awslabs / clickstream-analytics-on-aws

Build clickstream analytics on AWS for your mobile and web applications
https://aws.amazon.com/solutions/implementations/clickstream-analytics-on-aws/
Apache License 2.0

insufficient permission when creating ingestion server without existing service link role of AGA #259

Closed zxkane closed 1 year ago

zxkane commented 1 year ago

Summary

Failed to create the ingestion server with insufficient permission

Steps to reproduce

  1. create a project
  2. create an ingestion server with AGA

What is the current bug behavior?

What is the expected correct behavior?

Relevant logs and/or screenshots

Resource handler returned message: "User: arn:aws:sts::123456789012:assumed-role/xxx-clickstream-ClickStreamApiStackActio-1K5K4UTZSFHVA/gcr-solutions-clickstream-ClickStreamApiStackActio-l2PreoxogsBW is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::123456789012:role/aws-service-role/globalaccelerator.amazonaws.com/AWSServiceRoleForGlobalAccelerator because no identity-based policy allows the iam:CreateServiceLinkedRole action

Possible fixes


This is :bug: Bug Report

zxkane commented 1 year ago

Might @jingnanl have a try?

jingnanl commented 1 year ago

I tried to reproduce the issue locally but didn't see the problem. I used the latest build and successfully created a pipeline with an ingestion server that had Global Accelerator enabled in ap-southeast-1. Did I miss any configuration needed to reproduce the issue?

zxkane commented 1 year ago

You need to make sure there is no IAM service-linked role for Global Accelerator. Delete it if you already have the role in your account.
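
The error in the report names the missing action and the exact service-linked role ARN, which is enough to derive a narrowly scoped grant. The following is an added example, not the project's fix or code from this thread: it parses that message and builds an IAM statement limited to that one role and, through the `iam:AWSServiceName` condition key, to that one service. The principal and session names in the sample message are constructed; the function names are hypothetical.

```python
import json
import re

# Constructed sample modelled on the error in the report (placeholder role/session names).
SAMPLE_ERROR = (
    "User: arn:aws:sts::123456789012:assumed-role/example-deploy-role/example-session "
    "is not authorized to perform: iam:CreateServiceLinkedRole on resource: "
    "arn:aws:iam::123456789012:role/aws-service-role/globalaccelerator.amazonaws.com/"
    "AWSServiceRoleForGlobalAccelerator because no identity-based policy allows "
    "the iam:CreateServiceLinkedRole action"
)

DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
)
# Service-linked roles always live under the aws-service-role/<service>/ path.
SLR_ARN = re.compile(
    r"^arn:[\w-]+:iam::\d{12}:role/aws-service-role/"
    r"(?P<service>[a-z0-9.-]+)/(?P<role>[\w+=,.@-]+)$"
)

def parse_denied(message):
    """Extract principal, action and resource from an IAM access-denied message."""
    m = DENIED.search(message)
    if not m:
        raise ValueError("not an IAM access-denied message")
    return m.groupdict()

def slr_statement(message):
    """Build a statement that allows creating only the role named in the error."""
    denied = parse_denied(message)
    if denied["action"] != "iam:CreateServiceLinkedRole":
        raise ValueError("message is about a different action: " + denied["action"])
    arn = SLR_ARN.match(denied["resource"])
    if not arn:
        raise ValueError("resource is not a service-linked role ARN")
    return {
        "Effect": "Allow",
        "Action": "iam:CreateServiceLinkedRole",
        "Resource": denied["resource"],  # one role, not "*"
        # Restrict which service the role may be created for.
        "Condition": {"StringEquals": {"iam:AWSServiceName": arn["service"]}},
    }

if __name__ == "__main__":
    print(json.dumps(slr_statement(SAMPLE_ERROR), indent=2))
```

The statement would be attached to the role named in the `User:` part of the message, which is the role that performs the deployment.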