This is a (Bug Report)
Description
For bug reports:
- When creating the IAM role ApigatewayToStepFunctionsRole, the plugin is not using the permissionsBoundary specified in provider; as a result, creation of the role fails.
- The expected behavior was that, like the IAM role created for Lambda functions, it would use the permissions boundary specified.
- What was the config you used?
```yaml
service: bulk-server
frameworkVersion: 2
plugins:
  - serverless-webpack
  - serverless-pseudo-parameters
  - serverless-step-functions
provider:
  name: aws
  runtime: nodejs12.x
  rolePermissionsBoundary: arn:aws:iam::#{AWS::AccountId}:policy/DeveloperBoundaryPolicy
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "states:StartExecution"
      Resource:
        - "*"
  stage: ${opt:stage,'dev'}
  apiGateway:
    minimumCompressionSize: 1024
  environment:
    AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"
functions:
  writejob:
    handler: src/handlers.writejob
    events:
      - http:
          method: GET
          path: writejob
  mapjob:
    handler: src/handlers.mapjob
    events:
      - http:
          method: GET
          path: mapjob
  completejob:
    handler: src/handlers.completejob
    events:
      - http:
          method: GET
          path: completejob
stepFunctions:
  stateMachines:
    jobProcessor:
      name: JobProcessor
      events:
        - http:
            method: GET
            path: processjob
      definition:
        StartAt: writejob
        States:
          writejob:
            Type: Pass
            End: true
```
- What stacktrace or error message from your provider did you see?
API: iam:CreateRole User: arn:aws:sts::myacct:assumed-role/MYASSUMEDROLE/MYSUSERNAME is not authorized to perform: iam:CreateRole on resource:
Additional Data
- Serverless Framework Core Version you're using: 2.0
- The Plugin Version you're using: "serverless-step-functions": "^2.29.0"
- Operating System: mac
- Stack Trace:
- Provider Error messages:
To work around the issue, I created an iamRole and referenced it in the step function:
```yaml
resources:
  Resources:
    myDefaultRole:
    ApigatewayToStepFunctionsRole:
      Type: 'AWS::IAM::Role'
      Properties:
        PermissionsBoundary: arn:aws:iam::#{AWS::AccountId}:policy/DeveloperBoundaryPolicy
        RoleName: myrole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - states.amazonaws.com
                  - apigateway.amazonaws.com
              Action: 'sts:AssumeRole'
```
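
A pre-deploy check for the gap this report describes, as an added example (not code from the issue author or from the plugin): it walks a compiled CloudFormation template and flags every `AWS::IAM::Role` whose `PermissionsBoundary` is absent or differs from the expected one. The function names and the sample template are constructed for illustration; the `Fn::Sub` form of the boundary is an assumption about how the `#{AWS::AccountId}` pseudo-parameter compiles.

```javascript
// Constructed sample: a trimmed compiled template in which the Lambda role
// carries the boundary and the plugin-generated role does not.
const BOUNDARY = { 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:policy/DeveloperBoundaryPolicy' };

const sampleTemplate = {
  Resources: {
    IamRoleLambdaExecution: {
      Type: 'AWS::IAM::Role',
      Properties: { PermissionsBoundary: BOUNDARY, AssumeRolePolicyDocument: {} },
    },
    ApigatewayToStepFunctionsRole: {
      Type: 'AWS::IAM::Role',
      Properties: { AssumeRolePolicyDocument: {} },
    },
    JobProcessor: { Type: 'AWS::StepFunctions::StateMachine', Properties: {} },
  },
};

// A boundary may be a plain ARN string or an intrinsic (Fn::Sub, Fn::Join),
// so compare by structure rather than by reference.
const sameValue = (a, b) => JSON.stringify(a) === JSON.stringify(b);

// Return one finding per IAM role whose boundary is absent or differs.
function findRolesOutsideBoundary(template, expected) {
  const findings = [];
  for (const [logicalId, res] of Object.entries(template.Resources || {})) {
    if (!res || res.Type !== 'AWS::IAM::Role') continue; // skip non-roles and empty entries
    const actual = (res.Properties || {}).PermissionsBoundary;
    if (actual === undefined) findings.push({ logicalId, reason: 'missing' });
    else if (!sameValue(actual, expected)) findings.push({ logicalId, reason: 'mismatch' });
  }
  return findings;
}

// Return a copy of the template with the boundary set on every role that lacks one.
// Roles carrying a different boundary are left alone so the mismatch stays visible.
function withBoundaryApplied(template, expected) {
  const copy = JSON.parse(JSON.stringify(template));
  for (const { logicalId, reason } of findRolesOutsideBoundary(copy, expected)) {
    if (reason !== 'missing') continue;
    const res = copy.Resources[logicalId];
    res.Properties = { ...(res.Properties || {}), PermissionsBoundary: expected };
  }
  return copy;
}

console.log(findRolesOutsideBoundary(sampleTemplate, BOUNDARY));
```

Run against the compiled template before deployment, a non-empty result identifies the roles that would be rejected by an `iam:CreateRole` policy conditioned on the boundary.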