hey guys, got a bug here (?), exceptions raised by subprocess calls in the site upload lambda is not handled gracefully, (i.e.

Custom::SSTBucketDeployment

here) this results in pretty vague messages, e.g.

Custom::SSTBucketDeployment | .../ReactSite/S3Deployment/Default (ReactSiteS3Deployment...) Received response status [FAILED] from custom resource. Message returned: invalid request. Missing key 'Status'

i had to dig through the cloudwatch logs to find this

CalledProcessError: Command '['/opt/awscli/aws', 's3', 'cp', 's3:...', '/tmp/...']' returned non-zero exit status 1.
Traceback (most recent call last):
  File "/var/task/s3-upload.py", line 29, in handler
    s3_deploy(s3_source_zip, s3_dest, file_options, replace_values)
    ...

i had to modify the lambda a bit to log the exception to figure out what went wrong (permissions in this case)

Hey @Hans Song, yeah we need to show a more descriptive error message for this.

hey Frank, yeah my org has a pretty restrictive permission boundary, it was just a matter of adding s3 related permissions

Hmm.. the

StaticSite

construct should’ve already granted necessary permissions for the upload, ie. https://github.com/serverless-stack/serverless-stack/blob/master/packages/resources/src/StaticSite.ts#L289-L290

i believe we gave it

s3:HeadObject

for it to be able to continue

Got it! It should already have

s3:PutObject

,

s3:ListObjectsV2

those other permissions are likely to be missing from our permission boundary then 🤔

Oh i see. U have a permission boundary set on the IAM roles in the app?

its an org requirement for all roles created by cdk to have the boundary applied

Yup makes sense