
Missing permissions in DEPLOY_WEBINY_PROJECT_CF_TEMPLATE #4320

Closed
cat5inthecradle opened this issue Oct 8, 2024 · 3 comments

@cat5inthecradle

cat5inthecradle commented Oct 8, 2024

Version

5.40.6

Operating System

N/A

Browser

N/A

What are the steps to reproduce this bug?

To deploy our initial Webiny infrastructure, we followed these steps:

  1. Create a new AWS Account
  2. Create an IAM user, "Webiny_Deployer" with no permissions
  3. Use the provided cloudformation template in the docs to assign the user to least-privilege groups suitable for deploying Webiny. This was created in us-east-1.
  4. Attempt to deploy Webiny, using the "Webiny_Deployer" user, via yarn webiny deploy

What is the expected behavior?

Successful Webiny environment creation.

What do you see instead?

We receive an IAM permissions error (account IDs redacted):

validating Step Functions State Machine definition:
User: arn:aws:iam::REDACTED:user/Webiny_Deployer
is not authorized to perform:
states:ValidateStateMachineDefinition on resource: arn:aws:states:us-east-1:REDACTED:stateMachine:*
because no identity-based policy allows the states:ValidateStateMachineDefinition action

And additional errors appear as each permission is granted. Logging them here:

  • states:ValidateStateMachineDefinition on resource: arn:aws:states:us-east-1:REDACTED:stateMachine:*
  • states:ListStateMachineVersions on resource: stateMachine:wby-background-task-sfn-811a8dd
  • cloudfront:GetDistribution on resource: distribution/<distribution id> - This occurred on yarn webiny destroy
    • this looks like a Condition mismatch.
  • lambda:ListTags on resource: event-source-mapping:<guid>
    • this looks like a Condition mismatch.

Additional information

No response

Possible solution

#4321

@cat5inthecradle cat5inthecradle changed the title Missing permissions Missing permissions in DEPLOY_WEBINY_PROJECT_CF_TEMPLATE Oct 8, 2024
@adrians5j adrians5j self-assigned this Oct 9, 2024
@cat5inthecradle
Author

PR #4323 looks like it should take care of this, thanks for tidying up my attempt, @adrians5j!

In the meantime, we just added the following inline policy to our user:

```json
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "states:ValidateStateMachineDefinition",
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": "states:ListStateMachineVersions",
			"Resource": "arn:aws:states:*:*:stateMachine:wby-*"
		},
		{
			"Effect": "Allow",
			"Action": "lambda:ListTags",
			"Resource": "arn:aws:lambda:*:*:event-source-mapping:*"
		},
		{
			"Effect": "Allow",
			"Action": "cloudfront:GetDistribution",
			"Resource": "arn:*:cloudfront::*:distribution/*"
		}
	]
}
```
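
As an added example (not code from this issue, from Webiny, or from the linked PRs), the permission-by-permission discovery described above can be scripted: parse the AccessDenied messages out of the deploy output and group them into a policy document whose Resource is taken from the error itself rather than widened to "*". The sample log, the account ID and the event-source-mapping ID are constructed; completing a partial resource such as "stateMachine:<name>" to a full ARN using the action's service prefix is an assumption and should be reviewed before the policy is attached.

```python
import re

# Shape of the AccessDenied messages quoted in this issue (they may wrap across lines).
ACCESS_DENIED_RE = re.compile(
    r"User:\s*(?P<principal>\S+)\s+is not authorized to perform:\s*"
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+)\s+on resource:\s*(?P<resource>\S+)"
)

# Constructed sample of deploy output, with the account ID redacted as in the issue.
SAMPLE_DEPLOY_LOG = """\
validating Step Functions State Machine definition:
User: arn:aws:iam::REDACTED:user/Webiny_Deployer
is not authorized to perform:
states:ValidateStateMachineDefinition on resource: arn:aws:states:us-east-1:REDACTED:stateMachine:*
because no identity-based policy allows the states:ValidateStateMachineDefinition action
User: arn:aws:iam::REDACTED:user/Webiny_Deployer is not authorized to perform: states:ListStateMachineVersions on resource: stateMachine:wby-background-task-sfn-811a8dd because no identity-based policy allows the states:ListStateMachineVersions action
User: arn:aws:iam::REDACTED:user/Webiny_Deployer is not authorized to perform: lambda:ListTags on resource: event-source-mapping:0000-constructed because no identity-based policy allows the lambda:ListTags action
"""

def parse_access_denied(log_text: str) -> list[dict]:
    """Extract principal/action/resource triples from (possibly line-wrapped) deploy output."""
    flat = " ".join(log_text.split())
    return [m.groupdict() for m in ACCESS_DENIED_RE.finditer(flat)]

def full_arn(action: str, resource: str, account_id: str) -> str:
    """Scope the reported resource to the real account and complete it to a full ARN."""
    resource = resource.replace("REDACTED", account_id)
    if resource.startswith("arn:"):
        return resource
    # Some services report only the resource tail (e.g. "event-source-mapping:<id>").
    # Assumption: the ARN service equals the action's service prefix; region is left as "*".
    service = action.split(":", 1)[0]
    return f"arn:aws:{service}:*:{account_id}:{resource}"

def generate_policy_from_log(log_text: str, account_id: str) -> dict:
    """Group denied actions by resource into a policy document, never widening to "*"."""
    by_resource: dict[str, set[str]] = {}
    for d in parse_access_denied(log_text):
        arn = full_arn(d["action"], d["resource"], account_id)
        by_resource.setdefault(arn, set()).add(d["action"])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(actions), "Resource": arn}
            for arn, actions in sorted(by_resource.items())
        ],
    }
```

The returned dict can be dumped with json.dumps and pasted as an inline policy; re-run the deploy and feed the next batch of errors through the same function until it completes.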

@adrians5j
Member

adrians5j commented Oct 9, 2024

Great @cat5inthecradle.

Glad you're not blocked.

We'll be releasing these fixes officially hopefully by the end of the week, or the beginning of next week at the latest. Make sure to keep an eye on the #announcements Slack channel. :)

@adrians5j
Member

Forgot to close this one, so doing it now. :)
