
AccessDenied when deploying serverless via aws-vault


I am trying to deploy serverless with the credentials stored in my aws-vault keychain.

However, when I run aws-vault exec myprofile -- sls deploy, I receive the following error:

An error occurred: MyLambdaFunction - AccessDenied. User doesn't have permission to call iam:GetRole.

The user has AdministratorAccess and I also gave him IAMFullAccess (which should not be needed).

When I deploy with the same credentials stored in ~/.aws/credentials with sls deploy, it works.


Solution

  • According to the docs, the session token generated by aws-vault has some restrictions:

    • You cannot call any IAM API operations unless MFA authentication information is included in the request.
    • You cannot call any AWS STS API except AssumeRole or GetCallerIdentity.

    A workaround is to use the --no-session flag.

    So aws-vault exec myprofile --no-session -- sls deploy works without any error.
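The restriction described in the answer can be checked before deploying. The following is an added example, not part of the original post: it classifies the credentials a command would run with from the caller ARN and the presence of AWS_SESSION_TOKEN. The function names, account ID and principal names are constructed for illustration.

```shell
#!/bin/sh
# classify_creds ARN SESSION_TOKEN   (hypothetical helper, not part of aws-vault)
#   ARN            "Arn" field returned by `aws sts get-caller-identity`
#   SESSION_TOKEN  value of AWS_SESSION_TOKEN (empty when unset)
classify_creds() {
    case "$1" in
        arn:*:sts::*:assumed-role/*)
            echo "assumed-role" ;;
        arn:*:iam::*:user/*)
            # An IAM user ARN together with a session token means the
            # credentials came from GetSessionToken.
            if [ -n "$2" ]; then
                echo "user-session-token"
            else
                echo "long-lived-user-keys"
            fi ;;
        *)
            echo "unknown" ;;
    esac
}

# explain KIND: what the classification means for IAM calls such as iam:GetRole
explain() {
    case "$1" in
        user-session-token)
            echo "IAM calls are denied unless the session was created with MFA" ;;
        long-lived-user-keys)
            echo "IAM calls follow the user's policies; the child process holds the long-lived keys" ;;
        assumed-role)
            echo "IAM calls follow the role's policies" ;;
        *)
            echo "unrecognised principal; inspect the ARN" ;;
    esac
}

# Live check inside `aws-vault exec myprofile -- sh` (needs the AWS CLI):
#   arn=$(aws sts get-caller-identity --query Arn --output text)
#   kind=$(classify_creds "$arn" "${AWS_SESSION_TOKEN:-}")

# Constructed sample inputs (ARN|token), so the script runs offline.
while IFS='|' read -r arn token; do
    kind=$(classify_creds "$arn" "$token")
    echo "$arn -> $kind: $(explain "$kind")"
done <<'EOF'
arn:aws:iam::123456789012:user/deployer|EXAMPLETOKEN
arn:aws:iam::123456789012:user/deployer|
arn:aws:sts::123456789012:assumed-role/deploy-role/session1|EXAMPLETOKEN
EOF
```

The second sample line corresponds to running with --no-session: IAM calls succeed, but the subprocess receives the long-lived access key rather than a temporary one.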