serverless-operations/serverless-step-functions

serverless-step-functions plugin is not using provider.iam.role.path

Opened this issue · 1 comment

Bug report

Issue

Generated step functions roles are ignoring the path defined under provider.iam.role.path.

How to reproduce

  1. Create a serverless.yml with lambdas and step functions
  2. Set provider.iam.role.path: /teamA/ to streamline access management
  3. Deploy cloudformation stack
  4. Engineers outside teamA cannot update Cloudformation stack.

Lambda iam role is generated with path:

"IamRoleLambdaExecution": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      ...
    },
    "Policies": [
      ...
    ],
    "Path": "/teamA/",
    "RoleName": "...",
    "ManagedPolicyArns": []
  }
}

Step function role is generated without path:

{
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "events.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "Policies": [
      {
        "PolicyName": "some-name",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "states:StartExecution"
              ],
              "Resource": {
                "Ref": "some-ref"
              }
            }
          ]
        }
      }
    ]
  }
}

The fix likely is in updating the IAM role templates e.g. here, here, etc.

What are your thoughts? Would that be a breaking change?

Thank you for this great plugin!
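As an added example (not code from the issue or from the plugin), a pre-deploy check that audits a compiled CloudFormation template for AWS::IAM::Role resources whose Path differs from provider.iam.role.path, plus a helper that sets the path on roles that lack one. The sample template, the logical id StepFunctionsTriggerRole and its contents are constructed assumptions modelled on the two roles shown above.

```javascript
// Added example (not part of the plugin or the issue): audit a compiled
// CloudFormation template for IAM roles whose Path does not match the
// provider.iam.role.path the service declares, so a role that silently
// lands at "/" is caught before deploy.

const EXPECTED_PATH = "/teamA/"; // value from the issue's reproduction steps

// Constructed sample mirroring the two roles shown in the issue: the Lambda
// role carries the path, the (hypothetical) step-function trigger role does not.
const sampleTemplate = {
  Resources: {
    IamRoleLambdaExecution: {
      Type: "AWS::IAM::Role",
      Properties: { Path: "/teamA/", AssumeRolePolicyDocument: {}, Policies: [] },
    },
    StepFunctionsTriggerRole: { // hypothetical logical id
      Type: "AWS::IAM::Role",
      Properties: { AssumeRolePolicyDocument: {}, Policies: [] },
    },
    SomeBucket: { Type: "AWS::S3::Bucket", Properties: {} },
  },
};

// Return logical ids of AWS::IAM::Role resources whose Path is missing or
// differs from expectedPath. IAM treats a missing Path as "/".
function findRolesOffPath(template, expectedPath) {
  const resources = (template && template.Resources) || {};
  return Object.entries(resources)
    .filter(([, res]) => res && res.Type === "AWS::IAM::Role")
    .filter(([, res]) => ((res.Properties && res.Properties.Path) || "/") !== expectedPath)
    .map(([id]) => id);
}

// Return a copy of the template with expectedPath set on every IAM role that
// declares no Path at all. Roles that explicitly declare a different Path are
// left untouched; findRolesOffPath still reports them for a human to decide.
function applyRolePath(template, expectedPath) {
  const copy = JSON.parse(JSON.stringify(template));
  for (const res of Object.values(copy.Resources || {})) {
    if (res.Type === "AWS::IAM::Role") {
      res.Properties = res.Properties || {};
      if (!res.Properties.Path) res.Properties.Path = expectedPath;
    }
  }
  return copy;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("roles off path:", findRolesOffPath(sampleTemplate, EXPECTED_PATH));
  console.log("after fix:", findRolesOffPath(applyRolePath(sampleTemplate, EXPECTED_PATH), EXPECTED_PATH));
}
```

Run it against `.serverless/cloudformation-template-update-stack.json` after `serverless package` to see which generated roles would escape the team's path.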

Hi @stavros-liaskos

thanks for opening this issue. It's honestly the first time I've heard about IAM paths 😅 Would you be interested in submitting a fix?