
Document minimum IAM permissions #4039

Closed
jeshan opened this issue Sep 11, 2019 · 1 comment
Labels
@aws-cdk/aws-iam docs/guide effort/medium feature-request needs-reproduction p1

Comments


@jeshan jeshan commented Sep 11, 2019

🐛 Bug Report

What is the problem?

If one uses a role without at least s3 access, we get an error saying "forbidden: null" when running cdk deploy.
Since a lot of people care about granting only required permissions and the error message is not meaningful, it would be nice if somebody documented it.

In the meantime, one can use a policy like the following to grant the role at least access to the cdk toolkit bucket:

```ts
import { PolicyStatement } from '@aws-cdk/aws-iam';

// Grants the deploying role full S3 access to the CDK toolkit staging bucket
// (and, because the trailing '*' also matches object keys, to its objects).
const toolkitBucketAccess = new PolicyStatement({
    resources: [
        'arn:aws:s3:::cdktoolkit-stagingbucket-*',
    ],
    actions: ['s3:*'],
});
```

Reproduction Steps

1. Choose a role with no permissions.
2. Run `cdk deploy`

Verbose Log

```
 ❌  my-stack failed: Forbidden: null
null
Forbidden:
    at Request.extractError (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/services/s3.js:565:35)
    at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
```

Environment

  • CDK CLI Version: 1.7.0
  • Module Version:
  • OS: all
  • Language: all

Other information

@jeshan jeshan added bug needs-triage labels Sep 11, 2019
@SomayaB SomayaB added the @aws-cdk/aws-iam label Sep 11, 2019
@SomayaB SomayaB added the needs-reproduction label Sep 11, 2019
@rix0rrr rix0rrr added feature-request guidance and removed bug needs-triage labels Sep 11, 2019
@Jerry-AWS Jerry-AWS added the docs/guide label Sep 11, 2019
@SomayaB SomayaB removed the guidance label Nov 12, 2019
@rix0rrr rix0rrr added the effort/medium label Jan 23, 2020
@rix0rrr rix0rrr added the p2 label Aug 12, 2020
@rix0rrr rix0rrr removed their assignment Jun 3, 2021
@rix0rrr rix0rrr added p1 and removed p2 labels Mar 16, 2022
@jeshan jeshan closed this as not planned Jun 13, 2022

@github-actions github-actions bot commented Jun 13, 2022

⚠️ COMMENT VISIBILITY WARNING ⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
