Problems deploying using a cross-account role in AWS

I’ve got a serverless config that deploys ok using my existing AWS credentials.

Version 1.9.0 introduced a provider.cfnRole key for AWS that allows you to specify a role to be assumed to perform deployment. We use this approach extensively for CloudFront etc. already.

However, when I put a role ARN in here I get the error:

Serverless Error ---------------------------------------

 Cross-account pass role is not allowed

I’m guessing this isn’t a bug, but I’ve missed some other step. Anyone got any idea?



The issue is that pass role is not intended to change accounts, just limit the permissions used when deploying (to a specific role).

You should be able to specify a profile that uses a cross-account role (see the CLI docs for more detail), as long as you don’t require MFA.

If you need MFA (like I do), you’ll need to do a “manual” STS assume role to set your local environment variables. The STS command is relatively quick, so I’ve just been wrapping my commands with this script (which requires jq):


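#!/bin/bash
set -e

# ROLE_ARN is a placeholder: set it to the ARN of the role to assume.
CREDS=$(aws sts assume-role --role-arn "$ROLE_ARN" \
  --role-session-name my-sls-session --output json)
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.Credentials.SessionToken')

# Run the command passed as arguments with the assumed-role credentials.
"$@"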

This assumes the role you want to use, and runs the command you passed it (it’s not actually SLS specific) e.g. ./ sls deploy.
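
A pre-deploy check for the error discussed in this thread, added here as an example (not code from either poster or from the Serverless project): it compares the account ID in the cfnRole ARN with the account of the credentials in use. The function names and the sample ARNs and account IDs are constructed for illustration.

```bash
# Print the account ID from an IAM role ARN, or return 1 if it is malformed.
# Expected shape: arn:<partition>:iam::<12-digit-account>:role/<name>
role_account() (
  IFS=: read -r prefix partition service region account resource <<EOF
$1
EOF
  [ "$prefix" = "arn" ] && [ "$service" = "iam" ] || return 1
  case "$resource" in role/?*) ;; *) return 1 ;; esac
  case "$account" in ""|*[!0-9]*) return 1 ;; esac
  [ "${#account}" -eq 12 ] || return 1
  printf '%s\n' "$account"
)

# Compare the cfnRole's account ($1 = role ARN) with the caller's account ($2).
# Prints same-account (exit 0), cross-account (exit 1) or an invalid-* code (exit 2).
check_cfn_role() (
  role_acct=$(role_account "$1") || { echo "invalid-role-arn"; return 2; }
  case "$2" in ""|*[!0-9]*) echo "invalid-caller-account"; return 2 ;; esac
  if [ "$role_acct" = "$2" ]; then
    echo "same-account"    # CloudFormation can be handed this role
    return 0
  fi
  echo "cross-account"     # rejected: assume a role in that account first
  return 1
)

# Constructed sample values, not real accounts. In real use the caller's account is:
#   aws sts get-caller-identity --query Account --output text
CALLER_ACCOUNT=111111111111
for arn in \
  "arn:aws:iam::111111111111:role/deploy-cfn" \
  "arn:aws:iam::222222222222:role/deploy-cfn"; do
  printf '%s -> %s\n' "$arn" "$(check_cfn_role "$arn" "$CALLER_ACCOUNT")"
done
```

A cross-account result means the deploy credentials themselves must belong to the target account, for example by assuming a role there first, before a cfnRole in that account can be used.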


Thanks Rowan. I was hoping to avoid that, since it is a bit fugly, but if the pass role isn’t for this use case then I shall have to assume role manually.