
AccessDeniedException: Caller does not have permissions to create a Service Linked Role


I am trying to use serverless-domain-manager to create an endpoint of type “regional”. I have created an IAM policy as per this info

Now when I try to deploy with this config:

  customDomain:
    domainName: myapp-${opt:stage, self:provider.stage}.apps.XXXX.com
    createRoute53Record: true
    certificateName: "*.apps.XXXX.com"
    certificateRegion: eu-west-1
    endpointType: regional

I get the following error:

  Error: 'myapp-dev.apps.XXXX.com' was not created in API Gateway.
  AccessDeniedException: Caller does not have permissions to create a Service Linked Role.

It looks like I need “iam:CreateServiceLinkedRole” but I’m not sure on what resource (and giving out iam permissions is not something I take lightly!)

This is the policy I have added for serverless-domain-manager:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "acm:ListCertificates",
                "cloudfront:UpdateDistribution"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "route53:GetHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/XXXX"
            ]
        },
        {
            "Sid": "VisualEditor1a",
            "Effect": "Allow",
            "Action": "apigateway:GET",
            "Resource": "arn:aws:apigateway:eu-west-1::/domainnames/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "apigateway:DELETE",
            "Resource": "arn:aws:apigateway:eu-west-1::/domainnames/*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "apigateway:POST",
            "Resource": "arn:aws:apigateway:eu-west-1::/domainnames"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "apigateway:POST",
            "Resource": "arn:aws:apigateway:eu-west-1::/domainnames/*/basepathmappings"
        }
    ]
}

To be clear: I have created this as a policy in IAM, and have attached it as a managed policy to a group called devops, and the user whose API key I’m using to deploy is a member of that group. This approach has worked fine for me before when running serverless.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 12 (3 by maintainers)

Top GitHub Comments

aoskotsky-amplify commented, Jul 25, 2018 (18 reactions)

Looks like the role that’s created is AWSServiceRoleForAPIGateway. Maybe try adding arn:aws:iam::<account number>:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway for the resource

zoellner commented, Jan 17, 2019 (8 reactions)

Was just able to confirm that the permission mentioned is sufficient

- Effect: Allow
  Action:
    - iam:CreateServiceLinkedRole
  Resource:
    - !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway
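The statement above, checked with a small IAM-style policy evaluator, as an added example that is not code from the issue or from serverless-domain-manager. It confirms the grant covers exactly one action on exactly one role ARN and nothing else in IAM; the account id 123456789012 is constructed, and the Condition on iam:AWSServiceName is an added hardening that the issue does not mention.

```python
"""IAM-style evaluator for the iam:CreateServiceLinkedRole fix.

Added example, not code from the issue or serverless-domain-manager. It checks
that the grant covers exactly one thing: creating the API Gateway SLR.
Account id 123456789012 is constructed; the Condition is an added hardening
(iam:AWSServiceName is IAM's condition key for this action) not in the issue.
"""
import re

SLR_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
           "ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway")
# The OP's first statement (broad, but no iam:* action) plus the fix from
# the comment, with the CloudFormation !Sub already resolved.
ORIGINAL_STATEMENT = {
    "Effect": "Allow", "Resource": "*",
    "Action": ["route53:ListHostedZones", "acm:ListCertificates",
               "cloudfront:UpdateDistribution"],
}
FIX_STATEMENT = {
    "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
    "Resource": SLR_ARN,
    "Condition": {"StringEquals":
                  {"iam:AWSServiceName": "ops.apigateway.amazonaws.com"}},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' = any run of characters, '?' = one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _matches(stmt, action, resource, context):
    """True if the statement applies to this request (action, ARN, condition keys)."""
    if not any(_glob(p, action, True) for p in _as_list(stmt["Action"])):
        return False
    if not any(_glob(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(want):  # absent key never matches
            return False
    return True

def is_allowed(statements, action, resource, context=None):
    """IAM decision: explicit Deny wins, else any matching Allow, else denied."""
    effects = {s["Effect"] for s in statements
               if _matches(s, action, resource, context or {})}
    return "Deny" not in effects and "Allow" in effects
```

Run it against the full deploy policy before attaching: the original statements alone should still return False for iam:CreateServiceLinkedRole (the error in the issue), and the fixed policy should return False for any other role ARN or any other iam: action.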
