Ganesh Satpute

Reputation: 3941

S3 create bucket fails

I'm trying to create a serverless project which deploys a CloudFormation and, as a part of that, it tries to create an S3 bucket. But this fails due to the following error:

15:23:25 UTC+0550   CREATE_FAILED       AWS::S3::Bucket ServerlessDeploymentBucket  API: s3:CreateBucket Access Denied
15:23:24 UTC+0550   CREATE_IN_PROGRESS  AWS::S3::Bucket ServerlessDeploymentBucket  

I've tried to create an S3 bucket with the command aws s3api create-bucket --bucket my-bucket --region us-west-2, which successfully creates the bucket. I'm not sure why I'm getting access denied while creating the S3 bucket via serverless. What could be the issue here?

Here's my serverless.yml file

service: auth-service-gs

provider:
  name: aws
  runtime: python2.7
  stage: dev2-gs-1
  region: us-west-2
  profile: mfa
  environment:
    DB_HOST: "DB_HOST"
    DB_USER: "root"
    DB_PASS: "<password>"
    LOG_LEVEL: "DEBUG"


functions:
  login:
    handler: handler.login
    events:
       - http:
           path: /api/v1/login
           method: post
           cors: true

I deploy the service using $ serverless deploy

Also, the content of ~/.aws/credentials:

[mfa]
aws_access_key_id = <ACCESS_KEY>
aws_secret_access_key = <SECRET_KEY>
aws_session_token = <SESSION ID>

Which I got by running

$ aws sts get-session-token --serial-number arn:aws:iam::<number>:mfa/<username> --token-code 123456

Upvotes: 7

Views: 10535

Answers (1)

Rodrigo Murillo

Reputation: 13632

Your process role will need IAM permission, either at the role or at the user level, depending on your implementation.

Assuming you want the process to create and have all permissions to the bucket, you would need something like this:

{
  "Statement": [
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Upvotes: 3
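A way to check offline which bucket ARNs a policy like the one in the answer above actually covers, as an added example that is not part of the original question or answer. The evaluator is simplified (only Effect, Action and Resource are considered), and the deployment bucket ARN and PREFIX_POLICY are constructed for illustration, assuming CloudFormation generates the ServerlessDeploymentBucket name from the stack name.

```python
import re

def _as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    for pattern in _as_list(patterns):
        regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                        for c in pattern)
        if re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0):
            return True
    return False

def is_allowed(policy, action, resource):
    """Evaluate one identity policy: an explicit Deny wins, else an Allow is needed.
    Simplification: Condition, NotAction and NotResource are not handled."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = (_matches(stmt["Action"], action, ignore_case=True)  # action names ignore case
               and _matches(stmt["Resource"], resource, ignore_case=False))  # ARNs do not
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

# Policy from the answer above, scoped to the bucket named "my-bucket".
ANSWER_POLICY = {"Statement": [{"Action": "s3:*", "Effect": "Allow",
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]}

# Constructed ARN: stands in for the generated name of ServerlessDeploymentBucket.
DEPLOY_BUCKET_ARN = "arn:aws:s3:::auth-service-gs-dev2-gs-1-serverlessdeploymentbucket-example"

# Hypothetical variant scoped by the service-name prefix instead of one fixed bucket.
PREFIX_POLICY = {"Statement": [{"Action": "s3:*", "Effect": "Allow",
    "Resource": ["arn:aws:s3:::auth-service-gs-*", "arn:aws:s3:::auth-service-gs-*/*"]}]}

def report():
    return {
        "answer policy, my-bucket": is_allowed(ANSWER_POLICY, "s3:CreateBucket", "arn:aws:s3:::my-bucket"),
        "answer policy, deployment bucket": is_allowed(ANSWER_POLICY, "s3:CreateBucket", DEPLOY_BUCKET_ARN),
        "prefix policy, deployment bucket": is_allowed(PREFIX_POLICY, "s3:CreateBucket", DEPLOY_BUCKET_ARN),
    }

if __name__ == "__main__":
    for case, result in report().items():
        print(f"{case}: {'Allow' if result else 'implicit deny'}")
```

A Resource list naming only my-bucket leaves s3:CreateBucket implicitly denied for any other bucket name, so the Resource entries have to match the bucket the stack actually creates.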
