Document minimum IAM permissions #4039

jeshan opened this issue Sep 11, 2019 · 0 comments


@jeshan jeshan commented Sep 11, 2019

🐛 Bug Report

What is the problem?

If one uses a role without at least s3 access, we get an error saying "forbidden: null" when running cdk deploy.
Since a lot of people care about granting only required permissions and the error message is not meaningful, it would be nice if somebody documented it.

In the meantime, one can use a policy like the following to grant the role at least access to the cdk toolkit bucket:

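new PolicyStatement({
    // Placeholder: the toolkit bucket ARN(s) are missing from the snippet as posted
    resources: ['<CDK_TOOLKIT_BUCKET_ARN>'],
    actions: ['s3:*'],
})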

Reproduction Steps

Choose a role with no permissions.
Run cdk deploy

Verbose Log

 ❌  my-stack failed: Forbidden: null
    at Request.extractError (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/services/s3.js:565:35) 
    at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20) 
    at Request.emit (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:78:10) 
    at Request.emit (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:683:14) 
    at Request.transition (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:22:10) 
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:14:12) 
    at /usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/state_machine.js:26:10 
    at Request.<anonymous> (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:38:9) 
    at Request.<anonymous> (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/request.js:685:12) 
    at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:116:18) 


  • CDK CLI Version: 1.7.0
  • Module Version:
  • OS: all
  • Language: all

Other information
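
Added example, not part of the original issue or of the CDK project: because "Forbidden: null" names neither the service nor the action, this sketch attributes the failure to a service by reading the aws-sdk frames in the stack trace. The helper name `triageDeployFailure` and the shape of its result are assumptions; the sample log is an excerpt of the trace quoted above.

```javascript
// Sample input: headline and first frames of the verbose log quoted in the issue.
const SAMPLE_LOG = [
  ' my-stack failed: Forbidden: null ',
  '    at Request.extractError (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/services/s3.js:565:35) ',
  '    at Request.callListeners (/usr/local/lib/node_modules/aws-cdk/node_modules/aws-sdk/lib/sequential_executor.js:106:20) ',
].join('\n');

// Hypothetical helper: returns null when the text holds no "<stack> failed: ..." headline.
function triageDeployFailure(logText) {
  const lines = logText.split(/\r?\n/);

  // Headline format as printed in the issue: "<stack> failed: <ErrorCode>: <message>".
  const headline = lines
    .map((l) => /(\S+) failed: (\w+): (.*)$/.exec(l.trim()))
    .find(Boolean);
  if (!headline) return null;
  const [, stack, code, rawMessage] = headline;

  // A frame under aws-sdk/lib/services/<name>.js, as in the issue's trace,
  // names the service whose response produced the error.
  const frameRe = /[\\/]aws-sdk[\\/]lib[\\/]services[\\/]([a-z0-9_]+)\.js:\d+:\d+/;
  let service = null;
  for (const line of lines) {
    const m = frameRe.exec(line);
    if (m) {
      service = m[1];
      break;
    }
  }

  // The literal text "null" means the error carried no message at all.
  const message = rawMessage.trim() === 'null' ? null : rawMessage.trim();
  const hint = service
    ? `${code} was returned by ${service}; review the role's IAM permissions for ${service}`
    : `${code} could not be attributed to a service from the stack trace`;
  return { stack, code, message, service, hint };
}

console.log(triageDeployFailure(SAMPLE_LOG));
```

For the trace in this issue the result points at `s3`, which matches the reporter's observation that the role lacked S3 access.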
