https://serverless-stack.com/ logo
#sst
Title
# sst
s

Simon Reilly

05/12/2021, 7:17 AM
Hi all, when working locally I notice that the permissions assumed by utilities like the AWS-SDK are those of the local system user, and not the ServiceRole that has been assigned to the AWS resource when the stack is constructed. I think the potential here is that local debug works, and the full deploy doesn't, purely due to a permissions issue. I opened an issue for this here: https://github.com/serverless-stack/serverless-stack/issues/363. Is this something of interest?
f

Frank

05/12/2021, 6:06 PM
Hey @Simon Reilly, it shouldn’t happen.
sst start
should use the IAM credentials of the Lambda function.
I’m going to try out ur code snippet and see if it’s a bug with SST.
s

Simon Reilly

05/13/2021, 7:32 AM
Thanks Frank, I am using the aws-sdk for js V3 if that has anything to do with it?
f

Frank

05/13/2021, 9:49 AM
Hi @Simon Reilly, I tried your code with both aws-sdk v2 and v3, and I got the
is not authorized to perform: dynamodb:PutItem
error in both cases.
s

Simon Reilly

05/13/2021, 9:50 AM
Alright, was this when running
npx sst start
. Perhaps I was just doing it wrong?
f

Frank

05/13/2021, 9:50 AM
Yeah, inside
npx sst start
s

Simon Reilly

05/13/2021, 9:53 AM
Awesome, sorry for the trouble, this looks like it must be user error. I am, on day 2 of using sst. One more thing is that I run
AWS_PROFILE=cgu npx sst start
to use a local profile. Is this potentially what is causing my issue?
f

Frank

05/13/2021, 9:54 AM
Hmm it shouldn’t.. b/c when the lambda function is invoked locally, it inherits the IAM credentials from the environment
Can you print out the
console.log(process.env)
in ur Lambda code?
Then trigger the Lambda. And in the
sst start
console, see if you spot
AWS_ACCESS_KEY_ID
,
AWS_SECRET_ACCESS_KEY
, and
AWS_SESSION_TOKEN
s

Simon Reilly

05/13/2021, 10:20 AM
Hey Frank, I am on debugging this. I am looking into whether the dynamo db client created outside the handler at require time has the same credentials as the process.env and will get back to you 👍
Hey Frank, I still see this issue occuring, I have created a minimal recreation of the stack with the README.md showing everything that I do to recreate the issue. I will cross reference in the ticket
f

Frank

05/13/2021, 8:17 PM
Hey Simon, had a chance to try ur repo… and I got the expected
AccessDenied
error.
Let’s figure out what IAM credential is the AWS SDK using. Try this: • in Lambda, make an aws sdk call to STS’s 
getCallerIdentity
 or 
getAccessKeyInfo
 to verify the IAM credentials the sdk is using • does the Lambda have other non-dynamodb permissions? (ie. make an aws sdk call to list out all SNS topics)
s

Simon Reilly

05/14/2021, 6:34 AM
Thanks for this Frank, I have been able to identify that the IAM credentials are my local credentials. Looking in detail 1. There is a set of temporary credentials provided locally by the SST framework 2. The clients constructed are not using them, because the
AWS_PROFILE
env var is present inside the lambdas, and they are preferentially using the credentials attached to that profile I have updated my bug report with my operating system, a PR that shows using
delete(process.env.AWS_PROFILE)
fixes this issue, and also a GIF of the issue happening when I deploy with
AWS_PROFILE=cgu npx sst start
It is worth mentioning now that I would usually deploy the cdk like so:
npx cdk deploy --profile cgu
this does not set the env var I believe. I do not think the sst supports this yet:
Copy code
$ npx sst start --profile cgu

=======================
 Deploying debug stack
=======================

 ✅  dev-sst-tester-debug-stack (no changes)

Stack dev-sst-tester-debug-stack
  Status: no changes
  Outputs:
    BucketArn: arn:aws:s3:::dev-sst-tester-debug-stack-bucket83908e77-8oy8jd2stedi
    BucketName: dev-sst-tester-debug-stack-bucket83908e77-8oy8jd2stedi
    Endpoint: <wss://e4y2ztj41b.execute-api.eu-west-1.amazonaws.com/dev>


===============
 Deploying app
===============

Preparing your SST app
Detected tsconfig.json
Transpiling source
Linting source
Running type checker
Deploying stacks
AccessDenied: User: arn:aws:iam::347250048819:user/simon.reilly is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:eu-west-1:347250048819:stack/dev-sst-tester-my-stack/*
    at Request.extractError (/home/simon/code/projects/sst-tester/node_modules/aws-sdk/lib/protocol/query.js:50:29)
    at Request.callListeners (/home/simon/code/projects/sst-tester/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/home/simon/code/projects/sst-tester/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/home/simon/code/projects/sst-tester/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/home/simon/code/projects/sst-tester/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/simon/code/projects/sst-tester/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /home/simon/code/projects/sst-tester/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/home/simon/code/projects/sst-tester/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/home/simon/code/projects/sst-tester/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/home/simon/code/projects/sst-tester/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
  code: 'AccessDenied',
  time: 2021-05-14T06:33:12.517Z,
  requestId: '281d9599-badf-4202-bf0e-5c843564c744',
  statusCode: 403,
  retryable: false,
  retryDelay: 16.820242262488392
}

 ❌  dev-sst-tester-my-stack failed: AccessDenied: User: arn:aws:iam::347250048819:user/simon.reilly is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:eu-west-1:347250048819:stack/dev-sst-tester-my-stack/*


Stack dev-sst-tester-my-stack
  Status: failed
  Error: User: arn:aws:iam::347250048819:user/simon.reilly is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:eu-west-1:347250048819:stack/dev-sst-tester-my-stack/*

Failed to deploy the app
f

Frank

05/14/2021, 6:50 PM
Thanks Simon. I think
AWS_PROFILE
might be the culprit. I removed it from the npm scripts when I cloned ur repo, which in the hindsight was dumb. I should’ve tried ur EXACT setup.
I will give ur repo another try today as is.
s

Simon Reilly

05/15/2021, 2:44 PM
Cheers Frank 👍
f

Frank

05/17/2021, 8:06 PM
I can confirm this issue! In aws sdk v3, AWS_PROFILE takes precedence over AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY - https://github.com/aws/aws-sdk-js-v3/pull/103
Hey @Simon Reilly, the fix is in the new v0.19.0 release.
s

Simon Reilly

05/20/2021, 5:57 AM
Great, thanks Frank 👍