amplify-education / serverless-domain-manager

Serverless plugin for managing custom domains with API Gateways.
MIT License

Example CloudFormation template missing acm:DescribeCertificate permission #501

Closed tibbe closed 2 years ago

tibbe commented 2 years ago

Community Note

Bug Report

Error Description

sls create_domain fails trying to list some information about the certificate (which I assume serverless-domain-manager needs to know for its internal operation) after having created the required IAM policy using scripts/cloudformation/serverless-domain-manager-deploy-policy.yaml.

Command Run

sls create_domain --aws-profile serverless-backend-agent --region us-east-1

Console Output

(Note that I replaced my actual domain with example.com in the output below.)

Running "serverless" from node_modules
Environment: darwin, node 18.0.0, framework 3.14.0 (local) 3.10.2v (global), plugin 6.2.1, SDK 4.3.2
Credentials: Local, "serverless-backend-agent" profile
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
Error: Unable to create domain 'dev.example.com':
Could not search certificates in Certificate Manager.
User: arn:aws:iam::2271355XXXXX:user/serverless-backend-agent is not authorized to perform: acm:DescribeCertificate on resource: arn:aws:acm:us-east-1:2271355YYYYY:certificate/6b03d4e6-5ac6-498a-b6b3-11b0e12ZZZZZ
    at ServerlessCustomDomain.<anonymous> (/Users/tibbe/work/project/backend/node_modules/serverless-domain-manager/dist/src/index.js:193:23)
    at Generator.throw (<anonymous>)
    at rejected (/Users/tibbe/work/project/backend/node_modules/serverless-domain-manager/dist/src/index.js:6:65)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Domain Manager Configuration

custom:
  customDomain:
    apiType: http
    autoDomain: true
    certificateName: '*.example.com'
    createRoute53Record: true
    domainName: ${sls:stage}.example.com
    endpointType: regional
    stage: "${sls:stage}"

Versions

Possible Solution

Probably add some more permissions to scripts/cloudformation/serverless-domain-manager-deploy-policy.yaml.
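As an added example (not the issue author's code and not from the serverless-domain-manager repository): an offline pre-flight check that an IAM policy document actually allows each action the plugin needs before running sls create_domain, so the missing permission is caught by the check rather than by the AccessDenied error above. The sample policy, account ID and certificate ARN below are constructed for the example and are not the contents of scripts/cloudformation/serverless-domain-manager-deploy-policy.yaml; the evaluator models only Effect/Action/Resource with IAM wildcard matching (explicit Deny wins over Allow, otherwise implicit deny) and refuses statements using Condition, NotAction or NotResource rather than guessing at them. The fix it applies scopes acm:DescribeCertificate to certificates in one account and region, while acm:ListCertificates stays on "*" because that action has no resource-level permissions.

```python
import re

# Constructed sample inputs (assumptions for this example; NOT the
# repository's serverless-domain-manager-deploy-policy.yaml).
ACCOUNT_ID = "123456789012"
CERT_ARN = ("arn:aws:acm:us-east-1:" + ACCOUNT_ID +
            ":certificate/00000000-0000-0000-0000-000000000000")
REQUIRED_ACM_ACTIONS = ["acm:ListCertificates", "acm:DescribeCertificate"]

# A policy that only allows listing certificates: the shape that produces
# "not authorized to perform: acm:DescribeCertificate".
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "acm:ListCertificates", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case):
    """IAM wildcard semantics: '*' matches any run, '?' one character.
    Actions are matched case-insensitively, resource ARNs case-sensitively."""
    regex = "^" + ".*".join(
        ".".join(re.escape(piece) for piece in part.split("?"))
        for part in pattern.split("*")
    ) + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _statement_applies(stmt, action, resource):
    if any(k in stmt for k in ("NotAction", "NotResource", "Condition")):
        # Refuse to evaluate forms this simplified evaluator does not model
        # instead of silently returning a verdict that may be wrong.
        raise ValueError("NotAction/NotResource/Condition are not modelled here")
    actions_ok = any(_glob_match(a, action, ignore_case=True)
                     for a in _as_list(stmt.get("Action")))
    resources_ok = any(_glob_match(r, resource, ignore_case=False)
                       for r in _as_list(stmt.get("Resource")))
    return actions_ok and resources_ok


def is_allowed(policy, action, resource):
    """Identity-policy evaluation: explicit Deny wins, then Allow, else deny."""
    effects = {stmt["Effect"] for stmt in _as_list(policy.get("Statement"))
               if _statement_applies(stmt, action, resource)}
    if "Deny" in effects:
        return False
    return "Allow" in effects


def missing_actions(policy, actions, resource):
    """Actions the policy does not allow on the given resource, in order."""
    return [a for a in actions if not is_allowed(policy, a, resource)]


def grant(policy, actions, resource):
    """Return a copy of the policy with one extra Allow statement appended."""
    fixed = {"Version": policy.get("Version", "2012-10-17"),
             "Statement": list(_as_list(policy.get("Statement")))}
    fixed["Statement"].append(
        {"Effect": "Allow", "Action": list(actions), "Resource": resource})
    return fixed


# Least-privilege fix: DescribeCertificate only on this account's certificates
# in the region the plugin is run against (region chosen as an assumption).
POLICY_AFTER = grant(POLICY_BEFORE, ["acm:DescribeCertificate"],
                     "arn:aws:acm:us-east-1:" + ACCOUNT_ID + ":certificate/*")

if __name__ == "__main__":
    print("before:", missing_actions(POLICY_BEFORE, REQUIRED_ACM_ACTIONS, CERT_ARN))
    print("after: ", missing_actions(POLICY_AFTER, REQUIRED_ACM_ACTIONS, CERT_ARN))
```

Run the check against the rendered policy document (for a CloudFormation template, the PolicyDocument of the managed policy, loaded with a YAML parser) with the certificate ARN you expect the plugin to touch; an empty result from missing_actions means the deploy user can at least list and describe the certificate, and a non-empty one names exactly the actions to add. Because conditions and boundary policies are not modelled, treat a pass as a necessary condition, not a guarantee that the real IAM evaluation will succeed.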