Permission boundary for internally created resources


According to the Serverless documentation, it allows adding a Lambda trigger for an existing S3 bucket using the flag existing: true. But it would create additional resources, as mentioned in the documentation:

NOTE: Using the existing config will add an additional Lambda function and IAM Role to your stack. The Lambda function backs-up the Custom S3 Resource which is used to support existing S3 buckets.

I get an error which doesn't allow creating such resources due to a permission issue. This issue should be mainly because of the lack of a permission boundary on the internally created resources.
For all the resources created, I need to attach a permission boundary.

service: my-service

custom: ${file(resources/configs.yml)}

package:
  individually: true

plugins:
  - serverless-bundle # Package our functions with Webpack

resources:
  Resources:
    # Role defined by us, so the boundary can be attached directly here
    IamFileReader:
      Type: 'AWS::IAM::Role'
      Properties:
        RoleName: file-read-role
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action:
                - 'sts:AssumeRole'
        ManagedPolicyArns:
          - ${self:custom.executionPolicyArn}
          - ${self:custom.vpcAccessPolicyArn}
        PermissionsBoundary: ${self:custom.permissionBoundaryArn}

provider:
  name: aws
  endpointType: PRIVATE
  runtime: nodejs12.x
  stage: dev
  region: us-east-1
  role:
    Fn::GetAtt:
      - IamRoleLambdaExecution
      - Arn
  vpc:
    securityGroupIds:
      - !Ref LambdaSecurityGroup
    subnetIds:
      - ${self:custom.Subnet1}
      - ${self:custom.Subnet2}

functions:
  upload-controller:
    handler: src/uploadHandler.uploadFiles
    name: upload-controller
    role:
      Fn::GetAtt:
        - IamFileReader
        - Arn
    events:
      - s3:
          bucket: existingBucketName
          event: s3:ObjectCreated:*
          # existing: true makes the framework add a custom resource, its Lambda
          # and a role (IamRoleCustomResourcesLambdaExecution) to the stack
          existing: true

The error I am getting is:

An error occurred: IamRoleCustomResourcesLambdaExecution - API: iam:CreateRole User: arn:aws:sts::xxx is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::yyy:role/xxx-IamRoleCustomResourcesLa-ZZZZ

The best way found so far is to upgrade to the latest version of SLS, 1.72 (tested).

Use extensions, something like the below. Extensions are used to override the stack's CF resources; just get the name of the resource right and you are all good.

resources:
  extensions:
    IamRoleCustomResourcesLambdaExecution:
      Properties:
        # !Sub does not expand the plugin-style #{...} form, and a bare
        # ${AWS::AccountId} is parsed as a Serverless variable, so join the ARN.
        PermissionsBoundary:
          Fn::Join: ['', ['arn:aws:iam::', { Ref: 'AWS::AccountId' }, ':policy/{name_of_ur_policy}']]

The complete example would be:

service:
  name: one5
provider:
  name: aws
  runtime: python3.8
  region: us-west-2

functions:
  importFPGroupDataToGA3:
    handler: handler.hello1
    role:
      Fn::GetAtt:
        - myDefaultRole
        - Arn

resources:
  Resources:
    myDefaultRole:
      Type: 'AWS::IAM::Role'
      Properties:
        RoleName: myrole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: 'sts:AssumeRole'
  # extensions are merged into the compiled resource of the same logical ID;
  # the same block works for framework-generated roles such as
  # IamRoleLambdaExecution and IamRoleCustomResourcesLambdaExecution
  extensions:
    myDefaultRole:
      Properties:
        PermissionsBoundary: 'arn:aws:iam::xxxxxxxxxxxx:policy/PermissionBoundary'
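As an added check that is not part of this thread or of the Serverless Framework: the permission denial on iam:CreateRole above is enforcing that every role in the stack carries the boundary, so after running sls package it is worth scanning the compiled template in .serverless/cloudformation-template-update-stack.json for any AWS::IAM::Role that lacks it, before deploying. The script below does that for both the extensions approach and the user-defined role from the examples above. The account ID, policy name and the embedded sample template are constructed for the example; it resolves a boundary written as a plain string or as an Fn::Join over literals and Ref AWS::AccountId, and reports any other intrinsic as unresolvable rather than silently passing it.

```python
import json
import sys

# Assumed values for the example; substitute your own.
ACCOUNT_ID = "123456789012"
REQUIRED_BOUNDARY = f"arn:aws:iam::{ACCOUNT_ID}:policy/PermissionBoundary"

# Constructed stand-in for .serverless/cloudformation-template-update-stack.json,
# using the logical IDs the framework generates plus a user-defined role.
SAMPLE_TEMPLATE = {
    "Resources": {
        "IamRoleLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {"PermissionsBoundary": REQUIRED_BOUNDARY},
        },
        "IamRoleCustomResourcesLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {},  # the role behind the error in the thread: no boundary
        },
        "myDefaultRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                # boundary built with Fn::Join, as the extensions snippet does
                "PermissionsBoundary": {"Fn::Join": ["", [
                    "arn:aws:iam::", {"Ref": "AWS::AccountId"},
                    ":policy/PermissionBoundary"]]},
            },
        },
        "UploadBucket": {"Type": "AWS::S3::Bucket"},
    }
}


def resolve(value, account_id):
    """Flatten a PermissionsBoundary value to a string.

    Handles plain strings, Ref AWS::AccountId, and Fn::Join over those.
    Anything else (Fn::Sub with a custom map, Ref to a parameter, ...)
    cannot be resolved offline and yields None.
    """
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and value.get("Ref") == "AWS::AccountId":
        return account_id
    if isinstance(value, dict) and "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        resolved = [resolve(p, account_id) for p in parts]
        if all(r is not None for r in resolved):
            return sep.join(resolved)
    return None


def find_unbounded_roles(template, required_boundary, account_id):
    """Return {logical_id: reason} for every AWS::IAM::Role whose
    PermissionsBoundary is absent, unresolvable, or not the required ARN."""
    problems = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        boundary = res.get("Properties", {}).get("PermissionsBoundary")
        if boundary is None:
            problems[logical_id] = "missing PermissionsBoundary"
            continue
        actual = resolve(boundary, account_id)
        if actual is None:
            problems[logical_id] = "PermissionsBoundary uses an intrinsic this check cannot resolve"
        elif actual != required_boundary:
            problems[logical_id] = f"unexpected boundary {actual}"
    return problems


def main(argv):
    """Usage: check_boundaries.py [path/to/cloudformation-template-update-stack.json]
    With no path the constructed SAMPLE_TEMPLATE is checked. Exit 1 on findings."""
    if len(argv) > 1:
        with open(argv[1]) as f:
            template = json.load(f)
    else:
        template = SAMPLE_TEMPLATE
    problems = find_unbounded_roles(template, REQUIRED_BOUNDARY, ACCOUNT_ID)
    for logical_id, reason in sorted(problems.items()):
        print(f"{logical_id}: {reason}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample template the script flags only IamRoleCustomResourcesLambdaExecution, which is the role the extensions block in the first reply is meant to fix; running it against the real packaged template after adding that block should produce no findings. Because it exits non-zero on findings it can sit in a CI step between sls package and sls deploy.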