Integrate CodeDeploy Service Role into serverless.yml  #7204

@lovefamilychildrenhappiness

Description

If you have AWS Access Keys (~/.aws/credentials) on your machine, you assume a specific IAM User. That IAM User is granted specific IAM Roles. The IAM Role can be AdministrativeAccess or something else. If you deploy Serverless using this assumed IAM User with AdministrativeAccess, then your serverless.yml can perform any action on your AWS account.

However, when you perform automated deployments using the AWS CodeDeploy Service, this is a distinct service from the IAM User. The CodeDeploy Service will have its own IAM Roles independent of the IAM Roles of the IAM User. Consequently, if you create a Service Role for the CodeDeploy Service, you will not want that Role to have AdministrativeAccess. So you will have to individually add policies to this Role to deploy your Serverless Stack.

I use 'sls deploy' in the buildspec.yml of my CodeDeploy Service. I am forced to manually add new policies to the CodeDeploy Role of the CodeDeploy Service when the serverless.yml changes to require additional services. I want to automate this so that the CodeDeploy Service Roles can be modified in the serverless.yml file instead. This will allow me to automate AWS CI/CD. What is the best practice to include a Service's Roles, such as AWS CodeBuild, in serverless.yml?
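
The manual step described in this issue (noticing that a changed serverless.yml needs a service the deploy role does not yet allow) can be caught by a check in the pipeline. The sketch below is an added example, not part of the original issue and not Serverless Framework code. It compares the CloudFormation resource types of a stack against a role's policy document and also flags admin-style statements. The function names, the prefix heuristic, the baseline set and the sample data are all assumptions made for illustration.

```python
import fnmatch

# Assumption: the IAM service prefix is the lowercased second segment of the
# CloudFormation resource type; exceptions to that heuristic go here.
PREFIX_OVERRIDES = {"StepFunctions": "states"}
# Assumption: every deploy needs these, because the framework deploys through
# a CloudFormation stack and uploads its artifacts to an S3 bucket.
BASELINE = {"cloudformation", "s3"}

def _as_list(value):
    # IAM allows Action/Resource/Statement to be a single item or a list.
    return value if isinstance(value, list) else [value]

def service_prefix(resource_type):
    segment = resource_type.split("::")[1]
    return PREFIX_OVERRIDES.get(segment, segment.lower())

def audit_role(policy, resource_types):
    """Return (services with no Allow at all, Sids of admin-style statements).

    Coarse check: it reports a service that is missing entirely, not whether
    every individual action the deploy needs is present.
    """
    patterns, overbroad = [], []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "*" in actions and "*" in _as_list(stmt.get("Resource", [])):
            overbroad.append(stmt.get("Sid", "<no Sid>"))
        patterns += [a.split(":")[0].lower() for a in actions]
    needed = BASELINE | {service_prefix(t) for t in resource_types}
    missing = sorted(s for s in needed
                     if not any(fnmatch.fnmatchcase(s, p) for p in patterns))
    return missing, overbroad

# Constructed sample data (not from the issue). A real policy should also
# narrow Resource instead of using "*".
STACK_TYPES = ["AWS::Lambda::Function", "AWS::IAM::Role", "AWS::Logs::LogGroup",
               "AWS::DynamoDB::Table", "AWS::StepFunctions::StateMachine"]
SCOPED_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Deploy", "Effect": "Allow", "Resource": "*",
     "Action": ["cloudformation:*", "s3:*", "lambda:*", "logs:*", "iam:PassRole"]}]}
ADMIN_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit_role(SCOPED_ROLE, STACK_TYPES))
    print(audit_role(ADMIN_ROLE, STACK_TYPES))
```

Run before the deploy step, a non-empty first list means the role needs a new policy for that service, and a non-empty second list means the role has drifted back to administrator-level access.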
