Carrying on from Alleviating continuous headaches I’m trying to get my lambdas to deploy from a git push from the master branch using Travis CI.
However the user / policy I’m thinking that I need to setup for the CI via AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY seems to be quite over reaching (to say the least!), since it needs to be able to orchestrate any AWS resource IIUC from the IAM stanzas in serverless.yml
Short of specifying my own power user keys, why do you guys recommend I do? I think this is AWS’s response: http://docs.aws.amazon.com/lambda/latest/dg/automating-deployment.html but I couldn’t find serverless’s documentation on the matter.
With Apex.run, the following policy is sufficient I think, because the role that it runs in has the assigned permissions after the fact.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lambda:*"
],
"Resource": [
"arn:aws:lambda:REGION:ACCOUNT_ID:function:*"
]
}
]
}
But with serverless I get:
ServerlessError: ServerlessError: User: arn:aws:iam::ACCOUNT_ID:user/travis-lambda-deploy
is not authorized to perform: cloudformation:DescribeStackResources
So what’s the right deployment policy for the sls framework?
Sidenote: One important element missing from sls deploy list is that I can’t see who uploaded a lambda change. It’s happened before and I’m sure it will happen again, when a deployment is corrupted since someone overwrote a working lambda with a bad node_modules state or something silly like that (node 8), and I want to root out those sort of issues.