The Serverless Framework is used to create, manage, monitor and troubleshoot serverless infrastructure such as AWS Lambda, DynamoDB Tables, or API Gateway endpoints. Any infrastructure you provision using Serverless Framework requires credentials to that cloud service provider.
Providers enable you to securely manage your accounts with cloud service providers like Azure, AWS, and GCP in the Serverless Framework Dashboard.
Your organization admin can add a provider to the organization in the Dashboard, either using static credentials like an AWS Access Key/Secret, or using AWS Access Roles to generate short-lived credentials per deployment. Developers in your organization can use the providers by linking them to their services and they will automatically use the credentials from the providers for deployments.
There are many benefits to using providers over managing accounts manually:
To use providers you must add the providers to your organization and then link the provider to a service. Optionally you can link the provider to an instance instead if you need to use different providers for different stages or regions.
To add a provider to your organization, go to the org section of the dashboard. Under the providers tab, click add and follow the instructions.
You’ll be able to select the provider, like AWS, Stripe, and Twilio, name the provider, and set the credentials.
It is recommended that you deploy your Serverless Framework apps to different accounts for each stage. To accomplish this we recommend adding a prod provider to decouple the prod environment from all other environments.
Adding the providers to the organization alone is not sufficient; you must also link that account with the service.
Go to the apps section of the dashboard, and select settings under the ... menu of the service for which you would like to use providers. On the service settings page navigate to the providers tab. From there you can click add provider which will allow you to add the providers from the organization into your service.
If your service is deployed to the same account for each stage and region, then you do not need to configure providers per instance. However, if you have multiple providers, like one for each stage or region, then you can add a provider to each instance.
To add a provider to an instance navigate to the instance details page for that service instance. Navigate to the providers tab. From the add providers dropdown you can add any provider from the organization into the instance.
If you are deploying a traditional Serverless Framework app, an instance of the service is created for that stage and region. If you are using a Component-based service, then an instance is created for each stage of the service.
When you are performing a deployment the provider associated with the instance will be used. If no provider is associated with the instance, but one is associated with the service, then that provider will be used. In other words, the providers from the service are inherited at the instance level and they can be overridden on the instance.
This inheritance model is useful for deploying to different accounts for each stage. For example, if you have a prod account, then you can set up providers to deploy to dev by default, and use the prod account for only the
To accomplish this, you can add the dev provider to the service, and then add the prod provider to the instances which deploy to the
If you deploy to a new stage, like int, it will then use the dev provider from the service.
If you are using the Serverless CI/CD service or any 3rd party CI/CD service, you may be deploying to unique stages to isolate the preview deployments from PRs from all other deployments.
To accomplish this, you can create two providers, prod, for two different accounts. Add the preview provider to the service, and add the prod provider to the instances for the
Now if you deploy to a preview stage, like feature-x, it will automatically use the provider from the service, preview. If you merge your changes and deploy them to the prod stage, it will automatically use the prod provider as it is associated with that stage.
To use providers with serverless.yml you do not need to do anything. Upon deployment the Serverless Framework will retrieve the necessary credentials from the provider associated with the instance or service, and it will use those credentials to deploy.
If the providers are not found, then the Serverless Framework will look for credentials locally.
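The resolution order described above (instance provider, then service provider, then local credentials), modelled as an added example; this is not Serverless Framework code, and service2, the regions and the audit helper are assumptions made for illustration. It also surfaces a case worth checking for: because a traditional app has one instance per stage and region, a prod deploy to a new region has no instance-level provider yet and inherits the service-level one.

```python
# Model of the provider resolution order described on this page.
# Not Serverless Framework code; service2 and the regions are constructed.

# Provider linked at the service level (the default for every instance).
SERVICE_PROVIDERS = {"service1": "preview"}

# Providers linked to individual instances. For a traditional app an
# instance is one (service, stage, region) combination.
INSTANCE_PROVIDERS = {("service1", "prod", "us-east-1"): "prod"}


def resolve_provider(service, stage, region):
    """Return (provider, source) using instance > service > local."""
    provider = INSTANCE_PROVIDERS.get((service, stage, region))
    if provider is not None:
        return provider, "instance"
    provider = SERVICE_PROVIDERS.get(service)
    if provider is not None:
        return provider, "service"
    # No provider found: the CLI looks for credentials locally.
    return None, "local"


def audit(deployments, protected_stages=("prod",)):
    """List deployments whose credential source should be reviewed."""
    findings = []
    for service, stage, region in deployments:
        provider, source = resolve_provider(service, stage, region)
        if source == "local":
            findings.append((service, stage, region, "local credentials"))
        elif stage in protected_stages and source != "instance":
            findings.append((service, stage, region, f"inherits {provider}"))
    return findings


PLANNED = [  # constructed deployment plan
    ("service1", "feature-x", "us-east-1"),
    ("service1", "prod", "us-east-1"),
    ("service1", "prod", "us-west-2"),
    ("service2", "dev", "us-east-1"),
]

if __name__ == "__main__":
    for finding in audit(PLANNED):
        print(finding)
```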
Prior to the release of providers, deployment profiles supported setting AWS Access Role ARNs which could be associated with stages in apps. Providers also support AWS Access Role ARNs, as well as AWS secret/access keys, and in the future will also support other cloud service providers like Azure, GCP, Stripe, etc. As such, deployment profiles are no longer needed and will be replaced with providers.
AWS Access Roles in deployment profiles will be automatically migrated to providers and no immediate action is required. This automatic migration will be performed when you deploy using version 4.1.0 or higher of the Serverless Plugin on the CLI. You can check your plugin version by running
This migration will be fully automated and backwards compatible; however, there are a few things that will change as a result of the migration:
The automatic migration will replace deployment profiles with providers by performing the following:
app1 links to the dev deployment profile, then the dev provider will be added to service1. This is repeated for all services in all apps.
app1 has a stage prod linked to the prod deployment profile, then the prod provider will be added to the service1 instances deployed to the