Unclear error when missing permissions to validate allowed account #362

Open
@liamdawson

When running stack_master, and the current account's ID isn't in the (non-empty) list of allowed_account values, it attempts to fetch account aliases to check if these match. If the current principal isn't permitted to iam:ListAccountAliases, this results in the following error:

$ stack_master validate ap-southeast-2
Executing validate on stack-name in ap-southeast-2
error: Failed to retrieve account aliases. Missing required IAM permission: iam:ListAccountAliases. Use --trace to view backtrace

It becomes a bit clearer if you use --trace:

$ stack_master validate ap-southeast-2 --trace
...
         4: from .../stack_master/lib/stack_master/cli.rb:294:in `execute_if_allowed_account'
         3: from .../stack_master/lib/stack_master/cli.rb:305:in `running_in_allowed_account?'
         2: from .../stack_master/lib/stack_master/identity.rb:10:in `running_in_account?'
         1: from .../stack_master/lib/stack_master/identity.rb:45:in `contains_account_alias?'
.../stack_master/lib/stack_master/identity.rb:22:in `account_aliases': Failed to retrieve account aliases. Missing required IAM permission: iam:ListAccountAliases (StackMaster::Identity::MissingIamPermissionsError)

Ideally, I think the error message returned to the user should make it immediately obvious why stack_master attempted to use that permission.
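
An added illustration, not part of the issue and not stack_master's own code: a sketch of the check order described above, in which the alias lookup runs only after the account ID fails to match and a denied lookup is reported together with the reason it was attempted. All class, method and error names are hypothetical, the alias lookup is a stand-in callable rather than an AWS SDK call, and treating an empty list as "no restriction" is an assumption.

```ruby
# Hypothetical names throughout; this is not stack_master's API.
class AliasLookupDenied < StandardError; end        # stands in for an IAM access-denied error
class AllowedAccountCheckError < StandardError; end

class AllowedAccountCheck
  # account_id:   ID of the account the current credentials belong to
  # alias_lookup: callable returning the account's aliases, or raising
  #               AliasLookupDenied when iam:ListAccountAliases is not permitted
  def initialize(account_id:, alias_lookup:)
    @account_id = account_id
    @alias_lookup = alias_lookup
  end

  def allowed?(allowed)
    return true if allowed.nil? || allowed.empty?   # assumption: empty list means no restriction
    return true if allowed.include?(@account_id)    # ID match needs no IAM permission at all

    # Only reached when the ID did not match: the entries may be aliases.
    aliases = begin
      @alias_lookup.call
    rescue AliasLookupDenied
      raise AllowedAccountCheckError, explain(allowed)
    end
    !(allowed & aliases).empty?
  end

  private

  # Says which check failed first and why the IAM call was attempted.
  def explain(allowed)
    "Account #{@account_id} is not in the allowed account list (#{allowed.join(', ')}). " \
      "Account aliases were checked next, which requires iam:ListAccountAliases, " \
      "and the current principal is not permitted to call it. " \
      "Run in an allowed account or grant iam:ListAccountAliases."
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from the issue.
  denied = -> { raise AliasLookupDenied }
  check = AllowedAccountCheck.new(account_id: "111111111111", alias_lookup: denied)
  begin
    check.allowed?(%w[222222222222 prod])
  rescue AllowedAccountCheckError => e
    puts "error: #{e.message}"
  end
end
```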
