I’m running into an issue: I want to control the rights given to CloudFormation when it comes to deploying a Serverless API. So, I create a role with just the required permissions and add this to the serverless.yml:
When I run this, execution fails with the following message:
An error occurred: CustomDashresourceDashapigwDashcwDashroleLambdaFunction - Resource handler returned message: "The role defined for the function cannot be assumed by Lambda.
This confused me for a while, as I failed to understand how a role applied to CloudFormation could give me that error. Things got even more confusing when I simply removed the deploymentRole from serverless.yml, after which everything worked perfectly (with the role still being used by CloudFormation, as the stack already existed and so the IAM role remained in place).
I eventually looked into the serverless-state.json where I found this:
Why is the deploymentRole being applied to a Lambda function while the Serverless.yml reference page clearly states that this role is used for CloudFormation?
Seems like a bug to me, because when not using the deploymentRole, a custom-resources Lambda execution role gets generated that, as expected, has a very different policy than the one I created for CloudFormation.
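The error quoted above ("The role defined for the function cannot be assumed by Lambda") is what Lambda returns when the trust policy of the role attached to a function does not allow the `lambda.amazonaws.com` service principal to call `sts:AssumeRole`. A quick way to confirm which function is wired to which role before deploying is to scan the compiled CloudFormation template for `AWS::Lambda::Function` resources and check each role's trust policy. The following script is an added example, not code from the original post or from the Serverless Framework. It assumes the compiled template is the object Serverless writes under `service.provider.compiledCloudFormationTemplate` in `.serverless/serverless-state.json`; the sample template, the `cfn-deploy-role` ARN, the account id and the trust policies below are constructed to mirror the situation described in the post, and roles that live outside the stack are looked up in a dictionary standing in for what `aws iam get-role` would return.

```python
"""Find Lambda functions in a compiled CloudFormation template whose IAM role
cannot be assumed by lambda.amazonaws.com (added example, not Serverless code)."""
import json
from typing import Any, Dict, Optional, Set, Tuple

# Actions that permit assuming the role (compared lower-case).
ASSUME_ROLE_ACTIONS = {"sts:assumerole", "sts:*", "*"}

# Constructed sample resembling the compiled template Serverless writes into
# .serverless/serverless-state.json (location is an assumption). The custom-resource
# function points at an external deployment role, as the post describes.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "CustomDashresourceDashapigwDashcwDashroleLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": "arn:aws:iam::123456789012:role/cfn-deploy-role"},
        },
        "HelloLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": {"Fn::GetAtt": ["IamRoleLambdaExecution", "Arn"]}},
        },
        "IamRoleLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Principal": {"Service": ["lambda.amazonaws.com"]},
                                   "Action": ["sts:AssumeRole"]}],
                }
            },
        },
    }
}

# Constructed trust policies for roles defined outside the stack (stand-in for
# `aws iam get-role --role-name ... --query Role.AssumeRolePolicyDocument`).
EXTERNAL_TRUST_POLICIES: Dict[str, Dict[str, Any]] = {
    "arn:aws:iam::123456789012:role/cfn-deploy-role": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "cloudformation.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }
}


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def service_principals(trust_policy: Dict[str, Any]) -> Set[str]:
    """Service principals that an Allow statement lets call sts:AssumeRole ('*' if open)."""
    principals: Set[str] = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ROLE_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")
            continue
        principals.update(_as_list(principal.get("Service")))
    return principals


def resolve_role(role_ref: Any, template: Dict[str, Any],
                 external: Dict[str, Dict[str, Any]]) -> Tuple[str, Optional[Dict[str, Any]]]:
    """Map a function's Role property (ARN string or Fn::GetAtt/Ref) to (id, trust policy)."""
    resources = template.get("Resources", {})
    if isinstance(role_ref, str):                      # role outside the stack
        return role_ref, external.get(role_ref)
    if isinstance(role_ref, dict):                     # role defined in the stack
        if "Fn::GetAtt" in role_ref:
            att = role_ref["Fn::GetAtt"]
            logical_id = att[0] if isinstance(att, list) else att.split(".")[0]
        else:
            logical_id = role_ref.get("Ref")
        if logical_id in resources:
            props = resources[logical_id].get("Properties", {})
            return logical_id, props.get("AssumeRolePolicyDocument")
        return json.dumps(role_ref, sort_keys=True), None
    return str(role_ref), None


def functions_with_unassumable_roles(template: Dict[str, Any],
                                     external: Dict[str, Dict[str, Any]]) -> Dict[str, str]:
    """Logical IDs of AWS::Lambda::Function resources whose role Lambda cannot assume."""
    findings: Dict[str, str] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::Lambda::Function":
            continue
        role_id, trust = resolve_role(resource.get("Properties", {}).get("Role"), template, external)
        if trust is None:
            findings[logical_id] = f"{role_id} (trust policy unknown)"
            continue
        allowed = service_principals(trust)
        if "lambda.amazonaws.com" not in allowed and "*" not in allowed:
            findings[logical_id] = role_id
    return findings


if __name__ == "__main__":
    print(json.dumps(functions_with_unassumable_roles(SAMPLE_TEMPLATE, EXTERNAL_TRUST_POLICIES), indent=2))
```

Run against the sample, the script reports only the custom-resource function, attached to the CloudFormation deployment role whose trust policy names `cloudformation.amazonaws.com` but not `lambda.amazonaws.com`; the application function, whose role is generated in the stack with a Lambda trust policy, passes. To run it against a real project, load the JSON state file and pass `state["service"]["provider"]["compiledCloudFormationTemplate"]` as the template, with trust policies fetched from IAM for any roles referenced by ARN.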