serverless-step-functions plugin is not using provider permissions Boundary when creating iam role

[kandeshwarath]

This is a (Bug Report)

Description

For bug reports:

• When creating iam role ApigatewayToStepFunctionsRole the plugin is not using the permissionsBoundary specified in provider as a result creation of the role fails

• The expected behavior was that like IAM role created for lambda functions it would use the permissions Boundary specified

• What was the config you used? service: bulk-server frameworkVersion: 2

plugins:

• serverless-webpack
• serverless-pseudo-parameters
• serverless-step-functions

provider: name: aws runtime: nodejs12.x rolePermissionsBoundary: arn:aws:iam::#{AWS::AccountId}:policy/DeveloperBoundaryPolicy iamRoleStatements:

• Effect: "Allow" Action:
  • "states:StartExecution" Resource:
  • "*" stage: ${opt:stage,'dev'} apiGateway: minimumCompressionSize: 1024 environment: AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"

functions: writejob: handler: src/handlers.writejob events:

• http: method: GET path: writejob mapjob: handler: src/handlers.mapjob events:
• http: method: GET path: mapjob completejob: handler: src/handlers.completejob events:
• http: method: GET path: completejob

stepFunctions: stateMachines: jobProcessor: name: JobProcessor events:

• http: method: GET path: processjob

  definition: StartAt: writejob States: writejob: Type: Pass End: true

  • What stacktrace or error message from your provider did you see?

API: iam:CreateRole User: arn:aws:sts::myacct:assumed-role/MYASSUMEDROLE/MYSUSERNAME is not authorized to perform: iam:CreateRole on resource:

Additional Data

• Serverless Framework Core Version you're using: 2.0
• The Plugin Version you're using: serverless-step-functions": "^2.29.0"
• Operating System: mac
• Stack Trace:
• Provider Error messages:

To work around the issue i created an iamRole and referenced it in the step function resources: Resources: myDefaultRole: ApigatewayToStepFunctionsRole: Type: 'AWS::IAM::Role' Properties: PermissionsBoundary: arn:aws:iam::#{AWS::AccountId}:policy/DeveloperBoundaryPolicy RoleName: myrole AssumeRolePolicyDocument: Version: '2012-10-17' Statement:

• Effect: Allow Principal: Service:
  • states.amazonaws.com
  • apigateway.amazonaws.com Action: 'sts:AssumeRole'

[kandeshwarath]

See below the cloudformation template generated for the role that failed created. The role created for the Lambda works fine since it does have the boundary policy. I am attaching it

"ApigatewayToStepFunctionsRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": "apigateway.amazonaws.com" }, "Action": "sts:AssumeRole" }] }, "Policies": [{ "PolicyName": "ApigatewayToStepFunctionsRole", "PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["states:StartExecution"], "Resource": "*" }] } }] } } }

The lamda role succeeds and has the boundary policy "IamRoleLambdaExecution": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Service": ["lambda.amazonaws.com"] }, "Action": ["sts:AssumeRole"] }] }, "Policies": [{ "PolicyName": { "Fn::Join": ["-", ["bulk-server", "dev", "lambda"]] }, "PolicyDocument": { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:CreateLogGroup"], "Resource": [{ "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/bulk-server-dev:" }] }, { "Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": [{ "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/bulk-server-dev::*" }] }] } }], "Path": "/", "RoleName": { "Fn::Join": ["-", ["bulk-server", "dev", { "Ref": "AWS::Region" }, "lambdaRole"]] }, "PermissionsBoundary": { "Fn::Sub": "arn:aws:iam::${AWS::AccountId}:policy/DeveloperBoundaryPolicy" } } },

[cqcmdwym]

👀

[clawsl]

We are facing the same issue here