I am trying to deploy a lambda function that gets triggered when an AVRO file is written to an existing s3 bucket. My serverless.yml configuration is as follows:
service: braze-lambdas

provider:
  name: aws
  runtime: python3.7
  region: us-west-1
  role: arn:aws:iam::<account_id>:role/<role_name>
  stage: dev
  deploymentBucket:
    name: serverless-framework-dev-us-west-1
    serverSideEncryption: AES256

functions:
  hello:
    handler: handler.hello
    events:
      - s3:
          bucket: <company>-dev-ec2-us-west-2
          existing: true
          events: s3:ObjectCreated:*
          rules:
            - prefix: gaurav/lambdas/123/
            - suffix: .avro
When I run serverless deploy, I get the following error:
ServerlessError: An error occurred: IamRoleCustomResourcesLambdaExecution - API: iam:CreateRole User: arn:aws:sts::<account_id>:assumed-role/serverless-framework-dev/jenkins_braze_lambdas_deploy is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::<account_id>:role/braze-lambdas-dev-IamRoleCustomResourcesLambdaExec-1M5QQI6P2ZYUH.
I see some mentions of serverless needing iam:CreateRole because of how CloudFormation works, but can anyone confirm if that is the only solution if I want to use existing: true? Is there another way around it except using the old serverless plugin that was used prior to the framework adding support for the existing: true configuration?
Also, what is arn:aws:iam::<account_id>:role/braze-lambdas-dev-IamRoleCustomResourcesLambdaExec-1M5QQI6P2ZYUH? Is it a random identifier? Does this mean that serverless will try to create a new role every time I try to deploy the function?