AWS IAM Roles getting altered

We’ve recently noticed that IAM roles are getting altered when deploying to AWS using Deploy, e.g. `serverless deploy -s qa`.

The Roles are added in `serverless.yml` and have been in there (and working) in previous versions of the Lambda.

```yaml
iam:
  role:
    statements:
      - Effect: Allow
        Action:
          - 'dynamodb:*'
          - 's3:*'
          - 'ec2:CreateNetworkInterface'
          - 'ec2:DescribeNetworkInterfaces'
          - 'ec2:DeleteNetworkInterface'
          - 'logs:CreateLogGroup'
          - 'logs:CreateLogStream'
          - 'logs:PutLogEvents'
          - 'lambda:*'
          - 'ssm:*'
          - 'sqs:*'
        Resource: '*'
```

What we’ve noticed is that sometimes the IAM role is altered, and just now the above deployed IAM role was missing the `ssm:*` permission all of a sudden.

Why could that be happening?

Hello @QAnders - that is quite surprising and I’ve never run into it previously. Are you using any external plugins? Do you have the ability to provide a small reproducible case?

Thanks @pgrzesik !

Turns out that CloudFormation had done a rollback and added the previous, previous working version which didn’t have the IAM setup…

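A post-deploy check for the situation this thread ended on, as an added example that is not part of the original posts: it flags stack-level rollback events and lists the actions from the `serverless.yml` above that the deployed role policy no longer grants. It assumes the events have the shape returned by `aws cloudformation describe-stack-events` and the policy document the shape returned by `aws iam get-role-policy`; the stack name, resource name, timestamps and sample policy are constructed.

```python
from fnmatch import fnmatchcase

# Actions declared under iam.role.statements in the serverless.yml from the thread.
EXPECTED = ["dynamodb:*", "s3:*", "ec2:CreateNetworkInterface",
            "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
            "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
            "lambda:*", "ssm:*", "sqs:*"]
STACK = "AWS::CloudFormation::Stack"

# Constructed sample data (assumption): a failed update followed by a rollback.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "LogicalResourceId": "my-service-qa",
     "ResourceType": STACK, "ResourceStatus": "UPDATE_IN_PROGRESS"},
    {"Timestamp": "2024-01-01T10:01:00Z", "LogicalResourceId": "ExampleLambdaFunction",
     "ResourceType": "AWS::Lambda::Function", "ResourceStatus": "UPDATE_FAILED"},
    {"Timestamp": "2024-01-01T10:01:05Z", "LogicalResourceId": "my-service-qa",
     "ResourceType": STACK, "ResourceStatus": "UPDATE_ROLLBACK_IN_PROGRESS"},
    {"Timestamp": "2024-01-01T10:02:00Z", "LogicalResourceId": "my-service-qa",
     "ResourceType": STACK, "ResourceStatus": "UPDATE_ROLLBACK_COMPLETE"},
]
# Constructed policy as the rolled-back role might carry it: no ssm:* entry.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "dynamodb:*", "s3:*", "ec2:*NetworkInterface*", "lambda:*", "sqs:*"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]},
]}

def rollback_events(events):
    """Stack-level events whose status shows CloudFormation rolled the stack back."""
    return [e for e in events
            if e["ResourceType"] == STACK and "ROLLBACK" in e["ResourceStatus"]]

def _as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value)

def missing_actions(expected, policy_document):
    """Expected actions that no Allow statement covers (Resource scope is ignored)."""
    allowed = [a.lower() for s in _as_list(policy_document["Statement"])
               if s.get("Effect") == "Allow" for a in _as_list(s.get("Action", []))]
    # IAM action names are case-insensitive; '*' and '?' in the policy are wildcards.
    return [a for a in expected
            if not any(fnmatchcase(a.lower(), pattern) for pattern in allowed)]

if __name__ == "__main__":
    for event in rollback_events(SAMPLE_EVENTS):
        print("rollback:", event["Timestamp"], event["ResourceStatus"])
    print("missing from deployed role:", missing_actions(EXPECTED, SAMPLE_POLICY))
```

Running a check like this after each deploy makes a silent rollback visible before the missing permission shows up as a runtime `AccessDenied`.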