AccountId}:domain/*" AdvancedOptions: rest.action.multi.allow_explicit_index: "true" Outputs: HamElasticSearchArn: Value: Fn::GetAtt: - HamElasticSearch - DomainArn Export: Name: ${self:provider.stage}-HamElasticSearchArn HamElasticSearchEndPoint: Value: Fn::GetAtt: - HamElasticSearch - DomainEndpoint Export: Name: ${self:provider.stage}-HamElasticSearchEndPoint plugins: - serverless-pseudo-parameters
When I do serverless deploy I am getting below error in the terminal
An error occurred: HamElasticSearch - User: arn:aws:iam::**{AccountID}**:user/ts-hga is not authorized to perform: es:AddTags on resource: arn:aws:es:eu-west-1:**{AccountID}**:domain/* (Service: AWSElasticsearch; Status Code: 403; Error Code: AccessDeniedException; Request ID: dfd4f4a0-8603-11e9-86db-ff5f56201154).
What could be the potential reason for the same?. Any help would be greatly appreciated.