When I deploy using this component, I get an access denied error from AWS. This was expected because I'm running it as a user with very restrictive permissions. Do you have any information regarding what permissions are required?
These are the permissions that I've determined are necessary so far:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:HeadBucket",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutAccelerateConfiguration",
        "s3:CreateBucket",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
```
However, then I come across the following error:
AccessDenied: User: <user_arn> is not authorized to perform: iam:GetRole on resource: role mzppeul-0a646kc
Because this is an auto-generated name with no way of configuring the name, I can't give very fine-grained permissions for this.
The best that I could do was the following:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "iam:GetRole",
        "lambda:GetFunction",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "lambda:GetFunctionConfiguration",
        "cloudfront:CreateDistribution",
        "cloudfront:CreateCloudFrontOriginAccessIdentity",
        "lambda:EnableReplication",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "iam:PassRole",
        "iam:CreateServiceLinkedRole",
        "cloudfront:UpdateDistribution",
        "lambda:PublishVersion",
        "cloudfront:GetDistributionConfig",
        "s3:HeadBucket"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutAccelerateConfiguration",
        "s3:PutBucketPolicy",
        "s3:CreateBucket",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::bucket-name"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
```
Being able to specify names for the stuff that's currently auto-generated would help, although some of the iam permissions might be quite powerful still even if the role has a fixed name.
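The statement above that has to sit on `Resource: "*"` is the one to review most closely, because `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PassRole` together let a deploy key mint and hand out privileges. The following is an added example, not code from the component or from this issue: a small policy linter that flags such statements, plus a helper that moves `iam:PassRole` into its own statement restricted with the documented `iam:PassedToService` condition key, which limits where an auto-named role can be passed even when its ARN cannot be predicted. The set of "privilege-granting" actions, the choice of `lambda.amazonaws.com` as the target service, and the abbreviated sample policy are this example's own assumptions.

```python
"""Flag over-broad statements in an IAM policy document and narrow iam:PassRole.

Added example; not the serverless component's code and not from the issue author.
"""
import json

# Actions that let a principal create or hand out privileges. Scoping these to
# Resource "*" is what the post worries about. This set is an assumption of the
# example, not an AWS-defined list.
PRIVILEGE_GRANTING = {
    "iam:PassRole",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:CreateServiceLinkedRole",
}


def as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy):
    """Return (Sid, [sensitive actions]) for each Allow statement that grants a
    privilege-granting action on Resource "*" with no Condition at all."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in as_list(stmt.get("Resource")):
            continue
        hits = sorted(a for a in as_list(stmt.get("Action")) if a in PRIVILEGE_GRANTING)
        if hits:
            findings.append((stmt.get("Sid", "<no sid>"), hits))
    return findings


def split_pass_role(policy, service="lambda.amazonaws.com"):
    """Return a deep copy of the policy with iam:PassRole removed from every Allow
    statement and re-added in its own statement that only permits passing a role
    to the given service (iam:PassedToService is a documented IAM condition key).
    The role name stays unconstrained, which is the point: it is auto-generated."""
    new_policy = json.loads(json.dumps(policy))
    for stmt in new_policy["Statement"]:
        actions = as_list(stmt.get("Action"))
        if stmt.get("Effect") == "Allow" and "iam:PassRole" in actions:
            stmt["Action"] = [a for a in actions if a != "iam:PassRole"]
    new_policy["Statement"].append({
        "Sid": "PassRoleToServiceOnly",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "*",
        "Condition": {"StringEquals": {"iam:PassedToService": service}},
    })
    return new_policy


# Constructed input: the wildcard statement from the post above, abbreviated.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": ["lambda:CreateFunction", "iam:GetRole", "iam:CreateRole",
                       "iam:AttachRolePolicy", "iam:PassRole", "s3:HeadBucket"],
            "Resource": "*",
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/*",
        },
    ],
}

if __name__ == "__main__":
    for sid, hits in find_broad_statements(SAMPLE_POLICY):
        print(f"{sid}: {', '.join(hits)} allowed on Resource '*' without a Condition")
    print(json.dumps(split_pass_role(SAMPLE_POLICY), indent=2))
```

Running it on the sample reports `VisualEditor0` for `iam:AttachRolePolicy`, `iam:CreateRole` and `iam:PassRole`; after `split_pass_role` the `PassRole` finding disappears while the other two remain, which is honest about what a condition can and cannot fix: `iam:CreateRole` and `iam:AttachRolePolicy` on an unpredictable name still need either a fixed role name from the component or a permissions boundary.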
I have Administrator access but still getting an Access Denied error.
error:
AccessDenied: Access Denied
at Request.extractError (/home/a2chan/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/services/s3.js:816:35)
at Request.callListeners (/home/a2chan/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/home/a2chan/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/home/a2chan/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/home/a2chan/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/home/a2chan/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /home/a2chan/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/home/a2chan/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/home/a2chan/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/home/a2chan/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
message: 'Access Denied',
code: 'AccessDenied',
region: null,
time: 2020-01-22T08:55:11.042Z,
requestId: 'D60AFE7320376549',
extendedRequestId: 'wKTH2rBnPgZWgOWJ51AykB2wxJzAyJyl3vwzfyWEfIQ/7s0jBiiowP+YZP+muDMrKFybzM+j66c=',
cfId: undefined,
statusCode: 403,
retryable: false,
retryDelay: 2.8536156206340646
}
18s › nextApp › AccessDenied: Access Denied
Hi,
I got the same issue, it looks like it breaks when trying to set up acceleration on bucket:
$ serverless --debug
DEBUG ─ Resolving the template's static variables.
DEBUG ─ Collecting components from the template.
DEBUG ─ Downloading any NPM components found in the template.
DEBUG ─ Analyzing the template's components dependencies.
DEBUG ─ Creating the template's components graph.
DEBUG ─ Syncing template state.
DEBUG ─ Executing the template's components graph.
DEBUG ─ Deploying bucket 19u5uaa-1uzccvd in region us-east-1.
DEBUG ─ Checking if bucket 19u5uaa-1uzccvd exists.
DEBUG ─ Bucket 19u5uaa-1uzccvd does not exist. Creating...
DEBUG ─ Bucket 19u5uaa-1uzccvd created. Confirming it's ready...
DEBUG ─ Bucket 19u5uaa-1uzccvd creation confirmed.
DEBUG ─ Setting acceleration to "true" for bucket 19u5uaa-1uzccvd.
error:
AccessDenied: Access Denied
at Request.extractError (/Users/vincent/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/services/s3.js:816:35)
at Request.callListeners (/Users/vincent/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/Users/vincent/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/Users/vincent/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/Users/vincent/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/Users/vincent/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /Users/vincent/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/Users/vincent/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/Users/vincent/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/Users/vincent/.serverless/components/registry/npm/[email protected]/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
I tried with an administrator account and also tried with a new IAM user account with the following policies but still have this issue:
AmazonS3FullAccess
AWSLambdaFullAccess
GlobalAcceleratorFullAccess
If anyone got it working, some clues would really be appreciated :)
Thanks!
In my case the error arose because AWS was denying enabling transfer acceleration on my buckets.
I think the issue lies with AWS. I tried to manually enable it on my buckets, using the console, but it still errored with Access Denied.
@a2chan I was having the same issue, pulling my hair out. I have administrator * access on everything. FullAccess! Well, I also had a custom policy to force MultiFactor Auth. Removing that allowed me to deploy! I haven't had time to dig too far into what the exact permission causing this was (although I have a suspicion that it's because everything is denied without MFA and an Access token is not MFA), but here is the policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:ListVirtualMFADevices"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswords",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetUser"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSigningCertificates",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSigningCertificate",
        "iam:ListSigningCertificates",
        "iam:UpdateSigningCertificate",
        "iam:UploadSigningCertificate"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSSHPublicKeys",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSSHPublicKey",
        "iam:GetSSHPublicKey",
        "iam:ListSSHPublicKeys",
        "iam:UpdateSSHPublicKey",
        "iam:UploadSSHPublicKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnGitCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential",
        "iam:ListServiceSpecificCredentials",
        "iam:ResetServiceSpecificCredential",
        "iam:UpdateServiceSpecificCredential"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```
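The suspicion in the comment above is worth making concrete, because the failure mode is easy to misread as a missing Allow. The following is an added example, not part of the issue or of any AWS tooling: an offline model of just enough of IAM's evaluation rules (NotAction matching, the `Bool`/`BoolIfExists` operators, and the rule that an explicit Deny overrides every Allow) applied to the `DenyAllExceptListedIfNoMFA` statement copied from the policy above. The request contexts are constructed; the only AWS fact relied on is that long-term access keys carry no `aws:MultiFactorAuthPresent` key at all, which is exactly what `BoolIfExists ... "false"` is written to catch.

```python
"""Evaluate the DenyAllExceptListedIfNoMFA statement offline.

Added example, not from the issue or from AWS. Models only the parts of IAM
evaluation needed to show why a plain access key is denied and an MFA session is not.
"""
from fnmatch import fnmatchcase

# The Deny statement from the policy above, copied verbatim.
DENY_IF_NO_MFA = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(stmt, action):
    """Action / NotAction matching; IAM action names are case-insensitive and
    may contain wildcards, which fnmatchcase handles after lower-casing."""
    if "Action" in stmt:
        return any(fnmatchcase(action.lower(), p.lower()) for p in as_list(stmt["Action"]))
    return not any(fnmatchcase(action.lower(), p.lower()) for p in as_list(stmt["NotAction"]))


def condition_matches(stmt, context):
    """Only the Bool and BoolIfExists operators are modelled here."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in context:
                # ...IfExists: a missing key counts as a match; plain Bool: it does not.
                if operator == "Bool":
                    return False
                continue
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def statement_applies(stmt, action, context):
    return action_matches(stmt, action) and condition_matches(stmt, context)


def is_denied_by_mfa_policy(action, context):
    """True when the explicit Deny fires. An explicit Deny overrides any Allow,
    so AdministratorAccess on the same user cannot rescue the request."""
    return statement_applies(DENY_IF_NO_MFA, action, context)


# Constructed request contexts. A long-term access key has no MFA key in its
# context; temporary credentials obtained via sts:GetSessionToken with an MFA
# code carry aws:MultiFactorAuthPresent = true.
LONG_TERM_KEY = {"aws:username": "deployer"}
MFA_SESSION = {"aws:username": "deployer", "aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    for name, ctx in (("long-term key", LONG_TERM_KEY), ("MFA session", MFA_SESSION)):
        for action in ("s3:PutAccelerateConfiguration", "sts:GetSessionToken", "iam:GetUser"):
            verdict = "DENIED" if is_denied_by_mfa_policy(action, ctx) else "not denied"
            print(f"{name:13s} {action:32s} {verdict}")
```

With the long-term key, `s3:PutAccelerateConfiguration` (the first call that fails in the debug output earlier in the thread) is denied while `sts:GetSessionToken` is left open; that is the intended escape hatch. Rather than removing the MFA policy, the deploy can run under temporary credentials obtained from `sts:GetSessionToken` with an MFA code exported into the environment, which keeps the control and makes the Deny statement evaluate to "not applicable".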
@cameron-martin This is how far I got:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "iam:GetRole",
        "lambda:GetFunction",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "lambda:GetFunctionConfiguration",
        "cloudfront:CreateDistribution",
        "cloudfront:CreateCloudFrontOriginAccessIdentity",
        "lambda:EnableReplication",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "iam:PassRole",
        "iam:CreateServiceLinkedRole",
        "cloudfront:UpdateDistribution",
        "lambda:PublishVersion",
        "cloudfront:GetDistributionConfig",
        "s3:HeadBucket",
        "s3:GetAccelerateConfiguration",
        "s3:PutAccelerateConfiguration",
        "s3:PutBucketPolicy",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:PutObject",
        "route53:ListHostedZonesByName"
      ],
      "Resource": "*"
    }
  ]
}
```
Thanks @dvanwinkle! Had to add few more permissions if you are adding domain name:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "iam:GetRole",
        "lambda:GetFunction",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "lambda:GetFunctionConfiguration",
        "cloudfront:CreateDistribution",
        "cloudfront:CreateCloudFrontOriginAccessIdentity",
        "lambda:EnableReplication",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "iam:PassRole",
        "iam:CreateServiceLinkedRole",
        "cloudfront:UpdateDistribution",
        "lambda:PublishVersion",
        "cloudfront:GetDistributionConfig",
        "s3:HeadBucket",
        "s3:GetAccelerateConfiguration",
        "s3:PutAccelerateConfiguration",
        "s3:PutBucketPolicy",
        "s3:CreateBucket",
        "s3:ListBucket",
        "s3:PutObject",
        "route53:ListHostedZonesByName",
        "acm:ListCertificates",
        "acm:DescribeCertificate",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "*"
    }
  ]
}
```
Hi
I have the exact same issue. Nothing works, whether with a key authorized by admin group or @dvanwinkle / @hnprashanth inline strategies. It doesn't work programmatically from the SDK or manually from the console either, which makes me think that it's more an AWS issue...
There are similar unanswered threads in AWS S3 forum on the same topic. I filed an issue in AWS support. I'll keep you posted.
This makes the component virtually unusable for me at this point, unfortunately. Any hint or advice would be really appreciated...
EDIT
The problem occurred yesterday on Sunday.
We are Monday now and since the support told me nothing useful (check the bucket ownership...), I gave it another try and it works with an admin ACCESS_KEY. Without anything new in my configuration. Strange, isn't it?
So my advice if you encounter the same problem: wait until tomorrow... o_O
cloudfront:CreateInvalidation was also added as a required permission a couple of weeks ago. I think this list of permissions should live in the README.
edit: also acm:RequestCertificate and route53:ChangeResourceRecordSets