Deploy function from a different IAM account than the one that created the stack



I deployed my first serverless app into an AWS account and, as per the docs' suggestion, I first created an IAM user with admin rights. All went well, I deployed my stack.

Now I would like to automate the deployment of only the lambda, with the "--function <func_name>" option. This, from what I read, bypasses the creation of the entire stack and just updates the lambda. I also understand that this operation requires far fewer IAM privileges than creating the entire stack.

That’s why I would have 2 IAM accounts:

  1. serverless-stack-deployer - the account with the full set of permissions required to create/update/delete the stack. Right now I’m using Administrator but I plan to work on narrowing the necessary permissions down.
  2. the account that would run under the CI process that has privileges only to update the lambda. I created another IAM user, also belonging to the Admins group.

Then I ran into a problem: when I run "serverless deploy --function " under the new administrator’s permissions, I get the following output:

Serverless Error ---------------------------------------

The function “render” you want to update is not yet deployed. Please run “serverless deploy” to deploy your service. After that you can redeploy your services functions with the “serverless deploy function” command.

It looks like the entire stack is not visible to any IAM account other than the one that was used to create it. Am I right or did I miss something? How can I work on the same serverless stack with different IAM users?

Or maybe I am just missing some key concepts here? Maybe it is good practice to always run “serverless deploy” (recreating the entire stack) under the CI process instead of just updating the lambda? I know that this doesn’t solve my main question but I’d appreciate your feedback on how I should approach CI automation here.

