Change Trust Policy in Serverless IAM Role (or any other params other than policy)
## all other serverless.yml configuration
functions:
  # your functions
provider:
  name: aws
  # your provider config
resources:
  Resources:
    IamRoleLambdaExecution: # has to be this exact name, https://serverless.com/framework/docs/providers/aws/guide/resources/
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument: # OVERWRITE assume role policy, rest is populated by serverless
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com # keep this, Lambda itself must be able to assume the role
                AWS: # placeholder account IDs; ":root" trusts the whole account
                  - arn:aws:iam::123456789:root
                  - arn:aws:iam::012345678:root
              Action: sts:AssumeRole

KwanJunWen commented Jun 18, 2020

Thanks, this is really helpful.


sverraest commented Jul 7, 2020

Anyone else getting "The role defined for the function cannot be assumed by Lambda" when using this template?


henrymsiska commented Nov 6, 2020

Much appreciated, solved some of my headaches with building a pipeline spanning multiple services.


omar-dulaimi commented Apr 7, 2021

Thanks a lot!


prameshbajra commented Aug 31, 2021

> Anyone else getting "The role defined for the function cannot be assumed by Lambda" when using this template?

Hi there,
I am facing this error too. Did you find a solution?


prameshbajra commented Aug 31, 2021

> Anyone else getting "The role defined for the function cannot be assumed by Lambda" when using this template?

So sorry to bother you.

For future readers: this worked for me. I took a 30-minute nap and it worked. SERIOUSLY.

Reference:
https://stackoverflow.com/a/37438525/5753035


ezmiller commented May 26, 2022

Can someone explain this section of the above example?

 AWS:
   - arn:aws:iam::123456789:root
   - arn:aws:iam::012345678:root

sdomagala (Author) commented May 26, 2022

@ezmiller it means that those AWS accounts can assume roles, but it's not something required. This whole block of AssumeRolePolicyDocument is just an example of how you can overwrite the trust policy, so change it to whatever you need. Here is the CloudFormation reference
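
An added example, not part of the gist or of the Serverless Framework: a small Python check for the trust policy discussed above, reporting whether `lambda.amazonaws.com` is still trusted and which account-root principals are listed. The function names and the dict form of the policy are assumptions made for this example.

```python
import re

# Constructed sample: the gist's trust policy as a dict (placeholder account IDs).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": ["lambda.amazonaws.com"],
            "AWS": ["arn:aws:iam::123456789:root", "arn:aws:iam::012345678:root"],
        },
        "Action": "sts:AssumeRole",
    }],
}
ROOT_ARN = re.compile(r"^arn:aws:iam::(\d+):root$")

def _as_list(value):
    """IAM policy fields may hold a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return (lambda_trusted, findings) for an AssumeRolePolicyDocument."""
    lambda_trusted, findings = False, []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # the only valid string form is "*"
            findings.append("Principal '*': any AWS principal is trusted")
            continue
        # Lambda can only use the role if its service principal stays trusted.
        if "lambda.amazonaws.com" in _as_list(principal.get("Service")):
            lambda_trusted = True
        for arn in _as_list(principal.get("AWS")):
            match = ROOT_ARN.match(arn)
            if match and len(match.group(1)) != 12:
                findings.append(f"{arn}: account ID is not 12 digits")
            elif match and not stmt.get("Condition"):
                # ':root' delegates trust to the whole account, not one user.
                findings.append(f"{arn}: whole account trusted, no Condition")
    return lambda_trusted, findings

if __name__ == "__main__":
    print(audit_trust_policy(TRUST_POLICY))
```
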


ezmiller commented May 26, 2022

Is this approach necessary if one is trying to set roles for a resource other than Lambda that is created in custom resources? I'm trying to link an EventBridge rule to other targets and running into what I think are permissions errors, but I have been unable to explicitly set the resource policies. See question here: https://forum.serverless.com/t/permissions-for-custom-resource-directing-eventbridge-events-to-targets/17241
