Good day. Seeking help with the error `IamRoleLam...
# help
y
Good day. Seeking help with the error `IamRoleLambdaExecution: Syntax error in policy` encountered while deploying a lambda function to AWS. (Additional info is added in the thread.) serverless.yml:

```yaml
service: xxx-chat-api
provider:
  name: aws
  stackTags:
    Team: Chat
  runtime: go1.x
  stage: ${opt:stage, 'dev'}
  region: ap-southeast-1
  timeout: 200
  environment: ${file(env.yml)}
  iamRoleStatements:
    - ${file(models/chat.yml):consumerCognitoStatement}
    - ${file(models/chat.yml):userCognitoStatement}
    - ${file(models/chat.yml):adminTablePolicyStatement}
    - ${file(models/chat.yml):sesStatement}
:
:
:
```
models/chat.yml:

```yaml
consumerCognitoStatement:
  Effect: "Allow"
  Action:
    - "cognito-idp:ListUsers"
    - "lambda:InvokeFunction"
  Resource:
    - "${file(env.${self:provider.stage}.yml):COMPANY_COGNITO_RESOURCE_ARNS}"
    - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:xxx-cognito-auth-api-${self:provider.stage}-cogtoken"

userCognitoStatement:
  Effect: "Allow"
  Action:
    - "cognito-idp:ListUsers"
    - "lambda:InvokeFunction"
  Resource: "${file(env.${self:provider.stage}.yml):USER_COGNITO_RESOURCE_ARNS}"

sesStatement:
  Effect: Allow
  Action:
    - ses:SendEmail
    - ses:SendRawEmail
  Resource: "arn:aws:ses:eu-west-1:${AWS::AccountId}:identity/noreply@xxx.my"
```
`COMPANY_COGNITO_RESOURCE_ARNS` has multiple values:

```yaml
COMPANY_COGNITO_RESOURCE_ARNS:
  # CO_1
  - "arn:aws:cognito-idp:ap-southeast-1:xxx:userpool/ap-southeast-1_abc"
  # CO_2
  - "arn:aws:cognito-idp:ap-southeast-1:xxx:userpool/ap-southeast-1_xyz"
  # CO_3
  - "arn:aws:cognito-idp:ap-southeast-1:xxx:userpool/ap-southeast-1_jkl"
```
`USER_COGNITO_RESOURCE_ARNS` has a single value:

```yaml
USER_COGNITO_RESOURCE_ARNS:
  # Secure:
  - "arn:aws:cognito-idp:ap-southeast-1:xxx:userpool/ap-southeast-1_def"
```

Error: `IamRoleLambdaExecution: Syntax error in policy`
The deployment works fine when we just use a single value for `COMPANY_COGNITO_RESOURCE_ARNS`:

```yaml
COMPANY_COGNITO_RESOURCE_ARNS:
  # CO_1
  - "arn:aws:cognito-idp:ap-southeast-1:xxx:userpool/ap-southeast-1_abc"
```
So I'm suspecting there's something wrong with the multi values definition. Any help will be greatly appreciated.
In the past, deployment worked when the `model.yml` file was simpler, without `lambda:InvokeFunction` & `sesStatement` (though now I realize these statements can be simplified):

```yaml
consumerCognitoStatement:
  Effect: "Allow"
  Action:
    - "cognito-idp:ListUsers"
  Resource:
    - "${file(env.${self:provider.stage}.yml):COMPANY_COGNITO_RESOURCE_ARNS}"

userCognitoStatement:
  Effect: "Allow"
  Action:
    - "cognito-idp:ListUsers"
  Resource: "${file(env.${self:provider.stage}.yml):USER_COGNITO_RESOURCE_ARNS}"
```
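The shape that the question's multi-valued file reference most plausibly produces is a list nested inside the `Resource` list (the `${file(...):COMPANY_COGNITO_RESOURCE_ARNS}` item expands to the whole three-element list), which CloudFormation rejects as a policy syntax error. The following is an added example, not code from the thread or from the Serverless Framework: a small structural linter for IAM statements that flags nested lists in `Action` and `Resource` and flattens them, so the generated policy can be checked before `sls deploy` is run. The statement, account id and pool ids are constructed placeholders; the assumption that Serverless expands the variable without flattening is labelled in the comments.

```python
import json

# Constructed sample (not from the thread): the consumerCognitoStatement as it is
# assumed to look once "${file(...):COMPANY_COGNITO_RESOURCE_ARNS}" (itself a
# list) has been substituted as ONE item of the Resource list. Account id and
# user-pool ids are placeholders.
NESTED_STATEMENT = {
    "Effect": "Allow",
    "Action": ["cognito-idp:ListUsers", "lambda:InvokeFunction"],
    "Resource": [
        [   # the multi-valued file variable becomes a list inside the list
            "arn:aws:cognito-idp:ap-southeast-1:111111111111:userpool/ap-southeast-1_abc",
            "arn:aws:cognito-idp:ap-southeast-1:111111111111:userpool/ap-southeast-1_xyz",
            "arn:aws:cognito-idp:ap-southeast-1:111111111111:userpool/ap-southeast-1_jkl",
        ],
        {"Fn::Sub": "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:xxx-cognito-auth-api-dev-cogtoken"},
    ],
}


def is_intrinsic(value):
    """True for a single-key CloudFormation intrinsic such as {"Fn::Sub": ...} or {"Ref": ...}."""
    return (
        isinstance(value, dict)
        and len(value) == 1
        and next(iter(value)).startswith(("Fn::", "Ref"))
    )


def lint_statement(stmt, index=0):
    """Return the structural problems that would make CloudFormation reject this IAM statement.

    Action and Resource must each be a string, an intrinsic, or a flat list of
    those. A list nested inside the list is exactly the shape a multi-valued
    file variable produces when used as one list item.
    """
    problems = []
    if stmt.get("Effect") not in ("Allow", "Deny"):
        problems.append(f"Statement[{index}].Effect must be Allow or Deny")
    for key in ("Action", "Resource"):
        value = stmt.get(key)
        if value is None:
            problems.append(f"Statement[{index}].{key} is missing")
        elif isinstance(value, str) or is_intrinsic(value):
            continue
        elif isinstance(value, list):
            for i, item in enumerate(value):
                if isinstance(item, list):
                    problems.append(f"Statement[{index}].{key}[{i}] is a nested list (flatten it)")
                elif not (isinstance(item, str) or is_intrinsic(item)):
                    problems.append(f"Statement[{index}].{key}[{i}] has unsupported type {type(item).__name__}")
        else:
            problems.append(f"Statement[{index}].{key} has unsupported type {type(value).__name__}")
    return problems


def flatten_statement(stmt):
    """Return a copy of stmt with one level of list nesting removed from Action and Resource."""
    fixed = dict(stmt)
    for key in ("Action", "Resource"):
        value = stmt.get(key)
        if isinstance(value, list):
            flat = []
            for item in value:
                flat.extend(item if isinstance(item, list) else [item])
            fixed[key] = flat
    return fixed


def render_policy(statements):
    """Serialize statements into the policy document CloudFormation would receive."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)}, indent=2)


if __name__ == "__main__":
    for problem in lint_statement(NESTED_STATEMENT):
        print("problem:", problem)
    print(render_policy([flatten_statement(NESTED_STATEMENT)]))
```

Running it reports `Statement[0].Resource[0] is a nested list (flatten it)` and then prints the flattened policy with four resources, which is the form that deploys. In practice the same check can be run over the `IamRoleLambdaExecution` resource in `.serverless/cloudformation-template-update-stack.json` after `sls package`, so the rendered policy is inspected before any stack update is attempted.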
f
@yoges nsamy You are doing a lot of cross file referencing. I would create a new serverless service to debug this:
```yaml
service: xxx-chat-api
provider:
  name: aws
  stackTags:
    Team: Chat
  runtime: go1.x
  stage: ${opt:stage, 'dev'}
  region: ap-southeast-1
  timeout: 200
  environment: ${file(env.yml)}
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "cognito-idp:ListUsers"
        - "lambda:InvokeFunction"
      Resource:
        - "arn:aws:cognito-idp:ap-southeast-1:xxx:userpool/ap-southeast-1_abc"
        - "arn:aws:cognito-idp:ap-southeast-1:xxx:userpool/ap-southeast-1_xyz"
        - "arn:aws:cognito-idp:ap-southeast-1:xxx:userpool/ap-southeast-1_jkl"
```

Get it to work in the minimal form. And then start moving parts to different files.
I hope that makes sense
y
Okay yes, this helped. Thanks Frank!
I refactored the code to use a single cognito statement instead of multiple.
f
No worries! Glad you got it to work.