
I have a pipeline in one AWS account, 123456789. I would like to deploy via the Serverless Framework to the AWS account 234567890. On the server with the pipeline, there is only a ~/.aws/credentials file and roles attached to it.

I have used a jq one-liner that allowed me to assume the role, as found in this post: AWS sts assume role in one command

The output of aws sts get-caller-identity is as follows:

{
    "UserId": "xxxxxx:deploy_session",
    "Account": "234567890",
    "Arn": "arn:aws:sts::234567890:assumed-role/pipeline-role/deploy_session"
}

Then the deployment is executed with sls deploy --verbose --stage qa, which fails as follows:

{"Ref":"ServerlessDeploymentBucket"}}}}',
  Tags: [ { Key: 'STAGE', Value: 'qa' }, [length]: 1 ],
  RoleARN:
   'arn:aws:sts::234567890:assumed-role/pipeline-role/deploy_session' })
 
 Serverless Error ----------------------------------------
 
  ServerlessError: ValidationError: Role arn:aws:sts::234567890:assumed-role/pipeline-role/deploy_session is invalid or cannot be assumed

The serverless file has:

...
provider:
  name: aws
  runtime: python3.7
  stage: ${opt:stage, 'dev'}
  region: ${self:custom.config.aws.region, 'us-east-1'}
  stackName: ${self:custom.stackName}
  cfnRole: ${self:custom.config.aws.cloudformationRole}

where the cloudformationRole was: arn:aws:sts::234567890:assumed-role/pipeline-role/deploy_session

I have also attempted to change the cloudformationRole to: arn:aws:sts::234567890:role/pipeline-role but would find the same type of error.

What would be the correct reference for the cfnRole so that the assumed role can work?

azngunit81
  • Hello - are you sure that the role you're using has the correct principal configured? It has to allow the CloudFormation service to assume the role. – pgrzesik Jan 07 '22 at 23:53

0 Answers
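
Added example (not part of the original question or comment): a pre-deploy check in Python that maps the session ARN printed by get-caller-identity to the IAM role ARN form (arn:aws:iam::<account>:role/<name>) that CloudFormation's RoleARN parameter takes, and tests whether a role's trust policy lets the CloudFormation service assume it, which is the point the comment raises. The function names and the sample trust policy are constructed for illustration.

```python
import json
import re

# Session ARN as printed by `aws sts get-caller-identity` in the question.
SESSION_ARN = "arn:aws:sts::234567890:assumed-role/pipeline-role/deploy_session"

# Constructed sample trust policy (not from the page): it lets the
# CloudFormation service assume the role.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudformation.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# A session ARN carries only the role name, never the role's IAM path, so a
# role created under a path cannot be fully rebuilt from it.
_SESSION_RE = re.compile(r"^arn:(aws[a-z-]*):sts::(\d+):assumed-role/([^/]+)/[^/]+$")
_ROLE_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d+:role/.+$")

def iam_role_arn(arn):
    """Return the IAM role ARN for an IAM role ARN or an assumed-role session ARN."""
    if _ROLE_RE.match(arn):
        return arn
    m = _SESSION_RE.match(arn)
    if not m:
        raise ValueError("not an IAM role or assumed-role session ARN: " + arn)
    partition, account, role_name = m.groups()
    return f"arn:{partition}:iam::{account}:role/{role_name}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trusts_cloudformation(trust_policy_json):
    """True if an Allow statement lets cloudformation.amazonaws.com assume the role."""
    # Simplification: Condition blocks and explicit Deny statements are ignored.
    for stmt in _as_list(json.loads(trust_policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "cloudformation.amazonaws.com" in services and actions & {"sts:assumerole", "sts:*", "*"}:
            return True
    return False
```

The trust policy to test can be read from the target account with `aws iam get-role --role-name pipeline-role --query Role.AssumeRolePolicyDocument`.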