
User Pool Event 'existing' parameter uses the CF deployment role #11689

Open
3 of 4 tasks
pragma-ezekiel opened this issue Jan 18, 2023 · 2 comments
pragma-ezekiel commented Jan 18, 2023

Are you certain it's a bug?

  • Yes, it looks like a bug

Is the issue caused by a plugin?

  • It is not a plugin issue

Are you using the latest v3 release?

  • Yes, I'm using the latest v3 release

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Issue description

I'm currently using a custom CloudFormation role to allow my functions to be deployed by a pipeline to another AWS account. In the serverless yml file, I've created a PostConfirmation trigger for my existing Cognito user pool.

You've mentioned in the documentation that a backup lambda function is created when you declare the 'existing' parameter. However, this backup lambda function uses the CF deployment role by default and therefore I am getting this error:

CREATE_FAILED: CustomDashresourceDashexistingDashcupLambdaFunction (AWS::Lambda::Function)
Resource handler returned message: "The role defined for the function cannot be assumed by Lambda.

I have double checked the output CloudFormation template and this resource is using my deployment role.

    "CustomDashresourceDashexistingDashcupLambdaFunction": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": {
            "Ref": "ServerlessDeploymentBucket"
          },
          "S3Key": "serverless/functions/dev/xxxxxxxxxx-2023-01-18Txx:xx:xx.xxxZ/custom-resources.zip"
        },
        "FunctionName": "functions-dev-custom-resource-existing-cup",
        "Handler": "cognito-user-pool/handler.handler",
        "MemorySize": 1024,
        "Runtime": "nodejs16.x",
        "Timeout": 180,
        "Role": "arn:aws:iam::xxxxxxxxx:role/BackendCFExecutionRole"
      },
      "DependsOn": []
    }

I've even tried removing the role that is declared in my Serverless function and it still doesn't work, and I've tried adding the forceDeploy: true parameter and that didn't work either.

The only way I got it to work was by removing the iam.deploymentRole parameter completely which isn't ideal since this is deployed via CI/CD.

Service configuration (serverless.yml) content

service: functions
frameworkVersion: '3'

custom: ${file(../../env.yml)}
provider:
  name: aws
  runtime: nodejs16.x
  stage: ${sls:stage}
  iam:
    deploymentRole: ${ssm:deploymentArn}
  region: ap-southeast-1

functions:
  resetPassword:
    handler: resetPassword/handler.main
    description: redacted
    memorySize: 128
    role: resetPasswordRole
    timeout: 30
    events:
      - cognitoUserPool:
          pool: xxxxxxxxxxxxxx
          trigger: PostConfirmation
          existing: true

resources:
  Resources:
    resetPasswordRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal: 
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
        Description: redacted
        Policies: 
          - PolicyDocument: 
              Version: "2012-10-17"
              Statement:
                - Effect: Allow
                  Action: 
                    - ses:SendEmail
                    - ses:SendRawEmail
                  Resource: "*"
                - Effect: Allow
                  Action: 
                    - logs:CreateLogStream
                    - logs:PutLogEvents
                  Resource: "*"
            PolicyName: PostTrigger-${sls:stage}
  
  Outputs:
    resetPassword:
      Description: redacted
      Value: !GetAtt ResetPasswordLambdaFunction.Arn
      Export:
        Name: ${sls:stage}-ResetPasswordFunction
    resetPasswordRole:
      Description: redacted
      Value: !Ref resetPasswordRole
      Export:
        Name: ${sls:stage}-ResetPasswordLambdaRole

Command name and used flags

serverless deploy --stage dev --aws-profile xxxx

Command output

Deploying functions to stage dev (redacted)

× Stack functions-dev failed to deploy (31s)
Environment: win32, node 16.14.2, framework 3.25.1, plugin 6.2.2, SDK 4.3.2
Credentials: Local, "xxxxx" profile
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
CREATE_FAILED: CustomDashresourceDashexistingDashcupLambdaFunction (AWS::Lambda::Function)
Resource handler returned message: "The role defined for the function cannot be assumed by Lambda. (Service: Lambda, Status Code: 400, Request ID: xxxxx)" (RequestToken: xxxxx, HandlerErrorCode: InvalidRequest)

Environment information

Framework Core: 3.25.1
Plugin: 6.2.2
SDK: 4.3.2

medikoo commented Jan 23, 2023

You've mentioned in the documentation that a backup lambda function is created when you declare the 'existing' parameter. However, this backup lambda function uses the CF deployment role by default and therefore I am getting this error

@pragma-ezekiel CF deployment role is used for all deployment tasks, and this backup lambda supplements the deployment process.

You can easily fix it by ensuring that the CF deployment role lists the Lambda service as one of its principals.
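The fix above is a change to the deployment role's trust policy (its AssumeRolePolicyDocument), not to the permissions attached to the role. CloudFormation assumes `iam.deploymentRole` to create the stack, and Serverless also sets that same role as the execution role of the custom-resource function that wires the trigger onto an existing user pool, so Lambda must be allowed to call sts:AssumeRole on it; otherwise function creation fails with "The role defined for the function cannot be assumed by Lambda". The following is an added example, not code from the Serverless Framework or from anyone in this thread: given a trust policy document (for example the output of `aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument`), it reports whether lambda.amazonaws.com is already a trusted service principal and, if not, returns a corrected document. The sample policy is constructed for illustration and the role name in the comment is hypothetical.

```python
"""Check whether a CloudFormation deployment role's trust policy lets Lambda
assume it, and produce a corrected trust policy if it does not.

Added example; not code from the Serverless Framework. The sample trust
policy below is constructed for illustration.
"""
import copy
import json

LAMBDA_PRINCIPAL = "lambda.amazonaws.com"
ASSUME_ROLE = "sts:AssumeRole"


def _as_list(value):
    """IAM policy fields (Statement, Action, Principal.Service) may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_allows_service(stmt, service):
    """True if this Allow statement grants sts:AssumeRole to the given service principal."""
    if stmt.get("Effect") != "Allow":
        return False
    if ASSUME_ROLE not in _as_list(stmt.get("Action")):
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True  # anonymous trust matches every principal; never acceptable for a deployment role
    if not isinstance(principal, dict):
        return False
    return service in _as_list(principal.get("Service"))


def lambda_can_assume(trust_policy):
    """Return True if any Allow statement lets lambda.amazonaws.com call sts:AssumeRole."""
    statements = _as_list(trust_policy.get("Statement"))
    return any(_statement_allows_service(s, LAMBDA_PRINCIPAL) for s in statements)


def trusted_services(trust_policy):
    """Sorted list of service principals that may assume this role."""
    services = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or ASSUME_ROLE not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return sorted(services)


def with_lambda_principal(trust_policy):
    """Return a copy of the trust policy with a separate Allow statement for Lambda.

    A separate statement (rather than appending to an existing Principal list)
    leaves the original CloudFormation statement untouched and makes the added
    trust easy to review or remove later. The input document is not modified.
    """
    fixed = copy.deepcopy(trust_policy)
    if lambda_can_assume(fixed):
        return fixed
    fixed["Statement"] = _as_list(fixed.get("Statement")) + [{
        "Effect": "Allow",
        "Principal": {"Service": LAMBDA_PRINCIPAL},
        "Action": ASSUME_ROLE,
    }]
    return fixed


# Constructed sample: a deployment role (hypothetically named BackendCFExecutionRole)
# that trusts only CloudFormation. This is the shape that fails when Serverless
# attaches the role to the custom-resource function for an existing user pool.
DEPLOYMENT_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "cloudformation.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    print("lambda can assume:", lambda_can_assume(DEPLOYMENT_ROLE_TRUST))  # False
    fixed = with_lambda_principal(DEPLOYMENT_ROLE_TRUST)
    print("lambda can assume after fix:", lambda_can_assume(fixed))  # True
    print(json.dumps(fixed, indent=2))
```

The corrected document is what goes into the role's AssumeRolePolicyDocument (for example via `aws iam update-assume-role-policy --role-name <name> --policy-document file://trust.json`, or in whatever CloudFormation or Terraform definition owns the role). Note the least-privilege trade-off: a deployment role is usually broad (it creates IAM roles, buckets and functions), and once Lambda may assume it, any principal holding iam:PassRole on that role can run a function with those privileges. Keep iam:PassRole for the deployment role restricted to the pipeline identity that performs deployments, and do not widen the role's permissions policy to make this error go away; only the trust policy needs to change.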

@AEsmerio

Any news? I'm stuck on this issue.
Adding the lambda to my iamRoleStatements doesn't seem to work.
My deployment only works when I remove the "existing: true"

provider:
  name: aws
  iamRoleStatements:
    - Effect: Allow
      Action: 
        - lambda:*
      Resource: "*"

I'm getting this error

Error:
CREATE_FAILED: CustomDashresourceDashexistingDashcupLambdaFunction (AWS::Lambda::Function)
Resource handler returned message: "Function creation failed because the function already exists"
