# sst
e
This morning I tried using the console for the first time, and it's stuck on "Syncing metadata". At first (reading stuff here) I thought it was the Brave shields, but I tried in Chrome and same result... 403 errors as per the browser network screenshot:
Any ideas to try? Thanks in advance!
f
hmm.. can u try enabling this flag on Chrome temporarily and see if it fixes this? https://stackoverflow.com/a/31900210
^ We are working on a fix for this.. Just wanted to make sure this is indeed the issue in this case.
t
Is this with SST start?
e
Yes it's with SST start. The issue still occurs after setting the flag. For the sake of it I also tried setting the other 'insecure' flags but still no difference.
t
how are your local aws credentials setup?
e
They use my keys in ~/.aws/credentials but I do use the --role-arn option in sst start as the policy is defined in the role rather than user
t
wonder if we have some issue with that with the console
e
OK. Let me know if I can help further providing more detail
d
I ran into something like this with port forwarding from a VM I was SSH coding inside of. I generally wrote it off as outside the scope, but figured I would at least mention. GitHub Codespaces, as an example.
f
@Erik Robertson I think u mentioned in another thread that you were running `sst start` with the `default` IAM profile like this:
$ sst start --role-arn xxxx
Do u know what IAM permissions the `default` profile has?
e
Here's what I have on my user policy (replacing account # + removing some app specific stuff):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplate",
        "cloudformation:DeleteChangeSet",
        "cloudformation:CreateChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DeleteStack"
      ],
      "Resource": [
        "arn:aws:cloudformation:us-west-2:ACCOUNT:stack/CDK*",
        "arn:aws:cloudformation:us-west-2:ACCOUNT:stack/DEV-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "sts:AssumeRole"
      ],
      "Resource": [
        "arn:aws:iam::ACCOUNT:role/DWAM-SST-CloudFormation-Role",
        "arn:aws:iam::ACCOUNT:role/cdk-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": "arn:aws:ssm:us-west-2:ACCOUNT:parameter/cdk-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*Object",
        "s3:ListBucket",
        "s3:getBucketLocation"
      ],
      "Resource": "arn:aws:s3:::cdk*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*Object"
      ],
      "Resource": "arn:aws:s3:::dev-*"
    },
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "arn:aws:secretsmanager:us-west-2:ACCOUNT:secret:CONFIG/DEV*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DeleteRetentionPolicy"
      ],
      "Resource": "arn:aws:logs:us-west-2:ACCOUNT:log-group:*"
    }
  ]
}
f
@Erik Robertson circling back on this issue. I’m guessing the permission that’s missing is the `cloudformation:ListStacks`. Can you try temporarily giving the `cloudformation:*` permission to `*` resources in ur user policy just to confirm this is permission related.
Or even give Administrator ReadOnly access temporarily.
e
So @Frank just adding cloudformation:* to my user's policy was not sufficient. However adding the full administrator privileges to the user does work and gets the console UI up and running. Let me know if you want to try other policy changes.
Any update on this @Frank? No rush but it just turns out that I will have a use for the console shortly and I don't really like the idea of leaving the user with full admin privileges...