Got error Aws::CloudFormation::Errors::AccessDenied

galetahub commented 4 years ago

Checklist

[x] Upgrade Jets: Are you using the latest version of Jets? This allows Jets to fix issues fast. There's a jets upgrade command that makes this a simple task. There's also an Upgrading Guide: http://rubyonjets.com/docs/upgrading/
[x] Reproducibility: Are you reporting a bug others will be able to reproduce and not asking a question. If you're unsure or want to ask a question, do so on https://community.rubyonjets.com
[-] Code sample: Have you put together a code sample to reproduce the issue and make it available? Code samples help speed up fixes dramatically. If it's an easily reproducible issue, then code samples are not needed. If you're unsure, please include a code sample.

My Environment

Software	Version
Operating System	Linux
Jets	2.3.12
Ruby	ruby 2.5.7p206

Expected Behaviour

No errors raises

Current Behavior

After I had setup sentry (before this all works fine), I'm getting errors like this:

Aws::CloudFormation::Errors::AccessDenied: User: arn:aws:sts::xxx:assumed-role/xxx-stag-JetsP-JetsPreheatJobIamRole-xxx/xxx-stag-jets-preheat_job-warm is not authorized to perform: cloudformation:DescribeStackResources
  from seahorse/client/plugins/raise_response_errors.rb:15:in `call'
  from aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'
  from aws-sdk-core/plugins/idempotency_token.rb:17:in `call'
  from aws-sdk-core/plugins/param_converter.rb:24:in `call'
  from aws-sdk-core/plugins/response_paging.rb:10:in `call'
  from seahorse/client/plugins/response_target.rb:23:in `call'
  from seahorse/client/request.rb:70:in `send_request'
  from aws-sdk-cloudformation/client.rb:2245:in `describe_stack_resources'
  from jets/commands/call/base_guesser.rb:52:in `stack_resources'
  from jets/commands/call/base_guesser.rb:41:in `generated_function_name'
  from jets/commands/call/base_guesser.rb:33:in `function_name'
  from jets/commands/call/guesser.rb:30:in `function_name'
  from jets/commands/call.rb:22:in `function_name'
  from jets/commands/call.rb:56:in `remote_run'
  from jets/commands/call.rb:29:in `run'
  from jets/preheat.rb:26:in `warm'
  from jets/preheat.rb:36:in `block (2 levels) in warm_all'

And this error does not depend on lambda call https://i.imgur.com/1EVK0Bc.png (maybe warm function) Because it's a test environment and we don't have any request for it

Step-by-step reproduction instructions

Just add 'sentry-jets' gem to Gemfile

antoinemacia commented 4 years ago

Seconded, getting the exact same error

JetsPreheatJob-JetsPreheatJobIamRole-xxx/cas-jets-prod-jets-preheat_job-warm is not authorized to perform: cloudformation:DescribeStackResources

antoinemacia commented 4 years ago

@galetahub did you had any luck with this?

The warm lambda role seemed to had missing permissions (I've gave it full cloudformation access for debugging purposes) but it is now raising a validation error from CloudFormation on invocation

Aws::CloudFormation::Errors::ValidationError Either StackName or PhysicalResourceId must be specified.

There doesn't seen to be anything new and relevant from AWS changelog either

dkobia commented 4 years ago

Have the same issue here: Either StackName or PhysicalResourceId must be specified.

tongueroo commented 4 years ago

Also reported on the community forums https://community.rubyonjets.com/t/cloudformation-error-either-stackname-or-physicalresourceid-must-be-specified/424/2 Unsure right now 🧐

tongueroo commented 4 years ago

Unsure on the Aws::CloudFormation::Errors::AccessDenied error. But the Aws::CloudFormation::Errors::ValidationError Either StackName or PhysicalResourceId must be specified error was handled in #461 Closing, but if you're still getting AcessDenied, open it back up.

dkobia commented 4 years ago

@tongueroo fantastic! Now I can turn cloudwatch alarms back on. I was really getting spammed by this error. Thanks again for your hard work.

rubyonjets / jets