Amplify, User is not authorized to perform iam:PassRole on resource
So I'm trying to init an existing "react-ts" Amplify project, which has about 8 services configured in it. When I run amplify push, everything seems to be good and successful except the following, for which I get this error:
Resource Name: 2021/10/08/[$LATEST]c1c602b361e347ad83d49f77293e6aae (Custom::LambdaCallout)
Event Type: create
Reason: Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2021/10/08/[$LATEST]c1c602b361e347ad83d49f77293e6aae (RequestId: 90c39ffc-b3ee-4830-ae87-7df3cd3a0770)
and here is the log on CloudWatch for the given address:
2021-10-08T06:28:37.448Z d30823f5-a9f8-4d7e-a823-dd53b298a2fb INFO Response body:
{
  "Status": "FAILED",
  "Reason": "See the details in CloudWatch Log Stream: 2021/10/08/[$LATEST]3b533dd8fb9a43bc921cfe635d2bc945",
  "PhysicalResourceId": "2021/10/08/[$LATEST]3b533dd8fb9a43bc921cfe635d2bc945",
  "StackId": "arn:aws:cloudformation:us-east-1:474847889857:stack/amplify-storyliner-staging-44500-authstorylinerb9277983-1V5J90W5KFK1A/cef02b40-2800-11ec-bcb5-0adb3c7f2f15",
  "RequestId": "f7b5fc9e-0a46-43ae-bf7e-eb19fb81285e",
  "LogicalResourceId": "MFALambdaInputs",
  "NoEcho": false,
  "Data": {
    "err": {
      "message": "User: arn:aws:sts::474847889857:assumed-role/storylb9277983_totp_lambda_role-staging/amplify-storyliner-staging-44500-authsto-MFALambda-tA8KTT12iWvY is not authorized to perform: iam:PassRole on resource: arn:aws:iam::474847889857:role/snsb927798344500-staging because no identity-based policy allows the iam:PassRole action",
      "code": "AccessDeniedException",
      "time": "2021-10-08T06:28:37.445Z",
      "requestId": "3978bf89-5872-460d-b991-c3cd4e5280e1",
      "statusCode": 400,
      "retryable": false,
      "retryDelay": 38.192028876441576
    }
  }
}
I tried to create the role "snsb927798344500-staging" and add the needed policies, but once I try to re-run the amplify push command I get an error saying snsb927798344500-staging already exists. So I think it is Amplify that creates the role on every push and deletes it after the process fails, which is the reason I'm not able to see the "snsb927798344500-staging" role again after the push process.
That specific message appears to be related to this GitHub issue on the CLI: https://github.com/aws-amplify/amplify-cli/issues/8363
We ran into the same issue today, and the below fixed it for us.
Solution copied here:
This issue is due to a missing policy in the MFALambda role, which was fixed in #7729. Could you try adding the following policy to your auth CloudFormation and see if that fixes the issue. The part that you need to add is the policy with the name corecocf3573d0_sns_pass_role_policy
# Snippet
MFALambdaRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName:
      Fn::If:
        - ShouldNotCreateEnvResources
        - corecocf3573d0_totp_lambda_role
        - Fn::Join:
            - ''
            - - corecocf3573d0_totp_lambda_role
              - '-'
              - Ref: env
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
    Policies:
      # Existing policy: the Lambda may pass its own role
      - PolicyName: corecocf3573d0_totp_pass_role_policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - iam:PassRole
              Resource:
                Fn::If:
                  - ShouldNotCreateEnvResources
                  - arn:aws:iam:::role/corecocf3573d0_totp_lambda_role
                  - Fn::Join:
                      - ''
                      - - arn:aws:iam:::role/corecocf3573d0_totp_lambda_role
                        - '-'
                        - Ref: env
      # New policy: the Lambda may also pass the SNS role, and only that role
      - PolicyName: corecocf3573d0_sns_pass_role_policy
        PolicyDocument:
          # Quoted so that YAML loaders do not read the version as a date
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - 'iam:PassRole'
              Resource: !GetAtt SNSRole.Arn
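To see why the added policy clears the AccessDeniedException, and to check a role's inline policies before running amplify push, here is a small evaluator added for this page (it is not Amplify's code and not from the linked issue). It models IAM's identity-based policy decision for one action/resource pair the way the error message describes it (an explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny) over the MFA Lambda role's inline policies as they appear in the snippet with the intrinsic functions resolved for the "staging" environment, and it flags any PassRole grant broad enough to pass an unrelated role, which is the least-privilege point of scoping the new policy to !GetAtt SNSRole.Arn rather than "*". The account id, the canary role ARN, the function names and the policy lists are constructed placeholders; statements using Condition, NotAction or NotResource are rejected rather than guessed at.

```python
"""Offline check for the iam:PassRole error above (added example; not Amplify code)."""
import re

# Constructed placeholders: a fake account id and role ARNs shaped like the ones
# in the question and the fix. The canary is a role the Lambda should never pass.
ACCOUNT = "123456789012"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/corecocf3573d0_totp_lambda_role-staging"
SNS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/snsb927798344500-staging"
CANARY_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/UnrelatedAdminRole"


def _as_list(value):
    """IAM allows either a bare string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one.
    Everything else is literal (no [] character classes, unlike fnmatch)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policies, action, resource):
    """Decide one action/resource pair against identity-based policies as IAM does:
    an explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny.
    Action names compare case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["PolicyDocument"]["Statement"]):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                raise NotImplementedError("only plain Action/Resource statements are modelled")
            if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def overbroad_passrole(policies):
    """Names of policies whose Allow statements let the principal pass the canary role,
    i.e. PassRole on '*' or on a pattern far wider than the one role that is needed."""
    names = []
    for policy in policies:
        for stmt in _as_list(policy["PolicyDocument"]["Statement"]):
            if stmt["Effect"] != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            if not any(_iam_match(a, "iam:PassRole", True) for a in actions):
                continue
            if any(_iam_match(r, CANARY_ROLE_ARN) for r in _as_list(stmt.get("Resource", []))):
                names.append(policy["PolicyName"])
    return names


def mfa_lambda_policies(with_sns_pass_role):
    """Inline policies of the MFA Lambda role as in the snippet above, with the
    intrinsic functions already resolved for the 'staging' environment.
    with_sns_pass_role=False is the state that produced the AccessDeniedException."""
    policies = [{
        "PolicyName": "corecocf3573d0_totp_pass_role_policy",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": LAMBDA_ROLE_ARN}]},
    }]
    if with_sns_pass_role:
        policies.append({
            "PolicyName": "corecocf3573d0_sns_pass_role_policy",
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": SNS_ROLE_ARN}]},
        })
    return policies


if __name__ == "__main__":
    for fixed in (False, True):
        pols = mfa_lambda_policies(fixed)
        print(f"sns pass-role policy present={fixed}: "
              f"PassRole on SNS role allowed={is_allowed(pols, 'iam:PassRole', SNS_ROLE_ARN)}, "
              f"overbroad policies={overbroad_passrole(pols)}")
```

Against a live account the same question can be put to IAM itself with the policy simulator, for example aws iam simulate-principal-policy --policy-source-arn <MFA Lambda role ARN> --action-names iam:PassRole --resource-arns <SNS role ARN>, which also accounts for conditions, permission boundaries and SCPs that this offline model leaves out.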