Amplify, User is not authorized to perform iam:passRole on resource

So I am trying to initialize an existing "react-ts" Amplify project that has about 8 services configured. When I run amplify push, everything seems to go fine and succeed except for the following; I get this error:

Resource Name: 2021/10/08/[$LATEST]c1c602b361e347ad83d49f77293e6aae (Custom::LambdaCallout)
Event Type: create
Reason: Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2021/10/08/[$LATEST]c1c602b361e347ad83d49f77293e6aae (RequestId: 90c39ffc-b3ee-4830-ae87-7df3cd3a0770)

Here is the CloudWatch log at the given address:

2021-10-08T06:28:37.448Z    d30823f5-a9f8-4d7e-a823-dd53b298a2fb    INFO    Response body:
 
{
    "Status": "FAILED",
    "Reason": "See the details in CloudWatch Log Stream: 2021/10/08/[$LATEST]3b533dd8fb9a43bc921cfe635d2bc945",
    "PhysicalResourceId": "2021/10/08/[$LATEST]3b533dd8fb9a43bc921cfe635d2bc945",
    "StackId": "arn:aws:cloudformation:us-east-1:474847889857:stack/amplify-storyliner-staging-44500-authstorylinerb9277983-1V5J90W5KFK1A/cef02b40-2800-11ec-bcb5-0adb3c7f2f15",
    "RequestId": "f7b5fc9e-0a46-43ae-bf7e-eb19fb81285e",
    "LogicalResourceId": "MFALambdaInputs",
    "NoEcho": false,
    "Data": {
        "err": {
            "message": "User: arn:aws:sts::474847889857:assumed-role/storylb9277983_totp_lambda_role-staging/amplify-storyliner-staging-44500-authsto-MFALambda-tA8KTT12iWvY is not authorized to perform: iam:PassRole on resource: arn:aws:iam::474847889857:role/snsb927798344500-staging because no identity-based policy allows the iam:PassRole action",
            "code": "AccessDeniedException",
            "time": "2021-10-08T06:28:37.445Z",
            "requestId": "3978bf89-5872-460d-b991-c3cd4e5280e1",
            "statusCode": 400,
            "retryable": false,
            "retryDelay": 38.192028876441576
        }
    }
}

I tried creating the role "snsb927798344500-staging" and adding the required policy, but as soon as I try to re-run the amplify push command, I get an error message saying snsb927798344500-staging already exist. So I think it is Amplify that creates the role on each push and deletes it after the process fails. That is why I cannot see the "snsb927798344500-staging" role again after the push process.

That particular message seems to be related to this GitHub issue on the CLI: https://github.com/aws-amplify/amplify-cli/issues/8363

We ran into the same problem today, and the following fixed it for us.

Solution copied here:

This issue is due to a missing policy in the MFALambda role which was fixed in #7729. Could you try adding the following policy to your auth CloudFormation and see if that fixes the issue. The part that you need to add is the policy with name corecocf3573d0_sns_pass_role_policy

# Snippet
MFALambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::If:
          - ShouldNotCreateEnvResources
          - corecocf3573d0_totp_lambda_role
          - Fn::Join:
              - ''
              - - corecocf3573d0_totp_lambda_role
                - '-'
                - Ref: env
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: corecocf3573d0_totp_pass_role_policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource:
                  Fn::If:
                    - ShouldNotCreateEnvResources
                    - arn:aws:iam:::role/corecocf3573d0_totp_lambda_role
                    - Fn::Join:
                        - ''
                        - - arn:aws:iam:::role/corecocf3573d0_totp_lambda_role
                          - '-'
                          - Ref: env
          # New policy
        - PolicyName: corecocf3573d0_sns_pass_role_policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:PassRole'
                Resource: !GetAtt SNSRole.Arn
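To see why the original role fails and why the added policy fixes it without over-granting, here is a small offline IAM policy evaluator (an added example, not part of the question, the answer, or the Amplify CLI). It assumes the MFALambda role's inline policies look like the two statements in the snippet above, rendered with the account ID and role names from the CloudWatch log; the evaluator only models Effect, Action and Resource, not conditions or NotAction.

```python
import fnmatch

# Constructed sample data, not from the page: the MFALambda role's inline policies as
# they look before and after the quoted fix, rendered with the ARNs from the log above.
ACCOUNT = "474847889857"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/storylb9277983_totp_lambda_role-staging"
SNS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/snsb927798344500-staging"

# The pre-existing totp_pass_role_policy: PassRole is only allowed on the Lambda's own role.
TOTP_PASS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"],
                   "Resource": LAMBDA_ROLE_ARN}],
}
# The sns_pass_role_policy the fix adds: scoped to the SNS role ARN, not to "*".
SNS_PASS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"],
                   "Resource": SNS_ROLE_ARN}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # IAM treats '*' and '?' as wildcards in Action and Resource; action names are
    # case-insensitive, so compare both sides lower-cased.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def is_allowed(policies, action, resource):
    """Offline approximation of IAM identity-based evaluation: an explicit Deny
    wins, any matching Allow grants, and with no match the request is denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def diagnose(policies, resource=SNS_ROLE_ARN):
    # Reproduce the verdict behind the AccessDeniedException in the log above.
    if is_allowed(policies, "iam:PassRole", resource):
        return "allowed"
    return f"AccessDenied: no identity-based policy allows iam:PassRole on {resource}"
```

With only the totp policy, `diagnose` returns the AccessDenied verdict from the log; with the sns policy added it returns "allowed", while PassRole on any other role in the account stays denied.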