Serverless deploy doesn't work and no error to debug with --aws-profile

I’m trying to deploy serverless with narrow IAM permission specified below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:Describe*",
                "cloudformation:List*",
                "cloudformation:Get*",
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "arn:aws:cloudformation:eu-central-1:<accid>:stack/lambda-dev-dep-test*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::lambda-dev-dep-test*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::lambda-dev-dep-test*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws:logs:eu-central-1:<accid>:log-group::log-stream:*"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:PutRetentionPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::<accid>:role/lambda-dev-dep-test*-lambdaRole"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:POST",
                "apigateway:PUT",
                "apigateway:DELETE"
            ],
            "Resource": [
                "arn:aws:apigateway:eu-central-1::/restapis"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:POST",
                "apigateway:PUT",
                "apigateway:DELETE"
            ],
            "Resource": [
                "arn:aws:apigateway:eu-central-1::/restapis/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:UpdateFunctionConfiguration",
                "lambda:UpdateFunctionCode",
                "lambda:ListVersionsByFunction",
                "lambda:PublishVersion",
                "lambda:CreateAlias",
                "lambda:DeleteAlias",
                "lambda:UpdateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:<accid>:function:lambda-dev-dep-test*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "lambda:UpdateEventSourceMapping",
                "lambda:CreateEventSourceMapping",
                "lambda:GetEventSourceMapping"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:Put*",
                "events:Remove*",
                "events:Delete*",
                "events:Describe*"
            ],
            "Resource": "arn:aws:events::<accid>:rule/lambda-dev-dep-test*"
        }
    ]
}

When I run this with --aws-profile switch the process returns after “presumably” after assumeRole with no error or any other trace.
I do not see any events in Cloudwatch and Cloudtrail as well. So basically stuck at this point. any help appreciated

ssekar@NB279:~/ssa/data_engg/serverless/examples/lambda_dev_dep_test$ sls deploy -r eu-central-1 --aws-profile lambda-deployment
Serverless: Load command config
Serverless: Load command config:credentials
Serverless: Load command create
Serverless: Load command install
Serverless: Load command package
Serverless: Load command deploy
Serverless: Load command deploy:function
Serverless: Load command deploy:list
Serverless: Load command deploy:list:functions
Serverless: Load command invoke
Serverless: Load command invoke:local
Serverless: Load command info
Serverless: Load command logs
Serverless: Load command login
Serverless: Load command logout
Serverless: Load command metrics
Serverless: Load command print
Serverless: Load command remove
Serverless: Load command rollback
Serverless: Load command rollback:function
Serverless: Load command slstats
Serverless: Load command plugin
Serverless: Load command plugin
Serverless: Load command plugin:install
Serverless: Load command plugin
Serverless: Load command plugin:uninstall
Serverless: Load command plugin
Serverless: Load command plugin:list
Serverless: Load command plugin
Serverless: Load command plugin:search
Serverless: Load command config
Serverless: Load command config:credentials
Serverless: Load command rollback
Serverless: Load command rollback:function
Serverless: Invoke deploy
Serverless: Invoke package
Serverless: Invoke aws:common:validate
Serverless: Invoke aws:common:cleanupTempDir
Serverless: Packaging service...
Serverless: Invoke aws:package:finalize
Serverless: Invoke aws:common:moveArtifactsToPackage
Serverless: Invoke aws:common:validate
Serverless: Invoke aws:deploy:deploy
Serverless: [AWS sts 200 0.584s 0 retries] assumeRole({ RoleArn: 'arn:aws:iam::<acc id>:role/SLS_LAMBDA_DEPLOYMENT_ROLE',
  RoleSessionName: 'aws-sdk-js-1547472606934' })

I’m experiencing the same issue.

I have export SLS_DEBUG=* and no additional data is displayed. the deploy ends with assumeRole.

I have a personal account (that doesn’t assumeRole) and it succeeds fine with full deployment details and launch of services. Using profile seems to cause it to stop-short.

The same happens to me. It used to work when AWS_SDK_LOAD_CONFIG is set to true.

We are seeing the same exact issue when trying serverless deploy and specifying any aws-profile.
This just works if the the only profile available is default and nothing is specified so that default is picked up automatically.

Same exact lack of debugging information.

Adding my report to this as well. I have two profiles, one specified in by .profle (AWS_PROFILE=staging, and a production one (AWS_PROFILE=production) that uses AssumeRole with the same credentials.

Deploying to staging works fine:

$ sls deploy                           
Serverless: Building native Rust cloudwatch-logexporter func...
    Finished release [optimized] target(s) in 0.13s                                                                                                                                                                   
  adding: bootstrap (deflated 61%)
Serverless: Packaging service...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service .zip file to S3 (1.16 MB)...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
.........
Serverless: Stack update finished...
Service Information
service: cloudwatch-logexporter
stage: dev
region: us-east-1
stack: cloudwatch-logexporter-dev
api keys:
  None
endpoints:
  None
functions:
  logexport: cloudwatch-logexporter-dev-logexport
layers:
  None
Serverless: Removing old service artifacts from S3...

Trying to switch to the other profile just bails, no output, even with --verbose.

$ sls deploy --aws-profile production --verbose --force
Serverless: Building native Rust cloudwatch-logexporter func...
    Finished release [optimized] target(s) in 0.13s                                                                                                                                                                   
  adding: bootstrap (deflated 61%)
Serverless: Packaging service...

$

Other attempts to set the profile (AWS_PROFILE=production sls deploy, export AWS_PROFILE=production && sls deploy) fail in the same way.

Looks like there’s a bug reported with this version: https://github.com/serverless/serverless/issues/5755

Downgraded to 1.35.1 and it works correctly!