Help regarding VPC and other external resource

Hi, I’m trying to deploy a serverless API (based on v1.x) whose functions should be in a given vpc with a given security group but my deployment attempts are all failing.

The VPC, subnets and security groups were all created previously. When I reference a vpc section under provider in my serverless.yml, the stack creation/update process fails with an error: Your access has been denied by EC2, please make sure your function execution role have permission to CreateNetworkInterface. EC2 Error Code: UnauthorizedOperation. EC2 Error Message: You are not authorized to perform this operation.

If I omit the vpc section and try to manually reconfigure the functions in the AWS web console to be in the vpc/subnet/sg, I get another error: Your role does not have VPC permissions. Please go back and select “Basic with VPC” under the role dropdown to add these permissions.

How should I deploy my services with this required configuration? Is there a sample that anyone could share?

Thanks in advance,

Eric

Ok, just found the answer in a GitHub issue. In the end I had to declare the vpc under provider and declare a managed policy in the resources section to update the IAM role.

provider:
  name: aws
  runtime: nodejs4.3
  vpc:
    securityGroupIds:
      - sg-xxxxxx
    subnetIds:
      - subnet-xxxxxx

resources:
  Resources:
    AWSLambdaVPCAccessExecutionRole:
      Type: AWS::IAM::ManagedPolicy
      Properties:
        Description: Policy for allowing vpc connection.
        # Attach the policy to the execution role the framework creates for the functions.
        Roles:
          - {"Ref": "IamRoleLambda"}
        PolicyDocument:
          Version: '2012-10-17'
          # Statement is a list of statement objects.
          Statement:
            - Effect: Allow
              Action:
                - "logs:CreateLogGroup"
                - "logs:CreateLogStream"
                - "logs:PutLogEvents"
                # Lambda creates and deletes ENIs in the subnets on the function's behalf.
                - "ec2:CreateNetworkInterface"
                - "ec2:DescribeNetworkInterfaces"
                - "ec2:DeleteNetworkInterface"
              Resource: "*"

This is also something we’re going to fix in the future. For now you can also add the statement to your provider config as outlined here: https://github.com/serverless/serverless/blob/master/docs/guide/custom-provider-resources.md#adding-custom-iam-role-statements

This means you can remove the managed policy completely and the IamRoleLambda will be extended.
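Putting the two pieces together, this is what the recommended form looks like: the VPC settings under provider and the ENI permissions in provider.iamRoleStatements, with no separate AWS::IAM::ManagedPolicy resource. This is an added example, not config from the original thread or from the Serverless docs; the service name, function and the sg-xxxxxx / subnet-xxxxxx IDs are placeholders, and the nodejs4.3 runtime is taken from the earlier post.

```yaml
# serverless.yml (added example; IDs are placeholders)
service: vpc-api

provider:
  name: aws
  runtime: nodejs4.3
  # Every function in the service is attached to these subnets and this security group.
  vpc:
    securityGroupIds:
      - sg-xxxxxx
    subnetIds:
      - subnet-xxxxxx
  # Extra statements merged into the execution role the framework creates,
  # so the AWS::IAM::ManagedPolicy resource from the earlier post is not needed.
  iamRoleStatements:
    # Lambda creates and deletes ENIs in the subnets on the function's behalf.
    # These actions are granted on "*" because the ENIs do not exist at deploy
    # time, so there is no ARN to scope them to; keep every other statement
    # in this role as narrow as the function actually needs.
    - Effect: Allow
      Action:
        - ec2:CreateNetworkInterface
        - ec2:DescribeNetworkInterfaces
        - ec2:DeleteNetworkInterface
      Resource: "*"

functions:
  hello:
    handler: handler.hello
```

After `serverless deploy`, the added statements show up in the inline policy of the generated execution role; `aws iam list-role-policies --role-name <role>` followed by `aws iam get-role-policy` lets you confirm the three ec2 actions are present, which is also exactly what the console's "Basic with VPC" check is looking for.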

Looks like that link is broken! I think this is the equivalent new content: https://github.com/serverless/serverless/blob/master/docs/02-providers/aws/02-iam.md

Here’s the example from that link:

# serverless.yml

service: new-service
provider:
  name: aws
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:ListBucket"
      # ListBucket is a bucket-level action, so the resource is the bucket ARN.
      Resource: { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "ServerlessDeploymentBucket" }]] }
    - Effect: "Allow"
      Action:
        - "s3:PutObject"
      # PutObject is an object-level action, so the resource needs the "/*" key suffix.
      Resource:
        Fn::Join:
          - ""
          - - "arn:aws:s3:::"
            - "Ref": "ServerlessDeploymentBucket"
            - "/*"

Now that link is broken. I think this is where it lives now: https://serverless.com/framework/docs/providers/aws/guide/iam/#the-default-iam-role