We are trying to create an IAM Role with the Serverless Framework, but the Role used by our CI/CD process has the AdministratorAccess policy and a permissions boundary that restricts iam:*. However, it allows a few IAM permissions when a specific resource tag is applied to the IAM resource being managed.
{
    "Condition": {
        "StringEquals": {
            "aws:ResourceTag/managedby": [
                "terraform",
                "gitlab"
            ]
        }
    },
    "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:PutRolePolicy",
        "iam:TagRole",
        "iam:DeleteRolePolicy",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:UnTagRole"
    ],
    "Resource": "*",
    "Effect": "Allow"
}
It seems like Serverless is trying to create the role and then apply the tags after creation, instead of passing them as part of the CreateRole API call.
This is an example of the iamrole.yaml file from our project:
Resources:
  MyAppSyncCustomRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: MyAppSyncCustomRole-${opt:stage}
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "appsync.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "MyAppSyncCustomPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: "LambdaFunction1"
                Effect: "Allow"
                Action:
                  - "lambda:InvokeFunction"
                Resource:
                  - ${file(shared/${opt:stage}_env.yml):LambdaWildCardArn}
      Tags:
        - Key: managedby
          Value: gitlab
The sanitized error we get is:
User: arn:aws:sts:::assumed-role/ is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::******:role/MyAppSyncCustomRole-prod because no permissions boundary allows the iam:CreateRole action (Service: Iam, Status Code: 403, Request ID: *********)
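An added illustration of how a permissions boundary can cover the creation-time case; this is not the poster's policy and is not part of the question above. At the moment iam:CreateRole is evaluated the role does not exist yet, so an aws:ResourceTag condition has nothing to match even when the request carries tags; tags supplied in the request are matched with aws:RequestTag instead. The split below keeps the original aws:ResourceTag statement for actions on roles that already exist and adds a separate statement for creation; including iam:TagRole next to iam:CreateRole is an assumption that tagging at creation time is authorized as a tag operation.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateRolesThatCarryTheManagedbyTag",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:TagRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/managedby": [
            "terraform",
            "gitlab"
          ]
        }
      }
    },
    {
      "Sid": "ManageExistingRolesAlreadyTaggedManagedby",
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:UntagRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/managedby": [
            "terraform",
            "gitlab"
          ]
        }
      }
    }
  ]
}
```

Because the first statement keys only on the request tag, it also lets the pipeline principal stamp managedby on any pre-existing role and then manage it through the second statement; narrowing "Resource" in the first statement to the ARN prefix of the roles the pipeline is meant to create removes that path.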