I’ve got a serverless config that deploys ok using my existing AWS credentials.
Version 1.9.0 introduced a provider.cfnRole key for AWS that allows you to specify a role to be assumed to perform deployment. We use this approach extensively for CloudFront etc. already.
However, when I put a role ARN in here I get the error:
Serverless Error ---------------------------------------
Cross-account pass role is not allowed
I’m guessing this isn’t a bug, but I’ve missed some other step. Anyone got any idea?
The issue is that pass role is not intended to change accounts, just limit the permissions used when deploying (to a specific role).
You should be able to specify a profile that uses a cross-account role (see the CLI docs for more detail), as long as you don’t require MFA.
If you need MFA (like I do), you’ll need to do a “manual” STS assume role to set your local environment variables. The STS command is relatively quick, so I’ve just been wrapping my commands with this script (which requires
#!/bin/sh
# ROLE_ARN is a placeholder: set it to the ARN of the role to assume (the value is missing from the post).
CREDS=$(aws sts assume-role --role-arn "$ROLE_ARN" \
--role-session-name my-sls-session --output json)
# Pull the temporary credentials out of the JSON response and export them for the wrapped command.
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.Credentials.SessionToken')
# Run whatever command was passed to the script with the assumed-role credentials.
exec "$@"
This assumes the role you want to use, and runs the command you passed it (it’s not actually SLS specific) e.g.
./script.sh sls deploy.
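Added example (my own, not Rowan's script): a POSIX-shell wrapper that does the manual STS assume-role with an MFA device, exports the temporary credentials and then runs the wrapped command. ROLE_ARN and MFA_SERIAL are placeholder environment variables you set yourself, and the JSON is parsed with sed so jq is not required.

```shell
#!/bin/sh
# Added example, not from the thread: assume the cross-account role with MFA,
# export the temporary credentials, then exec the wrapped command.
# Placeholders: ROLE_ARN and MFA_SERIAL are set by you; MFA_CODE is prompted.
set -eu

# Pull one string field out of the STS JSON response with sed (no jq needed).
# Works for compact or pretty-printed output because newlines are stripped first.
json_field() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Call sts:AssumeRole with the MFA device and code, then export the three
# variables the AWS CLI/SDK read. Returns non-zero if STS fails or a field
# is missing, so a caller never runs a deploy with half-set credentials.
assume_role_env() {
  role_arn="$1"; mfa_serial="$2"; mfa_code="$3"
  creds=$(aws sts assume-role \
      --role-arn "$role_arn" \
      --role-session-name "sls-deploy-$(date +%s)" \
      --serial-number "$mfa_serial" \
      --token-code "$mfa_code" \
      --duration-seconds 3600 \
      --output json) || return 1
  AWS_ACCESS_KEY_ID=$(json_field "$creds" AccessKeyId)
  AWS_SECRET_ACCESS_KEY=$(json_field "$creds" SecretAccessKey)
  AWS_SESSION_TOKEN=$(json_field "$creds" SessionToken)
  [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] \
    && [ -n "$AWS_SESSION_TOKEN" ] || return 1
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Only wrap a command when one was given, e.g. ./assume-mfa.sh sls deploy
if [ "$#" -gt 0 ]; then
  : "${ROLE_ARN:?set ROLE_ARN to the role to assume (placeholder)}"
  : "${MFA_SERIAL:?set MFA_SERIAL to your MFA device ARN (placeholder)}"
  printf 'MFA code: ' >&2
  read -r MFA_CODE
  assume_role_env "$ROLE_ARN" "$MFA_SERIAL" "$MFA_CODE"
  exec "$@"
fi
```

Because the credentials are exported only inside the wrapper's process, they expire with the session and never land in your shell history or profile files.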
Thanks Rowan. I was hoping to avoid that, since it is a bit fugly, but if the pass role isn’t for this use case then I shall have to assume role manually.