AWS SAM CLI: Deploy AWS Lambda with least privilege access

0

I'm trying to deploy the hello world quickstart AWS Lambda function created by the AWS SAM CLI template with least privilege access. For this I have created an IAM Policy, and assigned this policy to a user whose access_key_id and aws_secret_access_key are being used by SAM CLI. Also, I have created a private S3 bucket.

When I'm trying to use the `sam deploy --guided --s3-bucket 'name-of-already-created-bucket'` command, I'm getting an error which says:

`Error: Failed to create managed resources: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once`

Can anyone please help me understand what the cause of this error can be, and how it can be resolved?

IAM Permissions granted to SAM CLI:

  1. CloudFormation: DescribeStacks, DescribeChangeSet, GetTemplate, CreateChangeSet, DeleteStack, ExecuteChangeSet
  2. Lambda: CreateFunction
  3. S3: PutObject
1 Answer
0

There are likely to be other permissions required. If you look at the CloudFormation console (or use the `aws cloudformation describe-stack-events --stack-name <stackname>` command) you will be able to see which resource failed to create and that should point to the permission that you require.

AWS
EXPERT
answered 2 years ago
  • I have tried to run the command `aws cloudformation describe-stack-events --stack-name <stackname>`. Initially, I was getting a message that the SAM CLI does not have permission to describe stack events, so I added the permission of describe stack events in the IAM Policy. After that, when I tried to run the same command again, I got an error message that the stack does not exist and also the AWS Console is not showing any stack.

  • When a new stack deployment fails and it rolls back (deleting all the resources) it only stays in the CloudFormation console for a short time. You'll need to try the deployment again then run that command immediately afterwards.
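As an added example (not code from the question, the answer or AWS), a small parser for `describe-stack-events` output that picks out the root-cause `CREATE_FAILED` event and the IAM action named in its reason, so the deployer policy can be extended one action at a time. The events below are constructed; the `iam:CreateRole` denial only illustrates the usual "is not authorized to perform: <service>:<Action>" wording of AWS access-denied reasons and is not a diagnosis of the asker's stack.

```python
import json
import re

# Constructed sample modelled on `aws cloudformation describe-stack-events`
# output (newest event first, as the API returns them). Account id, stack and
# role names are placeholders, not values from the original question.
SAMPLE_EVENTS_JSON = """
{"StackEvents": [
 {"Timestamp": "2023-01-01T10:00:05Z", "LogicalResourceId": "hello-sam",
  "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "ROLLBACK_COMPLETE"},
 {"Timestamp": "2023-01-01T10:00:03Z", "LogicalResourceId": "HelloWorldFunction",
  "ResourceType": "AWS::Lambda::Function", "ResourceStatus": "CREATE_FAILED",
  "ResourceStatusReason": "Resource creation cancelled"},
 {"Timestamp": "2023-01-01T10:00:02Z", "LogicalResourceId": "HelloWorldFunctionRole",
  "ResourceType": "AWS::IAM::Role", "ResourceStatus": "CREATE_FAILED",
  "ResourceStatusReason": "API: iam:CreateRole User: arn:aws:iam::123456789012:user/sam-deployer is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789012:role/hello-sam-HelloWorldFunctionRole-ABC123 because no identity-based policy allows the iam:CreateRole action"},
 {"Timestamp": "2023-01-01T10:00:00Z", "LogicalResourceId": "hello-sam",
  "ResourceType": "AWS::CloudFormation::Stack", "ResourceStatus": "CREATE_IN_PROGRESS",
  "ResourceStatusReason": "User Initiated"}
]}
"""

# Matches the "<service>:<Action>" token in an AWS access-denied reason.
DENIED_ACTION = re.compile(r"not authorized to perform: ([a-z0-9-]+:[A-Za-z0-9]+)")


def root_cause_failures(events_json):
    """Return the CREATE_FAILED events that are real root causes, oldest first.

    Once one resource fails, CloudFormation cancels every other in-flight
    resource with reason 'Resource creation cancelled'; those events are noise
    and are dropped so only the first genuine failure remains.
    """
    events = json.loads(events_json)["StackEvents"]
    failed = [
        e for e in events
        if e.get("ResourceStatus") == "CREATE_FAILED"
        and not e.get("ResourceStatusReason", "").startswith("Resource creation cancelled")
    ]
    # ISO-8601 timestamps in one format sort correctly as strings.
    return sorted(failed, key=lambda e: e["Timestamp"])


def missing_permissions(events_json):
    """Map each root-cause failed resource to the IAM action its reason names."""
    result = {}
    for e in root_cause_failures(events_json):
        m = DENIED_ACTION.search(e.get("ResourceStatusReason", ""))
        if m:
            result[e["LogicalResourceId"]] = m.group(1)
    return result


if __name__ == "__main__":
    for rid, action in missing_permissions(SAMPLE_EVENTS_JSON).items():
        print(f"{rid}: deployer identity lacks {action}")
```

Feed it the JSON saved from `aws cloudformation describe-stack-events --stack-name <stackname> --output json` immediately after a failed deploy, before the rolled-back stack disappears.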
