According to the Serverless documentation, it allows adding a Lambda trigger to an existing S3 bucket using the flag `existing: true`. But it would create additional resources, as mentioned in the documentation:

NOTE: Using the `existing` config will add an additional Lambda function and IAM Role to your stack. The Lambda function backs-up the Custom S3 Resource which is used to support existing S3 buckets.

I get an error which doesn't allow creating such resources due to a permission issue. This issue should mainly be because of the lack of a permissions boundary on the internally created resources.
For all the resources created, I need to attach a permissions boundary.
```yaml
service: my-service
custom: ${file(resources/configs.yml)}
package:
  individually: true
plugins:
  - serverless-bundle # Package our functions with Webpack
resources:
  Resources:
    IamFileReader:
      Type: 'AWS::IAM::Role'
      Properties:
        RoleName: file-read-role
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action:
                - 'sts:AssumeRole'
        ManagedPolicyArns:
          - ${self:custom.executionPolicyArn}
          - ${self:custom.vpcAccessPolicyArn}
        # Boundary attached explicitly to the role we define ourselves
        PermissionsBoundary: ${self:custom.permissionBoundaryArn}
provider:
  name: aws
  endpointType: PRIVATE
  runtime: nodejs12.x
  stage: dev
  region: us-east-1
  role:
    Fn::GetAtt:
      - IamRoleLambdaExecution
      - Arn
  vpc:
    securityGroupIds:
      - !Ref LambdaSecurityGroup
    subnetIds:
      - ${self:custom.Subnet1}
      - ${self:custom.Subnet2}
functions:
  upload-controller:
    handler: src/uploadHandler.uploadFiles
    name: upload-controller
    role:
      Fn::GetAtt:
        - IamFileReader
        - Arn
    events:
      - s3:
          bucket: existingBucketName
          event: s3:ObjectCreated:*
          # Bucket is not managed by this stack; Serverless adds a custom
          # resource Lambda plus its own IAM role to wire up the notification
          existing: true
```
The error I am getting is:

```text
An error occurred: IamRoleCustomResourcesLambdaExecution - API: iam:CreateRole User: arn:aws:sts::xxx is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::yyy:role/xxx-IamRoleCustomResourcesLa-ZZZZ
```
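One way to attach the boundary to the generated role, as an added example that is not part of the question above. The deploying principal's `iam:CreateRole` permission is typically conditioned on the `iam:PermissionsBoundary` key, so a role created without a boundary is denied; that is why `IamFileReader` (which carries a boundary) is created but the framework-generated `IamRoleCustomResourcesLambdaExecution` is not. The logical ID is taken from the error message; the example assumes that Serverless merges entries under `resources.Resources` onto its own generated resources by logical ID (its documented way of overriding generated CloudFormation resources), so only the added property is supplied and the generated trust policy and inline policies are kept:

```yaml
resources:
  Resources:
    # Logical ID of the role Serverless generates for the `existing: true`
    # custom resource Lambda (as named in the iam:CreateRole error).
    # Assumption: Serverless deep-merges this onto the generated role,
    # so only the missing PermissionsBoundary needs to be declared here.
    IamRoleCustomResourcesLambdaExecution:
      Type: AWS::IAM::Role
      Properties:
        PermissionsBoundary: ${self:custom.permissionBoundaryArn}
```

After `serverless package`, check `.serverless/cloudformation-template-update-stack.json` to confirm the merged role still has its `AssumeRolePolicyDocument` and `Policies` alongside the new `PermissionsBoundary` before deploying. Newer framework versions also expose a provider-level boundary setting (`provider.rolePermissionsBoundary` in v2, `provider.iam.role.permissionsBoundary` in v3) for the default execution role; whether the installed version propagates it to the custom-resources role is something to verify in the generated template, whereas the explicit override above does not depend on that.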