serverless-step-functions
serverless-step-functions plugin is not using the provider permissionsBoundary when creating the IAM role
This is a (Bug Report)
Description
For bug reports:

- What went wrong?

  When creating the IAM role ApigatewayToStepFunctionsRole, the plugin is not using the permissionsBoundary specified in provider; as a result, creation of the role fails.

- What did you expect should have happened?

  The expected behavior was that, like the IAM role created for Lambda functions, it would use the permissions boundary specified.
- What was the config you used?

```yaml
service: bulk-server
frameworkVersion: 2

plugins:
  - serverless-webpack
  - serverless-pseudo-parameters
  - serverless-step-functions

provider:
  name: aws
  runtime: nodejs12.x
  rolePermissionsBoundary: arn:aws:iam::#{AWS::AccountId}:policy/DeveloperBoundaryPolicy
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "states:StartExecution"
      Resource:
        - "*"
  stage: ${opt:stage,'dev'}
  apiGateway:
    minimumCompressionSize: 1024
  environment:
    AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"

functions:
  writejob:
    handler: src/handlers.writejob
    events:
      - http:
          method: GET
          path: writejob
  mapjob:
    handler: src/handlers.mapjob
    events:
      - http:
          method: GET
          path: mapjob
  completejob:
    handler: src/handlers.completejob
    events:
      - http:
          method: GET
          path: completejob

stepFunctions:
  stateMachines:
    jobProcessor:
      name: JobProcessor
      events:
        - http:
            method: GET
            path: processjob
      definition:
        StartAt: writejob
        States:
          writejob:
            Type: Pass
            End: true
```
- What stacktrace or error message from your provider did you see?

```text
API: iam:CreateRole User: arn:aws:sts::myacct:assumed-role/MYASSUMEDROLE/MYSUSERNAME is not authorized to perform: iam:CreateRole on resource:
```
Additional Data
- Serverless Framework Core Version you're using: 2.0
- The Plugin Version you're using: "serverless-step-functions": "^2.29.0"
- Operating System: mac
- Stack Trace:
- Provider Error messages:
To work around the issue I created an IAM role and referenced it in the step function resources:

```yaml
resources:
  Resources:
    myDefaultRole:
    ApigatewayToStepFunctionsRole:
      Type: 'AWS::IAM::Role'
      Properties:
        PermissionsBoundary: arn:aws:iam::#{AWS::AccountId}:policy/DeveloperBoundaryPolicy
        RoleName: myrole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - states.amazonaws.com
                  - apigateway.amazonaws.com
              Action: 'sts:AssumeRole'
```

See below the CloudFormation template generated for the role that failed to create. The role created for the Lambda works fine since it does have the boundary policy. I am attaching it.
```json
"ApigatewayToStepFunctionsRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": { "Service": "apigateway.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }]
    },
    "Policies": [{
      "PolicyName": "ApigatewayToStepFunctionsRole",
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Allow",
          "Action": ["states:StartExecution"],
          "Resource": "*"
        }]
      }
    }]
  }
}
```
The Lambda role succeeds and has the boundary policy:

```json
"IamRoleLambdaExecution": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": { "Service": ["lambda.amazonaws.com"] },
        "Action": ["sts:AssumeRole"]
      }]
    },
    "Policies": [{
      "PolicyName": { "Fn::Join": ["-", ["bulk-server", "dev", "lambda"]] },
      "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
          "Effect": "Allow",
          "Action": ["logs:CreateLogStream", "logs:CreateLogGroup"],
          "Resource": [{ "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/bulk-server-dev*:*" }]
        }, {
          "Effect": "Allow",
          "Action": ["logs:PutLogEvents"],
          "Resource": [{ "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/bulk-server-dev*:*:*" }]
        }]
      }
    }],
    "Path": "/",
    "RoleName": { "Fn::Join": ["-", ["bulk-server", "dev", { "Ref": "AWS::Region" }, "lambdaRole"]] },
    "PermissionsBoundary": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/DeveloperBoundaryPolicy" }
  }
}
```
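Accounts that enforce permissions boundaries usually grant developers `iam:CreateRole` only under a condition on `iam:PermissionsBoundary`, so any role resource that is emitted without a `PermissionsBoundary` property is rejected at create time no matter how narrow its policies are, which is exactly the failure reported above. The following pre-deploy check is an added example, not code from the plugin or from the reporter: it scans a generated CloudFormation template (the JSON that `serverless package` writes under `.serverless/`; the path is passed as the first argument) for `AWS::IAM::Role` resources that have no boundary or a boundary other than the expected one, and shows the same fix the `resources:` override applies, setting the boundary on every role that lacks it. `SAMPLE_TEMPLATE` is a constructed, cut-down copy of the two roles shown in this issue, and `BOUNDARY`, `roles_missing_boundary` and `add_boundary` are names chosen for this example.

```python
"""Pre-deploy check: flag IAM roles in a CloudFormation template that lack a
PermissionsBoundary, and apply one where it is missing. Added example; the
template and helper names are constructed for illustration."""
import copy
import json
import sys

# The boundary the account expects on every developer-created role.
BOUNDARY = {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/DeveloperBoundaryPolicy"}


def assume_role_doc(service):
    """Trust policy letting one AWS service principal assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": service},
                       "Action": "sts:AssumeRole"}],
    }


# Constructed sample mirroring the two roles from the issue: the Lambda role
# carries the boundary, the API Gateway -> Step Functions role does not.
SAMPLE_TEMPLATE = {
    "Resources": {
        "IamRoleLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": assume_role_doc("lambda.amazonaws.com"),
                "PermissionsBoundary": BOUNDARY,
            },
        },
        "ApigatewayToStepFunctionsRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": assume_role_doc("apigateway.amazonaws.com"),
                "Policies": [{
                    "PolicyName": "ApigatewayToStepFunctionsRole",
                    "PolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{"Effect": "Allow",
                                       "Action": ["states:StartExecution"],
                                       "Resource": "*"}],
                    },
                }],
            },
        },
        # Non-role resource, must be ignored by the check.
        "JobProcessor": {"Type": "AWS::StepFunctions::StateMachine", "Properties": {}},
    }
}


def _boundary_text(value):
    """Normalise a PermissionsBoundary value (plain ARN string or Fn::Sub) to a string."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        value = value["Fn::Sub"]
    return value if isinstance(value, str) else None


def roles_missing_boundary(template, expected_boundary=None):
    """Sorted logical IDs of AWS::IAM::Role resources with no PermissionsBoundary,
    or whose boundary differs from expected_boundary when one is given."""
    bad = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        actual = _boundary_text(resource.get("Properties", {}).get("PermissionsBoundary"))
        wanted = _boundary_text(expected_boundary)
        if actual is None or (wanted is not None and actual != wanted):
            bad.append(logical_id)
    return sorted(bad)


def add_boundary(template, boundary):
    """Copy of the template with boundary set on every IAM role that lacks one
    (what the `resources:` override in the issue does for a single role)."""
    fixed = copy.deepcopy(template)
    for resource in fixed.get("Resources", {}).values():
        if resource.get("Type") == "AWS::IAM::Role":
            props = resource.setdefault("Properties", {})
            props.setdefault("PermissionsBoundary", copy.deepcopy(boundary))
    return fixed


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    missing = roles_missing_boundary(template, BOUNDARY)
    for logical_id in missing:
        print(f"{logical_id}: PermissionsBoundary missing or wrong; "
              f"iam:CreateRole will be denied under a boundary condition")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against `.serverless/cloudformation-template-update-stack.json` after `serverless package` and gate the deploy on its exit status; the expected-boundary comparison also catches a role that carries the wrong boundary, which CreateRole would accept only if the boundary condition in the caller's policy happened to allow it.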
We are facing the same issue here