Overides iamManagedPolicies even with iamRoleStatementsInherit flag

[arvurb]

Im trying to enable Lambda Insights. Insights needs CloudWatchLambdaInsightsExecutionRolePolicy, but it gets overridden even with iamRoleStatementsInherit flag. defaultInherit does not work as well.

....
provider: {
    name: 'aws',
    runtime: 'nodejs12.x',
    region: 'eu-west-2',
    iamManagedPolicies: ["arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"],
  },
  functions: {
    getSessions: {
      handler: 'build/getSessions.handler',
      timeout: 15,
      package: {
        include: ['build/getSessions*'],
      },
      events: [
        {
          httpApi: {
            method: 'get',
            path: '/sessions',
            authorizer: {
              name: 'customAuthorizer'
            },
          },
        },
      ],
      iamRoleStatementsInherit: true,
      iamRoleStatements: [
        {
          Effect: 'Allow',
          Action: ['ssm:GetParameters*'],
          Resource: {
            "Fn::Sub":'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${self:custom.stage}/*'
          }
        },
        {
          Effect: 'Allow',
          Action: ['kms:Decrypt'],
          Resource: {
            "Fn::Sub":'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/CMK'
          }
        },
      ],

      layers: [
        `arn:aws:lambda:eu-west-2:580247275435:layer:LambdaInsightsExtension:14`
      ]
    },

[Enase]

@arvurb Looks like you try to use deprecated serverless.yml notation that might not be supported.

see: https://www.serverless.com/framework/docs/deprecations#grouping-iam-settings-under-provideriam

[arvurb]

@Enase Thanks! I changed policy settings as advised and still get the same behavior.

...
provider: {
    name: 'aws',
    runtime: 'nodejs12.x',
    region: 'eu-west-2',
    iam: {
      role: {
        managedPolicies: ["arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy"]
      }
    }

I can confirm that managedPolicies are defined correctly because I can see it in AWS when I remove iamRoleStatements from my code. When I put it back again, I can only see what was defined in iamRoleStatements. Adding inherit flags did not work.

[Enase]

@arvurb It'a a bug, you can create a patch from this code block or wait for PR.

[stephenbawks]

Ran into this issue myself this morning. Using the managed policies in the provider.iam block does not inherit down to the function.