Miserlou / Zappa

Serverless Python
https://blog.zappa.io/
MIT License

Incorrect IAM permissions for DynamoDB #1662

Open tk421 opened 5 years ago

tk421 commented 5 years ago

Dynamo DB Incorrect permissions

When deploying a zappa application based on this post, with the following zappa_settings.json

{
    "dev": {
        "app_function": "blog.app", 
        "aws_region": "ap-southeast-2", 
        "profile_name": "default", 
        "project_name": "serverless-blog", 
        "runtime": "python2.7", 
        "s3_bucket": "taromba-sb"
    }
}

and running zappa deploy, it starts the deployment but eventually fails with the following error:

Error: Warning! Status check on the deployed lambda failed. A GET request to '/' yielded a 502 response code.

Zappa creates an IAM policy called _zappapermissions that contains the following code for DynamoDB

        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "arn:aws:dynamodb:*:*:*"
        },

And those permissions do not allow executing the action ListTables, which is needed in the deployment process.

Python 2.7

Expected Behavior

After running zappa deploy, the deployment should be successful.

Actual Behavior

% zappa update
(python-slugify 1.2.6 (/home/tk421/code/serverless.blog/env/lib/python2.7/site-packages), Requirement.parse('python-slugify==1.2.4'), set([u'zappa']))
Calling update for stage dev..
Downloading and installing dependencies..
Packaging project as zip.
Uploading serverless-blog-dev-1539819658.zip (8.6MiB)..
100%|█| 9.02M/9.02M [01:16<00:00, 117KB/s]
Updating Lambda function code..
Updating Lambda function configuration..
Uploading serverless-blog-dev-template-1539819740.json (1.6KiB)..
100%|█| 1.66K/1.66K [00:00<00:00, 14.1KB/s]
Deploying API Gateway..
Scheduling..
Unscheduled serverless-blog-dev-zappa-keep-warm-handler.keep_warm_callback.
Scheduled serverless-blog-dev-zappa-keep-warm-handler.keep_warm_callback with expression rate(4 minutes)!
Error: Warning! Status check on the deployed lambda failed. A GET request to '/' yielded a 502 response code.

zappa tail

[1539819427320] An error occurred (AccessDeniedException) when calling the ListTables operation: User: arn:aws:sts::808777168163:assumed-role/serverless-blog-dev-ZappaLambdaExecutionRole/serverless-blog-dev is not authorized to perform: dynamodb:ListTables on resource: *: ClientError
Traceback (most recent call last):
  File "/var/task/handler.py", line 580, in lambda_handler
  return LambdaHandler.lambda_handler(event, context)
  File "/var/task/handler.py", line 245, in lambda_handler
  handler = cls()
  File "/var/task/handler.py", line 139, in __init__
  self.app_module = importlib.import_module(self.settings.APP_MODULE)
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
  __import__(name)
  File "/var/task/blog.py", line 12, in <module>
  dyn_storage = DynamoDBStorage(region_name='us-east-1')
  File "/var/task/flask_blogging/dynamodbstorage.py", line 22, in __init__
  self._create_all_tables()
  File "/var/task/flask_blogging/dynamodbstorage.py", line 195, in _create_all_tables
  response = self._client.list_tables()
  File "/var/runtime/botocore/client.py", line 314, in _api_call
  return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 612, in _make_api_call
  raise error_class(parsed_response, operation_name)
ClientError: An error occurred (AccessDeniedException) when calling the ListTables operation: User: arn:aws:sts::808777168163:assumed-role/serverless-blog-dev-ZappaLambdaExecutionRole/serverless-blog-dev is not authorized to perform: dynamodb:ListTables on resource: *

Possible Fix

Make sure that zappa-permissions creates the correct values. Broader permissions work, but they get overridden by zappa all the time - it would be best to tailor those permissions to what is actually needed.

        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:*"
            ],
            "Resource": "*"
        },

Steps to Reproduce

  1. Configure AWS CLI and confirm that you can interact with AWS
  2. Zappa version 0.47.0
  3. git clone https://bitbucket.org/manageacloud/serverless-test.git
  4. virtualenv env (tested with python 2.7)
  5. source env/bin/activate
  6. pip install -r requirements.txt
  7. zappa deploy dev

Your Environment

thesunlover commented 5 years ago

did you run aws configure?

tk421 commented 5 years ago

did you run aws configure?

@thesunlover yes. I can interact with aws over the cli without any problem.

progerjkd commented 5 years ago

I am having the same problem. Did you fix it?

tk421 commented 5 years ago

@progerjkd I found a workaround.

File zappa_settings.json

{
    "dev": {
        "app_function": "blog.app", 
        "aws_region": "ap-southeast-2", 
        "profile_name": "default", 
        "project_name": "serverless-blog", 
        "runtime": "python2.7", 
        "s3_bucket": "taromba-sb",
        "manage_roles": false,
        "role_name": "MyLambdaRole", 
        "role_arn": "arn:aws:iam::800000000:role/my-role-name-dev-ZappaLambdaExecutionRole"
    }
}

You just need to create the role in AWS IAM to get the correct value for role_arn. Those are the permissions that I am currently using for testing purposes.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:DescribeInstances",
                "ec2:DetachNetworkInterface",
                "xray:PutTelemetryRecords",
                "ec2:DescribeNetworkInterfaces",
                "lambda:InvokeFunction",
                "ec2:ResetNetworkInterfaceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:DeleteNetworkInterface",
                "route53:*",
                "ec2:AttachNetworkInterface",
                "xray:PutTraceSegments"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "logs:*",
            "Resource": "arn:aws:logs:*:*:*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "kinesis:*",
            "Resource": "arn:aws:kinesis:*:*:*"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "sns:*",
            "Resource": "arn:aws:sns:*:*:*"
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": "sqs:*",
            "Resource": "arn:aws:sqs:*:*:*"
        },
        {
            "Sid": "VisualEditor6",
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "*"
        }
    ]
}
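The diagnosis in the original report (a statement scoped to `arn:aws:dynamodb:*:*:*` cannot authorize `ListTables`) and the workaround policy above (`dynamodb:*` on `Resource: "*"`) can both be checked offline with a small IAM-style evaluator. The script below is an added example, not Zappa's or AWS's code: it matches actions and resource ARNs with IAM wildcard semantics and evaluates the statement Zappa generates, the reporter's proposed fix, and a tailored least-privilege alternative against the exact call that failed in the traceback plus two further requests. The account id `111111111111`, the `blog-*` table prefix and the request list are constructed placeholders; the evaluator ignores `Condition`, `NotAction` and `Principal`, so it illustrates the resource-matching point rather than replacing a real authorization check.

```python
"""Why Zappa's default DynamoDB statement cannot allow ListTables.

Added illustration, not Zappa's or AWS's code. IAM compares a statement's
Resource element with the ARN the request targets. dynamodb:ListTables is an
account-level action with no resource ARN, so IAM evaluates it against the
resource "*"; a statement scoped to "arn:aws:dynamodb:*:*:*" never matches it,
which is the AccessDeniedException in the issue's traceback. The evaluator is
deliberately minimal (Allow/Deny, glob matching, no Condition/NotAction/
Principal handling) and is not an authoritative policy check.
"""
import re


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch("".join(parts), value, flags) is not None


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if an Allow statement matches and no Deny statement does.

    Actions are matched case-insensitively (as IAM does); resource ARNs are
    matched case-sensitively.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_glob(p, resource, False) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny wins over any Allow
            allowed = True
    return allowed


# 1. The statement Zappa generates, quoted from the issue report.
ZAPPA_DEFAULT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "arn:aws:dynamodb:*:*:*"},
]}

# 2. The reporter's proposed fix (and the workaround role): same wildcard
#    actions, Resource "*".
PROPOSED_FIX = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
]}

# 3. A tailored alternative (constructed here; account id and table prefix are
#    placeholders). ListTables gets "*" because it has no resource ARN; the
#    table-level calls the app makes (list_tables then create_table in the
#    traceback, plus item reads/writes) are limited to the app's own tables.
TAILORED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:ListTables", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["dynamodb:DescribeTable", "dynamodb:CreateTable", "dynamodb:GetItem",
                "dynamodb:PutItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:ap-southeast-2:111111111111:table/blog-*"},
]}

POLICIES = {"zappa_default": ZAPPA_DEFAULT, "proposed_fix": PROPOSED_FIX, "tailored": TAILORED}

# Requests to evaluate (constructed). The first is the exact call that failed
# in the issue; the others show what each policy grants beyond it.
REQUESTS = {
    "ListTables": ("dynamodb:ListTables", "*"),
    "PutItem on own table": ("dynamodb:PutItem",
                             "arn:aws:dynamodb:ap-southeast-2:111111111111:table/blog-posts"),
    "DeleteTable on another table": ("dynamodb:DeleteTable",
                                     "arn:aws:dynamodb:us-east-1:111111111111:table/payments"),
}


def evaluate_all() -> dict:
    """Map policy name -> {request label -> allowed?} for REQUESTS."""
    return {name: {label: is_allowed(policy, action, resource)
                   for label, (action, resource) in REQUESTS.items()}
            for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for name, results in evaluate_all().items():
        print(name)
        for label, ok in results.items():
            print(f"  {'ALLOW' if ok else 'DENY ':5} {label}")
```

Running it shows the three outcomes side by side: the Zappa default denies `ListTables` while still allowing `DeleteTable` on any table in any account, the proposed fix allows all three, and the tailored policy allows only `ListTables` and the app's own table. For a real role, the same questions can be put to IAM itself with the policy simulator (`aws iam simulate-custom-policy`), which also honours conditions that this toy evaluator ignores.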