execute serverless deploy with aws role

Question

I am trying to deploy a simple lambda funtcion with the serverless framework. My IAM user doesn't have the necessary permissions to run cloudformation:

User: arn:aws:iam::xxx:user/xxx is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:us-east-1:xxx:stack/xx

That's more or less intended, since our setup is using IAM roles to perform certain tasks. I have configured those roles in my ~/.aws/config file, and for aws cli operations I can e.g. call

aws s3 ls --profile myrole

in that way I attach all policies from the role 'myrole' to my IAM user to execute the aws-cli command.

Is there any way of doing something similar for serverless, i.e. attaching a role (not a different user) to the

serverless depoly

statement?

If I change the role via export

AWS_PROFILE=myrole

or call

serverless deploy --aws-profile myrole

I get Error: Profile myrole does not exist even though the role is defined in /.aws/credentials and ~/.aws/config

You will need one IAM user or role with all the permissions needed todo the deployment. — WaltDe, Aug 28 '19 at 14:40
Thanks @WaltDe but how cal I attach that role to my deployment command? — Stefan M, Aug 28 '19 at 14:58
You will need assume your deployment role before running serverless which you can do through the environment variable AWS_PROFILE For details https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html#cli-role-prepare — WaltDe, Aug 28 '19 at 15:08
no success, I get `Error: Profile myrole does not exist` . I just found a similar issue described here: [https://github.com/serverless/serverless/issues/5474] — Stefan M, Aug 29 '19 at 07:33

score 17 · Answer 1 · answered Aug 29 '19 at 09:24

17

OK, I found a solution to get this working. Apparently you need to set AWS_SDK_LOAD_CONFIG to a truthy value, such that the Session will be created from the configuration values from the shared config (~/.aws/config) and shared credentials (~/.aws/credentials) files.

export AWS_SDK_LOAD_CONFIG=1

then execute with

serverless deploy --aws-profile myrole

answered Aug 29 '19 at 09:24

Stefan M

354
2
9

yes, yes, yes! I was fighting with policies and roles and the problem was within environmental variable. Stefan, you made my day. Thank you! – Sielu Jun 08 '20 at 15:01
Can you get that to work for EKS with a pod running in a fargate profile? – chaws Jun 08 '20 at 22:16
Thx for saving 2h of my times dude ;) – felicienb Sep 09 '20 at 13:33

execute serverless deploy with aws role

1 Answers1

Linked