serverless-next.js
roleArn doesn't work. serverless nextjs creates IAM role every time when deploying
Issue Summary
I specify roleArn inside serverless.yml like below. However, somehow, serverless nextjs always creates an IAM role.
- serverless.yml
myApp:
  component: "@sls-next/[email protected]"
  inputs:
    roleArn: 'roleArn: "arn:aws:iam::123456789012:role/MyCustomLambdaRole"'
    :
Actual behavior
Serverless nextjs creates an IAM role every time when deploying.
Expected behavior
Serverless nextjs doesn't create an IAM role, just uses the IAM role I specify inside serverless.yml.
Steps to reproduce
- Specify IAM role inside serverless.yml
- Deploy
Screenshots/Code/Configuration/Logs
Nothing.
Versions
- OS/Environment: on Github Actions
- @sls-next/serverless-component version: @sls-next/[email protected]
- Next.js version: 10.0.1
Additional context
The content of IAM roles serverless nextjs always creates is this.
- Inline policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::hogehoge/*",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ]
    }
  ]
}
- Trust relations
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com",
          "edgelambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Checklist
- [x] You have reviewed the README and FAQs, which answers several common questions.
- [x] You have reviewed our DEBUGGING wiki and have tried your best to include complete information and reproduction steps (including your configuration) as is possible.
- [ ] You have first tried using the most recent latest or alpha @sls-next/serverless-component release version, which may have already fixed your issue or implemented the feature you are trying to use. Note that the old serverless-next.js component and the serverless-next.js plugin are deprecated and no longer maintained.
+1 We're seeing the same thing. It looks like it's creating a new role for each lambda (Default, API, Image), and so with each deployment, we see 3 new IAM roles created.
Versions:
- next: 11.1.2
- sls-next: latest
- Github Actions
Do we have any updates on this issue? I'm struggling with the same thing
Hi, with the latest stable version v3.6.0, I got the following config:
myNextApplication:
  component: "@sls-next/[email protected]"
  inputs:
    bucketName: ui-test
    roleArn: "arn:aws:iam::xxx:role/service-role/nextjs-role-xxx"
    policy: "arn:aws:iam::xxx:policy/service-role/AWSLambdaBasicExecutionRole-xxx"
it does not create IAM roles anymore.
Workaround that seems to work is upon 1st deployment, let it create the new IAM roles. Then identify the roleArn and specify it in the serverless.yml file like what @erdemy has. Specifying a roleArn prevents new IAM roles from being created.
So is there no other fix for this aside from manually specifying the role ARN?
Also, which role ARN should be specified? I'm going through the json files in .serverless/ and each lambda has their role. Would this be the one in defaultEdgeLambda.json?
Also, if we have multiple environments, do we use the same role for each one? Or do I need to make the role arn an env var? Ugh..
Also - I noticed I'm only having this on deploys from CI. If I deploy from my computer, I do not have this issue (in both cases I am not changing existing data in the .serverless dir). Why would this be? Does this component depend on some global data stored on my system?
Not sure if this applies to your case, @patricktyndall, but when using the Serverless Component for Next JS, new roles will be created on each deploy if you don't store the .serverless directory and its files somewhere, where you can get it before each deploy.
The .serverless files will be and are meant to be different for each machine.
The recommended way of storing these .serverless files (with CI/CD) is with S3. This is what I did and after that I have not been having any problems with new roles being created, instead we are simply reusing the ones specified. Followed this article in order to get everything set up correctly. This article also goes over dealing with different environments.
Once again, not sure if this is what you were looking for, but this is what I found out.
Thanks @tornvallalexander
I have already been committing the .serverless files to source control, and doing multi-env deploys without issues* across multiple "machines" (*except for the present issue of roles being created).
What is new to me is your mention of "meant to be different for each machine" -- do you mean this? You mean if I deploy to the same env but from different places, each "build server" also needs to have its own version of the files? If true, this seems like it would be really unfortunate design.
I could be wrong, but I do not think the .serverless dir is our issue here. @dphang can you provide any insight here? I am still on v3.5.3.
Hmmm. This is what I seem to remember from the research I did a while back. Unfortunately, I can't seem to be able to verify that what I said is true. That being said, I will try and see if I can find something later this day.
Can confirm this still happens unless you assign "policy" and "roleArn" in the yml file(s) on 3.7.0-alpha.10. I spent yesterday setting up my app and when I went to check my roles, I had 32 haha, now I specified them in the yml and deleted the extra roles, it's working and the bug is gone, but it'd be nice if it just deleted the previous roles instead of just leaving them there right?
Same issue here! After using serverless component for 1 year I just reached 1000 roles :D this is crazy
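The comments above report leftover roles piling up (32 in one account, 1000 in another) because every deploy creates new ones. As an added example, not code from this thread or from the serverless-next.js project, the following Python filters `aws iam list-roles` output for roles that carry the trust relationship shown in the issue and are not pinned through roleArn in any serverless.yml; the role names and dates in the sample are constructed.

```python
# Added example: list IAM roles that look like leftovers from repeated deploys.
# Input has the shape of `aws iam list-roles` JSON; the sample roles are constructed.
EDGE_TRUST = {"lambda.amazonaws.com", "edgelambda.amazonaws.com"}  # from the issue

def as_list(value):
    """IAM policy fields may hold a single value or a list of them."""
    return value if isinstance(value, list) else [value]

def trusted_services(trust_doc):
    """Service principals that an Allow statement lets call sts:AssumeRole."""
    services = set()
    for stmt in as_list(trust_doc.get("Statement", [])):
        allows = stmt.get("Effect") == "Allow" and \
            "sts:AssumeRole" in as_list(stmt.get("Action", []))
        principal = stmt.get("Principal", {})
        if allows and isinstance(principal, dict):  # "*" names no service
            services.update(as_list(principal.get("Service", [])))
    return services

def cleanup_candidates(list_roles_output, pinned_arns):
    """Unpinned roles with exactly the Lambda@Edge trust policy, oldest first."""
    found = [
        role for role in list_roles_output["Roles"]
        if trusted_services(role["AssumeRolePolicyDocument"]) == EDGE_TRUST
        and role["Arn"] not in pinned_arns
    ]
    # CreateDate is an ISO 8601 string, so a string sort is chronological
    # as long as every entry uses the same UTC offset.
    return sorted(found, key=lambda role: role["CreateDate"])

def _role(name, created, services):
    """Build one constructed list-roles entry (sample data, not real roles)."""
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": services},
        "Action": "sts:AssumeRole"}]}
    return {"RoleName": name, "Arn": f"arn:aws:iam::123456789012:role/{name}",
            "CreateDate": created, "AssumeRolePolicyDocument": trust}

SAMPLE = {"Roles": [
    _role("MyCustomLambdaRole", "2021-01-05T09:00:00+00:00", sorted(EDGE_TRUST)),
    _role("example-generated-b", "2021-03-02T09:00:00+00:00", sorted(EDGE_TRUST)),
    _role("example-generated-a", "2021-02-01T09:00:00+00:00", sorted(EDGE_TRUST)),
    _role("example-ec2-role", "2021-01-01T09:00:00+00:00", "ec2.amazonaws.com"),
]}
PINNED = {"arn:aws:iam::123456789012:role/MyCustomLambdaRole"}  # roleArn values in use

if __name__ == "__main__":
    for role in cleanup_candidates(SAMPLE, PINNED):
        print(role["CreateDate"], role["Arn"])
```

The result is a review list: a role with this trust policy can belong to another stack or still be attached to a function, so check each one before deleting it.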