I know this is an old thread, but Google leads here so I’m replying for other people.
The reason the role assignment is failing is because it’s trying to assign the default lambda role to the Firehose, and the permissions on that role are not set up for assignment. Serverless Framework does not expose the AssumeRolePolicyDocument on the default role, so you have to create a new role specifically for your Firehose and then assign it.
There might be an easier way to do this, but the example below works.
```yaml
resources:
  Resources:
    FirehoseRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:service}-${self:provider.stage}-FirehoseRole
        # Trust policy: lets the Firehose service assume this role.
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - firehose.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: root
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  # s3:* is broader than delivery needs; it can be narrowed.
                  Action: s3:*
                  Resource:
                    - Fn::Sub: arn:aws:s3:::${self:service}-${self:provider.stage}-data
                    # Object-level actions such as s3:PutObject match the
                    # object ARN (bucket/*), not the bucket ARN alone.
                    - Fn::Sub: arn:aws:s3:::${self:service}-${self:provider.stage}-data/*
    MyFirehose:
      Type: AWS::KinesisFirehose::DeliveryStream
      Properties:
        DeliveryStreamName: ${self:service}-${self:provider.stage}-MyFirehose
        S3DestinationConfiguration:
          BucketARN:
            Fn::Sub: arn:aws:s3:::${self:service}-${self:provider.stage}-data
          BufferingHints:
            IntervalInSeconds: 300
            SizeInMBs: 5
          CompressionFormat: UNCOMPRESSED
          RoleARN:
            Fn::GetAtt: [FirehoseRole, Arn]
```
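
The trust-policy mismatch described in the post above can be checked before deploying. The following is an added example, not part of the original post: `service_can_assume` is a hypothetical helper, and the Lambda-role trust policy is a constructed sample assumed to resemble a Lambda execution role.

```python
# Constructed sample: trust policy shaped like a Lambda execution role's (assumption).
LAMBDA_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["lambda.amazonaws.com"]},
        "Action": ["sts:AssumeRole"],
    }],
}
# Trust policy of the FirehoseRole defined in the post above.
FIREHOSE_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["firehose.amazonaws.com"]},
        "Action": "sts:AssumeRole",
    }],
}

def _as_list(value):
    """IAM accepts either a single string or a list for these fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def service_can_assume(trust_policy, service):
    """True if `service` is allowed sts:AssumeRole and no statement denies it.

    Condition blocks are not evaluated (simplification in this example).
    """
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            matches = service in _as_list(principal.get("Service"))
        else:
            matches = principal == "*"
        if not matches:
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed
```

The same function can be run on the `AssumeRolePolicyDocument` returned by `aws iam get-role` for whichever role a delivery stream's `RoleARN` points at.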