Document minimum IAM permissions #4039

Closed
jeshan opened this issue Sep 11, 2019 · 1 comment
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management docs/guide Related to the developer guide effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. needs-reproduction This issue needs reproduction. p1

jeshan commented Sep 11, 2019

🐛 Bug Report

What is the problem?

If one uses a role without at least S3 access, we get an error saying "forbidden: null" when running cdk deploy.
Since a lot of people care about granting only required permissions and the error message is not meaningful, it would be nice if somebody documented it.

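In the meantime, one can use a policy like the following to grant the role at least access to the CDK toolkit bucket:

import { PolicyStatement } from '@aws-cdk/aws-iam';

// Allows S3 actions only on the CDK toolkit staging bucket and its objects.
// The constant name is illustrative; attach the statement to the deploy role's policy.
const toolkitBucketAccess = new PolicyStatement({
    resources: [
        'arn:aws:s3:::cdktoolkit-stagingbucket-*',
    ],
    actions: ['s3:*'],
});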

Reproduction Steps

Choose a role with no permissions.
Run cdk deploy

Verbose Log

 ❌  my-stack failed: Forbidden: null 
null 
Forbidden:  
    at Request.extractError (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/services/s3.js:565:35) 
    at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20) 
    at Request.emit (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10) 
    at Request.emit (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:683:14) 
    at Request.transition (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10) 
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12) 
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10 
    at Request.<anonymous> (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:38:9) 
    at Request.<anonymous> (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:685:12) 
    at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18) 

Environment

  • CDK CLI Version: 1.7.0
  • Module Version:
  • OS: all
  • Language: all

Other information

@jeshan jeshan added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 11, 2019
@SomayaB SomayaB added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Sep 11, 2019
@SomayaB SomayaB added the needs-reproduction This issue needs reproduction. label Sep 11, 2019
@rix0rrr rix0rrr added feature-request A feature should be added or improved. guidance Question that needs advice or information. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 11, 2019
@ghost ghost added the docs/guide Related to the developer guide label Sep 11, 2019
@SomayaB SomayaB removed the guidance Question that needs advice or information. label Nov 12, 2019
@rix0rrr rix0rrr added the effort/medium Medium work item – several days of effort label Jan 23, 2020
@rix0rrr rix0rrr added the p2 label Aug 12, 2020
@rix0rrr rix0rrr removed their assignment Jun 3, 2021
@rix0rrr rix0rrr added p1 and removed p2 labels Mar 16, 2022
@jeshan jeshan closed this as not planned (won't fix, can't repro, duplicate, stale) Jun 13, 2022
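
A pre-flight check for the situation reported in this issue, as an added example that is not part of the original post or of the CDK code base: it evaluates a role's identity policy against the toolkit bucket and names what is missing, instead of the opaque "Forbidden: null". The bucket suffix, the two sample requests and the READ_ONLY policy are constructed assumptions; the page does not list which S3 calls cdk deploy makes.

```javascript
// Added example: simplified IAM evaluation for identity policies only.
// It ignores Condition, NotAction/NotResource, SCPs and bucket policies.

// Turn an IAM wildcard pattern ('*' and '?') into an anchored RegExp.
function iamPatternToRegExp(pattern, flags) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', flags);
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Action names match case-insensitively; resource ARNs are case-sensitive.
function statementMatches(stmt, action, resource) {
  return asArray(stmt.Action).some((p) => iamPatternToRegExp(p, 'i').test(action)) &&
    asArray(stmt.Resource).some((p) => iamPatternToRegExp(p).test(resource));
}

// An explicit Deny wins; otherwise an Allow is required (implicit deny).
function isAllowed(policy, action, resource) {
  const hits = asArray(policy.Statement).filter((s) => statementMatches(s, action, resource));
  return !hits.some((s) => s.Effect === 'Deny') && hits.some((s) => s.Effect === 'Allow');
}

// List the requests the policy would refuse, in readable form.
function missingPermissions(policy, requests) {
  return requests
    .filter(([action, resource]) => !isAllowed(policy, action, resource))
    .map(([action, resource]) => `${action} on ${resource}`);
}

// Constructed sample data: bucket suffix and request list are assumptions.
const BUCKET = 'arn:aws:s3:::cdktoolkit-stagingbucket-example123';
const REQUESTS = [
  ['s3:GetBucketLocation', BUCKET],
  ['s3:PutObject', `${BUCKET}/assets/template.json`],
];
const allow = (Action, Resource) => ({ Effect: 'Allow', Action, Resource });
const policy = (...statements) => ({ Version: '2012-10-17', Statement: statements });

const EMPTY_ROLE = policy();
// The statement from the issue, written as policy JSON.
const WORKAROUND = policy(allow(['s3:*'], ['arn:aws:s3:::cdktoolkit-stagingbucket-*']));
// Constructed narrower grant: shows a gap being reported by name.
const READ_ONLY = policy(allow('s3:Get*', 'arn:aws:s3:::cdktoolkit-stagingbucket-*'));

console.log(missingPermissions(READ_ONLY, REQUESTS));
```

Because `*` in an IAM resource pattern also matches `/`, the single ARN from the issue covers both the bucket and its object keys.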
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
