iam:PutRolePolicy needed when using custom IAM role - why?

hi,

I was quite excited to see that we can now specify existing roles for the lambdas: https://serverless.com/framework/docs/providers/aws/guide/iam/

Our developers (and Jenkins) do not have an AWS role with IAM, so currently when deploying a stage for the first time, it has to be done by an admin (like me) who has IAM rights. After the initial deploy, the devs can now deploy (without IAM rights). However, this is tedious and we’d like Serverless not to need IAM rights at all.

This is because our developers are not allowed to have IAM permissions. However, when I try to deploy using a custom role like this:

provider:
  name: aws
  runtime: nodejs4.3
  role: arn:aws:iam::531840447582:role/uca-api-chrisd-IamRoleLambdaExecution-JTSXKY12ZTEC

using Serverless with no IAM permissions, I get errors that it requires iam:PutRolePolicy.

This is probably valid, but can anyone help me understand why?

cheers,
Chris.


The update stack command that Serverless uses to deploy your service requires IAM privileges, even if there’s no actual change to the IAM resources.

Actually @rowanu, I’ve since found that if you have a clean slate (i.e. deploying a new service), then you do not need IAM rights at all, as long as you reference an existing role.

I think the PutRolePolicy was because I had an existing service which I changed to reference an existing role.

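The situation Chris describes (an existing service switched from the Serverless-generated execution role to an existing role ARN) can be checked before deploying by diffing the IAM resources in the old and new CloudFormation templates. The script below is an added example, not code from the thread or from the Serverless Framework; the two templates are constructed to mirror the thread's scenario and the role ARN uses a placeholder account id.

```python
"""Added example: report which IAM resources a CloudFormation stack update
would have to add, remove or modify. A non-empty result is the case where a
deploy principal without iam:* permissions (like the developers in the
thread) can be expected to hit errors such as iam:PutRolePolicy."""
import json

IAM_TYPES = ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy")

# Constructed "before" template: the role Serverless generates by default.
BEFORE = {
    "Resources": {
        "IamRoleLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {"RoleName": "uca-api-chrisd-IamRoleLambdaExecution"},
        },
        "HelloLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Role": {"Fn::GetAtt": ["IamRoleLambdaExecution", "Arn"]}},
        },
    }
}

# Constructed "after" template: provider.role points at an existing role, so
# the generated role is gone and the function references the ARN directly.
AFTER = {
    "Resources": {
        "HelloLambdaFunction": {
            "Type": "AWS::Lambda::Function",
            # placeholder account id, not a real account
            "Properties": {"Role": "arn:aws:iam::123456789012:role/existing-role"},
        },
    }
}


def iam_changes(before, after):
    """Return the IAM logical ids the update would add, remove or modify."""
    b = {k: v for k, v in before.get("Resources", {}).items() if v.get("Type") in IAM_TYPES}
    a = {k: v for k, v in after.get("Resources", {}).items() if v.get("Type") in IAM_TYPES}
    same = lambda x, y: json.dumps(x, sort_keys=True) == json.dumps(y, sort_keys=True)
    return {
        "add": sorted(set(a) - set(b)),
        "remove": sorted(set(b) - set(a)),
        "modify": sorted(k for k in set(a) & set(b) if not same(a[k], b[k])),
    }


def touches_iam(before, after):
    """True when the update creates, deletes or changes any IAM resource."""
    return any(iam_changes(before, after).values())


if __name__ == "__main__":
    print(json.dumps(iam_changes(BEFORE, AFTER), indent=2))
    print("fresh deploy touches IAM:", touches_iam({}, AFTER))
```

Switching the existing stack removes `IamRoleLambdaExecution`, so `touches_iam(BEFORE, AFTER)` is true, while a fresh deploy of the `AFTER` template (empty "before" stack) touches no IAM resource at all.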