Assign a specific IAM role to each Lambda function using a role defined in the AWS account

aws

#1

I'm trying to apply an IAM Role defined in my AWS account to each Lambda function.
The Serverless docs example is something like this:

service: new-service

provider:
  name: aws
  ... # does not define role

functions:
  func0:
    role: myCustRole0   # logical ID of a role declared under resources below
    ...
  func1:
    role: myCustRole1
    ...

resources:
  Resources:
    myCustRole0:
      Type: AWS::IAM::Role
      Properties:
        Path: /my/cust/path/   # an IAM path must begin and end with "/"
        RoleName: MyCustRole0
        AssumeRolePolicyDocument:
          Version: '2012-10-17'   # the only valid policy-language version; '2017' is rejected
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: myPolicyName
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  # ${region} and ${accountId} are placeholders from the docs; substitute your values
                  Resource: arn:aws:logs:${region}:${accountId}:log-group:/aws/lambda/*:*:*
                - Effect: Allow   # only needed when the function runs inside a VPC
                  Action:
                    - ec2:CreateNetworkInterface
                    - ec2:DescribeNetworkInterfaces
                    - ec2:DetachNetworkInterface
                    - ec2:DeleteNetworkInterface
                  Resource: "*"
    myCustRole1:
      Type: AWS::IAM::Role
      Properties:
        Path: /my/cust/path/
        RoleName: MyCustRole1
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: myPolicyName
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow # note that these rights are given in the default policy and are required if you want logs out of your lambda(s)
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource: arn:aws:logs:${region}:${accountId}:log-group:/aws/lambda/*:*:*
                - Effect: Allow
                  Action:
                    - s3:PutObject
                  Resource:
                    Fn::Join:
                      - ""
                      - - "arn:aws:s3:::"
                        - Ref: ServerlessDeploymentBucket
                        - "/*"   # PutObject is an object-level action; the bare bucket ARN would never match

The difference between this code and what I want to do is that they're creating the IAM role in the .yml, whereas I want to assign an existing role from my AWS account to my functions.

I also found how it should be done to assign an existing role using the Role ARN:

service: new-service

provider:
  name: aws
  ... # does not define role

functions:
  func0:
    # ARN of an existing role: arn:aws:iam::<12-digit account id>:role/<path>/<name>
    # (the path starts right after "role/", so there is only one slash there)
    role: arn:aws:iam::0123456789:role/my/default/path/roleInMyAccount
    ...

This way isn't working for me; serverless ends up creating a new default IAM role for my functions anyway.

My .yml is:

# Welcome to Serverless!
#
# This file is the main config file for your service.
# It's very minimal at this point and uses default values.
# You can always add more config options for more control.
# We've included some commented out config examples here.
# Just uncomment any of them to get that config option.
#
# For full config options, check the docs:
#    docs.serverless.com
#
# Happy Coding!

service: content-create # NOTE: update this with your service name

# You can pin your service to only deploy with a specific Serverless version
# Check out our docs for more details
# frameworkVersion: "=X.X.X"

provider:
  name: aws
  runtime: nodejs4.3
  deploymentBucket: libelios.lambda-storage

# you can overwrite defaults here
  stage: beta
  region: eu-west-1

# you can add statements to the Lambda function's IAM Role here
#  iamRoleStatements:
#    - Effect: "Allow"
#      Action:
#        - "s3:ListBucket"
#      Resource: { "Fn::Join" : ["", ["arn:aws:s3:::", { "Ref" : "ServerlessDeploymentBucket" } ] ]  }
#    - Effect: "Allow"
#      Action:
#        - "s3:PutObject"
#      Resource:
#        Fn::Join:
#          - ""
#          - - "arn:aws:s3:::"
#            - "Ref" : "ServerlessDeploymentBucket"

# you can add packaging information here
#package:
#  exclude:
#    - exclude-me.js
#  artifact: my-service-code.zip

functions:
##############################################################
  createPano:
    handler: createPano.handler
    role: arn:aws:iam::447474556351:role/God

#    The following are a few example events you can configure
#    NOTE: Please make sure to change your handler code to work with those events
#    Check the event documentation for details
#    events:
#      - http:
#          path: users/create
#          method: get
#      - s3: ${env:BUCKET}
#      - schedule: rate(10 minutes)
#      - sns: greeter-topic
#      - stream: arn:aws:dynamodb:region:XXXXXX:table/foo/stream/1970-01-01T00:00:00.000

###############################################################
  createVideo:
    handler: createVideo.handler
    role: arn:aws:iam::447474556351:role/God

###############################################################
  createdbItem:
    handler: createdbItem.handler
    role: arn:aws:iam::447474556351:role/God

###############################################################

# you can add CloudFormation resource templates here
#resources:
#  Resources:
#    NewResource:
#      Type: AWS::S3::Bucket
#      Properties:
#        BucketName: my-new-bucket
#  Outputs:
#     NewOutput:
#       Description: "Description for the output"
#       Value: "Some output value"

#2

The documentation https://serverless.com/framework/docs/providers/aws/guide/iam/ mentions that you can directly specify the role, as you are trying to. Is the role getting created with the name that you provided or with some other default name?
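The question in the reply above (which role actually ends up attached?) can be answered without deploying, because `serverless package` (and `serverless deploy`) writes the CloudFormation template it is about to apply to `.serverless/cloudformation-template-update-stack.json`. The script below is an added example, not Serverless Framework code: it reads that template and reports every function whose `Role` is not the expected ARN, plus whether the stack still creates the framework's default role. It assumes two framework naming conventions, the generated default role's logical ID `IamRoleLambdaExecution` and one `AWS::Lambda::Function` resource per function whose `Role` is either a literal ARN or a `Fn::GetAtt` reference to a role in the same stack. The two templates embedded at the bottom are constructed samples standing in for real `serverless package` output.

```python
"""Audit the CloudFormation template generated by `serverless package` and
report which execution role each Lambda function really gets.

Added example for this thread, not Serverless Framework code.
"""
import json
import re
import sys

# IAM role ARN: 12-digit account id, "role/", optional path segments, then the name.
# A double slash (role//path/...) or a short account id fails this pattern.
ROLE_ARN_RE = re.compile(
    r"^arn:aws:iam::(\d{12}):role/((?:[\w+=,.@-]+/)*)([\w+=,.@-]+)$"
)

# Logical ID the framework uses for the role it generates itself (assumed convention).
DEFAULT_ROLE_ID = "IamRoleLambdaExecution"


def parse_role_arn(arn):
    """Return (account_id, path, role_name) for a well-formed role ARN, else None."""
    m = ROLE_ARN_RE.match(arn or "")
    if not m:
        return None
    account, path, name = m.groups()
    return account, "/" + path, name


def audit_template(template, expected_arn):
    """Return a list of findings. An empty list means every function's Role is
    expected_arn and no generated default role is present in the stack."""
    findings = []
    resources = template.get("Resources", {})
    if DEFAULT_ROLE_ID in resources:
        findings.append(
            f"stack still creates {DEFAULT_ROLE_ID}: at least one function "
            "did not receive the custom role"
        )
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::Lambda::Function":
            continue
        role = res.get("Properties", {}).get("Role")
        if isinstance(role, dict):
            # An intrinsic reference points at a role created in this stack,
            # which is exactly the "new default role" symptom.
            findings.append(
                f"{logical_id}: Role resolves to {json.dumps(role)}, not {expected_arn}"
            )
        elif role != expected_arn:
            findings.append(f"{logical_id}: Role is {role!r}, expected {expected_arn!r}")
    return findings


# Constructed sample templates (not real `serverless package` output):
# BROKEN_TEMPLATE reproduces the symptom from the original post,
# FIXED_TEMPLATE is what a correct package looks like.
EXPECTED_ARN = "arn:aws:iam::447474556351:role/God"

BROKEN_TEMPLATE = {
    "Resources": {
        DEFAULT_ROLE_ID: {"Type": "AWS::IAM::Role", "Properties": {}},
        "CreatePanoLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": EXPECTED_ARN},
        },
        "CreateVideoLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": {"Fn::GetAtt": [DEFAULT_ROLE_ID, "Arn"]}},
        },
    }
}

FIXED_TEMPLATE = {
    "Resources": {
        "CreatePanoLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": EXPECTED_ARN},
        },
        "CreateVideoLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": EXPECTED_ARN},
        },
    }
}


def main(argv):
    """Usage: audit_roles.py <template.json> <expected role ARN>; no args runs the sample."""
    if len(argv) == 3:
        with open(argv[1]) as fh:
            template, expected = json.load(fh), argv[2]
    else:
        template, expected = BROKEN_TEMPLATE, EXPECTED_ARN
    if parse_role_arn(expected) is None:
        print(f"expected role ARN is malformed: {expected}")
        return 2
    findings = audit_template(template, expected)
    for finding in findings:
        print(finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_roles.py .serverless/cloudformation-template-update-stack.json arn:aws:iam::447474556351:role/God` right after `serverless package`; a non-zero exit with a line naming `IamRoleLambdaExecution` is the "default role created anyway" case from the question, and the function lines tell you which `role:` entries were not honoured.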