aws / copilot-cli

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on AWS App Runner or Amazon ECS on AWS Fargate.
https://aws.github.io/copilot-cli/
Apache License 2.0

Copilot gets stuck in "Proposing infrastructure changes". #4862

Open Mic-U opened 1 year ago

Mic-U commented 1 year ago

Symptom

The copilot env init command gets stuck in the following state.

$ copilot env init 
Environment name: test
Credential source: [profile default]
Default environment configuration? Yes, use default.
✔ Wrote the manifest for environment test at ../copilot/environments/test/manifest.yml
- Update regional resources with stack set "demo-app-infrastructure"  [succeeded]  [10.5s]
⠦ Proposing infrastructure changes for the demo-app-test environment.

Repro Steps

  1. Attach the AdministratorAccess policy and the following inline policy to the IAM user.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "cloudformation:DescribeChangeSet",
            "Resource": "*"
        }
    ]
}
  2. Set the credential of the IAM user with the aws configure command.
  3. Run the copilot env init command and choose the profile for the IAM user.

Additional Information

When this issue occurs, the DescribeChangeSet API returns an AccessDenied error. We can confirm it with CloudTrail.

Suggestion

It seems that copilot retries the DescribeChangeSet API even though it returns an AccessDenied error. copilot should stop the process and show the error message.
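The fail-fast behaviour suggested above, as an added Go sketch that is not code from Copilot or aws-sdk-go: a polling loop that keeps retrying transient errors and in-progress statuses but returns immediately on an authorization failure. The names apiError, describeFunc, waitForChangeSet and the terminalCodes list are assumptions made for this illustration, and the describe function is a stub rather than a real API call.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// apiError is a hypothetical stand-in for an AWS API error that carries an error code.
type apiError struct{ Code string }

func (e *apiError) Error() string { return "api error: " + e.Code }

// terminalCodes lists codes that retrying cannot fix (assumed list for this sketch).
var terminalCodes = map[string]bool{"AccessDenied": true, "ValidationError": true}

// describeFunc stands in for one DescribeChangeSet call and returns the change set status.
type describeFunc func() (string, error)

// waitForChangeSet polls until the change set leaves its in-progress states.
// It returns the final status and the number of calls made, and stops at once
// on a terminal error instead of spinning until the attempts run out.
func waitForChangeSet(describe describeFunc, maxAttempts int, delay time.Duration) (string, int, error) {
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		status, err := describe()
		var ae *apiError
		switch {
		case err == nil && status != "CREATE_PENDING" && status != "CREATE_IN_PROGRESS":
			return status, attempt, nil
		case errors.As(err, &ae) && terminalCodes[ae.Code]:
			return "", attempt, fmt.Errorf("describe change set: not retrying: %w", err)
		}
		// Transient error or still in progress: wait and poll again.
		time.Sleep(delay)
	}
	return "", maxAttempts, errors.New("describe change set: attempts exhausted")
}

func main() {
	// Constructed stub reproducing the Deny policy from the repro steps.
	denied := func() (string, error) { return "", &apiError{Code: "AccessDenied"} }
	_, calls, err := waitForChangeSet(denied, 10, time.Millisecond)
	fmt.Println(calls, err)
}
```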

KollaAdithya commented 1 year ago

Hey @Mic-U! I could reproduce the issue. Let me try to dig into your codebase and see what exactly is happening in this case and what are the actions we can take on our end to fix this.

In the meantime, as a workaround, can you create a user profile that allows the DescribeChangeSet action?

dannyrandall commented 9 months ago

I dug into this; thanks for the great repro steps @Mic-U! I was able to reproduce the error, and filed a bug report in aws-sdk-go here: https://github.com/aws/aws-sdk-go/issues/4983.