dyerc / craft-flux

Craft CMS plugin which integrates with AWS Lambda and CloudFront to process, cache and serve images
https://cdyer.co.uk/plugins/flux

Install Failing #2

Closed thoskam closed 1 year ago

thoskam commented 1 year ago

I'm sure it's something I've done wrong, but I've tried to follow the docs. First, when I try to test the setup, I eventually get a time-out error. So instead I go into manual and enter all my settings. Then I go to Utilities->Flux->Install/Update AWS and it starts the process, only to eventually fail. The error I get back is:

Error executing "UpdateDistribution" on "https://cloudfront.amazonaws.com/2020-05-31/distribution/xxxxxxxxxxxxxxxxx/config"; AWS HTTP error: Client error: PUT https://cloudfront.amazonaws.com/2020-05-31/distribution/xxxxxxxxxxxxxxxxx/config resulted in a 403 Forbidden response: <?xml version="1.0"?> Sender< (truncated...) AccessDenied (client): The user is not authorized to create or assume a service linked role. - <?xml version="1.0"?> SenderAccessDeniedThe user is not authorized to create or assume a service linked role.cd99e80e-ac54-49c9-b7c2-ba0f7f3e52ce

I'm assuming I did something wrong in user creation or perhaps there is something different with the way our AWS account is set up? I'm at a loss.

dyerc commented 1 year ago

Hi @thoskam, sorry to hear you're having an issue. It definitely sounds like something permissions-related.

If it has failed at this point in the install, I would expect the two Lambda functions to have been created in the us-east-1 region? If so, please could you check under the IAM access management area > Roles. There should hopefully be two roles created, one ending -Origin-Response-Role and the other -Viewer-Request-Role. If you open one of them, under Trust Relationships, does it contain the JSON below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "edgelambda.amazonaws.com",
                    "lambda.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Let me know regarding the above and we can figure out what's happening.

dyerc commented 1 year ago

If the policy in my previous comment is all set up correctly, then under your Flux AWS user, in the inline policy, one of the JSON blocks should be:

{
    "Effect": "Allow",
    "Action": [
        "cloudfront:*",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:PutRolePolicy",
        "iam:CreateRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "lambda:*",
        "logs:DescribeLogGroups"
    ],
    "Resource": "*"
},

Would you mind adding iam:CreateServiceLinkedRole to the Action array? I'm wondering if that might fix the issue.
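As an added example (not code from the plugin or from this thread), a small Python check that reproduces the diagnosis above: it expands wildcard actions such as cloudfront:* in the user's inline policy and reports which actions the install step still cannot perform. The "before" policy is the block quoted above; the "after" policy adds iam:CreateServiceLinkedRole in its own statement, scoped with the iam:AWSServiceName condition key so the user can only create CloudFront's service-linked role. The list of required actions is an assumption for illustration.

```python
import fnmatch

# The inline-policy statement quoted in the thread (copied, not invented).
FLUX_STATEMENT = {
    "Effect": "Allow",
    "Action": [
        "cloudfront:*", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:GetRole",
        "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:CreateRole",
        "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:ListRoles",
        "lambda:*", "logs:DescribeLogGroups",
    ],
    "Resource": "*",
}

# Added statement: grant only the missing action, and only for CloudFront's
# service-linked role, using the documented iam:AWSServiceName condition key.
SERVICE_LINKED_ROLE_STATEMENT = {
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*",
    "Condition": {"StringEquals": {"iam:AWSServiceName": "cloudfront.amazonaws.com"}},
}

POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [FLUX_STATEMENT]}
POLICY_AFTER = {"Version": "2012-10-17",
                "Statement": [FLUX_STATEMENT, SERVICE_LINKED_ROLE_STATEMENT]}

# Assumed set of actions the Install/Update AWS step exercises (illustrative).
REQUIRED_ACTIONS = [
    "lambda:CreateFunction", "iam:CreateRole", "iam:PutRolePolicy",
    "cloudfront:UpdateDistribution", "iam:CreateServiceLinkedRole",
]


def allowed_action_patterns(policy):
    """Collect action patterns from Allow statements (Deny and resource/condition
    constraints are deliberately ignored; this is a coarse 'is it granted at all' check)."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        patterns.extend([action] if isinstance(action, str) else action)
    return [p.lower() for p in patterns]  # IAM action names match case-insensitively


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow pattern (e.g. 'lambda:*') covers."""
    patterns = allowed_action_patterns(policy)
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
```

Running missing_actions on POLICY_BEFORE lists only iam:CreateServiceLinkedRole, which is exactly the permission the AccessDenied message complains about; on POLICY_AFTER it lists nothing.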

thoskam commented 1 year ago

That seems to have fixed it! Or at least I get three green check marks under Utilities. Thanks!

dyerc commented 1 year ago

Great! I will add this privilege into the IAM template for the next update. I wanted to try and be as restrictive with Flux's AWS permissions as possible despite it needing several different services.

Hopefully everything will work fine now that you have three green status ticks. If you have any feedback on how Flux could be improved, please don't hesitate to drop me an email.