https://serverless-stack.com/ logo
#help
Title
# help
h

Hans Song

03/16/2022, 11:52 AM
hey guys, got a bug here (?), exceptions raised by subprocess calls in the site upload lambda is not handled gracefully, (i.e.
Custom::SSTBucketDeployment
here) this results in pretty vague messages, e.g.
Copy code
Custom::SSTBucketDeployment | .../ReactSite/S3Deployment/Default (ReactSiteS3Deployment...) Received response status [FAILED] from custom resource. Message returned: invalid request. Missing key 'Status'
i had to dig through the cloudwatch logs to find this
Copy code
CalledProcessError: Command '['/opt/awscli/aws', 's3', 'cp', 's3:...', '/tmp/...']' returned non-zero exit status 1.
Traceback (most recent call last):
  File "/var/task/s3-upload.py", line 29, in handler
    s3_deploy(s3_source_zip, s3_dest, file_options, replace_values)
    ...
i had to modify the lambda a bit to log the exception to figure out what went wrong (permissions in this case)
f

Frank

03/16/2022, 1:17 PM
Hey @Hans Song, yeah we need to show a more descriptive error message for this.
Btw, are you able to fix the s3 permission error?
h

Hans Song

03/16/2022, 10:47 PM
hey Frank, yeah my org has a pretty restrictive permission boundary, it was just a matter of adding s3 related permissions
f

Frank

03/17/2022, 1:55 AM
Hmm.. the
StaticSite
construct should’ve already granted necessary permissions for the upload, ie. https://github.com/serverless-stack/serverless-stack/blob/master/packages/resources/src/StaticSite.ts#L289-L290
What permission did u have to grant to get it to work?
h

Hans Song

03/17/2022, 1:59 AM
i believe we gave it
s3:HeadObject
for it to be able to continue
it will also need
s3:PutObject
,
s3:ListObjectsV2
but i haven’t been able to test yet
f

Frank

03/17/2022, 3:24 AM
Got it! It should already have
s3:PutObject
,
s3:ListObjectsV2
I think what’s missing was the
s3:HeadObject
h

Hans Song

03/17/2022, 3:25 AM
those other permissions are likely to be missing from our permission boundary then 🤔
f

Frank

03/17/2022, 3:25 AM
Oh i see. U have a permission boundary set on the IAM roles in the app?
h

Hans Song

03/17/2022, 3:26 AM
its an org requirement for all roles created by cdk to have the boundary applied
f

Frank

03/17/2022, 3:26 AM
Yup makes sense
4 Views