awslabs / aws-saas-boost

AWS SaaS Boost is a ready-to-use toolset that removes the complexity of successfully running SaaS workloads in the AWS cloud.
Apache License 2.0

Fix apigateway permissions in Onboarding for CloudFormation #449

Closed PoeppingT closed 1 year ago

PoeppingT commented 1 year ago

Currently, trying to create an AppConfig with an environment from the main branch results in the following error when the core stack is updated: "Unable to retrieve RootResourceId attribute for AWS::ApiGateway::RestApi, with error message "User: arn:aws:sts::${account}:assumed-role/sb-${env}-onboarding-svc-role-us-west-2/sb-${env}-onboarding-events is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-west-2::/restapis/${restApiId} because no identity-based policy allows the apigateway:GET action". This commit adds the missing policy, allowing CloudFormation to update correctly.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

PoeppingT commented 1 year ago

Looks like CloudFormation is actually calling GetRestApi like you suggested. Here you can see the CloudTrail record showing that cloudformation.amazonaws.com called GetRestApi on my REST API using the sb-s3-onboarding-svc-role-us-west-2 role.

Looks like CloudFormation has changed what they're doing behind the scenes.

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxx:sb-s3-onboarding-events",
        "arn": "arn:aws:sts::xxx:assumed-role/sb-s3-onboarding-svc-role-us-west-2/sb-s3-onboarding-events",
        "accountId": "xxx",
        "accessKeyId": "xxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxx",
                "arn": "arn:aws:iam::xxx:role/sb-s3-onboarding-svc-role-us-west-2",
                "accountId": "xxx",
                "userName": "sb-s3-onboarding-svc-role-us-west-2"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-12-14T00:05:57Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2022-12-14T00:08:09Z",
    "eventSource": "apigateway.amazonaws.com",
    "eventName": "GetRestApi",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::xxx:assumed-role/sb-s3-onboarding-svc-role-us-west-2/sb-s3-onboarding-events is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-west-2::/restapis/4bh7syglqj because no identity-based policy allows the apigateway:GET action",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "0425ff01-008d-4a4a-9a08-d20b9e036301",
    "eventID": "56695abe-3798-4861-b768-d77b09bceb4f",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "xxx",
    "eventCategory": "Management"
}
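The record above is the kind of evidence a practitioner uses to close an identity-policy gap: the `errorMessage` names the denied action and the exact resource ARN, `invokedBy` shows CloudFormation made the call on behalf of the onboarding role, and "no identity-based policy allows" confirms the fix belongs in that role's policy rather than in a resource policy. The script below is an added example, not code from aws-saas-boost or from this PR. It parses CloudTrail records, collects AccessDenied events for one role, and emits the least-privilege Allow statement that would satisfy them. The sample input is a constructed, trimmed copy of the record quoted in this thread (account id redacted as `xxx`) plus a constructed successful call for contrast. Widening the REST API id to `*` is this example's assumption about scoping (the id is generated by the stack and differs per deployment, so a template-baked policy cannot name it); the page does not show how the actual PR scoped the resource.

```python
"""Derive the IAM statement a role is missing from CloudTrail AccessDenied records.

Added example, not part of aws-saas-boost. SAMPLE_RECORDS is constructed:
a trimmed copy of the CloudTrail event quoted in the PR thread (account id and
key redacted as xxx) plus a constructed successful call that must be ignored.
"""
import json
import re
from collections import defaultdict

# IAM phrases AccessDenied the same way across services; pull out action and resource ARN.
DENIED_RE = re.compile(
    r"is not authorized to perform: (?P<action>[\w:]+) on resource: (?P<resource>\S+)"
)

SAMPLE_RECORDS = [
    {   # constructed: trimmed from the record in the thread above
        "eventSource": "apigateway.amazonaws.com",
        "eventName": "GetRestApi",
        "awsRegion": "us-west-2",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::xxx:assumed-role/sb-s3-onboarding-svc-role-us-west-2/sb-s3-onboarding-events",
            "sessionContext": {"sessionIssuer": {"userName": "sb-s3-onboarding-svc-role-us-west-2"}},
            "invokedBy": "cloudformation.amazonaws.com",
        },
        "errorCode": "AccessDenied",
        "errorMessage": (
            "User: arn:aws:sts::xxx:assumed-role/sb-s3-onboarding-svc-role-us-west-2/"
            "sb-s3-onboarding-events is not authorized to perform: apigateway:GET on resource: "
            "arn:aws:apigateway:us-west-2::/restapis/4bh7syglqj because no identity-based "
            "policy allows the apigateway:GET action"
        ),
    },
    {   # constructed: a successful call by the same role, carries no errorCode
        "eventSource": "cloudformation.amazonaws.com",
        "eventName": "DescribeStacks",
        "awsRegion": "us-west-2",
        "userIdentity": {
            "type": "AssumedRole",
            "sessionContext": {"sessionIssuer": {"userName": "sb-s3-onboarding-svc-role-us-west-2"}},
        },
    },
]


def issuer_role(record):
    """Name of the IAM role whose session made the call (None for non-role identities)."""
    return (record.get("userIdentity", {}).get("sessionContext", {})
            .get("sessionIssuer", {}).get("userName"))


def collect_denials(records, role_name):
    """Map each denied IAM action to the set of resource ARNs it was denied on, for one role."""
    denials = defaultdict(set)
    for rec in records:
        if rec.get("errorCode") != "AccessDenied" or issuer_role(rec) != role_name:
            continue
        match = DENIED_RE.search(rec.get("errorMessage", ""))
        if match:
            denials[match["action"]].add(match["resource"])
    return denials


def generalize_restapi_arn(arn):
    """Replace a stack-generated REST API id with '*'.

    Assumption of this example: the id is created by the stack and differs per
    deployment, so a policy shipped in the template has to match it by wildcard.
    Region and path stay fixed so the grant does not widen beyond API Gateway.
    """
    return re.sub(r"(:/restapis/)[A-Za-z0-9]+", r"\1*", arn)


def policy_from_denials(denials):
    """Build one Allow statement per denied action, resources deduplicated and sorted."""
    statements = []
    for action in sorted(denials):
        resources = sorted({generalize_restapi_arn(r) for r in denials[action]})
        statements.append({"Effect": "Allow", "Action": [action], "Resource": resources})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    found = collect_denials(SAMPLE_RECORDS, "sb-s3-onboarding-svc-role-us-west-2")
    print(json.dumps(policy_from_denials(found), indent=2))
```

Run against a real CloudTrail export (one JSON object per record) the same way: filter to the onboarding role, then review each generated statement before adding it to the role's policy, since a denial recorded while debugging may be for an action the role should never have.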