serverless-step-functions plugin is not using provider permissions Boundary when creating iam role #395

Open
@kandeshwarath

This is a (Bug Report)

Description

For bug reports:

  • When creating the IAM role ApigatewayToStepFunctionsRole, the plugin is not using the permissionsBoundary specified in provider; as a result, creation of the role fails.

  • The expected behavior was that, like the IAM role created for Lambda functions, it would use the permissions boundary specified.

  • What was the config you used?

```yaml
service: bulk-server
frameworkVersion: '2'

plugins:
  - serverless-webpack
  - serverless-pseudo-parameters
  - serverless-step-functions

provider:
  name: aws
  runtime: nodejs12.x
  rolePermissionsBoundary: arn:aws:iam::#{AWS::AccountId}:policy/DeveloperBoundaryPolicy
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "states:StartExecution"
      Resource:
        - "*"
  stage: ${opt:stage,'dev'}
  apiGateway:
    minimumCompressionSize: 1024
  environment:
    AWS_NODEJS_CONNECTION_REUSE_ENABLED: "1"

functions:
  writejob:
    handler: src/handlers.writejob
    events:
      - http:
          method: GET
          path: writejob
  mapjob:
    handler: src/handlers.mapjob
    events:
      - http:
          method: GET
          path: mapjob
  completejob:
    handler: src/handlers.completejob
    events:
      - http:
          method: GET
          path: completejob

stepFunctions:
  stateMachines:
    jobProcessor:
      name: JobProcessor
      events:
        - http:
            method: GET
            path: processjob
      definition:
        StartAt: writejob
        States:
          writejob:
            Type: Pass
            End: true
```
  • What stacktrace or error message from your provider did you see?

API: iam:CreateRole User: arn:aws:sts::myacct:assumed-role/MYASSUMEDROLE/MYSUSERNAME is not authorized to perform: iam:CreateRole on resource:

Additional Data

  • Serverless Framework Core Version you're using: 2.0
  • The Plugin Version you're using: serverless-step-functions ^2.29.0
  • Operating System: mac
  • Stack Trace:
  • Provider Error messages:

To work around the issue I created an IAM role and referenced it in the step function:

```yaml
resources:
  Resources:
    ApigatewayToStepFunctionsRole:
      Type: 'AWS::IAM::Role'
      Properties:
        PermissionsBoundary: arn:aws:iam::#{AWS::AccountId}:policy/DeveloperBoundaryPolicy
        RoleName: myrole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - states.amazonaws.com
                  - apigateway.amazonaws.com
              Action: 'sts:AssumeRole'
```
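A pre-deploy check for the behaviour reported above, added here as an example; it is not code from the serverless-step-functions plugin or from the reporter. It parses the CloudFormation template that `serverless package` writes to `.serverless/cloudformation-template-update-stack.json` and lists every `AWS::IAM::Role` whose `PermissionsBoundary` is missing or differs from the boundary you pass in, so a plugin-generated role like `ApigatewayToStepFunctionsRole` is caught before deploy. Accounts that force boundaries usually do so with an `iam:PermissionsBoundary` condition on `iam:CreateRole`, which is what turns a missing boundary into the "not authorized to perform: iam:CreateRole" error quoted above. The sample template, the account ID and the `WritejobLambdaFunction` resource in it are constructed for the demo; `IamRoleLambdaExecution` is the logical ID Serverless uses for its Lambda execution role, and the file name `check-boundary.js` in the usage comment is assumed.

```javascript
// Added example: report IAM roles in a packaged Serverless/CloudFormation template
// that lack the expected permissions boundary. Not part of the plugin or the issue.

// Normalise a PermissionsBoundary value so a plain ARN string and an intrinsic
// ({ "Fn::Sub": ... }, { "Ref": ... }) can both be compared to an expected value.
function boundaryToString(value) {
  if (value === undefined || value === null) return null;
  if (typeof value === 'string') return value;
  return JSON.stringify(value);
}

// Return the sorted logical IDs of AWS::IAM::Role resources whose PermissionsBoundary
// is missing or, when expectedBoundary is given, differs from it. Other resource
// types are ignored.
function findRolesMissingBoundary(template, expectedBoundary) {
  const resources = (template && template.Resources) || {};
  const expected = boundaryToString(expectedBoundary);
  const offenders = [];
  for (const [logicalId, resource] of Object.entries(resources)) {
    if (!resource || resource.Type !== 'AWS::IAM::Role') continue;
    const actual = boundaryToString((resource.Properties || {}).PermissionsBoundary);
    if (actual === null || (expected !== null && actual !== expected)) {
      offenders.push(logicalId);
    }
  }
  return offenders.sort();
}

// Convenience wrapper for a packaged template on disk (CommonJS require is loaded
// lazily so the pure functions above have no I/O dependency).
function checkTemplateFile(path, expectedBoundary) {
  const fs = require('fs');
  const template = JSON.parse(fs.readFileSync(path, 'utf8'));
  return findRolesMissingBoundary(template, expectedBoundary);
}

// Constructed sample resembling what Serverless v2 emits for the config in this issue:
// the Lambda execution role carries the boundary, the plugin's API Gateway role does not.
const BOUNDARY_ARN = 'arn:aws:iam::123456789012:policy/DeveloperBoundaryPolicy';
const SAMPLE_TEMPLATE = {
  Resources: {
    IamRoleLambdaExecution: {
      Type: 'AWS::IAM::Role',
      Properties: {
        PermissionsBoundary: BOUNDARY_ARN,
        AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [] },
      },
    },
    ApigatewayToStepFunctionsRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: { Version: '2012-10-17', Statement: [] },
      },
    },
    WritejobLambdaFunction: { Type: 'AWS::Lambda::Function', Properties: {} },
  },
};

// CLI entry point, only when a template path is given:
//   node check-boundary.js .serverless/cloudformation-template-update-stack.json [expected-boundary]
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const missing = checkTemplateFile(process.argv[2], process.argv[3]);
  if (missing.length) {
    console.error(`Roles without the expected permissions boundary: ${missing.join(', ')}`);
    process.exit(1);
  }
  console.log('All IAM roles carry the permissions boundary.');
}
```

Run it after `serverless package`. Note that serverless-pseudo-parameters rewrites `#{AWS::AccountId}` into an `Fn::Sub` intrinsic in the packaged template, so either omit the second argument (presence check only) or pass the expected value in the same compact JSON form, e.g. `'{"Fn::Sub":"arn:aws:iam::${AWS::AccountId}:policy/DeveloperBoundaryPolicy"}'`; a plain ARN only matches roles whose boundary was written as a literal string.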
