Problem deploying serverless when using non admin credentials


#1

Hello all,
I am trying to use serverless with my CI tool (codeship) however I do not wish to give codeship admin credentials, and for that reason I am trying to create a more restrictive permission set, which I am trying to create by myself.
After a lot of trial and error, I almost made it. However I get an error on almost the last part. The error is “Access Denied” and it doesn’t mean much to me, in previous steps I was able to “guess” the missing permissions and solve it, however now I don’t really know what I’m missing.

I tried it with admin access to see the difference, and I am really close.
I get to: Serverless: Stack update finished…
And then get “Access Denied”.
The next step is supposed to be: Serverless: Removing old service versions…
However that line is never printed.
Can anyone suggest the actions that serverless takes after the Stack update finished part, so I can add the right permissions for the user?

Thanks a lot!!


#2

It sounds like the CI system doesn’t have access to your AWS credentials.

Those will need to be exposed as env variables in codeship.

export AWS_ACCESS_KEY_ID=<your-key-here>
export AWS_SECRET_ACCESS_KEY=<your-secret-key-here>

#3

Hey David,
The credentials are loaded and work.
I get very far in the process, the function is created and the stack is updated.
The problem is that I didn’t give “*” permissions to the AWS user, but I gave it restrictive permissions.
It fails on something after the stack is updated, and I am trying to find out what it can be.

Omer


#4

The framework runs a number of different aws sdk calls and will need those permissions.

We don’t have a comprehensive list of this handy but this search should show most/all of the services that the framework calls https://github.com/serverless/serverless/search?utf8=✓&q=this.provider.request&type=Code


#5

Hi David,
Your suggestion helped a lot, as I added a console log for every aws request that comes out.
Thus I was able to get the correct IAM restrictive access permissions that let me use serverless deploy, and serverless deploy show, without admin access. Only giving the deployer the exact access he needs, to the resources and actions needed.
Of course this is without extra resources only a simple function deployment, but adding permissions for exact resources is much easier later I assume.
I will later try and make serverless remove work as well (Missing some actions I guess)
I suggest this restrictive access permission policy to be used by anyone who doesn’t want to give his deployment machine AMI admin access, which is extremely permissive.
I will post it later after I get the remove to work
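
Added example, not part of the thread and not Serverless code: the request-logging approach described in post #5, written as a wrapper that records each (service, method) pair and turns the set into a draft IAM policy. The `request(service, method, params)` stub, the sample calls and the `REPLACE_WITH_SPECIFIC_ARNS` placeholder are assumptions; the name mapping is a heuristic, with two S3 exceptions listed.

```javascript
'use strict';

// SDK operations whose IAM action is not simply service:Operation.
// Only the S3 cases used by the constructed sample are listed here.
const ACTION_OVERRIDES = {
  'S3.listObjectsV2': 's3:ListBucket',
  'S3.upload': 's3:PutObject',
};

// Wrap a request function so every (service, method) pair is recorded.
function recordRequests(requestFn, seen = new Set()) {
  const wrapped = (service, method, params) => {
    seen.add(`${service}.${method}`);
    return requestFn(service, method, params);
  };
  wrapped.seen = seen;
  return wrapped;
}

// Heuristic: lower-case service prefix, PascalCase operation name.
function toIamAction(call) {
  if (ACTION_OVERRIDES[call]) return ACTION_OVERRIDES[call];
  const [service, method] = call.split('.');
  return `${service.toLowerCase()}:${method[0].toUpperCase()}${method.slice(1)}`;
}

// Build a draft policy; Resource is a placeholder to narrow to real ARNs.
function draftPolicy(seen) {
  const actions = [...seen].map(toIamAction);
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Action: [...new Set(actions)].sort(),
      Resource: 'REPLACE_WITH_SPECIFIC_ARNS',
    }],
  };
}

// Constructed sample: a stub standing in for the real AWS call path.
const request = recordRequests(async () => ({}));
const sampleCalls = [
  ['CloudFormation', 'describeStacks'], ['CloudFormation', 'validateTemplate'],
  ['S3', 'upload'], ['CloudFormation', 'updateStack'],
  ['S3', 'listObjectsV2'], ['CloudFormation', 'describeStacks'],
];
const done = Promise.all(sampleCalls.map(([s, m]) => request(s, m, {})));
done.then(() => console.log(JSON.stringify(draftPolicy(request.seen), null, 2)));
```

Run the deploy once with broad credentials in a sandbox account to collect the calls, then check each derived action against the IAM action reference before attaching the policy to the CI user.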


#6

In case anyone is interested, here’s a pretty restrictive IAM access permission policy that will let you deploy and remove simple functions (to add resources, you will need to add specific permissions for each resource), but this lets you create/remove/update functions and create the S3 bucket for the deployment zips. This uses a custom role for the functions, but can be changed to include the autocreated roles, if you change to their names instead.

The policy: http://pastebin.com/6af4f6RF

I suggest moving in general to the minimal access permission for the deployer, and increase it as needed, and also put something in the serverless docs about this.
A lot of companies cannot give their deployment machines (which can be a cloud CI for example) admin access to AWS.


#7

The fact that you need to go potentially read code to understand how to address this issue is a bug in serverless’ error messages IMO. The error message printed should really be more informative than just “Access Denied”. Access to what was denied?


#8

This was a good start but it's missing
cloudformation:ValidateTemplate

I agree that this should just be in the serverless docs.


#9

Is there an update to this? 11 months later and in version 1.27.3? I still get the same error.


#10

My error was that the user did not have permissions to the S3 buckets where the zip files are uploaded. I had to give full access; the error should say exactly what permissions are needed.