aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

CDK workshop produced "AccessDenied. User doesn't have permission to call ssm:GetParameters" error in GovCloud #20959

Closed estebane-frb closed 2 years ago

estebane-frb commented 2 years ago

Describe the bug

Following this CDK workshop with an AWS GovCloud account fails when running the cdk deploy command with the following error:

cdk-workshop failed: Error [ValidationError]: AccessDenied. User doesn't have permission to call ssm:GetParameters
    at Request.extractError (/usr/local/lib/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/usr/local/lib/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/usr/local/lib/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/usr/local/lib/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/usr/local/lib/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /usr/local/lib/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/usr/local/lib/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/usr/local/lib/node_modules/aws-sdk/lib/request.js:688:12)
    at Request.callListeners (/usr/local/lib/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'ValidationError',

AWS CDK version: 2.30.0 (build 1529743)

Expected Behavior

Stack deploys successfully as instructed in the Workshop

Current Behavior

See error pasted above.

Reproduction Steps

Follow the steps in this workshop https://cdkworkshop.com/30-python.html

Possible Solution

The CloudTrail event shows the following information: "eventSource": "cloudformation.amazonaws.com", "eventName": "CreateChangeSet", "awsRegion": "us-gov-west-1", "errorCode": "ValidationException", "errorMessage": "AccessDenied. User doesn't have permission to call ssm:GetParameters", "requestParameters": null, "responseElements": null,

There is a validation step in CreateChangeSet that I think checks cached metadata about the deploy-role generated during bootstrap. Even if I manually change the default policy of the cdk-*********-deploy-role-**************-us-gov-west-1 IAM role to include ssm:GetParameters (notice that the policy is missing ssm:GetParameters), the CreateChangeSet action does not seem to be checking the actual IAM role. Is it possible that it is checking somewhere else?

Additional Information/Context

No response

CDK CLI Version

2.30.0 (build 1529743)

Framework Version

No response

Node.js Version

Node.js v17.9.0

OS

Mac OS (Monterrey) / Intel

Language

Python

Language Version

Python 3.8.2

Other information

Colleague reported seeing the same issue in Typescript sample

rix0rrr commented 2 years ago

The issue is most likely not with the deploy-role, but the cfn-exec-role. This is the role that CloudFormation uses to perform all the calls it needs to make.

Make sure that role has ssm:GetParameters.
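
One way to verify the point above before re-running cdk deploy, as an added example that is not part of this issue or of the aws-cdk project: evaluate the execution role's policy document for the specific action CloudFormation needs, and optionally confirm the result with IAM's policy simulator against the live role. The sample policy, account id and role naming below are constructed assumptions (the default bootstrap qualifier hnb659fds and the aws-us-gov partition are real values, but your bootstrap may use a custom qualifier). Note that ssm:GetParameter and ssm:GetParameters are distinct actions; granting only the singular form does not satisfy CreateChangeSet.

```python
"""Check whether an IAM policy document grants ssm:GetParameters.

Added example, not code from aws-cdk or from this issue's participants.
"""
import fnmatch

# Constructed sample inline policy, shaped like a trimmed-down execution-role
# policy. It deliberately carries ssm:GetParameter but not ssm:GetParameters,
# and an explicit Deny that must win over the broad s3:* Allow.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*", "s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ssm:GetParameter", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy: dict, action: str) -> bool:
    """Return True if `policy` allows `action`.

    Simplified IAM evaluation: an explicit Deny wins, otherwise an Allow is
    required. Resource, Condition and NotAction elements are ignored, so this
    is a coarse local check, not a substitute for the IAM policy simulator.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        hit = any(_matches(p, action) for p in _as_list(stmt.get("Action", [])))
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False  # explicit deny overrides any allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy: dict, required) -> list:
    """Return the required actions the policy does not allow, in input order."""
    return [a for a in required if not action_allowed(policy, a)]


def exec_role_arn(account: str, region: str,
                  partition: str = "aws-us-gov",
                  qualifier: str = "hnb659fds") -> str:
    """Build the ARN of the CDK bootstrap CloudFormation execution role.

    The naming pattern cdk-<qualifier>-cfn-exec-role-<account>-<region> is the
    bootstrap default; a custom qualifier must be passed in if one was used.
    """
    return (f"arn:{partition}:iam::{account}:role/"
            f"cdk-{qualifier}-cfn-exec-role-{account}-{region}")


def simulate_role(role_arn: str, actions) -> dict:
    """Ask IAM's policy simulator for the live role (needs credentials; not run here).

    Returns {action: "allowed" | "explicitDeny" | "implicitDeny"}.
    """
    import boto3  # imported lazily so the local checks work offline
    iam = boto3.client("iam")
    resp = iam.simulate_principal_policy(PolicySourceArn=role_arn,
                                         ActionNames=list(actions))
    return {r["EvalActionName"]: r["EvalDecision"] for r in resp["EvaluationResults"]}


if __name__ == "__main__":
    required = ["cloudformation:CreateChangeSet", "ssm:GetParameters"]
    print("missing locally:", missing_actions(SAMPLE_POLICY, required))
    # Live check against a constructed placeholder account id:
    # print(simulate_role(exec_role_arn("123456789012", "us-gov-west-1"), required))
```

Run the local check first against the policy JSON pulled from the role (for example via `aws iam get-role-policy`); if it reports ssm:GetParameters as missing, that is the gap to close on the cfn-exec-role rather than on the deploy-role. The simulator call is the authoritative answer because it also honours resource constraints and conditions that the local function ignores.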

github-actions[bot] commented 2 years ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

praveenvtmn commented 1 year ago

@rix0rrr it helps a lot

devopscaxsol commented 1 year ago

@rix0rrr I have attached the same permission to cfn-exec-role. Unfortunately it does not work; I am getting the error mentioned in the title.