Amplify, User is not authorized to perform iam:PassRole on resource

【Title】Amplify, User is not authorized to perform iam:PassRole on resource 【Posted】2021-11-28 04:38:27 【Question】:

So I'm trying to bring up an existing "react-ts" Amplify project that has about 8 services configured. When I run amplify push everything seems to go fine and succeed, except for the following, where I get this error:

Resource Name: 2021/10/08/[$LATEST]c1c602b361e347ad83d49f77293e6aae (Custom::LambdaCallout)
Event Type: create
Reason: Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2021/10/08/[$LATEST]c1c602b361e347ad83d49f77293e6aae (RequestId: 90c39ffc-b3ee-4830-ae87-7df3cd3a0770)

Here is the CloudWatch log at the given address:

2021-10-08T06:28:37.448Z    d30823f5-a9f8-4d7e-a823-dd53b298a2fb    INFO    Response body:
{
    "Status": "FAILED",
    "Reason": "See the details in CloudWatch Log Stream: 2021/10/08/[$LATEST]3b533dd8fb9a43bc921cfe635d2bc945",
    "PhysicalResourceId": "2021/10/08/[$LATEST]3b533dd8fb9a43bc921cfe635d2bc945",
    "StackId": "arn:aws:cloudformation:us-east-1:474847889857:stack/amplify-storyliner-staging-44500-authstorylinerb9277983-1V5J90W5KFK1A/cef02b40-2800-11ec-bcb5-0adb3c7f2f15",
    "RequestId": "f7b5fc9e-0a46-43ae-bf7e-eb19fb81285e",
    "LogicalResourceId": "MFALambdaInputs",
    "NoEcho": false,
    "Data": {
        "err": {
            "message": "User: arn:aws:sts::474847889857:assumed-role/storylb9277983_totp_lambda_role-staging/amplify-storyliner-staging-44500-authsto-MFALambda-tA8KTT12iWvY is not authorized to perform: iam:PassRole on resource: arn:aws:iam::474847889857:role/snsb927798344500-staging because no identity-based policy allows the iam:PassRole action",
            "code": "AccessDeniedException",
            "time": "2021-10-08T06:28:37.445Z",
            "requestId": "3978bf89-5872-460d-b991-c3cd4e5280e1",
            "statusCode": 400,
            "retryable": false,
            "retryDelay": 38.192028876441576
        }
    }
}

I tried creating the role "snsb927798344500-staging" and adding the required policy, but as soon as I tried to re-run the amplify push command I got an error saying snsb927798344500-staging already exist. So I think it is Amplify that creates the role on every push and deletes it after the process fails. That is why I can't see the "snsb927798344500-staging" role again after the push process.

【Comments】:

【Answer 1】:

That particular message seems to be related to this GitHub issue on the CLI: https://github.com/aws-amplify/amplify-cli/issues/8363

We ran into the same issue today, and the following fixed it for us.

Solution copied here:

This issue is due to a missing policy in the MFALambda role, which was fixed in #7729. Could you try adding the following policy to your auth CloudFormation and see if it resolves the issue? The part you need to add is the policy named corecocf3573d0_sns_pass_role_policy

# Snippet
MFALambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName:
        Fn::If:
          - ShouldNotCreateEnvResources
          - corecocf3573d0_totp_lambda_role
          - Fn::Join:
              - ''
              - - corecocf3573d0_totp_lambda_role
                - '-'
                - Ref: env
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: corecocf3573d0_totp_pass_role_policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - iam:PassRole
                Resource:
                  Fn::If:
                    - ShouldNotCreateEnvResources
                    - arn:aws:iam:::role/corecocf3573d0_totp_lambda_role
                    - Fn::Join:
                        - ''
                        - - arn:aws:iam:::role/corecocf3573d0_totp_lambda_role
                          - '-'
                          - Ref: env
        # New policy
        - PolicyName: corecocf3573d0_sns_pass_role_policy
          PolicyDocument:
            # Quoted, as in the policy above, so YAML parsers do not read it as a date
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - 'iam:PassRole'
                Resource: !GetAtt SNSRole.Arn
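To see why the original role is denied and the added policy fixes it, here is a small, added example (not part of the answer or of Amplify) that evaluates identity-based policies for iam:PassRole the way the error message describes: explicit Deny wins, otherwise some Allow must match, otherwise the implicit default is Deny. The account id and role ARNs are constructed placeholders; NotAction, NotResource and Condition are deliberately not modelled.

```python
import fnmatch
from typing import List

# Constructed sample values (placeholder account id, role names from the thread).
ACCOUNT = "123456789012"
TOTP_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/corecocf3573d0_totp_lambda_role-staging"
SNS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/snsb927798344500-staging"

# The MFALambda role's original inline policy: PassRole only on its own role.
TOTP_PASS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": TOTP_ROLE_ARN}],
}
# The policy the answer adds: PassRole scoped to the SNS role only.
SNS_PASS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": SNS_ROLE_ARN}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM matches Action and Resource case-insensitively, with '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def is_allowed(policies: List[dict], action: str, resource: str) -> bool:
    """Simplified identity-based evaluation: Deny > Allow > implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt.get("Effect") == "Deny":
                return False          # an explicit Deny ends the evaluation
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed                    # False here is the "no identity-based policy allows" case


def overly_broad_passrole(policies: List[dict]) -> List[str]:
    """Flag Allow statements that let iam:PassRole target every role in the account;
    PassRole should be scoped to the one role the Lambda hands to SNS, as the fix does."""
    found = []
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow" or not _matches(stmt.get("Action", []), "iam:PassRole"):
                continue
            found.extend(r for r in _as_list(stmt.get("Resource", [])) if r == "*" or r.endswith(":role/*"))
    return found
```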

【Discussion】:

Thank you very much, I had been stuck on this for days. But fortunately the solution worked very well and the project is now up and running. I just had to add the new policy in /amplify/auth/<user>/<user>-cloudinformation-template.yml.
