aws / copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
https://aws.github.io/copilot-cli/
Apache License 2.0
3.52k stars 417 forks

deploy env fails: The EnvManagerRole fails to iam:PassRole to the CFNExecutionRole because its missing tags #4849

Open gs-emp opened 1 year ago

gs-emp commented 1 year ago

Getting this error: AccessDenied: User: arn:aws:sts:::assumed-role/-EnvManagerRole/ is not authorized to perform: iam:PassRole on resource: arn:aws:iam:::role/*-CFNExecutionRole because no identity-based policy allows the iam:PassRole action

Looking at the stack set for the environment it appears that EnvManagerRole is only allowed to pass to roles with the correct "copilot-application" and "copilot-environment" tags which are missing from CFNExecutionRole.

I believe the problem is here: https://github.com/aws/copilot-cli/blob/8a08a1026f8a8e7cc4ea043084b2755ea026099c/internal/pkg/template/templates/environment/partials/environment-manager-role.yml#L122

because there are no resource tags in here: https://github.com/aws/copilot-cli/blob/8a08a1026f8a8e7cc4ea043084b2755ea026099c/internal/pkg/template/templates/environment/partials/cfn-execution-role.yml

Not 100% sure; maybe there is something I am doing wrong. Thanks for any help.

KollaAdithya commented 1 year ago

Hey @gabestep-emp 👋

The CloudFormation stack created by Copilot will automatically add these tags, copilot-application and copilot-environment, to all the resources within the stack.

Can you please check and confirm the below:

  1. When you run copilot env init --profile ., does the user profile you are using to create the environment have a permission that allows iam:TagRole?
  2. Is there any permission boundary set on the user that does not allow iam:TagRole?

Here is a related comment, https://github.com/aws/copilot-cli/issues/2160#issuecomment-1024693374, that can help you fix the issue.
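As an added example (not code from the issue or from the Copilot project), here is an offline evaluator that reproduces the two checks discussed above: the tag-conditioned iam:PassRole statement on the EnvManagerRole, and an operator policy that lacks iam:TagRole. The statement shapes, the `iam:ResourceTag/` condition keys, the account id and the tag values are constructed assumptions that mirror the thread, not the real template.

```python
import fnmatch

TAG_KEY = "iam:ResourceTag/"  # ASSUMPTION: condition key family used by the template


def _as_list(value):
    return value if isinstance(value, list) else [value]


def denial_reasons(statement, action, resource_arn, resource_tags):
    """Explain why one Allow statement would not grant `action` on `resource_arn`.

    Returns an empty list when the statement covers the call, otherwise one
    reason per failed check. Only StringEquals on iam:ResourceTag/* is modelled;
    other operators and keys are reported as not evaluated rather than passed.
    """
    reasons = []
    if statement.get("Effect") != "Allow":
        reasons.append("statement is not an Allow")
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement.get("Action", []))):
        reasons.append(f"action {action} not listed")
    if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(statement.get("Resource", []))):
        reasons.append(f"resource {resource_arn} not matched")
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            reasons.append(f"condition operator {operator} not evaluated")
            continue
        for key, wanted in keys.items():
            if not key.startswith(TAG_KEY):
                reasons.append(f"condition key {key} not evaluated")
                continue
            tag = key[len(TAG_KEY):]
            actual = resource_tags.get(tag)
            if actual is None:
                reasons.append(f"missing tag {tag}")  # the failure seen in this issue
            elif actual not in _as_list(wanted):
                reasons.append(f"tag {tag}={actual!r} not in {_as_list(wanted)}")
    return reasons


# Constructed stand-in for the EnvManagerRole PassRole statement (ASSUMPTION).
PASS_ROLE_STMT = {
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::123456789012:role/*-CFNExecutionRole",
    "Condition": {"StringEquals": {
        "iam:ResourceTag/copilot-application": "myapp",
        "iam:ResourceTag/copilot-environment": "test",
    }},
}
CFN_EXEC_ROLE = "arn:aws:iam::123456789012:role/myapp-test-CFNExecutionRole"
# Constructed operator policy that forgot iam:TagRole, the root cause in the thread.
OPERATOR_STMT = {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:PutRolePolicy"], "Resource": "*"}
```

Run `denial_reasons(PASS_ROLE_STMT, "iam:PassRole", CFN_EXEC_ROLE, {})` to see the two missing-tag reasons, and `denial_reasons(OPERATOR_STMT, "iam:TagRole", CFN_EXEC_ROLE, {})` to see why the tags were never applied.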

gs-emp commented 1 year ago

Thanks - I missed that permission when creating the role for copilot. Is there any way we could add an error message on the failed creation of those tags so it's easier to debug in the future @KollaAdithya?

KollaAdithya commented 1 year ago

This will be an enhancement for us. We can add Recommended Actions with an error message in this case to have the iam:TagRole permission on the user profile creating the environment. Also, this has been a longstanding issue for a while. We need to surface the minimal IAM permissions required in our docs in order to set up copilot.

curthipster commented 7 months ago

@KollaAdithya are the minimal IAM permissions documented anywhere? I've run into a handful of issues today, including this one. Thanks!

dannyrandall commented 7 months ago

Hey @curthipster, unfortunately we don't have the full list documented anywhere today, but there's a related issue https://github.com/aws/copilot-cli/issues/1345 with some example policies that have worked for others that you can try!