CustomResourceRole missing SSM permissions #2

Closed
4 of 6 tasks
pgergov opened this issue Aug 3, 2020 · 2 comments
Labels
bug Something isn't working

Comments

pgergov commented Aug 3, 2020

When following the deployment tutorial here, the creation of the CloudFormation Stack fails due to an exception:

AccessDeniedException: User: arn:aws:sts:::assumed-role/LiveStreamingwithMediaStore-CustomResourceRole-I3LJAWWIUNNA/LiveStreamingwithMediaStore-custom-resources is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1::parameter/

Selected region was Northern Virginia us-east-1.

To Reproduce

When creating the Stack, fill in the source Username and Password as shown in the SS below.

Expected behavior
The stack should be created without failure.

When source username and password were removed from the Stack parameters ➡️ it was created successfully.

Please complete the following information about the solution:

  • Version: v1.1.0
  • Region: The stack was created in us-east-1
  • Was the solution modified from the version published on this repository? I don't think so.
  • If the answer to the previous question was yes, are the changes available on GitHub?
  • Have you checked your service quotas for the services this solution uses?
  • Were there any errors in the CloudWatch Logs? Yes, here's the full stacktrace:
2020-08-03T12:59:08.336Z	9fcbeed0-d869-4d94-be1c-98a6b2bf2cbe	INFO	ERROR::  AccessDeniedException: User: arn:aws:sts::<iam-id>:assumed-role/LiveStreamingwithMediaStore-CustomResourceRole-I3LJAWWIUNNA/LiveStreamingwithMediaStore-custom-resources is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:<iam-id>:parameter/<source-username>
    at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'AccessDeniedException',
  time: 2020-08-03T12:59:08.276Z,
  requestId: '9e044931-17cd-4096-8bb8-2285d7698716',
  statusCode: 400,
  retryable: false,
  retryDelay: 79.75711276262896
} AccessDeniedException: User: arn:aws:sts::<iam-id>:assumed-role/LiveStreamingwithMediaStore-CustomResourceRole-I3LJAWWIUNNA/LiveStreamingwithMediaStore-custom-resources is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:<iam-id>:parameter/<source-name>
    at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:116:18)

Screenshots

Screenshot from 2020-08-03 16-17-36

Additional context

Looking at the template policies for CustomResourceRole, there's no SSM configuration (link to template).

I'm not an AWS expert, but I assume adding the policies will fix the issue?

On the other hand, the MediaLiveRole has two identical policies for the SSM here and here. Not sure if this deserves a separate issue, but I think it's worth noting it.

@pgergov pgergov added the bug Something isn't working label Aug 3, 2020
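
The two observations in the report above (a role with no statement covering `ssm:PutParameter`, and a role carrying two identical SSM policies) can both be checked statically before deployment. The following is an added example, not code from this repository: the template fragment, policy names, account ID and parameter name are constructed, and the check only evaluates inline `Allow` statements with literal strings (no `Deny`, managed policies or intrinsic functions such as `Fn::Sub`).

```javascript
// Constructed CloudFormation fragment (JSON form), NOT the solution's real template.
const template = { Resources: {
  CustomResourceRole: { Type: 'AWS::IAM::Role', Properties: { Policies: [
    { PolicyName: 'logs', PolicyDocument: { Statement: [
      { Effect: 'Allow', Action: ['logs:CreateLogStream', 'logs:PutLogEvents'], Resource: '*' }] } }] } },
  MediaLiveRole: { Type: 'AWS::IAM::Role', Properties: { Policies: [
    { PolicyName: 'ssm-a', PolicyDocument: { Statement: [
      { Effect: 'Allow', Action: ['ssm:GetParameter', 'ssm:PutParameter'], Resource: 'arn:aws:ssm:*:*:parameter/*' }] } },
    { PolicyName: 'ssm-b', PolicyDocument: { Statement: [
      { Effect: 'Allow', Action: ['ssm:GetParameter', 'ssm:PutParameter'], Resource: 'arn:aws:ssm:*:*:parameter/*' }] } }] } },
} };

const toArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM-style wildcard match: '*' matches any run of characters, '?' exactly one.
function wildcardMatch(pattern, value, caseInsensitive = false) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${re}$`, caseInsensitive ? 'i' : '').test(value);
}

// True if any inline Allow statement on the role covers `action` on `resource`.
// Action names match case-insensitively; resource ARNs are case-sensitive.
function roleAllows(tpl, roleName, action, resource) {
  const props = (tpl.Resources[roleName] || {}).Properties || {};
  return toArray(props.Policies)
    .flatMap((p) => toArray(p.PolicyDocument && p.PolicyDocument.Statement))
    .some((s) => s.Effect === 'Allow' &&
      toArray(s.Action).some((a) => typeof a === 'string' && wildcardMatch(a, action, true)) &&
      toArray(s.Resource).some((r) => typeof r === 'string' && wildcardMatch(r, resource)));
}

// Pairs [first, repeat] of inline policies on one role whose documents are identical.
// Comparison is on serialized form, so it catches copy-pasted policies, not reordered ones.
function duplicatePolicies(tpl, roleName) {
  const props = (tpl.Resources[roleName] || {}).Properties || {};
  const seen = new Map();
  const dups = [];
  for (const p of toArray(props.Policies)) {
    const key = JSON.stringify(p.PolicyDocument);
    if (seen.has(key)) dups.push([seen.get(key), p.PolicyName]);
    else seen.set(key, p.PolicyName);
  }
  return dups;
}

// Constructed ARN in the shape of the one in the AccessDeniedException above.
const target = 'arn:aws:ssm:us-east-1:111122223333:parameter/example-source-user';
console.log('CustomResourceRole may PutParameter:', roleAllows(template, 'CustomResourceRole', 'ssm:PutParameter', target));
console.log('MediaLiveRole duplicate policies:', duplicatePolicies(template, 'MediaLiveRole'));
```

A real template written in YAML would need to be converted to JSON first, and any `Resource` built with intrinsic functions is skipped rather than resolved.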

pgergov commented Aug 17, 2020

@tomnight Just following up to check if this has been issued?

@tomnight
Contributor

patched in the last commit, v1.1.1

thanks
