serverless: Deploy with VPC and custom role fails
This is a Bug Report
Description
Deploy fails on `Requires capabilities : [CAPABILITY_NAMED_IAM]`. I want to deploy functions to a VPC, so my serverless.yml looks like this:
```yaml
provider:
  role: developerPortalLambdaRole
  vpc:
    securityGroupIds:
      - ${file(./env.yml):VPC_SECURITY_GROUP}
    subnetIds:
      - ${file(./env.yml):VPC_SUBNET1}
      - ${file(./env.yml):VPC_SUBNET2}
resources:
  Resources:
    developerPortalLambdaRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: DeveloperPortalLambdaRole
        AssumeRolePolicyDocument:
          Version: '2017'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: DeveloperPortalLambdaPolicy
            PolicyDocument:
              Version: '2017'
              Statement:
                - Effect: Allow
                  Action:
                    - logs:CreateLogGroup
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource: "arn:aws:logs:${file(./env.yml):REGION}:${file(./env.yml):ACCOUNT_ID}:log-group:/aws/lambda/*:*:*"
                - Effect: Allow
                  Action:
                    - ec2:CreateNetworkInterface
                    - ec2:DescribeNetworkInterfaces
                    - ec2:DetachNetworkInterface
                    - ec2:DeleteNetworkInterface
                    - ses:SendEmail
                  Resource: "*"
                - Effect: Allow
                  Action:
                    - "s3:*"
                  Resource:
                    - "arn:aws:s3:::${file(./env.yml):S3_BUCKET}/*"
                - Effect: Allow
                  Action:
                    - "cognito-identity:*"
                    - "cognito-idp:*"
                  Resource:
                    - "arn:aws:cognito-idp:${file(./env.yml):REGION}:${file(./env.yml):ACCOUNT_ID}:userpool/${file(./env.yml):COGNITO_POOL_ID}"
```
(Complete file is here: https://github.com/keboola/developer-portal/blob/68b88cb7f0fa088235f7d8e887176f75921d757b/serverless.yml)
Originally I had all policies in `iamRoleStatements`, but putting `ec2:CreateNetworkInterface` there (https://github.com/keboola/developer-portal/blob/4c3be3b73de511e121dc55e2050d26c661eec546/serverless.yml#L37) didn’t work: the deploy failed with `Your access has been denied by EC2, please make sure your function execution role have permission to CreateNetworkInterface`. So I rewrote it to use a custom role according to https://serverless.com/framework/docs/providers/aws/guide/iam#provide-a-default-role-for-all-lambdas-except-those-overriding-the-default, but it doesn’t work either.
Additional Data
- Serverless Framework Version you’re using: 1.1.0
- Operating System: macOS 10.12.1
- Stack Trace:
- Provider Error messages:
About this issue
- State: closed
- Created 8 years ago
- Comments: 22 (18 by maintainers)
For anyone else who might run into this, the problem was that `Version` of the custom `PolicyDocument` in our `serverless.yml` wasn’t wrapped in quotes. When defined like `Version: 2012-10-17`, Serverless parsed the value as a date and tried to set it as `2012-10-17T00:00:00.000Z` in the CloudFormation template. Changing the value to `Version: "2012-10-17"` fixed the issue. Here is the relevant section:
@jeremydaly Could you share your serverless config? Because I do expect one issue with a missing `DependsOn`. Working on https://github.com/serverless/serverless/pull/2743 which should fix some of the default issues.
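An added check, not from the Serverless project or either commenter, that reproduces both problems on this page from a constructed serverless.yml fragment: Ruby's standard YAML parser resolves an unquoted `2012-10-17` to a Date the same way Serverless's parser did, so the linter flags a `Version` that came back as a date or is not `2012-10-17`, and it flags a `RoleName` on an `AWS::IAM::Role`, which turns it into a named IAM resource that needs CAPABILITY_NAMED_IAM. The resource names are copied from the report; `lint_serverless_resources` and `policy_documents` are hypothetical helper names.

```ruby
require 'yaml'
require 'date'

IAM_POLICY_VERSION = '2012-10-17'

# Constructed sample (not the reporter's full file): unquoted Version plus a RoleName.
BROKEN_YAML = <<~YAML
  resources:
    Resources:
      developerPortalLambdaRole:
        Type: AWS::IAM::Role
        Properties:
          RoleName: DeveloperPortalLambdaRole
          AssumeRolePolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Principal: { Service: [lambda.amazonaws.com] }
                Action: sts:AssumeRole
YAML

# Same fragment with the RoleName dropped and the Version quoted.
FIXED_YAML = BROKEN_YAML.lines.reject { |l| l.include?('RoleName:') }.join
  .sub('Version: 2012-10-17', 'Version: "2012-10-17"')

# Every policy document attached to a role, keyed by where it sits.
def policy_documents(props)
  docs = []
  docs << ['AssumeRolePolicyDocument', props['AssumeRolePolicyDocument']] if props['AssumeRolePolicyDocument']
  Array(props['Policies']).each do |p|
    docs << ["Policies/#{p['PolicyName']}", p['PolicyDocument']] if p['PolicyDocument']
  end
  docs
end

# Returns findings for the IAM roles under resources.Resources. Date is
# permitted deliberately: the mis-parse is exactly what we want to observe.
def lint_serverless_resources(yaml_text)
  cfg = YAML.safe_load(yaml_text, permitted_classes: [Date])
  findings = []
  (cfg.dig('resources', 'Resources') || {}).each do |name, res|
    next unless res['Type'] == 'AWS::IAM::Role'
    props = res['Properties'] || {}
    # Naming the role makes it a named IAM resource: the stack needs CAPABILITY_NAMED_IAM.
    findings << "#{name}: RoleName set, stack needs CAPABILITY_NAMED_IAM" if props.key?('RoleName')
    policy_documents(props).each do |path, doc|
      version = doc['Version']
      if version.is_a?(Date)
        findings << "#{name}/#{path}: Version parsed as a date (#{version.iso8601}), quote it"
      elsif version != IAM_POLICY_VERSION
        findings << "#{name}/#{path}: Version #{version.inspect} is not #{IAM_POLICY_VERSION}"
      end
    end
  end
  findings
end

puts lint_serverless_resources(BROKEN_YAML)
```

Running it on the broken fragment prints both findings; the fixed fragment produces none.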