I was working for a client in a locked-down AWS environment, where our account only has a permissions boundary that allows it to perform certain tasks.
I was working on a serverless deployment using Jenkins. Because of the environment, I thought the error was due to the permissions boundary, but after checking, it was not a permissions boundary issue.
The issue is that Serverless tries to create a role under the hood, and you cannot define the permissions boundary on it (btw, I was using Serverless 1.62). The error I was getting is below:
API: iam:CreateRole User: arn:aws:iam::{account-number}:user/jenkins is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::{account-number}:role/lambdarole-10B6TEXZBIGSF with an explicit deny
So the way to fix it is to use Serverless 1.69 or above and define the following in serverless.yml:
resources:
  extensions:
    IamRoleCustomResourcesLambdaExecution:
      Properties:
        # #{AWS::AccountId} is serverless-pseudo-parameters plugin syntax; without that plugin,
        # use the native CloudFormation form ${AWS::AccountId} inside !Sub instead.
        PermissionsBoundary: !Sub arn:aws:iam::#{AWS::AccountId}:policy/permission-boundary
And that fixes the existing bucket problem: the role in the error is the execution role of the custom-resource Lambda that Serverless creates to attach events to an existing S3 bucket, and the extension above attaches the permissions boundary to that role so iam:CreateRole is no longer denied.
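A check I would add on top of this, as an added example (not code from the original post): audit the roles a stack created and report any whose permissions boundary is missing or not the expected policy, so a role created "under the hood" by a framework cannot slip past unnoticed. The boundary ARN, role-name prefix and the sample role records are constructed placeholders.

```python
"""Audit IAM roles for a required permissions boundary (added example, not from the post)."""
from typing import Iterable, Optional


def boundary_arn(role: dict) -> Optional[str]:
    """Return the boundary ARN on a role record, or None if the role has no boundary.

    `role` has the shape of one entry in boto3 `iam.list_roles()["Roles"]`: the boundary,
    when present, is under role["PermissionsBoundary"]["PermissionsBoundaryArn"].
    """
    boundary = role.get("PermissionsBoundary") or {}
    return boundary.get("PermissionsBoundaryArn")


def roles_missing_boundary(roles: Iterable[dict], expected_arn: str, name_prefix: str = "") -> list:
    """Names of roles (matching name_prefix) whose boundary is absent or is not expected_arn."""
    bad = []
    for role in roles:
        name = role["RoleName"]
        if not name.startswith(name_prefix):
            continue
        if boundary_arn(role) != expected_arn:
            bad.append(name)
    return sorted(bad)


def audit_account(expected_arn: str, name_prefix: str = "") -> list:
    """Live check against the account: pages through iam:ListRoles (needs that permission)."""
    import boto3  # imported here so the pure functions above run without boto3 installed

    paginator = boto3.client("iam").get_paginator("list_roles")
    roles = [r for page in paginator.paginate() for r in page["Roles"]]
    return roles_missing_boundary(roles, expected_arn, name_prefix)


# Constructed sample records shaped like list_roles output; account id and names are placeholders.
EXPECTED = "arn:aws:iam::123456789012:policy/permission-boundary"
SAMPLE_ROLES = [
    {"RoleName": "my-service-dev-us-east-1-lambdaRole",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy", "PermissionsBoundaryArn": EXPECTED}},
    # A custom-resources role created by the framework with no boundary attached at all.
    {"RoleName": "my-service-dev-custom-resources-lambdarole-ABC123"},
    # A role carrying the wrong boundary policy.
    {"RoleName": "my-service-dev-other-role",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                             "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/some-other-policy"}},
]

if __name__ == "__main__":
    print(roles_missing_boundary(SAMPLE_ROLES, EXPECTED, name_prefix="my-service-dev"))
```

Run `audit_account(EXPECTED, "my-service-dev")` with credentials that allow iam:ListRoles to perform the same check against a real account.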