Use cases fail to deploy due to a missing IAM permission #135

@jamesnixon-aws

Describe the bug
A recent service change in Cognito is causing deployment of use cases from the deployment dashboard to fail.
The use case management lambda, which backs the deployment API, assumes an IAM role with a policy allowing it to deploy use cases. This policy now requires the addition of the cognito-idp:GetGroup action.

To Reproduce

  • Deploy a use case from the deployment dashboard
  • Observe a failure response

Expected behavior
Deployments of use cases should succeed when performed from the deployment dashboard/via the API.

Please complete the following information about the solution:

  • Version: v2.0.1

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0276) - Generative AI Application Builder on AWS Solution. Version v1.0.0".

  • Region: [us-west-2, us-east-1]
  • Was the solution modified from the version published on this repository? No
  • If the answer to the previous question was yes, are the changes available on GitHub? N/A
  • Have you checked your service quotas for the services this solution uses? Yes
  • Were there any errors in the CloudWatch Logs? Yes, error from the use case management lambda reads as follows:
Resource handler returned message: "User: arn:aws:sts::<redacted>:assumed-role/GAAB-UseCaseManagementSetupUseCase-UCMLRole389A579A-h1Yz0fQLOd16/GAAB-UseCaseManagementSetupUse-UseCaseMgmtFA52D6EF-d8pl21hV4vHW is not authorized to perform: cognito-idp:GetGroup on resource: arn:aws:cognito-idp:us-west-2:<redacted>:userpool/us-west-2_<redacted> because no identity-based policy allows the cognito-idp:GetGroup action (Service: CognitoIdentityProvider, Status Code: 400, Request ID: <redacted>)" (RequestToken: <redacted>, HandlerErrorCode: GeneralServiceException)
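
An added example, not part of the original issue or the project's code: a small parser that extracts the denied action, role and resource from CloudWatch error lines of the shape quoted above and builds an IAM policy document granting only those actions on only those resources. The function names, the role name and the account and pool IDs in the sample log are constructed placeholders.

```python
import json
import re
from collections import defaultdict

# Matches the identity-based-policy denial text quoted in the issue.
DENIED = re.compile(
    r"User: (?P<principal>arn:aws:sts::[^\s]+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9]+) on resource: (?P<resource>arn:aws:[^\s]+)"
)

# Constructed sample log lines (role name, account ID and pool ID are placeholders).
DENIAL_LINE = (
    'Resource handler returned message: "User: arn:aws:sts::111122223333:assumed-role/'
    "ExampleUCMRole/ExampleFn is not authorized to perform: cognito-idp:GetGroup on "
    "resource: arn:aws:cognito-idp:us-west-2:111122223333:userpool/us-west-2_EXAMPLE "
    'because no identity-based policy allows the cognito-idp:GetGroup action"'
)
SAMPLE_LOGS = [DENIAL_LINE, "INFO deployment request received", DENIAL_LINE]

def parse_denials(lines):
    """Return {(role_name, resource_arn): sorted list of denied actions}."""
    found = defaultdict(set)
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        # Assumed-role ARN layout: arn:aws:sts::<acct>:assumed-role/<role>/<session>
        parts = m["principal"].split("/")
        is_assumed = len(parts) >= 3 and parts[0].endswith(":assumed-role")
        role = parts[1] if is_assumed else m["principal"]
        found[(role, m["resource"])].add(m["action"])
    return {key: sorted(actions) for key, actions in found.items()}

def policy_for(denials, role):
    """Build a policy that allows only the denied actions, scoped per resource."""
    statements = [
        {"Effect": "Allow", "Action": actions, "Resource": resource}
        for (name, resource), actions in sorted(denials.items())
        if name == role
    ]
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOGS)
    print(json.dumps(policy_for(denials, "ExampleUCMRole"), indent=2))
```

Scoping the statement to the user pool ARN from the error, rather than `*`, keeps the added permission as narrow as the denial that triggered it.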

Labels: bug (Something isn't working)
