
not able to use existing logging role

Open droger88 opened this issue 1 year ago • 1 comment

We would like to use an existing role for the logging configuration because of our permission setup, but when the attribute is set, it still tries to create a new role for the AppSync configuration:

appSync:
  name: demo-post-api
  logging:
    level: ALL
    retentionInDays: 14
    enabled: true
    roleArn: "arn:aws:iam::12345:role/appsync-datasource"
....

Here is the output:

✖ Stack test-api failed to deploy (46s)
Environment: darwin, node 18.12.1, framework 3.39.0, plugin 7.2.3, SDK 4.5.1
Credentials: Local, environment variables
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

Error:
CREATE_FAILED: GraphQlApiLogGroupRole (AWS::IAM::Role)
Resource handler returned message: "Encountered a permissions error performing a tagging operation,

droger88 avatar Nov 08 '24 16:11 droger88

Same here.

Works fine with v1, but I am currently upgrading to v2 and have to comment out the logging part as it causes an error:

...
  logging:
    roleArn: !Sub arn:aws:iam::${AWS::AccountId}:role/${self:service}-${self:provider.stage}-appsync-cloudwatch-role
    enable: true
    level: ALL # Logging Level: NONE | ERROR | ALL
...

Getting this error:

CREATE_FAILED: GraphQlApiLogGroupRole (AWS::IAM::Role)
Resource handler returned message: "Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/serverless-cloudformation-execution-role/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::xxxxxxxxxxx:role/app-GraphQlApiLogGroupRole-MJ5cSpD5M4a7 because no identity-based policy allows the iam:CreateRole action 

For some reason it tries to create a new role name.

zjawol avatar Feb 12 '25 13:02 zjawol

In serverless-appsync-plugin 2.10.0, this issue is not present. Switch to a newer version to solve the issue.

AlexHladin avatar Sep 26 '25 21:09 AlexHladin

The issue still exists and can be invisible when the serverless deployment in your AWS account is not restricted, as it is in my organisation, for example. The problem is not attaching the custom roleArn to your AppSync config; the only problem is that you still create an additional role that is never used. @AlexHladin if you check your IAM roles, your serverless deployment creates a role like app-GraphQlApiLogGroupRole-XXXXXXXXX even when you attached a custom roleArn in your configuration.

zjawol avatar Sep 30 '25 10:09 zjawol
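One way to see this on your own stack before deploying, as an added example that is not part of the plugin or of any comment above: run `serverless package` and scan the generated CloudFormation template (`.serverless/cloudformation-template-update-stack.json`) for `AWS::IAM::Role` resources that nothing else in the template references. An unreferenced role is exactly the symptom described above: a role that gets created, needs `iam:CreateRole` and tagging permissions on the deployment role, and is never used. The template below is constructed inline so the script runs offline; the logical IDs `GraphQlApi`, `GraphQlApiLogGroup`, `LambdaExecutionRole` and `SomeLambda` are assumptions, while `GraphQlApiLogGroupRole` is the ID from the error messages in this thread.

```javascript
// Added example, not plugin code: audit a CloudFormation template for IAM roles
// that no other resource references (Ref, Fn::GetAtt or Fn::Sub).
// Usage: node audit-roles.js .serverless/cloudformation-template-update-stack.json
// Without an argument it runs against the constructed sample template below.

// Collect every logical ID referenced via Ref / Fn::GetAtt / Fn::Sub inside a value.
function collectRefs(node, out = new Set()) {
  if (Array.isArray(node)) {
    node.forEach((n) => collectRefs(n, out));
    return out;
  }
  if (node && typeof node === 'object') {
    if (typeof node.Ref === 'string') out.add(node.Ref);
    if (node['Fn::GetAtt']) {
      const target = node['Fn::GetAtt'];
      out.add(Array.isArray(target) ? target[0] : String(target).split('.')[0]);
    }
    if (typeof node['Fn::Sub'] === 'string') {
      // ${Logical.Attr} references; ${!Literal} is an escaped literal and is skipped.
      for (const m of node['Fn::Sub'].matchAll(/\$\{([^}!]+)\}/g)) out.add(m[1].split('.')[0]);
    }
    Object.values(node).forEach((v) => collectRefs(v, out));
  }
  return out;
}

// Return logical IDs of AWS::IAM::Role resources that no other resource references.
// Only the Resources section is checked; a role referenced solely from Outputs is still reported.
function findUnreferencedRoles(template) {
  const resources = template.Resources || {};
  const unreferenced = [];
  for (const [id, res] of Object.entries(resources)) {
    if (res.Type !== 'AWS::IAM::Role') continue;
    const referenced = Object.entries(resources)
      .some(([otherId, other]) => otherId !== id && collectRefs(other).has(id));
    if (!referenced) unreferenced.push(id);
  }
  return unreferenced;
}

// Constructed sample (assumption): logging.roleArn points at an existing role, so the
// API's LogConfig carries a literal ARN, yet the template still contains GraphQlApiLogGroupRole.
const sampleTemplate = {
  Resources: {
    GraphQlApi: {
      Type: 'AWS::AppSync::GraphQLApi',
      Properties: {
        Name: 'demo-post-api',
        AuthenticationType: 'API_KEY',
        LogConfig: {
          FieldLogLevel: 'ALL',
          CloudWatchLogsRoleArn: 'arn:aws:iam::123456789012:role/appsync-cloudwatch-role',
        },
      },
    },
    GraphQlApiLogGroup: {
      Type: 'AWS::Logs::LogGroup',
      Properties: {
        LogGroupName: { 'Fn::Sub': '/aws/appsync/apis/${GraphQlApi.ApiId}' },
        RetentionInDays: 14,
      },
    },
    GraphQlApiLogGroupRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Version: '2012-10-17',
          Statement: [{ Effect: 'Allow', Principal: { Service: 'appsync.amazonaws.com' }, Action: 'sts:AssumeRole' }],
        },
        ManagedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs'],
      },
    },
    // A role that IS referenced, to show the check does not flag everything.
    LambdaExecutionRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Version: '2012-10-17',
          Statement: [{ Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' }, Action: 'sts:AssumeRole' }],
        },
      },
    },
    SomeLambda: {
      Type: 'AWS::Lambda::Function',
      Properties: { Role: { 'Fn::GetAtt': ['LambdaExecutionRole', 'Arn'] }, Runtime: 'nodejs18.x', Handler: 'index.handler', Code: { ZipFile: 'exports.handler = async () => ({})' } },
    },
  },
};

function auditTemplateFile(path) {
  const fs = require('fs');
  return findUnreferencedRoles(JSON.parse(fs.readFileSync(path, 'utf8')));
}

if (typeof require !== 'undefined' && require.main === module) {
  const path = process.argv[2];
  const roles = path ? auditTemplateFile(path) : findUnreferencedRoles(sampleTemplate);
  console.log(roles.length ? `Unreferenced IAM roles: ${roles.join(', ')}` : 'No unreferenced IAM roles');
}
```

If the packaged template lists `GraphQlApiLogGroupRole` as unreferenced while your `logging.roleArn` is set, the plugin version you are on still emits the extra role; that is worth knowing even when your deployment role is permissive enough that the deploy succeeds, since the role is an unused principal trusted by `appsync.amazonaws.com` sitting in the account.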