CUDOS Dashboard - Terraform Module Deployment Error


Has anyone got an error with S3 bucket permissions denied when deploying the CUDOS Terraform Module via pipeline? If yes, how did you resolve it? I have not modified anything in the module on GitHub and am using the GitHub location in the module, deploying via a pipeline. But I am getting the below:

| The following resource(s) failed to create: [CidExecRole, QuickSightDataSourceRole, CidResourceLambdaLayer, ProcessPathLambdaExecutionRole, InitLambdaExecutionRole]. Rollback requested by user." "Resource creation cancelled" "Resource creation cancelled" "Resource creation cancelled" "Resource creation cancelled" "Resource handler returned message: "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for aws-managed-cost-intelligence-dashboards-us-east-1/cid-resource-lambda-layer/cid-0.2.46.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException |

module "cid_dashboards" {
  source          = "github.com/aws-samples/aws-cudos-framework-deployment//terraform-modules/cid-dashboards"
  stack_name      = "Cloud-Intelligence-Dashboards"
  template_bucket = "****************************"
  stack_parameters = {
    "PrerequisitesQuickSight"              = "yes"
    "PrerequisitesQuickSightPermissions"   = "yes"
    "QuickSightUser"                       = "***************************"
    "CURBucketPath"                        = "s3://****************************************************/"
    "OptimizationDataCollectionBucketPath" = "s3://***********************************/"
    "AthenaQueryResultsBucket"             = "*************************"
    "AthenaWorkgroup"                      = "***********************"
    "DatabaseName"                         = "******************"
    "CURTableName"                         = "********************"
    "DeployCUDOSDashboard"                 = "yes"
    "DeployCostIntelligenceDashboard"      = "yes"
    "DeployKPIDashboard"                   = "yes"
    "DeployComputeOptimizerDashboard"      = "yes"
    "DeployTAODashboard"                   = "yes"
  }
}

2 Answers

Accepted Answer

The user or role your pipeline is using to deploy the module must have s3:GetObject permissions on the Lambda layer object in S3. For deployment to us-east-1, you can do so by adding the below IAM policy statement to your deployment user/role's IAM policies. For other regions, replace the us-east-1 in the bucket name with the correct region.

{
  "Sid": "ReadLambdaLayerS3",
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::aws-managed-cost-intelligence-dashboards-us-east-1/cid-resource-lambda-layer/*"
}

You can review the full set of minimal permissions necessary to deploy CUDOS dashboards, as well as a CloudFormation template to deploy a role with those permissions, on the Cloud Intelligence Dashboard Alternate Deployment Methods page.

AWS
answered 3 months ago
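
An offline pre-flight check for the permission described in the accepted answer, added here as an example (not code from the CUDOS project or from either answer): it tests whether a deployment role's identity policy document allows s3:GetObject on the layer object for a given region. The function names and the sample policy are constructed, and the evaluation is simplified on purpose (identity policy only; statements using Condition, NotAction or NotResource are skipped).

```python
import fnmatch

# Bucket name pattern and object key as quoted in the error message and the answer.
BUCKET_TEMPLATE = "aws-managed-cost-intelligence-dashboards-{region}"
LAYER_KEY = "cid-resource-lambda-layer/cid-0.2.46.zip"

def layer_object_arn(region):
    """ARN of the Lambda layer object the stack fetches in the given region."""
    return f"arn:aws:s3:::{BUCKET_TEMPLATE.format(region=region)}/{LAYER_KEY}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold=False):
    """IAM-style '*' and '?' wildcards; fold=True for case-insensitive action names."""
    norm = (lambda s: s.lower()) if fold else (lambda s: s)
    # '[' has no special meaning in IAM patterns, so neutralise it for fnmatch.
    return any(fnmatch.fnmatchcase(norm(value), norm(p).replace("[", "[[]"))
               for p in patterns)

def can_read_layer(policy, region):
    """Return 'allow', 'deny' or 'missing' for s3:GetObject on the layer object."""
    arn = layer_object_arn(region)
    verdict = "missing"
    for stmt in _as_list(policy.get("Statement", [])):
        # Assumption: conditional / negated statements are out of scope and skipped.
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            continue
        if not _matches(_as_list(stmt.get("Action", [])), "s3:GetObject", fold=True):
            continue
        if not _matches(_as_list(stmt.get("Resource", [])), arn):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"  # an explicit deny overrides any allow
        if stmt.get("Effect") == "Allow":
            verdict = "allow"
    return verdict

# Constructed sample: a pipeline role policy carrying only the answer's statement.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadLambdaLayerS3", "Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::aws-managed-cost-intelligence-dashboards-us-east-1"
                "/cid-resource-lambda-layer/*"}]}

if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        print(region, can_read_layer(SAMPLE_POLICY, region))
```

A result of "allow" covers only the caller's identity policy; bucket-side access, permission boundaries and organization policies are not modelled.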

Thank you for your response! I found out that there was a new release right at the time when I was deploying the dashboard. As per our AWS TAM, the bucket may not have been public yet due to the release, causing the error. I tried again the next day and was past this error.

Bijal
answered 3 months ago
