API: iam:CreateRole User: arn:aws:iam::accountid:user/jenkins is not authorized to perform iam:CreateRole with an explicit deny

I was working for a client in a locked-down AWS environment, where the IAM user we deploy with is constrained by a permissions boundary that only allows it to perform certain tasks.

I was setting up a Serverless Framework deployment that runs from Jenkins. Given the environment, my first thought was that the Jenkins user's own permissions boundary was blocking the deployment. After checking, that was not the problem.

The real issue is that the Serverless Framework creates an IAM role under the hood (the execution role for its custom-resources Lambda), and in the version I was using (serverless 1.62) there is no way to attach a permissions boundary to that role. In this account, creating a role without the required boundary is explicitly denied, so the deployment failed with the error below:

API: iam:CreateRole User: arn:aws:iam::{account-number}:user/jenkins is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::{account-number}:role/lambdarole-10B6TEXZBIGSF with an explicit deny

The fix is to upgrade to Serverless Framework 1.69 or later, which added the resources.extensions feature, and use it to set PermissionsBoundary on the generated role from serverless.yml. The #{AWS::AccountId} form is the serverless-pseudo-parameters plugin syntax; the plugin rewrites it to ${AWS::AccountId} in the compiled template so that !Sub can resolve it (with the Serverless variable syntax, a bare ${AWS::AccountId} in serverless.yml would be picked up by the framework's own variable resolver instead).

# serverless.yml: patch the role that Serverless generates for its custom-resources Lambda
resources:
  extensions:
    IamRoleCustomResourcesLambdaExecution:
      Properties:
        PermissionsBoundary: !Sub arn:aws:iam::#{AWS::AccountId}:policy/permission-boundary

With that in place the custom-resources role is created with the boundary attached, and the deployment that hooks the function up to an existing S3 bucket goes through.
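Since the deny only shows up at deploy time, it is worth catching this before Jenkins runs sls deploy. The script below is an added example, not code from the original post or from the Serverless Framework: it reads the compiled template (after sls package, found at .serverless/cloudformation-template-update-stack.json) and fails the job if any AWS::IAM::Role is missing the required PermissionsBoundary. The deny policy, the sample template, the account id 123456789012 and the policy name permission-boundary are constructed for illustration; the policy shows the usual way such an explicit deny is produced, an IAM policy or SCP that denies iam:CreateRole unless the iam:PermissionsBoundary condition key matches the required ARN. The check also resolves the Fn::Sub string form that !Sub compiles to, which is the case that matters for the fix above.

```python
"""Pre-deploy check for a Serverless (CloudFormation) template: fail the Jenkins
job if any AWS::IAM::Role lacks the PermissionsBoundary the account enforces.

Added example, not code from the original post or from the Serverless
Framework. The deny policy and templates below are constructed samples.
"""
import json
import sys

# Constructed sample of the kind of policy that yields "explicit deny" on
# iam:CreateRole: roles may only be created when the request carries the
# required boundary (checked through the iam:PermissionsBoundary condition key).
DENY_CREATE_ROLE_WITHOUT_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRoleWithoutBoundary",
        "Effect": "Deny",
        "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {
            "iam:PermissionsBoundary":
                "arn:aws:iam::123456789012:policy/permission-boundary"}},
    }],
}

# Constructed sample of a compiled template after resources.extensions has added
# the boundary to the function role but not yet to the custom-resources role.
SAMPLE_TEMPLATE = {
    "Resources": {
        "IamRoleLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "PermissionsBoundary": {
                    "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/permission-boundary"},
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
            },
        },
        "IamRoleCustomResourcesLambdaExecution": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []},
            },
        },
        "S3BucketLambdaConfig": {"Type": "Custom::S3", "Properties": {}},
    }
}


def required_boundary(policy):
    """Pull the boundary ARN that the deny statement insists on."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if stmt["Effect"] == "Deny" and "iam:PermissionsBoundary" in cond:
            return cond["iam:PermissionsBoundary"]
    return None


def resolve_boundary(value, account_id, partition="aws"):
    """Reduce a PermissionsBoundary property to a plain ARN string.
    Accepts a literal string or the string form of Fn::Sub (what !Sub compiles
    to); returns None for anything it cannot resolve, which then counts as wrong."""
    if isinstance(value, dict) and isinstance(value.get("Fn::Sub"), str):
        value = value["Fn::Sub"]
    if not isinstance(value, str):
        return None
    return (value.replace("${AWS::AccountId}", account_id)
                 .replace("${AWS::Partition}", partition))


def roles_missing_boundary(template, account_id, boundary_arn):
    """Logical IDs of AWS::IAM::Role resources whose boundary is absent or wrong."""
    bad = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        value = res.get("Properties", {}).get("PermissionsBoundary")
        if resolve_boundary(value, account_id) != boundary_arn:
            bad.append(logical_id)
    return sorted(bad)


def apply_boundary(template, boundary_arn):
    """Return a copy with the boundary set on every role; this is the template-level
    effect of one resources.extensions entry per role in serverless.yml."""
    fixed = json.loads(json.dumps(template))
    for res in fixed["Resources"].values():
        if res.get("Type") == "AWS::IAM::Role":
            res.setdefault("Properties", {})["PermissionsBoundary"] = boundary_arn
    return fixed


def main(path, account_id):
    with open(path) as fh:
        template = json.load(fh)
    missing = roles_missing_boundary(
        template, account_id, required_boundary(DENY_CREATE_ROLE_WITHOUT_BOUNDARY))
    for logical_id in missing:
        print(f"{logical_id}: missing or wrong PermissionsBoundary; iam:CreateRole would be denied")
    return 1 if missing else 0


if __name__ == "__main__":
    # usage: check_boundary.py .serverless/cloudformation-template-update-stack.json 123456789012
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

Run it as a Jenkins stage between sls package and sls deploy; a non-zero exit stops the pipeline before CloudFormation ever calls iam:CreateRole. On the sample template it reports IamRoleCustomResourcesLambdaExecution, which is exactly the role the error message above was complaining about.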