riboseinc / terraform-aws-iam-authenticating-group

Dynamically manage IAM group membership through an authenticated HTTPS endpoint

{"message":"Forbidden"} after updating #20

Closed erikbor closed 6 years ago

erikbor commented 6 years ago

Hi @phuonghuynh,

After the "Use custom logname for API gateway" merge, we ran terraform init -upgrade && terraform get -update. When I then tried to authenticate against the endpoint using aws-authenticating-secgroup-scripts/post_it.sh I got the following response:

> POST-ing https://a4lk2q5jp9.execute-api.us-west-2.amazonaws.com/dev/membership
HTTP/1.1 403 Forbidden
Content-Type: application/json
Content-Length: 23
Connection: keep-alive
Date: Mon, 11 Jun 2018 08:43:53 GMT
x-amzn-RequestId: 9257c9ee-1e53-11e8-93f3-5f9cce541c51
x-amzn-ErrorType: ForbiddenException
x-amz-apigw-id: IK1rjANFZHtF-_g=
X-Cache: Error from cloudfront
Via: 1.1 d3b07384d113edec49eaa6238ad5ff00.cloudfront.net (CloudFront)
X-Amz-Cf-Id: f1d2d2f924e986Ac86fdf7b36c94bcdf32beec15==

{"message":"Forbidden"}

When I deleted the Lambda and endpoint resources and ran terraform apply again I was able to successfully authenticate.

I have seen this behaviour previously but wasn't able to replicate. Can you please investigate? Many thanks

phuonghuynh commented 6 years ago

Yes

ronaldtse commented 6 years ago

@erikbor could you give a bit more detail here since @phuonghuynh can’t reproduce?

I believe this issue is that the newly re-created lambda function gets unlinked with the previously created IAM policy for the lambda function.
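One way to test that hypothesis, as an added example that is not code from this thread or from the module: fetch the function's resource policy (the "Policy" JSON string that `aws lambda get-policy` returns) and check whether it still grants `apigateway.amazonaws.com` the right to invoke the function for the execute-api ARN of the failing call. The API id, region, stage and path come from the request in the report; the account id, function name and policy contents are constructed placeholders.

```python
"""Check whether a Lambda resource policy still lets API Gateway invoke the
function for a given execute-api source ARN (hypothesis from the thread)."""
import fnmatch
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_allows_apigw(stmt, source_arn):
    """True if one statement lets apigateway.amazonaws.com invoke the
    function for source_arn, honouring ArnLike/ArnEquals SourceArn conditions."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    if principal != "*" and "apigateway.amazonaws.com" not in services:
        return False
    if "lambda:InvokeFunction" not in _as_list(stmt.get("Action", [])):
        return False
    cond = stmt.get("Condition", {})
    patterns = []
    for op in ("ArnLike", "ArnEquals"):
        patterns += _as_list(cond.get(op, {}).get("AWS:SourceArn", []))
    if not patterns:
        return True  # no SourceArn condition: any API in the account may invoke
    return any(fnmatch.fnmatchcase(source_arn, p) for p in patterns)

def policy_allows_apigw(policy_json, source_arn):
    """True if any statement of the policy document grants the invoke."""
    policy = json.loads(policy_json)
    return any(statement_allows_apigw(s, source_arn)
               for s in _as_list(policy.get("Statement", [])))

def fetch_policy(function_name, region):
    """Live lookup with boto3 (needs AWS credentials); returns the policy string."""
    import boto3
    return boto3.client("lambda", region_name=region).get_policy(
        FunctionName=function_name)["Policy"]

# Constructed sample: the statement aws_lambda_permission writes for the API in
# the report (id a4lk2q5jp9, us-west-2); 123456789012 is a placeholder account.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAPIGatewayInvoke", "Effect": "Allow",
    "Principal": {"Service": "apigateway.amazonaws.com"},
    "Action": "lambda:InvokeFunction",
    "Resource": "arn:aws:lambda:us-west-2:123456789012:function:membership",
    "Condition": {"ArnLike": {"AWS:SourceArn":
        "arn:aws:execute-api:us-west-2:123456789012:a4lk2q5jp9/*/POST/membership"}}}]})
# Source ARN API Gateway presents for the POST /dev/membership call in the report.
REQUEST_ARN = "arn:aws:execute-api:us-west-2:123456789012:a4lk2q5jp9/dev/POST/membership"
```

If the check passes on the live policy, the 403 is unlikely to be an invoke-permission problem (API Gateway normally reports a Lambda it cannot invoke as a 500), so the next thing to confirm is that the stage in the URL still exists after the redeploy.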