amplify-education / serverless-domain-manager

Serverless plugin for managing custom domains with API Gateways.
MIT License

deploymentRole not being assumed #583

Open gael-donat opened 1 year ago

gael-donat commented 1 year ago

Bug Report

We are using a deployment role in our serverless.yml:

provider:
  name: aws
  deploymentMethod: direct
  runtime: python3.9
  stage: ${opt:stage, 'local'}
  region: ${opt:region, 'eu-west-1'}
  stackName: ${self:service}-${sls:stage}
  memorySize: 512
  iam:
    deploymentRole: arn:aws:iam::xxxxxxxxx:role/${self:custom.shared.workload}-${sls:stage}-CloudFormationExecutionRole

The role is indeed used by Serverless, as we can see in the CloudFormation stack deployment:

IAM role arn:aws:iam::xxxxx:role/common-dev-CloudFormationExecutionRole

Error Description

The terminal output shows an error where it is the user role that is used for this plugin, not the deployment role.

Command Run

sls deploy --stage=dev

Console Output

Error: Unable to create domain 'xxx-dev.xxx.com':
Failed to UPSERT A Alias for 'xxx-dev.xxx.com':

                    User: arn:aws:sts::xxx:assumed-role/SSO-Lead/firstname.lastname@xxx.com is not authorized to perform: route53:ChangeResourceRecordSets on resource: arn:aws:route53:::
hostedzone/xxxxxxx because no identity-based policy allows the route53:ChangeResourceRecordSets action
    at ServerlessCustomDomain.<anonymous> (/srv/node_modules/serverless-domain-manager/dist/src/index.js:256:23)
    at Generator.throw (<anonymous>)
    at rejected (/srv/node_modules/serverless-domain-manager/dist/src/index.js:6:65)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Domain Manager Configuration

customDomain:
    domainName: ${self:custom.domainName.${sls:stage}}
    stage: ${sls:stage}
    certificateName: '*.xxx.com'
    endpointType: EDGE
    securityPolicy: tls_1_2
    apiType: rest
    hostedZoneId: ABCDEFGHIJK
    hostedZonePrivate: false
    createRoute53Record: true
    createRoute53IPv6Record: false
    autoDomain: true

Versions
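Whichever principal actually issues the Route 53 call (the SSO role shown in the output above, or the deployment role once the plugin assumes it) needs the permission the error names, and it can be scoped tightly to this configuration. The policy below is an added example, not part of the issue or of the plugin: it reuses the hosted zone id and domain from the report as placeholders, restricts the change to a single UPSERT of the A record (createRoute53IPv6Record is false, so no AAAA), and assumes the plugin only reads the zone by its configured hostedZoneId (if hostedZoneId were unset, route53:ListHostedZones would also be needed).

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UpsertOnlyTheApiAliasRecord",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/ABCDEFGHIJK",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsActions": ["UPSERT"],
          "route53:ChangeResourceRecordSetsRecordTypes": ["A"],
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["xxx-dev.xxx.com"]
        }
      }
    },
    {
      "Sid": "ReadOnlyOnTheSameZone",
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/ABCDEFGHIJK"
    }
  ]
}
```

Attach it to the deployment role if the plugin is changed to assume it, or to the deploying principal as long as the plugin keeps using the caller's credentials; a denied ChangeResourceRecordSets with any other record name, type or action in CloudTrail then indicates the plugin is doing something this configuration does not expect.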

rddimon commented 1 year ago

Hi @gael-donat

Does it work for you with v6.4.4?