Unresolved resource dependencies IamRoleLambdaExecution

Hello.

I have strange problem with IAM resource: https://serverless.com/framework/docs/providers/aws/guide/iam/

I have a function and for this func I adding the role: ddbElasticsearchBridge
Below in the “resources > Resources” section I’ve added this role.

functions:
  DDBtoES:
    handler: dynamodb.lambda_handler
    role: ddbElasticsearchBridge
    ...

resources:
  Resources:
    ddbElasticsearchBridge:
      Type: AWS::IAM::Role
      Properties:
        Path: /
        RoleName: ddb-elasticsearch-bridge
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        ManagedPolicyArns:
          - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        Policies:
          - PolicyName: DynamoRead
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - dynamodb:DescribeStream
                    - dynamodb:GetRecords
                    - dynamodb:GetShardIterator
                  Resource: arn:aws:dynamodb:us-east-1:12345678:table/mytablename/stream/2017-04-04T23:34:00.359

But I always getting this error:

Template format error: Unresolved resource dependencies
[IamRoleLambdaExecution] in the Resources block of the template

What I’m doing wrong? The same problem I have if I placing ‘role’ reference to the ‘provider’ section.

Just ran into the same thing, did you ever find a resolution?

I haven’t had the error personally, but sounds like you need to give it the old sls deploy --noDeploy and check out the generated template and see what’s doing.

Do you have other functions in your service? Ones that use the default role (i.e. IamRoleLambdaExecution)? Maybe because it’s not being used it’s not appearing in the generated template, but it is still being referenced as a dependency?

For me this happened adding a custom role to a function with a kinesis event.

The EventSourceMapping has a dependency on the baked-in role, which is causing the error.

“PopEventSourceMappingKinesisKinesis”: {
“Type”: “AWS::Lambda::EventSourceMapping”,
“DependsOn”: “IamRoleLambdaExecution”,
… etc etc
}

It might be a bug in the mapping generation.

Is the IamRoleLambdaExecution resource still present in the template?

It looks like the dependency on IamRoleLambdaExecution is hard-coded.

Open an issue?

Yep.

Will open.

Issue and PR.

https://github.com/serverless/serverless/issues/3499
https://github.com/serverless/serverless/pull/3500