@sdomagala
Created February 3, 2020 09:05
Change Trust Policy in Serverless IAM Role (or any other params other than policy)
```yaml
## all other serverless.yml configuration
functions:
  # your functions
provider:
  name: aws
  # your provider config
resources:
  Resources:
    IamRoleLambdaExecution: # has to be this exact name, https://serverless.com/framework/docs/providers/aws/guide/resources/
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument: # OVERWRITE assume role policy, rest is populated by serverless
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com # keep this, Lambda itself must be able to assume the role
                AWS:
                  # placeholder account IDs (real AWS account IDs are 12 digits);
                  # a :root principal trusts the whole account, not one user or role
                  - arn:aws:iam::123456789:root
                  - arn:aws:iam::012345678:root
              Action: sts:AssumeRole
```
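A pre-deploy check for an overridden trust policy like the one above, as an added example (not part of the gist or of the Serverless Framework). It takes the `AssumeRolePolicyDocument` as a Python dict and reports a missing `lambda.amazonaws.com` service principal, account IDs that are not 12 digits, and account-root principals with no `Condition`; the names `audit_trust_policy`, `as_list` and `GIST_POLICY` are assumptions made for this illustration.

```python
import re

# Matches IAM principal ARNs; group 1 is the account ID, group 2 the resource.
ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d*):(.+)$")

def as_list(value):
    """IAM JSON allows a scalar wherever a list is accepted."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust_policy(doc):
    """Return human-readable findings for a trust policy given as a dict."""
    findings, lambda_trusted = [], False
    for stmt in as_list(doc.get("Statement")):
        actions = as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            if principal == "*":
                findings.append("Principal '*': anyone can assume the role")
            continue
        if "lambda.amazonaws.com" in as_list(principal.get("Service")):
            lambda_trusted = True
        for arn in as_list(principal.get("AWS")):
            if arn.isdigit():  # a bare account ID is shorthand for its root ARN
                arn = f"arn:aws:iam::{arn}:root"
            m = ARN_RE.match(arn)
            if arn == "*":
                findings.append("AWS principal '*': any AWS identity is trusted")
            elif not m or len(m.group(1)) != 12:
                findings.append(f"{arn}: account ID is not 12 digits")
            elif m.group(2) == "root" and not stmt.get("Condition"):
                findings.append(f"{arn}: whole account trusted, no Condition")
    if not lambda_trusted:
        findings.append("lambda.amazonaws.com not trusted: Lambda cannot assume the role")
    return findings

# The gist's policy as a dict, with its placeholder account IDs kept as written.
GIST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": ["lambda.amazonaws.com"],
            "AWS": ["arn:aws:iam::123456789:root", "arn:aws:iam::012345678:root"],
        },
        "Action": "sts:AssumeRole",
    }],
}
```

Run against `GIST_POLICY`, it flags both placeholder ARNs as having account IDs that are not 12 digits, which is a reminder to substitute real account IDs before deploying.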
@KwanJunWen

Thanks, this is really helpful.

@sverraest

Anyone else getting "The role defined for the function cannot be assumed by Lambda" when using this template?

@henrymsiska

Much appreciated, solved some of my headaches with building a pipeline spanning multiple services.

@omar-dulaimi

Thanks a lot!

@prameshbajra

Anyone else getting "The role defined for the function cannot be assumed by Lambda" when using this template?

Hi there,
I am facing this error too. Did you find a solution?

@prameshbajra

Anyone else getting "The role defined for the function cannot be assumed by Lambda" when using this template?

So sorry to bother you.

For future readers. This worked for me. I took a 30 mins nap and it worked. SERIOUSLY.

Reference:
https://stackoverflow.com/a/37438525/5753035

@ezmiller

ezmiller commented May 26, 2022

Can someone explain this section of the above example?

 AWS:
   - arn:aws:iam::123456789:root
   - arn:aws:iam::012345678:root

@sdomagala
Author

sdomagala commented May 26, 2022

@ezmiller it means that those AWS accounts can assume roles, but it's not something required - this whole block of AssumeRolePolicyDocument is just an example of how you can overwrite trust policy, so change it to whatever you need. Here is the CloudFormation reference

@ezmiller

ezmiller commented May 26, 2022

Is this approach necessary if one is trying to set roles for a resource other than lambda that is created in custom resources? I'm trying to link an Eventbridge rule to other targets and running into what I think are permissions errors, but I have been unable to explicitly set the resource policies. See question here: https://forum.serverless.com/t/permissions-for-custom-resource-directing-eventbridge-events-to-targets/17241

@martinezpl

Thank you very much, buddy!
