SLS not passing profile creds to AWS?

I have multiple named profiles in ~/.aws/credentials and specified one of them (copy/pasted to be sure) in my serverless.yml file. sls invoke local -f fnName works but sls invoke fnName does not. After inserting some log statements I am getting the following from AWS:

{ Error: ENOENT: no such file or directory, open '/home/sbx_user1075/.aws/credentials', ... }

It seems that the credentials are not making their way to Amazon, hence the error. My Lambda function is trying to save an object to S3 with code like:

let awsConfig = {
  credentials: new AWS.SharedIniFileCredentials({profile: 'someProfile'})
};
const s3 = new AWS.S3(awsConfig);
return s3.putObject({
  Bucket: bucket,
  Key: key,
  Body: body,
  ContentType: 'application/rss+xml'
}).promise();

How does the AWS sandbox credentials file get updated by SLS?

1 Like

They don’t.

The sls invoke command is going to be run in Lambda, so it’s not going to have access to your local credentials. Your local credentials will not be (and should not be) uploaded into the Lambda service.

Your functions take their permissions from the IAM Role that is created and assigned by Serverless when it generates your service. The default permissions include access to do things like log to CloudWatch, etc. You can add permissions to the default role created, or you can create a custom role for your functions, but this is more complicated.

1 Like

Thanks @rowanu, that makes sense now. I originally reused some of my S3 code that I use a lot but outside of Lambda functions. The snippet included

let awsConfig = {
  credentials: new AWS.SharedIniFileCredentials({profile: 'someprofile'})
}

which I habitually followed without considering the Lambda environment properly.

2 Likes
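
The approach described in the answer above, as an added example that is not part of the original thread: the S3 client is built without a hard-coded profile, so in Lambda the SDK falls back to the execution role, and the role needs only one narrowly scoped statement. It assumes the AWS SDK for JavaScript v2 used in the question; `makeS3`, `putFeed`, `putObjectStatement` and the `LOCAL_AWS_PROFILE` variable are hypothetical names.

```javascript
// Added example, not code from the thread. AWS SDK for JavaScript v2 assumed.
// makeS3, putFeed, putObjectStatement and LOCAL_AWS_PROFILE are hypothetical names.

// Build the S3 client without hard-coding a profile. In Lambda, LOCAL_AWS_PROFILE
// is unset, no credentials option is passed, and the SDK's default provider chain
// uses the execution role's temporary credentials from the runtime environment.
function makeS3(AWS, env = process.env) {
  const config = {};
  if (env.LOCAL_AWS_PROFILE) {
    // Workstation only: ~/.aws/credentials exists here, never in the Lambda sandbox.
    config.credentials = new AWS.SharedIniFileCredentials({
      profile: env.LOCAL_AWS_PROFILE
    });
  }
  return new AWS.S3(config);
}

// Same putObject call as in the question, with the client injected.
function putFeed(s3, bucket, key, body) {
  return s3.putObject({
    Bucket: bucket,
    Key: key,
    Body: body,
    ContentType: 'application/rss+xml'
  }).promise();
}

// IAM statement the function's role needs for that call: one action, one key prefix.
function putObjectStatement(bucket, keyPrefix = '') {
  return {
    Effect: 'Allow',
    Action: ['s3:PutObject'],
    Resource: `arn:aws:s3:::${bucket}/${keyPrefix}*`
  };
}
```

The statement belongs on the role Serverless creates for the service (the provider-level IAM role statements in serverless.yml), which is where the answer says the function's permissions come from.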