components: Role already exists -> deleted role -> policy AWSLambdaFullAccess does not exist or is not attachable

I’m using express@2.0.5

I haven’t changed anything recently, but I’m no longer able to deploy to any stage

After I deleted the role it said Role with name nectar-api-90yr4ln-lambda-role already exists. So I deleted the role

Then I tried deploying and got the error policy AWSLambdaFullAccess does not exist or is not attachable

Then I tried deploying again and got the same Role already exists error

Fortunately my API is still up and running…but I’ve never run into this issue before…I may try sls remove on dev and see if that solves the issue.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 31 (4 by maintainers)

Most upvoted comments

The issue still occurs to me using the aws-lambda component

Hey all, thanks for the heads up. Will publish a fix for this today.

The fix has been published 🚀

@conversun Thanks so much for sharing that. Yes, it looks like serverless just needs to add an underscore.

https://docs.aws.amazon.com/lambda/latest/dg/security_iam_troubleshoot.html#security_iam_troubleshoot-admin-deprecation

The AWSLambda_FullAccess policy grants full access to Lambda, Lambda console features, and other related AWS services. This policy was created by scoping down the previous policy AWSLambdaFullAccess.

Hoping someone with an SLA agreement has this issue so it will get taken care of immediately. I have different stages but can’t deploy to any of them, so I’m thinking I will need a backup api I can point my domain to in case something like this happens again.

This is now fixed in the aws-lambda component as well.

The plugin that I used is called: https://github.com/davidgf/serverless-plugin-canary-deployments It supports the default codeDeploy role override.

Default configurations

You can set default values for all functions in a top-level custom
deploymentSettings section. E.g.:

custom:
  deploymentSettings:
    codeDeployRole: some_arn_value
    codeDeployRolePermissionsBoundary: some_arn_value
    stages:
      - dev
      - prod
functions:
  ...

I also raised an issue in the repo and the author fixed it yesterday.

I was able to find “AWSLambdaFullAccess” in his repo but now it is fixed. You may try to find it in your plugin repo and also contact the author to fix it.

Thanks, Jason Tsai

On Thu, Apr 1, 2021 at 3:13 AM mdmjsh @.***> wrote:

In my case, I was using a plugin that uses this role AWSLambdaFullAccess. I was able to override the default role used by the plugin and the issue goes away.

@jastsai https://github.com/jastsai thanks for the steer, that seemed to be it for me as I disabled the plugin as a test and the deployment succeeded. I’m unaware of how to manage the default role for the plugin, for posterity, if you have any resources that helped you here could you share the link please? 😃


For Visual Studio / .NET folks

In serverless.template file I’ve replaced AWSLambdaFullAccess with AWSLambda_FullAccess. I have also tried to update template in CloudFormation. Not sure which one fixed it but I was able to publish again after doing those two things.
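Several comments above trace the failure to a template or plugin that still names the deprecated AWSLambdaFullAccess managed policy. The following is an added example, not part of the original thread or any project's code: a Python scan of a project tree (plugin code under node_modules included) for leftover references. The file-suffix list, the sample files and the plugin name hypothetical-plugin are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Deprecated AWS managed policy named in this thread and its scoped-down successor.
DEPRECATED = "AWSLambdaFullAccess"
REPLACEMENT = "AWSLambda_FullAccess"

# Match the bare name or the tail of a managed-policy ARN, but not longer
# identifiers that merely contain it (e.g. AWSLambdaFullAccessCopy).
PATTERN = re.compile(r"(?<![A-Za-z0-9_])" + DEPRECATED + r"(?![A-Za-z0-9_])")

# File types assumed to carry IAM policy references in a serverless project.
SUFFIXES = {".yml", ".yaml", ".json", ".template", ".js", ".ts"}


def scan(root):
    """Return (relative path, line number, line) for each deprecated reference."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            if PATTERN.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits


def demo():
    """Scan a constructed project tree: one template, one config, one plugin file."""
    files = {
        "serverless.template": '{\n  "Policies": ["AWSLambdaFullAccess"]\n}\n',
        "serverless.yml": "policy: arn:aws:iam::aws:policy/AWSLambda_FullAccess\n",
        "node_modules/hypothetical-plugin/role.js":
            'const POLICY = "arn:aws:iam::aws:policy/AWSLambdaFullAccess";\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan(tmp)


if __name__ == "__main__":
    for rel, lineno, line in demo():
        print(f"{rel}:{lineno}: {line}  (replace with {REPLACEMENT} or a narrower role)")
```

Calling `scan(".")` from a project root lists every file that would still request the removed policy at deploy time.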

Thanks for reporting and all your input! I’ve opened up a PR that fixes this here: (You can try it out now with express@dev) https://github.com/serverless-components/express/pull/70

@markrawls I’ve looked into the new _FullAccess policy and it seems that it doesn’t grant access to write logs, which is why I’ve switched to AWSLambdaBasicExecutionRole instead. For more permissions, folks could just use a custom role. You’re right about it being a breaking change, which is why I’ll be publishing v3.0.0 of the express component.

@jpgupta interesting that we are both experiencing this error for the first time at the same time…leads me to believe it could be an issue with an update that was made to the serverless components engine in the last 24 hours, because I made multiple deployments yesterday to multiple stages with no issues.

I’m getting the exact same issue, using the express component in what seems like an identical fashion to @nectarcode

Deleted the role and now getting the AWSLambdaFullAccess does not exist

Tried deleting and creating a new provider but to no avail