Reputation: 39
I have an IAM policy which fails to deploy using the Serverless Framework. The error message is (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;). The policy looks like this:

```yaml
DtcServiceFunctionRole:
  Type: AWS::IAM::Role
  Properties:
    Path: "/"
    RoleName: DtcServiceFunctionRole
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: dtc-invoke-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - "lambda:InvokeFunction"
              Resource:
                - "arn:aws:lambda:us-east-1:xxxxxxxxxxxxx:function:NotificationServiceFunction"
      - PolicyName: dtc-dynamodb-policy
        PolicyDocument:
          Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - "dynamodb:BatchGetItem"
              - "dynamodb:BatchWriteItem"
              - "dynamodb:DeleteItem"
              - "dynamodb:GetItem"
              - "dynamodb:PutItem"
              - "dynamodb:Query"
              - "dynamodb:Scan"
              - "dynamodb:UpdateItem"
            Resource:
              - "arn:aws:dynamodb:us-east-1:xxxxxxxxxxxxx:table/VehicleDtcTable"
              - "arn:aws:dynamodb:us-east-1:xxxxxxxxxxxxx:table/DtcTable"
          - Effect: Allow
```
Any help to point me in the right direction is appreciated. Thanks.
Upvotes: 2
Views: 4859
Reputation: 2954
It looks like your YAML is not correctly indented at:

```yaml
Statement:
  - Effect: Allow
    Action:
      - "dynamodb:BatchGetItem"
      - "dynamodb:BatchWriteItem"
      - "dynamodb:DeleteItem"
      - "dynamodb:GetItem"
      - "dynamodb:PutItem"
      - "dynamodb:Query"
      - "dynamodb:Scan"
      - "dynamodb:UpdateItem"
```
It should be:

```yaml
DtcServiceFunctionRole:
  Type: AWS::IAM::Role
  Properties:
    Path: "/"
    RoleName: DtcServiceFunctionRole
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action: sts:AssumeRole
    Policies:
      - PolicyName: dtc-invoke-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - "lambda:InvokeFunction"
              Resource:
                - "arn:aws:lambda:us-east-1:xxxxxxxxxxxxx:function:NotificationServiceFunction"
      - PolicyName: dtc-dynamodb-policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - "dynamodb:BatchGetItem"
                - "dynamodb:BatchWriteItem"
                - "dynamodb:DeleteItem"
                - "dynamodb:GetItem"
                - "dynamodb:PutItem"
                - "dynamodb:Query"
                - "dynamodb:Scan"
                - "dynamodb:UpdateItem"
              Resource:
                - "arn:aws:dynamodb:us-east-1:xxxxxxxxxxxxx:table/VehicleDtcTable"
                - "arn:aws:dynamodb:us-east-1:xxxxxxxxxxxxx:table/DtcTable"
            - Effect: Allow
```
Upvotes: 2
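IAM only reports "MalformedPolicyDocument" after the stack is already deploying, so a local shape check on the parsed template catches this class of indentation slip earlier. The following is an added example, not code from the question, the answer or the Serverless Framework; it works on the plain Python structure a YAML loader such as `yaml.safe_load` returns for one entry of the role's `Policies` list, and the `BROKEN`/`FIXED` samples are constructed to mirror the mis-indented and corrected dynamodb policy above.

```python
# Added example: structural lint for an inline IAM policy entry (PolicyName + PolicyDocument)
# as parsed from serverless.yml. It does not call AWS and has no dependencies.
VALID_EFFECTS = {"Allow", "Deny"}

def _str_or_str_list(value):
    """True for a non-empty string or a non-empty list of strings (IAM Action/Resource form)."""
    if isinstance(value, str):
        return bool(value)
    return isinstance(value, list) and bool(value) and all(isinstance(v, str) for v in value)

def check_policy_document(doc, where="PolicyDocument"):
    """Return human-readable problems with one PolicyDocument; an empty list means the shape is fine."""
    if not isinstance(doc, dict):
        return [f"{where}: PolicyDocument must be a mapping, got {type(doc).__name__}"]
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append(f"{where}: Version must be '2012-10-17'")
    statements = doc.get("Statement")
    if not isinstance(statements, list):
        # Missing here usually means 'Statement:' was indented outside PolicyDocument.
        return problems + [f"{where}: Statement must be a list inside PolicyDocument"]
    for i, stmt in enumerate(statements):
        tag = f"{where}.Statement[{i}]"
        if not isinstance(stmt, dict):
            problems.append(f"{tag}: expected a mapping, got {stmt!r}")
            continue
        if stmt.get("Effect") not in VALID_EFFECTS:
            problems.append(f"{tag}: Effect must be Allow or Deny")
        if not _str_or_str_list(stmt.get("Action")):
            problems.append(f"{tag}: Action missing or empty")
        if not _str_or_str_list(stmt.get("Resource")):
            problems.append(f"{tag}: Resource missing or empty")
    return problems

def check_inline_policy(policy):
    """Check one entry of an AWS::IAM::Role's Policies list."""
    name = policy.get("PolicyName", "<unnamed>")
    stray = sorted(set(policy) - {"PolicyName", "PolicyDocument"})
    problems = [f"{name}: keys {stray} sit outside PolicyDocument (check indentation)"] if stray else []
    return problems + check_policy_document(policy.get("PolicyDocument"), name)

# Constructed samples: what the question's dynamodb policy parses to when 'Statement:'
# is indented as a sibling of PolicyDocument, and the corrected shape from the answer.
BROKEN = {"PolicyName": "dtc-dynamodb-policy", "PolicyDocument": {"Version": "2012-10-17"},
          "Statement": [{"Effect": "Allow", "Action": ["dynamodb:GetItem"],
                         "Resource": ["arn:aws:dynamodb:us-east-1:xxxxxxxxxxxxx:table/DtcTable"]}]}
FIXED = {"PolicyName": "dtc-dynamodb-policy", "PolicyDocument": {"Version": "2012-10-17",
         "Statement": BROKEN["Statement"]}}
```

Running `check_inline_policy` over every entry of `Properties.Policies` before `sls deploy` also flags a statement that carries only an `Effect`, which IAM rejects for the same reason.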