serverless: Deploy fails with S3 bucket error

This is a Bug Report

Description

  • What went wrong? When I try to deploy my serverless application via serverless deploy I get the following error: An error occurred: ServerlessDeploymentBucket - API: s3:CreateBucket Access Denied.

  • Configuration This is my serverless.yml

service: xyz

provider:
  name: aws
  runtime: python2.7
  stage: dev2-gs-1
  region: us-west-2
  profile: mfa
  environment:
    DB_HOST: "hostname"
    DB_USER: "root"
    DB_PASS: "<password>"
    LOG_LEVEL: "DEBUG"

functions:
  login:
    handler: handler.login
    events:
       - http:
           path: /api/v1/login
           method: post
           cors: true
...
  • Detailed stack trace.
Serverless: Invoke aws:deploy:deploy
Serverless: Creating Stack...
Serverless: Checking Stack create progress...
....
Serverless: Operation failed!
 
  Serverless Error ---------------------------------------
 
  An error occurred: ServerlessDeploymentBucket - API: s3:CreateBucket Access Denied.
 
  Stack Trace --------------------------------------------
 
ServerlessError: An error occurred: ServerlessDeploymentBucket - API: s3:CreateBucket Access Denied.
    at provider.request.then (/usr/lib/node_modules/serverless/lib/plugins/aws/lib/monitorStack.js:114:33)
From previous event:
    at AwsDeploy.monitorStack (/usr/lib/node_modules/serverless/lib/plugins/aws/lib/monitorStack.js:26:12)
    at provider.request.then (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/lib/createStack.js:41:29)
From previous event:
    at AwsDeploy.create (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/lib/createStack.js:41:7)
From previous event:
    at AwsDeploy.BbPromise.bind.then.catch (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/lib/createStack.js:71:14)
From previous event:
    at AwsDeploy.createStack (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/lib/createStack.js:64:13)
From previous event:
    at Object.aws:deploy:deploy:createStack [as hook] (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/index.js:98:10)
    at BbPromise.reduce (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:360:55)
From previous event:
    at PluginManager.invoke (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:360:22)
    at PluginManager.spawn (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:378:17)
    at AwsDeploy.BbPromise.bind.then (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/index.js:91:48)
From previous event:
    at Object.deploy:deploy [as hook] (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/index.js:87:10)
    at BbPromise.reduce (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:360:55)
From previous event:
    at PluginManager.invoke (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:360:22)
    at PluginManager.run (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:391:17)
    at variables.populateService.then (/usr/lib/node_modules/serverless/lib/Serverless.js:99:33)
    at runCallback (timers.js:672:20)
    at tryOnImmediate (timers.js:645:5)
    at processImmediate [as _immediateCallback] (timers.js:617:5)
From previous event:
    at Serverless.run (/usr/lib/node_modules/serverless/lib/Serverless.js:86:74)
    at serverless.init.then (/usr/lib/node_modules/serverless/bin/serverless:39:50)
 
  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Forums:        forum.serverless.com
     Chat:          gitter.im/serverless/serverless
 
  Your Environment Information -----------------------------
     OS:                     linux
     Node Version:           7.8.0
     Serverless Version:     1.22.0
  • What was the config you used?

Also, if I try to deploy the application again, I get a different error saying Missing required key 'Bucket' in params

  • Detailed stacktrace
Serverless: Invoke aws:deploy:deploy
 
  Serverless Error ---------------------------------------
 
  Missing required key 'Bucket' in params
 
  Stack Trace --------------------------------------------
 
ServerlessError: Missing required key 'Bucket' in params
    at Response.req.send (/usr/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:187:20)
    at Request.<anonymous> (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:364:18)
    at Request.callListeners (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
    at Request.emit (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:35:11)
    at Request.<anonymous> (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
    at callNextListener (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:95:12)
    at /usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/event_listeners.js:85:9
    at finish (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/config.js:315:7)
    at /usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/config.js:333:9
    at EnvironmentCredentials.get (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/credentials.js:126:7)
    at getAsyncCredentials (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/config.js:327:24)
    at Config.getCredentials (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/config.js:347:9)
    at Request.VALIDATE_CREDENTIALS (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/event_listeners.js:80:26)
    at Request.callListeners (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:101:18)
    at Request.emit (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at Request.runTo (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:403:15)
    at Request.send (/usr/lib/node_modules/serverless/node_modules/aws-sdk/lib/request.js:367:10)
    at BbPromise (/usr/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:175:13)
    at persistentRequest (/usr/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:174:14)
    at doCall (/usr/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:153:9)
    at BbPromise (/usr/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:164:14)
From previous event:
    at persistentRequest (/usr/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:151:38)
    at AwsProvider.request (/usr/lib/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:167:12)
    at AwsDeploy.getMostRecentObjects (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/lib/checkForChanges.js:33:26)
From previous event:
    at AwsDeploy.checkForChanges (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/lib/checkForChanges.js:20:8)
From previous event:
    at Object.aws:deploy:deploy:checkForChanges [as hook] (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/index.js:102:10)
    at BbPromise.reduce (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:360:55)
From previous event:
    at PluginManager.invoke (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:360:22)
    at PluginManager.spawn (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:378:17)
    at AwsDeploy.BbPromise.bind.then (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/index.js:91:48)
From previous event:
    at Object.deploy:deploy [as hook] (/usr/lib/node_modules/serverless/lib/plugins/aws/deploy/index.js:87:10)
    at BbPromise.reduce (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:360:55)
From previous event:
    at PluginManager.invoke (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:360:22)
    at PluginManager.run (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:391:17)
    at variables.populateService.then (/usr/lib/node_modules/serverless/lib/Serverless.js:99:33)
    at runCallback (timers.js:672:20)
    at tryOnImmediate (timers.js:645:5)
    at processImmediate [as _immediateCallback] (timers.js:617:5)
From previous event:
    at Serverless.run (/usr/lib/node_modules/serverless/lib/Serverless.js:86:74)
    at serverless.init.then (/usr/lib/node_modules/serverless/bin/serverless:39:50)

Also, with the same profile using AWS command line, I can successfully create the S3 bucket.

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 5
  • Comments: 22 (11 by maintainers)

Most upvoted comments

API: s3:CreateBucket Access Denied seems to hide deeper permission issues.

By looking at the S3 section of the cloudformation template that is created by sls deploy (in the ./serverless dir) you can get an idea of what other S3 permissions might be needed.

In my case, I was creating and setting up an S3 bucket for a static website, and the Access Denied was due to the IAM role also needing (as revealed in the template above):

  • s3:PutBucketPolicy
  • s3:PutBucketWebsite
  • s3:PutBucketAcl

Hope this helps someone else!
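
The template check described in the comment above, as an added example that is not code from the thread or from the Serverless project: it walks a CloudFormation template's Resources and lists the S3 actions the deploying identity is likely to need beyond s3:CreateBucket. The property-to-action mapping, the function names and the sample template are assumptions constructed for illustration; load the real template from the directory the comment mentions with json.load.

```python
from fnmatch import fnmatchcase

# Assumed, non-exhaustive mapping from CloudFormation S3 resource types and
# bucket properties to the IAM actions needed to apply them.
TYPE_ACTIONS = {"AWS::S3::Bucket": "s3:CreateBucket",
                "AWS::S3::BucketPolicy": "s3:PutBucketPolicy"}
PROPERTY_ACTIONS = {"AccessControl": "s3:PutBucketAcl",
                    "WebsiteConfiguration": "s3:PutBucketWebsite",
                    "CorsConfiguration": "s3:PutBucketCORS",
                    "VersioningConfiguration": "s3:PutBucketVersioning",
                    "BucketEncryption": "s3:PutEncryptionConfiguration"}

def required_s3_actions(template):
    """Map each S3 resource's logical ID to the IAM actions it implies."""
    needed = {}
    for logical_id, res in template.get("Resources", {}).items():
        base = TYPE_ACTIONS.get(res.get("Type"))
        if base is None:
            continue  # not an S3 resource
        actions = {base}
        if res["Type"] == "AWS::S3::Bucket":
            actions |= {PROPERTY_ACTIONS[p] for p in res.get("Properties", {})
                        if p in PROPERTY_ACTIONS}
        needed[logical_id] = sorted(actions)
    return needed

def missing_actions(template, allowed_patterns):
    """Required actions not covered by any allowed pattern (wildcards, case-insensitive)."""
    required = {a for acts in required_s3_actions(template).values() for a in acts}
    return sorted(a for a in required
                  if not any(fnmatchcase(a.lower(), p.lower()) for p in allowed_patterns))

# Constructed sample template (shape of a static-website setup, not from the thread).
SAMPLE_TEMPLATE = {"Resources": {
    "ServerlessDeploymentBucket": {"Type": "AWS::S3::Bucket"},
    "SiteBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"AccessControl": "PublicRead",
                                  "WebsiteConfiguration": {"IndexDocument": "index.html"}}},
    "SiteBucketPolicy": {"Type": "AWS::S3::BucketPolicy",
                         "Properties": {"Bucket": {"Ref": "SiteBucket"}, "PolicyDocument": {}}},
    "LoginLambdaFunction": {"Type": "AWS::Lambda::Function"},
}}

if __name__ == "__main__":
    for logical_id, actions in required_s3_actions(SAMPLE_TEMPLATE).items():
        print(logical_id, actions)
    print("missing:", missing_actions(SAMPLE_TEMPLATE, ["s3:CreateBucket", "s3:Get*"]))
```

Pass the Action patterns from the deploying role's policy as allowed_patterns; anything returned is a permission to grant narrowly on the affected bucket rather than by widening to s3:*.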

I’m still having this issue with Serverless 1.41.1.

I ran into the same scenario as this issue.

Scenario: I have an IAM user with an mfa-required policy, and if I use the access key credential of this user to deploy my service, I encounter the error An error occurred: ServerlessDeploymentBucket - API: s3:CreateBucket Access Denied.

But I can successfully use the aws cli to create the S3 bucket with this credential.

Solution: I follow this tutorial and use the temporary credential created by mfa to deploy my service. Everything seems to be working fine.

AWS CloudFormation Event Log: screen shot 2017-09-20 at 14 27 43

Thanks for reporting the issue @ghsatpute.

It seems that your IAM permissions are insufficient. Are you sure that you’re using the correct IAM credentials?

You can check that by running the following command. If this command succeeds:

aws s3api create-bucket --bucket someuniquebucketname12323123

Then the problem might be somewhere in Serverless framework.

I had the same issue when my user’s IAM policy had an IP whitelist. Below is an example of the Administrator IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                        "192.168.0.10",
                        "34.1.2.3"
                    ]
                }
            }
        }
    ]
}

Removing Condition from the IAM policy fixes the issue. (Creating bucket using aws-cli always works).
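
Both the IP-whitelist report above and the earlier MFA report describe a policy condition tied to how the caller reached AWS, while the deployment bucket is created by CloudFormation as a stack resource rather than by a direct S3 call from the CLI. As an added example (not code from the thread or from the Serverless project), this check lists the statements in a policy document that make a given action depend on source IP or MFA state. The function names, the key list and the MFA sample policy are assumptions constructed for illustration; the first sample is the policy quoted above.

```python
from fnmatch import fnmatchcase

# Condition keys tied to how the original caller reached AWS (lower-cased).
CALLER_BOUND_KEYS = {"aws:sourceip", "aws:multifactorauthpresent",
                     "aws:multifactorauthage"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def covers(stmt, action):
    """True if the statement's Action or NotAction element applies to `action`."""
    negate = "NotAction" in stmt
    patterns = as_list(stmt.get("NotAction" if negate else "Action", []))
    hit = any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit != negate

def caller_bound_conditions(policy, action="s3:CreateBucket"):
    """Return (sid, effect, operator, key) for each caller-bound condition gating `action`."""
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement", []))):
        if not covers(stmt, action):
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            for key in keys:
                if key.lower() in CALLER_BOUND_KEYS:
                    findings.append((stmt.get("Sid", f"Statement[{idx}]"),
                                     stmt["Effect"], operator, key))
    return findings

# The Administrator policy quoted in the comment above.
IP_WHITELIST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*",
     "Condition": {"IpAddress": {"aws:SourceIp": ["192.168.0.10", "34.1.2.3"]}}}]}

# Constructed MFA-required policy (assumed shape; the thread does not show one).
MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyWithoutMfa", "Effect": "Deny",
     "NotAction": ["iam:*", "sts:GetSessionToken"], "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

if __name__ == "__main__":
    for name, doc in (("ip-whitelist", IP_WHITELIST_POLICY), ("mfa", MFA_POLICY)):
        print(name, caller_bound_conditions(doc))
```

A finding is a prompt to review how the deploy is authenticated, for example by deploying with the temporary MFA credentials mentioned earlier in the thread, before deciding whether the condition itself needs to change.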

@ghsatpute thanks for getting back 👍

It looks like you deploy with a profile called mfa. Can you confirm that the mfa profile is used for deployment? Serverless will default to the AWS default profile if the specific profile cannot be found.