`provider.cfnRole` not assumed during deploy when value defined as a variable


Bug Report

Description

1. What did you do?

Tried to deploy my serverless service to AWS using a custom cfnRole that references an env var (${env:CF_ROLE})

1. What happened?

Serverless did not assume the role defined in provider.cfnRole during the deployment phase. This role provides the permissions necessary to provision serverless resources via cloudformation.

I pass in the cfnRole as an environment variable inside an AWS Codebuild stage. The Codebuild environment is using a role different from the cfnRole, but I have confirmed that the Codebuild role is able to assume the cfnRole.

I have confirmed the Codebuild Role is able to assume the role defined in provider.cfnRole.

Seems like the cfnRole: "${env:CF_ROLE}" is never resolved.

1. What should’ve happened?

Serverless resolves the ${env:CF_ROLE} variable from the environment and assumes the role during the deployment step.

I have confirmed that the environment variable CF_ROLE is set in the Codebuild environment.

Additionally: If I hard-code the provider.cfnRole ARN into my serverless.yml file, the issue goes away and Serverless is able to assume the role.

1. What’s the content of your serverless.yml file?

service: directory-sync

# You can pin your service to only deploy with a specific Serverless version
# Check out our docs for more details
frameworkVersion: ">=1.3.4 <2.0.0"

provider:
  name: aws
  runtime: python3.6

  region: us-east-1
  stage: ${opt:stage, 'local'}
  timeout: 20
  memorySize: 1024
  endpointType: REGIONAL

  cfnRole: "${env:CF_ROLE}" # Role used to provision functions (see pipeline.yml)
  environment:
    SERVICE: ${self:service}
    STAGE: ${self:provider.stage}
    RELEASE_CODE: ${env:RELEASE_CODE, 'local'}


package:
  individually: true
  include:
    - "!./**"
    - "./functions/**"
  exclude:
    - "**"

plugins:
  - serverless-cf-vars
  - serverless-python-requirements
  - serverless-s3-local

########################## CUSTOM CONFIGURATION ##########################
custom:
  prefix: "${self:service}-${self:provider.stage}"
  
  pythonRequirements:
    dockerizePip: false # todo: enable when deploying dependencies w/native compilation
    slim: true
    slimPatterns:
      - "**/*.egg-info*"


######################## FUNCTION DEFINITIONS ###########################

functions:
  syncRunner:
    handler: handler.handle
    module: functions/sync_runner
    timeout: 900
    environment:
         # misc lambda env vars

    role:
      Fn::GetAtt:
        - DirectorySyncRole
        - Arn
    events:
      - schedule:
          name: ${self:custom.prefix}-monitor
          rate: cron(*/15 * * * ? *)
          enabled: ${self:custom.monitorEnabled.${self:provider.stage}, 'false'}

########################### RESOURCES ###########################

resources: ${file(resources.yml)}

1. What’s the output you get when you use the SLS_DEBUG=* environment variable (e.g. SLS_DEBUG=* serverless deploy)

Most relevant sections:


Serverless: Validating template...
Serverless: [AWS cloudformation 200 0.276s 0 retries] validateTemplate({ TemplateURL:
'https://s3.amazonaws.com/****-serverlessdeploymentbucket-wefzeuv3q2l/serverless/***/prod/1583449248759-2020-03-05T23:00:48.759Z/compiled-cloudformation-template.json' })
Serverless: Updating Stack...
Serverless: [AWS cloudformation 200 0.414s 0 retries] updateStack({ StackName: '***',
Capabilities: [ 'CAPABILITY_IAM', 'CAPABILITY_NAMED_IAM', [length]: 2 ],
Parameters: [ [length]: 0 ],
TemplateURL:
'https://s3.amazonaws.com/****-serverlessdeploymentbucket-wefzeuv3q2l/serverless/***/prod/1583449248759-2020-03-05T23:00:48.759Z/compiled-cloudformation-template.json',
Tags:
[ { Key: 'STAGE', Value: 'prod' },
{ Key: 'Name', Value: '*** },
{ Key: 'service', Value: '***' },
{ Key: 'environment', Value: 'prod' },
{ Key: 'owner', Value: '***' },
[length]: 5 ] })
Serverless: Checking Stack update progress...
Serverless: [AWS cloudformation 200 0.079s 0 retries] describeStackEvents({ StackName:
'arn:aws:cloudformation:us-east-1:*****:stack/****/2c9a3a90-5f32-11ea-8990-12305fa4f4bd' })
....Serverless: [AWS cloudformation 200 0.065s 0 retries] describeStackEvents({ StackName:
'arn:aws:cloudformation:us-east-1:****:stack/****/2c9a3a90-5f32-11ea-8990-12305fa4f4bd' })
.....
Serverless: Operation failed!
Serverless: View the full error output: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%*****%3Astack%2F****%2F2c9a3a90-5f32-11ea-8990-12305fa4f4bd

Serverless Error ---------------------------------------

ServerlessError: An error occurred: SyncDLQ - API: sqs:CreateQueue Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied..

........

Get Support --------------------------------------------
Docs:          docs.serverless.com
Bugs:          github.com/serverless/serverless/issues
Issues:        forum.serverless.com

Your Environment Information ---------------------------
Operating System:          linux
Node Version:              10.14.0
Framework Version:         1.61.2
Plugin Version:            3.2.7
SDK Version:               2.2.1
Components Core Version:   1.1.2
Components CLI Version:    1.4.0


Similar or dependent issues:

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

kumarasenthil commented, Dec 15, 2020 (1 reaction)

@verkaufer were you able to resolve this issue? I am facing exactly the same issue that the cfnRole is never resolved and serverless assumes the instance profile role that is attached to the build agent.

Framework Core: 2.15.0
Plugin: 4.2.0
SDK: 2.3.2
Components: 3.4.3

medikoo commented, Apr 21, 2020 (0 reactions)

> Beside using environment variable for cfnRole, is there any way that we can manage on the serverless.yml file?

@hoang-innomizetech I have problems in understanding your question, to manage what on the serverless.yml file?
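
As an added example (not part of the original issue or of the Serverless Framework's code): a CI guard in Python that rejects an empty or unresolved `CF_ROLE` value before deploying, and scans `SLS_DEBUG` output for `createStack`/`updateStack` calls that carry no CloudFormation `RoleARN` parameter, as in the `updateStack` call in the log above. The function names and sample log lines are constructed for illustration, and the `RoleARN:` rendering in debug output is assumed to follow the same format as the other parameters.

```python
import re

# IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<path/name>
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
# Serverless variable syntax that was never substituted, e.g. "${env:CF_ROLE}"
UNRESOLVED_RE = re.compile(r"\$\{[^}]*\}")
STACK_CALL_RE = re.compile(r"\b(createStack|updateStack)\(\{")


def check_cfn_role(value):
    """Return None if value is a usable role ARN, else a short reason."""
    if not value:
        return "empty"
    if UNRESOLVED_RE.search(value):
        return "unresolved variable"
    if not ROLE_ARN_RE.match(value):
        return "not an IAM role ARN"
    return None


def stack_calls_without_role(debug_log):
    """List createStack/updateStack calls in SLS_DEBUG output lacking RoleARN."""
    missing = []
    lines = debug_log.splitlines()
    for i, line in enumerate(lines):
        call = STACK_CALL_RE.search(line)
        if not call:
            continue
        body = []
        for nxt in lines[i:]:
            body.append(nxt)
            if nxt.rstrip().endswith("})"):  # line that closes the call's arguments
                break
        if not any("RoleARN:" in part for part in body):
            missing.append(call.group(1))
    return missing


# Constructed sample modelled on the log format in the issue (values are made up).
SAMPLE_NO_ROLE = """\
Serverless: Updating Stack...
Serverless: [AWS cloudformation 200 0.414s 0 retries] updateStack({ StackName: 'example-stack',
  Capabilities: [ 'CAPABILITY_IAM', 'CAPABILITY_NAMED_IAM', [length]: 2 ],
  Parameters: [ [length]: 0 ],
  Tags: [ { Key: 'STAGE', Value: 'prod' }, [length]: 1 ] })
"""
# Assumed rendering of the same call when a role is passed (constructed ARN).
SAMPLE_WITH_ROLE = SAMPLE_NO_ROLE.replace(
    "  Parameters:",
    "  RoleARN: 'arn:aws:iam::123456789012:role/cfn-exec',\n  Parameters:")
```

A deploy made without `RoleARN` runs with the caller's own credentials, so failing the build on a non-empty result from `stack_calls_without_role` catches the silent fallback described in the comments.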
