Newbie: trying to deploy I get "not authorized to perform: iam:CreateRole"

Hi, I’m trying to deploy a hello world Serverless Application for the first time in an enterprise environment. I do not have access to create or modify IAM policies or Roles.

I can assume a role, however, and I’m able to get permissions to use the AWS services as needed.

When I try to deploy my hello world application I get this error:

 ServerlessError: An error occurred: IamRoleLambdaExecution - API: iam:CreateRole User: arn:aws:sts::blahid:assumed-role/CloudCoreEng/aws-sdk-js-1570648874142 is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::blahid:role/lambda-hello-dev-us-east-1-lambdaRole with an explicit deny.

Why is serverless trying to create a Role? Is there a way around this?

Thanks,
Phil

2 Likes

Same error and question here. Why is a role to be created?

Serverless creates a role for lambda execution using iamRoleStatements. I think your assumed role has some permission boundary set by your organization. You can create a custom role with the permission boundary set and then use the role in the function you define…

1 Like
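An added example, not part of the original thread: a `serverless.yml` that points the service at a role created ahead of time by whoever administers IAM, so the generated CloudFormation stack contains no `IamRoleLambdaExecution` resource and the deploy never calls `iam:CreateRole`. The account ID, role name, runtime and handler are placeholders or assumptions; the service name, stage and region are inferred from the role ARN in the error above.

```yaml
# serverless.yml (added example; placeholder values are marked)
service: lambda-hello            # inferred from the role name in the error message

provider:
  name: aws
  runtime: nodejs18.x            # assumption: any supported runtime works
  stage: dev
  region: us-east-1

  # Use an existing execution role instead of letting the framework create one.
  # The role must already exist, trust lambda.amazonaws.com in its trust policy,
  # and carry whatever permissions boundary the organization requires.
  iam:
    role: arn:aws:iam::<ACCOUNT_ID>:role/<PRECREATED_LAMBDA_ROLE>   # placeholder ARN

  # Older framework releases use the provider-level key instead:
  # role: arn:aws:iam::<ACCOUNT_ID>:role/<PRECREATED_LAMBDA_ROLE>

  # Do not also rely on iamRoleStatements / iam.role.statements here.
  # With an explicit role ARN the framework does not generate a role,
  # so permissions must be granted on the pre-created role itself.

functions:
  hello:
    handler: handler.hello       # assumption: default hello-world handler
    # A per-function override is also possible:
    # role: arn:aws:iam::<ACCOUNT_ID>:role/<OTHER_PRECREATED_ROLE>
```

The deploying identity still needs `iam:PassRole` on the pre-created role, which can be scoped to that single role ARN. Running `serverless package` and checking that `.serverless/cloudformation-template-update-stack.json` contains no `AWS::IAM::Role` resource confirms the setting took effect before a deploy is attempted.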

Is it possible to use a predefined role? Allowing role creation is a security concern.