Closed thoskam closed 1 year ago
Hi @thoskam, sorry to hear you're having an issue. It definitely sounds like something permissions related.
If it has failed at this point in the install, I would expect the two Lambda functions to have been created in the us-east-1 region? If so, please could you check under the IAM access management area > Roles. There should hopefully be two roles created, one ending -Origin-Response-Role and the other -Viewer-Request-Role. If you open one of them, under Trust Relationships, does it contain the json below:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "edgelambda.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Let me know regarding the above and we can figure out what's happening.
If the policy in my previous comment is all set up correctly, then under your Flux AWS user, in the inline policy, one of the json blocks should be:
```json
{
  "Effect": "Allow",
  "Action": [
    "cloudfront:*",
    "iam:GetPolicy",
    "iam:GetPolicyVersion",
    "iam:GetRole",
    "iam:GetRolePolicy",
    "iam:PutRolePolicy",
    "iam:CreateRole",
    "iam:ListAttachedRolePolicies",
    "iam:ListRolePolicies",
    "iam:ListRoles",
    "lambda:*",
    "logs:DescribeLogGroups"
  ],
  "Resource": "*"
},
```
Would you mind adding iam:CreateServiceLinkedRole to the Action array. I'm wondering if that might fix the issue?
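As an added offline check (example code written for this page, not Flux's own code or anything posted in the thread), the two policy fragments above can be evaluated locally: the evaluator reports which actions the inline statement fails to grant and whether a role trust policy admits both Lambda@Edge service principals. The sample policies and the required-action list are constructed from the JSON quoted in the thread, and Resource/Condition matching is deliberately left out because the statement uses Resource "*".

```python
import fnmatch

# Constructed copy of the inline-policy statement quoted in the thread (not fetched from AWS).
FLUX_STATEMENT = {
    "Effect": "Allow",
    "Action": ["cloudfront:*", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole",
               "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:CreateRole",
               "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:ListRoles",
               "lambda:*", "logs:DescribeLogGroups"],
    "Resource": "*",
}
# Constructed trust policy matching the one the maintainer asked to check on the two roles.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {
    "Service": ["edgelambda.amazonaws.com", "lambda.amazonaws.com"]}, "Action": "sts:AssumeRole"}]}
# Lambda@Edge execution roles must trust both service principals.
LAMBDA_AT_EDGE_PRINCIPALS = {"edgelambda.amazonaws.com", "lambda.amazonaws.com"}
# What the failing UpdateDistribution call needed, per the AccessDenied error in the thread.
REQUIRED_ACTIONS = ["cloudfront:UpdateDistribution", "iam:CreateServiceLinkedRole"]

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and accept * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_allowed(statements, action):
    """Explicit Deny beats Allow; an unmatched action is implicitly denied.
    Resource and Condition are ignored since the thread's statement uses Resource "*"."""
    allowed = False
    for stmt in statements:
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed

def missing_actions(statements, required=REQUIRED_ACTIONS):
    """Required actions the statements do not grant; these are what to add to the Action array."""
    return [a for a in required if not is_allowed(statements, a)]

def missing_trust_principals(trust_policy):
    """Lambda@Edge service principals the trust policy does not let assume the role."""
    trusted = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action")):
            trusted.update(_as_list(stmt.get("Principal", {}).get("Service")))
    return sorted(LAMBDA_AT_EDGE_PRINCIPALS - trusted)
```

Run against the thread's statement, `missing_actions([FLUX_STATEMENT])` returns only `iam:CreateServiceLinkedRole`, which matches the fix that resolved the issue.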
That seems to have fixed it! - or at least I get three green check marks under Utilities. Thanks!
Great! I will add this privilege into the IAM template for the next update. I wanted to try and be as restrictive with Flux's AWS permissions as possible despite it needing several different services.
Hopefully everything will work fine now you have three green status ticks. If you have any feedback on how Flux could be improved please don't hesitate to drop me an email.
I'm sure it's something I've done wrong but I've tried to follow the docs - first, when I try to test the setup, I eventually get a time-out error. So instead I go into manual and enter all my settings. Then I go to Utilities->Flux->Install/Update AWS and it starts the process only to eventually fail. The error I get back is:
```
Error executing "UpdateDistribution" on "https://cloudfront.amazonaws.com/2020-05-31/distribution/xxxxxxxxxxxxxxxxx/config"; AWS HTTP error: Client error: Sender < (truncated...) AccessDenied (client): The user is not authorized to create or assume a service linked role. - <?xml version="1.0"?> Sender The user is not authorized to create or assume a service linked role. cd99e80e-ac54-49c9-b7c2-ba0f7f3e52ce
PUT https://cloudfront.amazonaws.com/2020-05-31/distribution/xxxxxxxxxxxxxxxxx/config
resulted in a 403 Forbidden
response: <?xml version="1.0"?>AccessDenied
```
I'm assuming I did something wrong in user creation or perhaps there is something different with the way our AWS account is set up? I'm at a loss.