Serverless Error ... Policy statement must contain resources

Hello Friends,

Googled my best and tried a fix that worked on a different serverless project, but getting this error on a new project and am stumped with a tight timeline. Would be grateful for your perspective.

Serverless Error ---------------------------------------

 An error occurred while provisioning your stack: myDefaultRole
 - Policy statement must contain resources..

The serverless.yml I’m using is a copy from another working project that deploys successfully to our dev and prod AWS accounts, with of course only the bits refering to the name of the new project being changed.
I checked the yaml with an online linter and it came back green.

This is the content of the serverless.yml:
service: WayCoolLambda
frameworkVersion: “=1.10.2”

custom:
stage: ${opt:stage, self:provider.stage}
version: ${env:BUILD_VERSION, env:RV, self:custom.stage}
aws_account:
dev:
accountid: 12345678910
securityGroupIds:
- sg-XXXXXXX #allow_all_http_in
- sg-XXXXXXX #allow_all_https_in
- sg-XXXXXXX #allow_all_out
subnetIds:
- subnet-XXXXXXX #private
- subnet-XXXXXXX #private
dev:
accountid: ${self:custom.aws_account.dev.accountid}
securityGroupIds: ${self:custom.aws_account.dev.securityGroupIds}
subnetIds: ${self:custom.aws_account.dev.subnetIds}
qa:
accountid: ${self:custom.aws_account.dev.accountid}
securityGroupIds: ${self:custom.aws_account.dev.securityGroupIds}
subnetIds: ${self:custom.aws_account.dev.subnetIds}
preprod:
accountid: ${self:custom.aws_account.dev.accountid}
securityGroupIds: ${self:custom.aws_account.dev.securityGroupIds}
subnetIds: ${self:custom.aws_account.dev.subnetIds}
production:
accountid: 12345678910
securityGroupIds:
- sg-XXXXXXX
subnetIds:
- subnet-XXXXXXX
- subnet-XXXXXXX

provider:
name: aws
runtime: java8
region: us-east-1
role: myDefaultRole
vpc:
securityGroupIds: ${self:custom.${self:custom.stage}.securityGroupIds}
subnetIds: ${self:custom.${self:custom.stage}.subnetIds}

package:
artifact: target/WayCoolLambda-${self:custom.version}.jar

functions:
handleRequest:
handler: com.manheim.waycool.WayCoolHandler::handleRequest
description: WayCool Lambda
environment: ${file(environment-${self:custom.stage}.yml)}

resources:
Resources:
myDefaultRole:
Type: AWS::IAM::Role
Properties:
Path: /
RoleName: ${self:service}-${self:custom.stage}
AssumeRolePolicyDocument:
Version: '2012-10-17’
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action: sts:AssumeRole
Policies:
- PolicyName: defaultPolicy
PolicyDocument:
Version: '2012-10-17’
Statement:
- Effect: Allow
Action:
- logs:CreateLogGroup
- logs:CreateLogStream
- logs:PutLogEvents
Resource: arn:aws:logs:::log-group:/aws/lambda/::*
- Effect: "Allow"
Action:
- "s3:PutObject"
Resource:
Fn::Join:
- “”
- - “arn:aws:s3:::”
- “Ref” : “ServerlessDeploymentBucket”
- Effect: Allow
Action:
- ec2:CreateNetworkInterface
- ec2:DescribeNetworkInterfaces
- ec2:DetachNetworkInterface
- ec2:DeleteNetworkInterface
Resource: “*”

It doesn’t look like the formatter for the forum preserves the yaml spacing, but as I said, I checked the yaml in an online linter and it came back OK.

If this is a total gooberhead easy question, please forgive me, but for the life of me, I can’t imagine what could be out of whack. Thank you for taking a moment to look at it with me.

I apologize for possibly wasting anyone’s time.

It turned out to not be a serverless error. Even though I had updated the file with the correct yaml formatting, I had to rebuild the pipeline so that the deploy job would check out the new revision with the yaml correction from github. Good grief.

1 Like