2
votes

I am exploring CodeStar using a basic project created with the Python 3.7 Lambda template following the Serverless Project Tutorial in the AWS CodeStar documentation:

https://docs.aws.amazon.com/codestar/latest/userguide/sam-tutorial.html

My build and deploy are successful. However, I see a warning in my CloudFormation event log:

The IAM user doesn't allow CloudFormation to call lambda:GetAlias, this could result in formulating a appspec file with stale CurrentVersion for CodeDeploy deployment. Please fix it to avoid any possible CodeDeploy deployment failures.

I am just using the AWS resources created automatically by the CodeStar console.

What do I do to fix this warning?

Details

The CodeDeploy step in the CodePipeline deploys the lambda function by updating a CloudFormation stack named: awscodestar-<codestar project name>-lambda.

When I looked in the event log for this stack, I noticed the above warning for the resource named HelloWorldAliaslive

1 Answer

2
votes

To fix this, add the lambda:GetAlias permission to the inline policy associated with the IAM role named CodeStarWorker-<project>-CloudFormation

  1. Open the AWS Console for CodeStar
  2. Click Project in the left navbar
  3. Find the Project Resources section. One of the AWS IAM resources will have a name CodeStarWorker-<project>-CloudFormation. Click the link in the ARN column of the table to open the role in IAM.
  4. Locate the inline policy named CodeStarWorkerCloudFormationRolePolicy and click the Edit button.
  5. Add the "lambda:GetAlias" action to this policy.

This policy is created automatically by CodeStar. In my account, the policy included several Statements. I chose to add the "lambda:GetAlias" action to the statement which already had "lambda:CreateAlias" action.

After making this change, the warning no longer appeared in my CloudFormation event logs.
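The console steps in the answer above can also be scripted. The following is an added example, not part of the original answer: it adds `lambda:GetAlias` only to the Allow statement that already grants `lambda:CreateAlias`, so the statement's existing `Resource` scoping is kept. The sample policy is constructed for illustration, the function names are hypothetical, and `update_role` assumes boto3 is installed and the caller has IAM credentials.

```python
import copy
import json

NEW_ACTION = "lambda:GetAlias"
ANCHOR_ACTION = "lambda:CreateAlias"

def add_get_alias(policy):
    """Return (new_policy, changed); the input document is not mutated."""
    policy = copy.deepcopy(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM allows a single statement object
        statements = policy["Statement"] = [statements]
    found = changed = False
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # never widen Deny or NotAction statements
        actions = stmt["Action"]
        if isinstance(actions, str):  # IAM allows a single action string
            actions = [actions]
        lowered = [a.lower() for a in actions]  # action names are case-insensitive
        if ANCHOR_ACTION.lower() not in lowered:
            continue
        found = True
        if NEW_ACTION.lower() not in lowered:
            stmt["Action"] = actions + [NEW_ACTION]
            changed = True
    if not found:
        raise ValueError(f"no Allow statement grants {ANCHOR_ACTION}")
    return policy, changed

def update_role(role_name, policy_name="CodeStarWorkerCloudFormationRolePolicy"):
    """Apply the change to the live inline policy of the given role."""
    import boto3  # imported here so add_get_alias() works offline
    iam = boto3.client("iam")
    current = iam.get_role_policy(RoleName=role_name, PolicyName=policy_name)
    updated, changed = add_get_alias(current["PolicyDocument"])
    if changed:
        iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                            PolicyDocument=json.dumps(updated))
    return changed

# Constructed sample policy (not the real CodeStar-generated document).
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["lambda:CreateAlias", "lambda:UpdateAlias"], "Resource": "*"},
]}
```

Running `add_get_alias` on a saved copy of the policy first shows exactly which statement would change before `update_role` writes anything.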