I have a Serverless definition that works when deploying to existing stages:
```yaml
service: appcode-graphql
frameworkVersion: "3"
variablesResolutionMode: 20210326
useDotenv: true
unresolvedVariablesNotificationMode: error
provider:
  name: aws
  runtime: nodejs20.x
  architecture: arm64
  region: ${opt:region, 'eu-central-1'}
  stage: ${opt:stage, 'app-dev'}
  stackTags:
    foo: bar
  tags:
    foo: bar
  logRetentionInDays: ${env:LOGRETENTION_IN_DAYS, 14}
  iam:
    deploymentRole: ${env:CFN_ROLE_ARN}
    role:
      permissionsBoundary: ${env:ROLEPERMISSIONS_BOUNDARY_ARN}
```
`ROLEPERMISSIONS_BOUNDARY_ARN` is defined as:

```
ROLEPERMISSIONS_BOUNDARY_ARN = arn:aws:iam::${self:custom.accountId}:policy/acs/acs-boundary-policy
```
Now I want to deploy that application to a new intermediate stage using a GitHub workflow and receive the following error:
```
Error:
CREATE_FAILED: IamRoleLambdaExecution (AWS::IAM::Role)
Resource handler returned message: "Scope ARN: arn:aws:iam::xxxxxxxx46559:policy/acs/acs-boundary-policy does not exist or is not attachable. (Service: Iam, Status Code: 404, Request ID: a3757afa-ed23-4b47-b959-893facec0558)" (RequestToken: 740e9309-b72c-6568-dfc9-340073e13fd8, HandlerErrorCode: NotFound)
```
Deploying to an already existing stage works. So here are my problems:
- What is the permissionsBoundary explained in simple terms?
- The `policy/acs/acs-boundary-policy` has never existed in that account according to my CloudTrail lookups
- Why is it failing and how can I fix it?
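A permissions boundary is a managed policy that CloudFormation attaches to the role by ARN when it creates `IamRoleLambdaExecution`; it caps what the role may ever do but grants nothing by itself, and it has to exist in the account the stack is deployed into. The pre-flight check below is an added example, not code from the question above or from the Serverless Framework: it parses the boundary ARN, confirms its account ID matches the deployment account, and confirms the policy is present before `sls deploy` is run. The account IDs and the list of existing policies are constructed sample data; `list_policy_arns_live` is an optional helper that needs boto3 and AWS credentials and is not used by the offline check.

```python
"""Pre-flight check for a Serverless Framework permissions boundary ARN."""
import re
from dataclasses import dataclass

# Customer-managed policy ARN: arn:<partition>:iam::<12-digit account>:policy/<path><name>
POLICY_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::"
    r"(?P<account>\d{12}):policy/(?P<path_and_name>[A-Za-z0-9+=,.@_/-]+)$"
)


@dataclass(frozen=True)
class PolicyArn:
    partition: str
    account: str
    path: str  # "/acs/" for "policy/acs/acs-boundary-policy", "/" when there is no path
    name: str  # "acs-boundary-policy"


def parse_policy_arn(arn: str) -> PolicyArn:
    """Split a managed-policy ARN into its parts; raise ValueError on malformed input."""
    m = POLICY_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a valid IAM managed-policy ARN: {arn!r}")
    head, _, name = m.group("path_and_name").rpartition("/")
    path = f"/{head}/" if head else "/"
    return PolicyArn(m.group("partition"), m.group("account"), path, name)


def check_boundary(boundary_arn: str, deploy_account: str, existing_policy_arns) -> list[str]:
    """Return the problems that would make CloudFormation fail; an empty list means OK.

    existing_policy_arns: ARNs of customer-managed policies in the deployment account
    (from list_policy_arns_live() or, as here, a constructed sample).
    """
    try:
        parsed = parse_policy_arn(boundary_arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if parsed.account != deploy_account:
        problems.append(
            f"boundary policy is in account {parsed.account} but the stack is deployed "
            f"to {deploy_account}; a boundary must be a policy in the same account"
        )
    if boundary_arn not in set(existing_policy_arns):
        problems.append(
            f"policy {parsed.path}{parsed.name} does not exist in account {parsed.account}; "
            "create it (or fix the ARN) before running sls deploy"
        )
    return problems


def list_policy_arns_live(session=None) -> list[str]:
    """Enumerate customer-managed policy ARNs with boto3 (needs credentials; optional)."""
    import boto3  # imported here so the offline check works without boto3 installed

    iam = (session or boto3.Session()).client("iam")
    arns = []
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        arns.extend(p["Arn"] for p in page["Policies"])
    return arns


if __name__ == "__main__":
    # Constructed sample: the boundary references an account where the policy is missing.
    boundary = "arn:aws:iam::123456789012:policy/acs/acs-boundary-policy"
    present = ["arn:aws:iam::123456789012:policy/acs/some-other-policy"]
    for problem in check_boundary(boundary, "123456789012", present):
        print("PROBLEM:", problem)
```

Run it in the workflow before `sls deploy` with the real list from `list_policy_arns_live()`; a non-empty result is the same condition CloudFormation reports as `NotFound`, caught before the stack rolls back.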