Does it work if you do it in that order? I ended up with a separate script that created the user as a one-off and then just referenced that role in serverless.yml:
iamRoleARN: arn:aws:iam::XXXXXXXX:role/MyLambdaVpcExecutionRole
I think if your way works, it’s fewer moving parts though, so I’d rather do that.