Problems deploying using a cross-account role in AWS

I’ve got a serverless config that deploys ok using my existing AWS credentials.

Version 1.9.0 introduced a provider.cfnRole key for AWS that allows you to specify a role to be assumed to perform deployment. We use this approach extensively for CloudFront etc. already.

However, when I put a role ARN in here I get the error:

Serverless Error ---------------------------------------

 Cross-account pass role is not allowed

I’m guessing this isn’t a bug, but I’ve missed some other step. Anyone got any idea?

Cheers,

Doug.

The issue is that pass role is not intended to change accounts, just limit the permissions used when deploying (to a specific role).

You should be able to specify a profile that uses a cross-account role (see the CLI docs for more detail), as long as you don’t require MFA.

If you need MFA (like I do), you’ll need to do a “manual” STS assume role to set your local environment variables. The STS command is relatively quick, so I’ve just been wrapping my commands with this script (which requires jq):

#!/bin/bash
# Stop on the first failure so a failed assume-role never runs the wrapped
# command with the caller's own (wrong-account) credentials.
set -euo pipefail

# Assume the deployment role; replace <YOUR_ROLE_ARN> with the target role's ARN.
CREDS=$(aws sts assume-role --role-arn \
  "<YOUR_ROLE_ARN>" \
  --role-session-name my-sls-session --output json)
# Pull the temporary credentials out of the JSON (requires jq) and export them
# so the AWS SDK used by the wrapped command picks them up.
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.Credentials.SessionToken')

# Echo, then run, whatever command was passed in ("$@" keeps each argument intact).
echo "$@"
"$@"

This assumes the role you want to use, and runs the command you passed it (it’s not actually SLS specific) e.g. ./script.sh sls deploy.

2 Likes
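The MFA case Rowan mentions but his script leaves out, as an added example that is not code from the thread or from the Serverless project: it assumes the cross-account role with an MFA device and a short session, exports the temporary credentials only for the one command it runs, and needs no jq because the AWS CLI's --query/--output text prints the four credential fields on a single tab-separated line. ROLE_ARN and MFA_SERIAL are placeholder values you replace.

```shell
#!/bin/sh
# Added example (not from the thread): assume a cross-account role with MFA,
# export the temporary credentials, and run one command under them.
set -eu

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::123456789012:role/DeployRole}"   # placeholder
MFA_SERIAL="${MFA_SERIAL:-arn:aws:iam::111111111111:mfa/deployer}"  # placeholder
DURATION="${DURATION:-900}"   # shortest STS allows; a deploy rarely needs longer

# Parse "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken<TAB>Expiration",
# the line `aws sts assume-role ... --output text` prints, and export it.
export_creds() {
    old_ifs=$IFS
    IFS="$(printf '\t')"
    # shellcheck disable=SC2086
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || { echo "unexpected STS output: expected 4 fields, got $#" >&2; return 1; }
    export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
    CREDS_EXPIRE="$4"
}

assume_and_run() {
    [ "$#" -gt 0 ] || { echo "usage: $0 <command...>" >&2; return 1; }
    printf 'MFA code for %s: ' "$MFA_SERIAL"
    read -r MFA_CODE
    line=$(aws sts assume-role \
        --role-arn "$ROLE_ARN" \
        --role-session-name "sls-deploy-$(id -un)" \
        --duration-seconds "$DURATION" \
        --serial-number "$MFA_SERIAL" \
        --token-code "$MFA_CODE" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text)
    export_creds "$line"
    # Confirm which principal the wrapped command will actually run as.
    echo "Assumed $(aws sts get-caller-identity --query Arn --output text), expires $CREDS_EXPIRE"
    "$@"
}

# Only act when a command is given; running with no arguments just defines
# the functions above.
if [ "$#" -gt 0 ]; then
    assume_and_run "$@"
fi
```

Usage is the same as Rowan's wrapper, e.g. ./assume.sh sls deploy; the credentials live only in that process, so your interactive shell never carries the deployment role.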

Thanks Rowan. I was hoping to avoid that, since it is a bit fugly, but if the pass role isn’t for this use case then I shall have to assume role manually.

Cheers,

Doug.