HicResearch / TREEHOOSE

DARE UK Sprint Project: Trusted Research Environment and Enclave for Hosting Open Original Science Exploration
Apache License 2.0

adding permissions #74

Closed awskaran closed 2 years ago

awskaran commented 2 years ago

Description


Declaration : By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

sylnkt commented 2 years ago

@manics please try the egress app backend deployment again, but with this change added

manics commented 2 years ago

Sorry for the delay.... I was debugging another problem:

09:29:40 | CREATE_FAILED        | Custom::EmailConfigurationSetEventDestination | EmailConfiguration...nationProd5F0E58F0
Received response status [FAILED] from custom resource. Message returned: User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/EgressAppBackend-AWS679f53fac002430cb0da5b7982bd22-769NXUX4VELD/EgressAppBackend-AWS679f53fac002430cb0da5b7982bd22-wIPVRylhsDgl is not authorized to perform: ses:CreateConfigurationSetEventDestination on resource: arn:aws:ses:eu-west-2:<AWS_ACCOUNT_ID>:configuration-set/egress_app_configuration_set_Prod because no identity-based policy allows the ses:CreateConfigurationSetEventDestination action (RequestId: 05159908-c27e-43dd-88ab-75cfb31786bc)

I made this change:

diff --git a/src/components/egress_app_backend/egress_backend/components/email_configuration_set_event_dest/email_configuration_set_event_dest_cr.py b/src/components/egress_app_backend/egress_backend/components/email_configuration_set_event_dest/email_configuration_set_event_dest_cr.py
index 96a1cbc..d06cfd1 100644
--- a/src/components/egress_app_backend/egress_backend/components/email_configuration_set_event_dest/email_configuration_set_event_dest_cr.py
+++ b/src/components/egress_app_backend/egress_backend/components/email_configuration_set_event_dest/email_configuration_set_event_dest_cr.py
@@ -46,6 +46,7 @@ class EmailConfigurationSetEventDestinationCustomResource(cdk.Construct):
                     "logs:CreateLogGroup",
                     "logs:CreateLogStream",
                     "logs:PutLogEvents",
+                    "ses:CreateConfigurationSetEventDestination",
                 ],
             )
         )
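Review bot: the new `ses:CreateConfigurationSetEventDestination` action is appended to a statement whose other actions are all CloudWatch Logs actions, and the statement's resources are outside this hunk; please confirm the SES action ends up scoped to the configuration-set ARN (in the error above, `arn:aws:ses:eu-west-2:<AWS_ACCOUNT_ID>:configuration-set/egress_app_configuration_set_Prod`) rather than inheriting a log-group resource or `*`. Since the same provider role will also receive the custom resource's Update and Delete events, it is worth checking whether the matching update/delete actions on the event destination are required so a stack update or teardown does not fail the same way.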

And now it's successfully deployed!
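To make the failure above easy to diagnose and to keep the fix least-privilege, here is an added helper (my own, not part of TREEHOOSE) that parses the IAM denial from the CDK output into the role that needs the grant and an Allow statement scoped to the exact SES configuration-set ARN; the sample message is reconstructed from the log in this thread, and the function names are assumptions of this example.

```python
import re

# Constructed sample input: the AccessDenied message quoted in this thread,
# re-joined into one line (the account id is redacted as on the page).
SAMPLE_MESSAGE = (
    "User: arn:aws:sts::<AWS_ACCOUNT_ID>:assumed-role/"
    "EgressAppBackend-AWS679f53fac002430cb0da5b7982bd22-769NXUX4VELD/"
    "EgressAppBackend-AWS679f53fac002430cb0da5b7982bd22-wIPVRylhsDgl "
    "is not authorized to perform: ses:CreateConfigurationSetEventDestination "
    "on resource: arn:aws:ses:eu-west-2:<AWS_ACCOUNT_ID>:configuration-set/"
    "egress_app_configuration_set_Prod because no identity-based policy "
    "allows the ses:CreateConfigurationSetEventDestination action"
)

# Shape of the IAM "is not authorized" message: principal, action, resource.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(message):
    """Return {'principal', 'action', 'resource'} from an IAM denial, or None."""
    m = DENIED_RE.search(message)
    return m.groupdict() if m else None


def role_name_from_principal(principal):
    """Return <role> from .../assumed-role/<role>/<session>: the policy goes on the role."""
    parts = principal.split("/")
    if len(parts) != 3 or not parts[0].endswith(":assumed-role"):
        return None
    return parts[1]


def minimal_statements(denials):
    """Group denied actions per resource into Allow statements scoped to that ARN, never '*'."""
    by_resource = {}
    for d in denials:
        by_resource.setdefault(d["resource"], set()).add(d["action"])
    return [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]

if __name__ == "__main__":
    denial = parse_access_denied(SAMPLE_MESSAGE)
    print("attach to role:", role_name_from_principal(denial["principal"]))
    print(minimal_statements([denial]))
```

The role it prints is the CDK provider function's role, which is why the grant belongs in the custom resource's policy statements rather than on the deploying user.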

awskaran commented 2 years ago

That is a strange error, as we did not face it, and the IAM policy statement on the custom resource has the required permissions.

sylnkt commented 2 years ago

That is strange indeed, as I tried the egress app backend deployment last night on a new AWS account with a new EC2 instance (based on the updated template with the extra IAM permissions, cheers @manics for adding those!) and I didn't encounter this error hmm