CloudFormation - CREATE_FAILED while using existing s3 bucket without `iam:CreateRole`

Hi,

I am trying to deploy a lambda function that gets triggered when an AVRO file is written to an existing s3 bucket. My serverless.yml configuration is as follows:

service: braze-lambdas

provider:
  name: aws
  runtime: python3.7
  region: us-west-1
  role: arn:aws:iam::<account_id>:role/<role_name>
  stage: dev
  deploymentBucket:
    name: serverless-framework-dev-us-west-1
    serverSideEncryption: AES256

functions:
  hello:
    handler: handler.hello
    events:
      - s3:
          bucket: <company>-dev-ec2-us-west-2
          existing: true
          events: s3:ObjectCreated:*
          rules:
            - prefix: gaurav/lambdas/123/
            - suffix: .avro

When I run serverless deploy, I get the following error:

ServerlessError: An error occurred: IamRoleCustomResourcesLambdaExecution - API: iam:CreateRole User: arn:aws:sts::<account_id>:assumed-role/serverless-framework-dev/jenkins_braze_lambdas_deploy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::<account_id>:role/braze-lambdas-dev-IamRoleCustomResourcesLambdaExec-1M5QQI6P2ZYUH. 

I see some mentions of serverless needing iam:CreateRole because of how CloudFormation works but can anyone confirm if that is the only solution if I want to use existing: true? Is there another way around it except using the old serverless plugin that was used prior to the framework adding support for the existing: true configuration?

Also, what is 1M5QQI6P2ZYUH in arn:aws:iam::<account_id>:role/braze-lambdas-dev-IamRoleCustomResourcesLambdaExec-1M5QQI6P2ZYUH? Is it a random identifier? Does this mean that serverless will try to create a new role every time I try to deploy the function?

1 Like