serverless: An error occurred: CustomApiGatewayAccountCloudWatchRole - Modifying service token is not allowed..

Error

Serverless: Checking Stack update progress...
.......................................................
Serverless: Operation failed!
Serverless: View the full error output: https://ap-southeast-1.console.aws.amazon.com/cloudformation/home?region=ap-southeast-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aap-southeast-1%3A676534811615%3Astack%2Fpython-serverless-prod%2Ff1654d80-62db-11eb-b754-02c69f0ddb0a
Serverless: Publishing service to the Serverless Dashboard...
Serverless: Successfully published your service to the Serverless Dashboard: https://app.serverless.com/yeukfei02/apps/python-serverless/python-serverless/prod/ap-southeast-1
 
  Serverless Error ---------------------------------------
 
  An error occurred: CustomApiGatewayAccountCloudWatchRole - Modifying service token is not allowed..
 
  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com
 
  Your Environment Information ---------------------------
     Operating System:          linux
     Node Version:              12.21.0
     Framework Version:         2.21.1 (local)
     Plugin Version:            4.4.2
     SDK Version:               2.3.2
     Components Version:        3.6.0

serverless.yml

org: yeukfei02
app: python-serverless
service: python-serverless

frameworkVersion: "2"
useDotenv: true

provider:
  name: aws
  runtime: python3.8
  stage: prod
  region: ap-southeast-1
  apiName: python-serverless-prod
  tracing:
    apiGateway: true
    lambda: true
  environment:
    PYTHON_ENV: production
    MY_AWS_ACCESS_KEY: ${param:MY_AWS_ACCESS_KEY}
    MY_AWS_SECRET_ACCESS_KEY: ${param:MY_AWS_SECRET_ACCESS_KEY}
    JWT_SECRET: ${param:JWT_SECRET}
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "xray:PutTraceSegments"
        - "xray:PutTelemetryRecords"
      Resource:
        - "*"
    - Effect: "Allow"
      Action:
        - "dynamodb:Query"
        - "dynamodb:Scan"
        - "dynamodb:GetItem"
        - "dynamodb:PutItem"
        - "dynamodb:UpdateItem"
        - "dynamodb:DeleteItem"
        - "dynamodb:DescribeTable"
      Resource:
        - "*"
  apiGateway:
    shouldStartNameWithService: true
    description: python serverless prod
  lambdaHashingVersion: 20201221

functions:
  main:
    handler: src/main/handler.main
    events:
      - http:
          path: /
          method: get
          cors: true

  signup:
    handler: src/signup/handler.signup
    events:
      - http:
          path: /signup
          method: post
          cors: true

  login:
    handler: src/login/handler.login
    events:
      - http:
          path: /login
          method: post
          cors: true

  authorize:
    handler: src/authorize/handler.authorize

  createNotes:
    handler: src/createNotes/handler.createNotes
    events:
      - http:
          path: /notes/create-notes
          method: post
          cors: true
          authorizer:
            name: authorize

  getNotes:
    handler: src/getNotes/handler.getNotes
    events:
      - http:
          path: /notes
          method: get
          cors: true
          authorizer:
            name: authorize

  getNoteById:
    handler: src/getNoteById/handler.getNoteById
    events:
      - http:
          path: /notes/{id}
          method: get
          cors: true
          authorizer:
            name: authorize

  updateNoteById:
    handler: src/updateNoteById/handler.updateNoteById
    events:
      - http:
          path: /notes/{id}
          method: patch
          cors: true
          authorizer:
            name: authorize

  deleteNoteById:
    handler: src/deleteNoteById/handler.deleteNoteById
    events:
      - http:
          path: /notes/{id}
          method: delete
          cors: true
          authorizer:
            name: authorize

plugins:
  - serverless-python-requirements
  - serverless-prune-plugin
  - serverless-offline
  # - serverless-plugin-split-stacks

custom:
  pythonRequirements:
    dockerizePip: true
    pythonBin: python3
  prune:
    automatic: true
    number: 3

I am using github actions to deploy python serverless to aws lambda…have this error… nodejs lambda func use with serverless-plugin-split-stacks also same… anyway can fix this?

Thanks a lot.

About this issue

  • Original URL
  • State: closed
  • Created 3 years ago
  • Comments: 30 (7 by maintainers)

Most upvoted comments

I’m seeing this error in version 3.34.0 and unfortunately, none of the things mentioned in this thread have resolved it.

Version information:

Framework Core: 3.34.0 (local) 3.33.0 (global)
Plugin: 6.2.3
SDK: 4.3.2

What I’m doing: Trying to deploy a stage named prod after deploying the default dev stage for an app. The stages are in the same provider. I set up a project, then ran sls deploy, which was successful, followed by sls deploy --stage prod which is where I encountered the error.

The message I’m getting:

Error:
UPDATE_FAILED: CustomApiGatewayAccountCloudWatchRole (Custom::ApiGatewayAccountRole)
Modifying service token is not allowed.

What I’ve tried:

  1. Using different stage names. E.g. main.
  2. Using a custom provider.logs.restApi.role and setting provider.logs.restApi.roleManagedExternally to true as suggested by @Zambonilli.
  3. Deploying the “prod” stage to a separate “service” in Serverless.

Whatever I do, anything but the default dev stage results in that error. Has this still not been resolved?

+1
bjornhansen on Aug 9, 2023
Read more comments on GitHub
← serverless: After Version 1.60.2 Serverless fails to deploy with Error "The CloudFormation template is invalid: Template format error: Unresolved resource dependencies [WebsocketsApiParameter] in the Resources block of the template"
serverless: An error occurred: ServerlessDeploymentBucket - API: s3:SetBucketEncryption Access Denied. →