Generated policy is missing certain IAM permissions

In my serverless.yml file, I’ve got IAM statements that look like this:

    iamRoleStatements:
       - Effect: Allow
         Action:
           - s3:ListBucket
           - dynamodb:DescribeStream
           - dynamodb:GetRecords
           - dynamodb:GetShardIterator
           - dynamodb:ListStreams
           - dynamodb:GetItem
           - dynamodb:PutItem
           - dynamodb:BatchWriteItem
           - dynamodb:Scan
           - logs:CreateLogGroup
           - logs:CreateLogStream
           - logs:PutLogEvents
         Resource: "*"

But I’m not seeing all of these reflected in the generated policy. Specifically, it seems to be missing:

    s3:ListBucket
    dynamodb:GetItem
    dynamodb:PutItem
    dynamodb:BatchWriteItem
    dynamodb:Scan

I suspect that I’m getting some sort of default policy instead of the custom one I’m trying to make inside serverless.yml. Am I doing this wrong?

What IAM role did you check?

Did you wait for a while and check again? The role policy is not updated immediately; sometimes you have to wait for several minutes.

I actually worked around this issue by adding a role manually in the AWS console and then linking to it in the provider section of serverless.yml.
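
An added example, not part of the original thread: one way to check which declared actions a role's policy actually grants is to diff the action list from serverless.yml against the policy JSON copied from the IAM console. The function names and the sample policy below are constructed for illustration; the check looks only at Allow statements and their Action patterns, and does not evaluate Deny, Resource or Condition.

```python
import json
from fnmatch import fnmatchcase

# Actions declared under iamRoleStatements in the question.
DECLARED = [
    "s3:ListBucket", "dynamodb:DescribeStream", "dynamodb:GetRecords",
    "dynamodb:GetShardIterator", "dynamodb:ListStreams", "dynamodb:GetItem",
    "dynamodb:PutItem", "dynamodb:BatchWriteItem", "dynamodb:Scan",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
]

# Constructed sample policy, shaped like the result the question describes.
GENERATED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["dynamodb:GetRecords", "dynamodb:GetShardIterator",
                "dynamodb:DescribeStream", "dynamodb:ListStreams"],
     "Resource": "*"}
  ]
}
""")

def allowed_patterns(policy):
    """Collect lower-cased Action patterns from every Allow statement."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):      # Action may be a string or a list
            actions = [actions]
        patterns.extend(a.lower() for a in actions)
    return patterns

def missing_actions(declared, policy):
    """Return declared actions matched by no Allow pattern (wildcards honoured)."""
    patterns = allowed_patterns(policy)
    return [a for a in declared
            if not any(fnmatchcase(a.lower(), p) for p in patterns)]

if __name__ == "__main__":
    for action in missing_actions(DECLARED, GENERATED_POLICY):
        print("not granted:", action)
```
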