silvermine / serverless-plugin-cloudfront-lambda-edge

Adds Lambda@Edge support to Serverless
MIT License

Serverless error creating or assuming a service linked role #51

Closed gabmontes closed 4 years ago

gabmontes commented 4 years ago

The following error is consistently showing up, even when the AWS account seems to have full permissions:

  An error occurred: WebsiteDistribution - The user is not authorized to create or assume a service linked role. (Service: AmazonCloudFront; Status Code: 403; Error Code: AccessDenied; Request ID: [xxxxx]).

In order to track the problem, I tried with just a slightly modified version of the CloudFront static site config in the README:

service: lambdaedge-deploy-test

provider:
  name: aws
  runtime: nodejs10.x
  stage: staging
  region: us-east-1

functions:
  viewerRequestTest:
    handler: index.handler
    memorySize: 128
    timeout: 5
    lambdaAtEdge:
      distribution: "WebsiteDistribution"
      eventType: "viewer-request"

resources:
  Resources:
    WebsiteBucket:
      Type: "AWS::S3::Bucket"
      Properties:
        BucketName: "${self:service}-${self:provider.stage}"
        AccessControl: "PublicRead"
        WebsiteConfiguration:
          IndexDocument: "index.html"
          ErrorDocument: "error.html"
    WebsiteDistribution:
      Type: "AWS::CloudFront::Distribution"
      Properties:
        DistributionConfig:
          DefaultCacheBehavior:
            TargetOriginId: "WebsiteBucketOrigin"
            ViewerProtocolPolicy: "redirect-to-https"
            DefaultTTL: 600 # ten minutes
            MaxTTL: 600 # ten minutes
            Compress: true
            ForwardedValues:
              QueryString: false
              Cookies:
                Forward: "none"
          DefaultRootObject: "index.html"
          Enabled: true
          PriceClass: "PriceClass_100"
          HttpVersion: "http2"
          ViewerCertificate:
            CloudFrontDefaultCertificate: true
          Origins:
            - Id: "WebsiteBucketOrigin"
              DomainName: { "Fn::GetAtt": ["WebsiteBucket", "DomainName"] }
              S3OriginConfig: {}

plugins:
  - "@silvermine/serverless-plugin-cloudfront-lambda-edge"

The repository only has a few files:

.
├── index.js
├── node_modules
├── package.json
└── serverless.yml

The complete execution log is:

$ sls deploy --verbose

Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Updated Lambda assume role policy to allow Lambda@Edge to assume the role
Serverless: Added "viewer-request" Lambda@Edge association for version "[xxxxx]" to distribution "WebsiteDistribution"
Serverless: Creating Stack...
Serverless: Checking Stack create progress...
CloudFormation - CREATE_IN_PROGRESS - AWS::CloudFormation::Stack - lambdaedge-deploy-test-staging
CloudFormation - CREATE_IN_PROGRESS - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - CREATE_IN_PROGRESS - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - CREATE_COMPLETE - AWS::S3::Bucket - ServerlessDeploymentBucket
CloudFormation - CREATE_IN_PROGRESS - AWS::S3::BucketPolicy - ServerlessDeploymentBucketPolicy
CloudFormation - CREATE_IN_PROGRESS - AWS::S3::BucketPolicy - ServerlessDeploymentBucketPolicy
CloudFormation - CREATE_COMPLETE - AWS::S3::BucketPolicy - ServerlessDeploymentBucketPolicy
CloudFormation - CREATE_COMPLETE - AWS::CloudFormation::Stack - lambdaedge-deploy-test-staging
Serverless: Stack create finished...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service lambdaedge-deploy-test.zip file to S3 (66.88 KB)...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
CloudFormation - UPDATE_IN_PROGRESS - AWS::CloudFormation::Stack - lambdaedge-deploy-test-staging
CloudFormation - CREATE_IN_PROGRESS - AWS::S3::Bucket - WebsiteBucket
CloudFormation - CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - CREATE_IN_PROGRESS - AWS::Logs::LogGroup - ViewerRequestTestLogGroup
CloudFormation - CREATE_IN_PROGRESS - AWS::Logs::LogGroup - ViewerRequestTestLogGroup
CloudFormation - CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - CREATE_IN_PROGRESS - AWS::S3::Bucket - WebsiteBucket
CloudFormation - CREATE_COMPLETE - AWS::Logs::LogGroup - ViewerRequestTestLogGroup
CloudFormation - CREATE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - CREATE_COMPLETE - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - CREATE_IN_PROGRESS - AWS::Lambda::Function - ViewerRequestTestLambdaFunction
CloudFormation - CREATE_IN_PROGRESS - AWS::Lambda::Function - ViewerRequestTestLambdaFunction
CloudFormation - CREATE_COMPLETE - AWS::Lambda::Function - ViewerRequestTestLambdaFunction
CloudFormation - CREATE_IN_PROGRESS - AWS::Lambda::Version - [xxxxx]
CloudFormation - CREATE_IN_PROGRESS - AWS::Lambda::Version - [xxxxx]
CloudFormation - CREATE_COMPLETE - AWS::Lambda::Version - [xxxxx]
CloudFormation - CREATE_COMPLETE - AWS::S3::Bucket - WebsiteBucket
CloudFormation - CREATE_IN_PROGRESS - AWS::CloudFront::Distribution - WebsiteDistribution
CloudFormation - CREATE_FAILED - AWS::CloudFront::Distribution - WebsiteDistribution
CloudFormation - UPDATE_ROLLBACK_IN_PROGRESS - AWS::CloudFormation::Stack - lambdaedge-deploy-test-staging
CloudFormation - UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS - AWS::CloudFormation::Stack - lambdaedge-deploy-test-staging
CloudFormation - DELETE_COMPLETE - AWS::CloudFront::Distribution - WebsiteDistribution
CloudFormation - DELETE_IN_PROGRESS - AWS::S3::Bucket - WebsiteBucket
CloudFormation - DELETE_SKIPPED - AWS::Lambda::Version - [xxxxx]
CloudFormation - DELETE_IN_PROGRESS - AWS::Lambda::Function - ViewerRequestTestLambdaFunction
CloudFormation - DELETE_COMPLETE - AWS::S3::Bucket - WebsiteBucket
CloudFormation - DELETE_COMPLETE - AWS::Lambda::Function - ViewerRequestTestLambdaFunction
CloudFormation - DELETE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - DELETE_IN_PROGRESS - AWS::Logs::LogGroup - ViewerRequestTestLogGroup
CloudFormation - DELETE_FAILED - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - DELETE_COMPLETE - AWS::Logs::LogGroup - ViewerRequestTestLogGroup
CloudFormation - DELETE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - DELETE_FAILED - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - DELETE_IN_PROGRESS - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - DELETE_FAILED - AWS::IAM::Role - IamRoleLambdaExecution
CloudFormation - UPDATE_ROLLBACK_COMPLETE - AWS::CloudFormation::Stack - lambdaedge-deploy-test-staging
Serverless: Operation failed!
Serverless: View the full error output: https://us-east-1.console.aws.amazon.com/[xxxxx]

  Serverless Error ---------------------------------------

  An error occurred: WebsiteDistribution - The user is not authorized to create or assume a service linked role. (Service: AmazonCloudFront; Status Code: 403; Error Code: AccessDenied; Request ID: [xxxxx]).

  Get Support --------------------------------------------
     Docs:          docs.serverless.com
     Bugs:          github.com/serverless/serverless/issues
     Issues:        forum.serverless.com

  Your Environment Information ---------------------------
     Operating System:          darwin
     Node Version:              10.17.0
     Framework Version:         1.67.0
     Plugin Version:            3.6.2
     SDK Version:               2.3.0
     Components Version:        2.22.3

What could be happening?

jthomerson commented 4 years ago

It has to do with the permissions that you're using to deploy the stack. IAM has a specific permission you need in order to create a service-linked role. You can read more about it in a comment I left here: https://github.com/amplify-education/serverless-domain-manager/issues/112#issuecomment-377032301
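
One way to check a deployer's IAM policy for that permission before running `sls deploy`, as an added example (not code from the plugin or from this thread): a small offline evaluator that models only `Effect`, `Action` and the `iam:AWSServiceName` condition, with the CloudFront logger service-principal name and the sample policies being assumptions.

```javascript
// Added example, not part of the plugin or the issue: an offline checker for the
// one IAM permission the failing CloudFront create needs, iam:CreateServiceLinkedRole.
const CLOUDFRONT_LOGGER = 'logger.cloudfront.amazonaws.com'; // assumed SLR service name

// Least-privilege statement to grant the deploying user (assumed wording).
const CREATE_SLR_STATEMENT = {
  Effect: 'Allow',
  Action: 'iam:CreateServiceLinkedRole',
  Resource: 'arn:aws:iam::*:role/aws-service-role/*',
  Condition: { StringEquals: { 'iam:AWSServiceName': CLOUDFRONT_LOGGER } },
};
// Constructed sample: a broad deployer policy that still lacks the SLR permission.
const DEPLOYER_POLICY = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['cloudfront:*', 'lambda:*', 's3:*', 'iam:PassRole'], Resource: '*' }],
};
const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM-style glob match ("*", "iam:Create*"), case-insensitive like IAM action names.
function globMatch(pattern, value) {
  const parts = pattern.split('*').map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$', 'i').test(value);
}
// Does the statement's Condition (if any) apply to a request for this service name?
function conditionMatches(condition, serviceName) {
  if (!condition) return true;
  const keys = { ...(condition.StringEquals || {}), ...(condition.StringLike || {}) };
  const wanted = asList(keys['iam:AWSServiceName']);
  return wanted.length === 0 || wanted.some((p) => globMatch(p, serviceName));
}
// Simplified evaluation: only Effect/Action/Condition are modelled (no NotAction or
// Resource matching). Explicit Deny wins; with no matching Allow the default is deny.
function allowsServiceLinkedRole(policyDoc, serviceName) {
  let allowed = false;
  for (const st of asList(policyDoc.Statement)) {
    const hit = asList(st.Action).some((a) => globMatch(a, 'iam:CreateServiceLinkedRole'));
    if (!hit || !conditionMatches(st.Condition, serviceName)) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}
// Same policy with the scoped statement appended: creation allowed only for CloudFront's logger.
function withSlrPermission(policyDoc) {
  return { ...policyDoc, Statement: [...asList(policyDoc.Statement), CREATE_SLR_STATEMENT] };
}
```

Running `allowsServiceLinkedRole(DEPLOYER_POLICY, CLOUDFRONT_LOGGER)` reproduces the denied case, and `withSlrPermission` shows the narrow grant that fixes it without handing out `iam:*`.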

gabmontes commented 4 years ago

@jthomerson thanks a lot! Taking a look at that.

gabmontes commented 4 years ago

FYI the problem was indeed with the permissions of the user executing the deploy.