
iam:CreateRole fails with an explicit deny

Open · sfc-gh-rfehrmann opened this issue 4 years ago · 1 comment

When you deploy the project into an environment that uses AWS permissions boundaries (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html), it fails with a role creation error. In my case, roles could only be created with permissions boundaries applied. Since permissions boundaries are specific to the customer environment, I am not sure if this can be fixed in a generic sense. In my case I was able to fix the problem by setting the rolePermissionsBoundary attribute for the provider in the serverless YAML configuration file:

```yaml
provider:
  ...
  rolePermissionsBoundary: ...
```

Maybe it would be a good idea just to mention this in the documentation.

Another suggestion for a documentation enhancement is to mention the AWS permissions needed for this project:

  • IAM
  • S3
  • CloudFormation
  • APIGateway

BTW, this is an excellent post. Really enjoyed it.

sfc-gh-rfehrmann · Jan 25 '21 13:01
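The explicit deny described in the issue surfaces only at stack creation time, after `serverless deploy` has already uploaded the package. A cheaper place to catch it is the CloudFormation template that `serverless package` writes to `.serverless/cloudformation-template-update-stack.json`: every `AWS::IAM::Role` in it must carry the `PermissionsBoundary` the account demands. The check below is an added example, not code from the project or the issue author; the boundary ARN, the template and the resource names are constructed for illustration.

```python
"""Pre-deploy check: every AWS::IAM::Role in a packaged CloudFormation
template must carry the permissions boundary the target account requires.

Added example; the boundary ARN and the template are constructed.
"""
import json
import sys

# Assumed for the example: the boundary ARN the account's IAM policy or SCP
# requires on every created role (the condition behind the explicit deny).
REQUIRED_BOUNDARY = "arn:aws:iam::123456789012:policy/DeveloperBoundary"

# Constructed stand-in for .serverless/cloudformation-template-update-stack.json.
# The first role has the boundary (what provider.rolePermissionsBoundary emits
# on the generated execution role), the second is a hand-written role that was
# forgotten, the third uses an intrinsic that cannot be checked statically.
SAMPLE_TEMPLATE = {
    "Resources": {
        "IamRoleLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "demo-dev-us-east-1-lambdaRole",
                "PermissionsBoundary": REQUIRED_BOUNDARY,
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
            },
        },
        "CustomWorkerRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "demo-dev-worker",
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
            },
        },
        "ParamBoundaryRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "PermissionsBoundary": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/DeveloperBoundary"},
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
            },
        },
        "ServerlessDeploymentBucket": {"Type": "AWS::S3::Bucket"},
    }
}


def find_unbounded_roles(template, required_boundary):
    """Return {logical_id: reason} for each AWS::IAM::Role whose
    PermissionsBoundary is missing, differs from required_boundary, or is an
    intrinsic function (Ref / Fn::*) that only CloudFormation can resolve."""
    problems = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        boundary = resource.get("Properties", {}).get("PermissionsBoundary")
        if boundary is None:
            problems[logical_id] = "no PermissionsBoundary set"
        elif isinstance(boundary, dict):
            # Intrinsic: cannot be compared offline, flag for manual review.
            problems[logical_id] = "PermissionsBoundary is an intrinsic; verify after deploy"
        elif boundary != required_boundary:
            problems[logical_id] = f"wrong boundary {boundary!r}"
    return problems


def check_template_file(path, required_boundary=REQUIRED_BOUNDARY):
    """Load a packaged template from disk and run the check."""
    with open(path, encoding="utf-8") as fh:
        return find_unbounded_roles(json.load(fh), required_boundary)


if __name__ == "__main__":
    # Usage: python check_boundaries.py [.serverless/cloudformation-template-update-stack.json]
    if len(sys.argv) > 1:
        found = check_template_file(sys.argv[1])
    else:
        found = find_unbounded_roles(SAMPLE_TEMPLATE, REQUIRED_BOUNDARY)
    for logical_id, reason in found.items():
        print(f"{logical_id}: {reason}")
    sys.exit(1 if found else 0)
```

Note the caveat the check is built around: `provider.rolePermissionsBoundary` attaches the boundary only to the execution role the framework generates; any `AWS::IAM::Role` you declare yourself under `resources:` needs `PermissionsBoundary` added by hand, and it is exactly those roles that this script reports.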

Hi Robert, I will include it in the documentation. Also, I will link this Serverless policy generator as well: https://open-sl.github.io/serverless-permission-generator/, probably that will be enough.

tfoldi · Jan 25 '21 15:01