Custom Resources Lambda using deploymentRole?

Hello,

I’m running into an issue: I want to control the rights given to CloudFormation when it comes to deploying a Serverless API. So, I create a role with just the required permissions and add this to the serverless.yml:

iam:
deploymentRole: arn:aws:iam::${aws:accountId}:role/cloudformation-serverless-execution-role

When I run this, execution fails with the following message:

An error occurred: CustomDashresourceDashapigwDashcwDashroleLambdaFunction - Resource handler returned message: "The role defined for the function cannot be assumed by Lambda.

This confused me for a while as I failed to understand how a role applied to CloudFormation could give me that error. Things got even more confusing when I simply removed the deploymentRole from serverless.yml after which everything worked perfectly (with the role still being used by CloudFormation as the stack already existed and so the IAM role remained in place).

I eventually looked into the serverless-state.json where I found this:

“CustomDashresourceDashapigwDashcwDashroleLambdaFunction”: {
“Type”: “AWS::Lambda::Function”,
“Properties”: {
“Code”: {
“S3Bucket”: {
“Ref”: “ServerlessDeploymentBucket”
},
“S3Key”: “serverless/demo-api/dev/1633590891473-2021-10-07T07:14:51.473Z/custom-resources.zip”
},
“FunctionName”: “demo-api-dev-custom-resource-apigw-cw-role”,
“Handler”: “apiGatewayCloudWatchRole/handler.handler”,
“MemorySize”: 1024,
“Runtime”: “nodejs12.x”,
“Timeout”: 180,
“Role”: “arn:aws:iam::XXXXXXXXXXXX:role/cloudformation-serverless-execution-role”
},

Why is the deploymentRole being applied to a Lambda function while the Serverless.yml reference page clearly states that this role is used for CloudFormation?

Seems like a bug to me because when not using the deploymentRole, a custom resources Lambda execution role gets generated that, as expected, has a very different policy than the policy I created for CloudFormation.

Just a guess, but the deployerRole is probably assumed by Cloudfront to deploy the actual resources, only after the Cloudformation template has been synthesised using the role/profile that the serverless cli is running under.

The deploymentRole is indeed assumed by CloudFront to deploy the actual resources. That is also what I want so no problem there.

The problem is: why is a role created for CloudFront being applied to a Lambda function (that as I understand it is being auto-generated for the Dashboard functionality which I don’t even use)?

If deploymentRole is present, it should only be applied to CloudFront and not to some auto-generated Lambda. When not using deploymentRole another role is generated for that Lambda which is also what should continue to happen when deploymentRole is being used as that auto-generated role works just fine.