AccessDeniedException: Caller does not have permissions to create a Service Linked Role

[candlerb]

I am trying to use serverless-domain-manager to create an endpoint of type "regional". I have created an IAM policy as per this info

Now when I try to deploy with this config:

  customDomain:
    domainName: myapp-${opt:stage, self:provider.stage}.apps.XXXX.com
    createRoute53Record: true
    certificateName: "*.apps.XXXX.com"
    certificateRegion: eu-west-1
    endpointType: regional

I get the following error:

  Error: 'myapp-dev.apps.XXXX.com' was not created in API Gateway.
AccessDeniedException: Caller does not have permissions to create a Service Linked Role.

It looks like I need "iam:CreateServiceLinkedRole" but I'm not sure on what resource (and giving out iam permissions is not something I take lightly!)

This is the policy I have added for serverless-domain-manager:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "acm:ListCertificates",
                "cloudfront:UpdateDistribution"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "route53:GetHostedZone",
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/XXXX"
            ]
        },
        {
            "Sid": "VisualEditor1a",
            "Effect": "Allow",
            "Action": "apigateway:GET",
            "Resource": "arn:aws:apigateway:eu-west-1::/domainnames/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "apigateway:DELETE",
            "Resource": "arn:aws:apigateway:eu-west-1::/domainnames/*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "apigateway:POST",
            "Resource": "arn:aws:apigateway:eu-west-1::/domainnames"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "apigateway:POST",
            "Resource": "arn:aws:apigateway:eu-west-1::/domainnames/*/basepathmappings"
        }
    ]
}

To be clear: I have created this as a policy in IAM, and have attached it as a managed policy to a group called devops, and the user whose API key I'm using to deploy is a member of that group. This approach has worked fine for me before when running serverless.

[candlerb]

Should have added the backtrace from SLS_DEBUG=*, although I can't see anything useful in it.

  Stack Trace --------------------------------------------

Error: Error: 'myapp-dev.apps.XXXX.com' was not created in API Gateway.
AccessDeniedException: Caller does not have permissions to create a Service Linked Role.
    at createDomainName.catch (/usr/lib/node_modules/serverless-domain-manager/index.js:97:15)
    at process._tickDomainCallback (internal/process/next_tick.js:135:7)
From previous event:
    at PluginManager.invoke (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:372:22)
    at PluginManager.run (/usr/lib/node_modules/serverless/lib/classes/PluginManager.js:403:17)
    at variables.populateService.then (/usr/lib/node_modules/serverless/lib/Serverless.js:102:33)
    at runCallback (timers.js:672:20)
    at tryOnImmediate (timers.js:645:5)
    at processImmediate [as _immediateCallback] (timers.js:617:5)
From previous event:
    at Serverless.run (/usr/lib/node_modules/serverless/lib/Serverless.js:89:74)
    at serverless.init.then (/usr/lib/node_modules/serverless/bin/serverless:42:50)

[candlerb]

Checking in CloudTrail:

AWS access key: ....
AWS region: eu-west-1
Error code: AccessDeniedException
Event ID: ....
Event name: CreateDomainName
Event source: apigateway.amazonaws.com
Event time: 2018-03-07, 09:59:36 PM
Request ID: ....
Source IP address: X.X.X.X
User name: brian-dev

This does look like a regular permissions error, so I've probably just done something silly, but I can't see it!

[candlerb]

As a workaround, I added my deployment user temporarily to the "Administrators" group and it was able to create the domain with "sls create_domain". Subsequent "sls deploy" didn't need the admin privileges.

[blaffoy]

Hi @candlerb , I'm seeing this exact problem when running serverless create_domain from an instance with an attached instance profile.

I believe that you're right, the IAM permission iam:CreateServiceLinkedRole is the key, but I don't know what resource to allow it on (and I don't like giving wildcard permissions on anything iam:).

Did you get any further with this?

[candlerb]

I'm afraid not. If I get the same problem again, I'll just use temporary admin rights again to run create_domain.

But oddly, the next time I used serverless create_domain it didn't need it. That time I was creating a different subdomain for different stage, under the same wildcard cert:

  customDomain:
    domainName: myapp-${opt:stage, self:provider.stage}.apps.example.com
    createRoute53Record: true
    endpointType: regional

Actually deploying new versions of the lambda with sls deploy have not had any problems.

[jthomerson]

This happens because when you use the SDK to create an API Gateway custom domain, AWS will automatically create a service-linked role for you (see this blog post). There's two ways I know of to solve this:

1. Make sure that the role that you're creating the domain with has the iam:CreateServiceLinkedRole permission, or
2. Manually create a custom domain in your account before using the SDK (serverless-domain-manager) to create one. Manually creating one ends up creating the service-linked role behind the scenes and means that when the SDK tries to create a custom domain, it doesn't need to create the service-linked role. Of course, most of us are here because we don't think it's a good idea to manually create things or configure an AWS account ... but just mentioning this in case you prefer that method.

I recommend reading this blog post: https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/

[captainsidd]

Hey there! @candlerb , did the solution that @jthomerson posted solve your problem? If not, we'll reopen this issue.

[candlerb]

did the solution that @jthomerson posted solve your problem? If not, we'll reopen this issue.

I'm afraid it didn't help me: it said to grant the "iam:CreateServiceLinkedRole" permission, but not what target resource to grant that permission on. I hate granting permissions on "*", especially IAM permissions, without being sure of the consequences.

For now, I run "sls deploy" the first time on a new application using an Administrator account, and then after that updates are fine.

[captainsidd]

@candlerb Have you tried granting the iam:CreateServiceLinkedRole permission to the user creating the lambda? Seems as though the user would be the resource to make the most sense.

[candlerb]

I'm afraid I don't understand that. To grant permissions to that user, I would create an inline policy something like this:

        {
            "Sid": "example123",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:XXXX:YYYY:ZZZZ"   << WHAT GOES HERE?
        },

The question is, what resource am I granting the CreateServiceLinkedRole action on? I could put "Resource": "*" but I would be wary of the security implications of doing that.

[aoskotsky-amplify]

Looks like the role that's created is AWSServiceRoleForAPIGateway. Maybe try adding arn:aws:iam::<account number>:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway for the resource

[zoellner]

Was just able to confirm that the permission mentioned is sufficient

- Effect: Allow
  Action:
    - iam:CreateServiceLinkedRole
  Resource:
    - !Sub arn:aws:iam::${AWS::AccountId}:role/aws-service-role/ops.apigateway.amazonaws.com/AWSServiceRoleForAPIGateway