When trying to deploy the resources below, I am getting the following error for Custom::VpcRestrictDefaultSG resource:
Message returned: UnauthorizedOperation: You are not authorized to perform this operation. User:
arn:aws:sts::<account number>:assumed-role/MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf/MyStack-CustomVpcRestrictDefaultSGCustomR-asdfasdf
is not authorized to perform: ec2:AuthorizeSecurityGroupIngress
on resource: arn:aws:ec2:us-east-1:<account number>:security-group/sg-123412341234
because no identity-based policy allows the ec2:AuthorizeSecurityGroupIngress action.
Please let me know how to fix this.
// Role
const lambdaRole = new iam.Role(this, 'lambda_role', {
roleName: "lambdaRole",
assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
})
const trustedRole = new iam.Role(this, 'trusted_role', {
roleName: "trustedRole",
assumedBy: new iam.ArnPrincipal(lambdaRole.roleArn)
})
lambdaRole.addToPolicy(
new iam.PolicyStatement({
resources: [trustedRole.roleArn],
actions: ['sts:AssumeRole']
})
)
lambdaRole.addToPolicy(
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
resources: ['*'],
actions: [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress"
]
})
)
trustedRole.addToPolicy(
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
resources: ['*'],
actions: [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress"
]
})
)
const vpc = new ec2.Vpc(this, "vpc", {
ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/20'),
natGateways: 1,
maxAzs: 2,
subnetConfiguration: [
{
name: 'private-subnet-1',
subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
cidrMask: 26
},
{
name: 'public-subnet-1',
subnetType: ec2.SubnetType.PUBLIC,
cidrMask: 26
}
]
})
// vpc SecurityGroup
const securityGroup = new ec2.SecurityGroup(this, 'security_group', {
vpc: vpc,
allowAllOutbound: true
})
// Get lists of Subnets by type
var privateSubnets = vpc.privateSubnets;
// Create Subnet group list to be used with Neptune.
const neptuneSubnets: ec2.SubnetSelection = { subnets: privateSubnets };
console.log(neptuneSubnets)
const subnetGroup = new neptune.SubnetGroup(this, 'subnet_group', {
vpc: vpc,
vpcSubnets: {
subnets: privateSubnets
}
})
Where can I edit the permissions for the IAM role that is used to cdk-deploy?
To address your question: I'm not sure, but I think the principal that assumes the role (assumed-role/MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf/MyStack-CustomVpcRestrictDefaultSGCustomR-asdfasdf) is the lambda role.
Do you happen to know how to interpret the structure of "assumed-role/MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf/MyStack-CustomVpcRestrictDefaultSGCustomR-asdfasdf" ? The first part "MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf" is likely the 'lambdaRole', but not sure why there is a second part "MyStack-CustomVpcRestrictDefaultSGCustomR-asdfasdf"