diff --git a/src/deployRole.js b/src/deployRole.js index 1f6be87..109a9be 100644 --- a/src/deployRole.js +++ b/src/deployRole.js @@ -48,19 +48,6 @@ const updateRole = async (config, params = {}) => { const res = await iam.getRole({ RoleName: params.roleName }).promise() - if (!params.assumeRolePolicyDocument) { - params.assumeRolePolicyDocument = { - Version: '2012-10-17', - Statement: { - Effect: 'Allow', - Principal: { - Service: params.service - }, - Action: 'sts:AssumeRole' - } - } - } - await iam .updateAssumeRolePolicy({ RoleName: params.roleName, @@ -76,19 +63,6 @@ const updateRole = async (config, params = {}) => { const createRole = async (config, params = {}) => { const iam = new AWS.IAM(config) - if (!params.assumeRolePolicyDocument) { - params.assumeRolePolicyDocument = { - Version: '2012-10-17', - Statement: { - Effect: 'Allow', - Principal: { - Service: params.service - }, - Action: 'sts:AssumeRole' - } - } - } - const res = await iam .createRole({ RoleName: params.roleName, @@ -111,12 +85,20 @@ module.exports = async (config, params = {}) => { throw new Error(`Missing "roleName" param.`) } - params.service = params.service || 'lambda.amazonaws.com' params.policy = params.policy || 'arn:aws:iam::aws:policy/AdministratorAccess' // assumeRolePolicyDocument should cancel out "service" - if (params.assumeRolePolicyDocument) { - params.service = null + if (!params.assumeRolePolicyDocument) { + params.assumeRolePolicyDocument = { + Version: '2012-10-17', + Statement: { + Effect: 'Allow', + Principal: { + Service: params.service || 'lambda.amazonaws.com' + }, + Action: 'sts:AssumeRole' + } + } } try {
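Review bot: In the last hunk (`module.exports`), a caller that passes only `roleName` now gets a role that `lambda.amazonaws.com` can assume and that falls back to `arn:aws:iam::aws:policy/AdministratorAccess` on the unchanged `params.policy` line just above the new block, so any function given that role runs with full administrative access to the account. Since the defaults are being consolidated here, I would fail closed instead of keeping the permissive fallback, e.g. `if (!params.policy) throw new Error('Missing "policy" param.')`; that changes behaviour for callers relying on the default, so it needs a changelog entry. The retained comment is also stale, because `service` is now only a fallback input and is neither defaulted nor nulled on `params`; I would reword it to `// build a default trust policy from "service" unless assumeRolePolicyDocument was supplied`. The function continues past the hunk (`try {`), so please confirm that nothing further down still reads `params.service` and expects the old default or `null`.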