Serverless deploy doesn't work and no error to debug with --aws-profile

lambda

#1

I’m trying to deploy serverless with narrow IAM permission specified below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:Describe*",
                "cloudformation:List*",
                "cloudformation:Get*",
                "cloudformation:CreateStack",
                "cloudformation:UpdateStack"
            ],
            "Resource": "arn:aws:cloudformation:eu-central-1:<accid>:stack/lambda-dev-dep-test*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:ValidateTemplate"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::lambda-dev-dep-test*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::lambda-dev-dep-test*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Resource": "arn:aws:logs:eu-central-1:<accid>:log-group::log-stream:*"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DeleteLogGroup",
                "logs:DeleteLogStream",
                "logs:DescribeLogStreams",
                "logs:FilterLogEvents",
                "logs:PutRetentionPolicy"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DetachRolePolicy",
                "iam:PutRolePolicy",
                "iam:AttachRolePolicy",
                "iam:DeleteRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::<accid>:role/lambda-dev-dep-test*-lambdaRole"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:POST",
                "apigateway:PUT",
                "apigateway:DELETE"
            ],
            "Resource": [
                "arn:aws:apigateway:eu-central-1::/restapis"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:GET",
                "apigateway:POST",
                "apigateway:PUT",
                "apigateway:DELETE"
            ],
            "Resource": [
                "arn:aws:apigateway:eu-central-1::/restapis/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:GetFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:UpdateFunctionConfiguration",
                "lambda:UpdateFunctionCode",
                "lambda:ListVersionsByFunction",
                "lambda:PublishVersion",
                "lambda:CreateAlias",
                "lambda:DeleteAlias",
                "lambda:UpdateAlias",
                "lambda:GetFunctionConfiguration",
                "lambda:AddPermission",
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:*:<accid>:function:lambda-dev-dep-test*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "lambda:UpdateEventSourceMapping",
                "lambda:CreateEventSourceMapping",
                "lambda:GetEventSourceMapping"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "events:Put*",
                "events:Remove*",
                "events:Delete*",
                "events:Describe*"
            ],
            "Resource": "arn:aws:events::<accid>:rule/lambda-dev-dep-test*"
        }
    ]
}

When I run this with the --aws-profile switch, the process returns, “presumably” after assumeRole, with no error or any other trace.
I do not see any events in CloudWatch or CloudTrail either. So I'm basically stuck at this point. Any help appreciated.

ssekar@NB279:~/ssa/data_engg/serverless/examples/lambda_dev_dep_test$ sls deploy -r eu-central-1 --aws-profile lambda-deployment
Serverless: Load command config
Serverless: Load command config:credentials
Serverless: Load command create
Serverless: Load command install
Serverless: Load command package
Serverless: Load command deploy
Serverless: Load command deploy:function
Serverless: Load command deploy:list
Serverless: Load command deploy:list:functions
Serverless: Load command invoke
Serverless: Load command invoke:local
Serverless: Load command info
Serverless: Load command logs
Serverless: Load command login
Serverless: Load command logout
Serverless: Load command metrics
Serverless: Load command print
Serverless: Load command remove
Serverless: Load command rollback
Serverless: Load command rollback:function
Serverless: Load command slstats
Serverless: Load command plugin
Serverless: Load command plugin
Serverless: Load command plugin:install
Serverless: Load command plugin
Serverless: Load command plugin:uninstall
Serverless: Load command plugin
Serverless: Load command plugin:list
Serverless: Load command plugin
Serverless: Load command plugin:search
Serverless: Load command config
Serverless: Load command config:credentials
Serverless: Load command rollback
Serverless: Load command rollback:function
Serverless: Invoke deploy
Serverless: Invoke package
Serverless: Invoke aws:common:validate
Serverless: Invoke aws:common:cleanupTempDir
Serverless: Packaging service...
Serverless: Invoke aws:package:finalize
Serverless: Invoke aws:common:moveArtifactsToPackage
Serverless: Invoke aws:common:validate
Serverless: Invoke aws:deploy:deploy
Serverless: [AWS sts 200 0.584s 0 retries] assumeRole({ RoleArn: 'arn:aws:iam::<acc id>:role/SLS_LAMBDA_DEPLOYMENT_ROLE',
  RoleSessionName: 'aws-sdk-js-1547472606934' })


#2

I’m experiencing the same issue.

I have export SLS_DEBUG=* and no additional data is displayed. The deploy ends with assumeRole.

I have a personal account (that doesn’t assumeRole) and it succeeds fine with full deployment details and launch of services. Using a profile seems to cause it to stop short.


#3

The same happens to me. It used to work when AWS_SDK_LOAD_CONFIG is set to true.


#4

We are seeing the same exact issue when trying serverless deploy and specifying any aws-profile.
This just works if the only profile available is default and nothing is specified so that default is picked up automatically.

Same exact lack of debugging information.


#5

Adding my report to this as well. I have two profiles, one specified in my .profile (AWS_PROFILE=staging), and a production one (AWS_PROFILE=production) that uses AssumeRole with the same credentials.

Deploying to staging works fine:

$ sls deploy                           
Serverless: Building native Rust cloudwatch-logexporter func...
    Finished release [optimized] target(s) in 0.13s                                                                                                                                                                   
  adding: bootstrap (deflated 61%)
Serverless: Packaging service...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service .zip file to S3 (1.16 MB)...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
.........
Serverless: Stack update finished...
Service Information
service: cloudwatch-logexporter
stage: dev
region: us-east-1
stack: cloudwatch-logexporter-dev
api keys:
  None
endpoints:
  None
functions:
  logexport: cloudwatch-logexporter-dev-logexport
layers:
  None
Serverless: Removing old service artifacts from S3...

Trying to switch to the other profile just bails, no output, even with --verbose.

$ sls deploy --aws-profile production --verbose --force
Serverless: Building native Rust cloudwatch-logexporter func...
    Finished release [optimized] target(s) in 0.13s                                                                                                                                                                   
  adding: bootstrap (deflated 61%)
Serverless: Packaging service...

$

Other attempts to set the profile (AWS_PROFILE=production sls deploy, export AWS_PROFILE=production && sls deploy) fail in the same way.

Looks like there’s a bug reported with this version: https://github.com/serverless/serverless/issues/5755


#6

Downgraded to 1.35.1 and it works correctly!
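
Added example, not part of any post in this thread and not Serverless code: a small offline check of how a named profile resolves, for the setup described in #3 and #5 (an assume-role profile next to a static-key profile, with or without AWS_SDK_LOAD_CONFIG). It assumes the standard shared-file layout and that the AWS SDK for JavaScript v2 reads ~/.aws/config only when AWS_SDK_LOAD_CONFIG is set; the sample file contents are constructed, and it does not diagnose the Serverless bug linked in #5.

```python
import configparser

# Constructed sample files; the key id, secret and <accid> are placeholders.
SAMPLE_CREDENTIALS = """\
[staging]
aws_access_key_id = EXAMPLEKEYID
aws_secret_access_key = constructed-placeholder
"""
SAMPLE_CONFIG = """\
[profile staging]
region = us-east-1

[profile production]
role_arn = arn:aws:iam::<accid>:role/SLS_LAMBDA_DEPLOYMENT_ROLE
source_profile = staging
"""

def parse_profiles(text, config_file=False):
    """Return {profile_name: settings}; ~/.aws/config prefixes names with 'profile '."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    prefix = "profile "
    return {(s[len(prefix):] if config_file and s.startswith(prefix) else s): dict(cp[s])
            for s in cp.sections()}

def describe_profile(name, credentials_text, config_text, env):
    """Report what the AWS SDK for JavaScript v2 can see for `name`.

    Assumption: that SDK reads ~/.aws/config only when AWS_SDK_LOAD_CONFIG is
    set to a non-empty value; ~/.aws/credentials is always read.
    """
    creds = parse_profiles(credentials_text)
    conf = parse_profiles(config_text, config_file=True)
    load_config = bool(env.get("AWS_SDK_LOAD_CONFIG"))

    def visible(profile):
        merged = dict(conf.get(profile, {})) if load_config else {}
        merged.update(creds.get(profile, {}))
        return merged

    settings = visible(name)
    report = {"found": bool(settings),
              "needs_load_config": not settings and name in conf,
              "kind": None, "source_profile": None, "source_has_keys": None}
    if "role_arn" in settings:
        source = settings.get("source_profile")
        report.update(kind="assume-role", source_profile=source,
                      source_has_keys="aws_access_key_id" in visible(source))
    elif "aws_access_key_id" in settings:
        report["kind"] = "static-keys"
    return report
```

To check a real machine, pass the contents of ~/.aws/credentials and ~/.aws/config and `os.environ` instead of the samples.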