AWS IAM Roles getting altered

QAnders · August 31, 2021, 8:41am

We’ve recently noticed that IAM roles are getting altered when deploying to AWS using Deploy, e.g. serverless deploy -s qa.

The Roles are added in ´serverelss.yml` and have been in there (and working) in previous versions of the Lambda.

iam:
    role:
      statements:
        - Effect: Allow
          Action:
            - 'dynamodb:*'
            - 's3:*'
            - 'ec2:CreateNetworkInterface'
            - 'ec2:DescribeNetworkInterfaces'
            - 'ec2:DeleteNetworkInterface'
            - 'logs:CreateLogGroup'
            - 'logs:CreateLogStream'
            - 'logs:PutLogEvents'
            - 'lambda:*'
            - 'ssm:*'
            - 'sqs:*'
          Resource: '*'

What we’ve noticed is that sometimes the IAM role is altered and just now the above deploy’ed IAM role was missing the ssm:* permission all of a sudden.

Why could that be happening?

pgrzesik · September 8, 2021, 8:45am

Hello @QAnders - that is quite surprising and I’ve never run into it previously. Are you using any external plugins? Do you have the ability to provide a small reproducible case?

QAnders · September 29, 2021, 2:50pm

Thanks @pgrzesik !

Turns out that CloudFormation had done a rollback and added the previous, previous working version which didn’t have the IAM setup…

Topic		Replies	Views
V1.65.0 changed the naming of AWS IAM roles which might be breaking change Serverless Framework aws , lambda , iam	0	505	March 2, 2020
Reducing admin role for serverless deployment Serverless Framework aws , lambda , iam	3	2335	September 4, 2024
I am seeing that sls deploy is auto-creating an IAM role for my Lambda functions Serverless Framework lambda	1	1040	October 1, 2019
How it works iamRoleStatements configuration section? Serverless Framework aws	6	24854	November 19, 2019
IAM permissions wiped out Serverless Framework lambda , iam	0	518	August 26, 2019

AWS IAM Roles getting altered

Related Topics