Generated policy is missing certain IAM permissions


#1

In my serverless.yml file, I’ve got IAM statements that look like this:

iamRoleStatements:
   - Effect: Allow
     Action:
       - s3:ListBucket
       - dynamodb:DescribeStream
       - dynamodb:GetRecords
       - dynamodb:GetShardIterator
       - dynamodb:ListStreams
       - dynamodb:GetItem
       - dynamodb:PutItem
       - dynamodb:BatchWriteItem
       - dynamodb:Scan
       - logs:CreateLogGroup
       - logs:CreateLogStream
       - logs:PutLogEvents
     Resource: "*"

But I’m not seeing all of these reflected in the generated policy. Specifically, it seems to be missing:

    s3:ListBucket
    dynamodb:GetItem
    dynamodb:PutItem
    dynamodb:BatchWriteItem
    dynamodb:Scan

I suspect that I’m getting some sort of default policy instead of the custom one I’m trying to make inside serverless.yml. Am I doing this wrong?


#2

What IAM role did you check?

Did you wait for a while and check again? The role policy is not updated immediately, sometime you have to wait for several minutes.


#3

I actually worked around this issue by adding a role manually in the AWS console and then linking to it in the provider section of serverless.yml.