Zack McKenna
02/15/2022, 8:46 PMFrank
Frank
// index.js
/**
 * Hook sketched in the thread for customising the debug stack from index.js.
 * It receives the app, the stack and the stack's props; per the placeholder
 * in the body, the stack has already been created when the hook runs.
 */
export function debugStack(app, stack, props) {
... stack is already created ...
}
Zack McKenna
02/15/2022, 9:28 PMFrank
Zack McKenna
02/15/2022, 9:29 PMFrank
Frank
Stack
object.Frank
Zack McKenna
02/15/2022, 9:34 PMFrank
// index.js
/**
 * Walks the constructs attached directly to the debug stack so that IAM
 * roles can be picked out for adjustment.
 *
 * @param app - the app; not used in this sketch
 * @param stack - the already-created stack whose children are inspected
 * @param props - the stack props; not used in this sketch
 */
export function debugStack(app, stack, props) {
  // node.children holds direct children only, so a role nested inside
  // another construct is not visited by this loop (node.findAll() walks
  // the whole subtree).
  for (const resource of stack.node.children) {
    // check resource instanceof iam.Role
    // NOTE(review): instanceof iam.Role presumably matches only roles built
    // with the iam.Role construct; a role emitted as a raw CloudFormation
    // resource would need a resource-type check instead. Confirm.
  }
}
Frank
Frank
Zack McKenna
02/15/2022, 9:38 PMZack McKenna
02/15/2022, 9:38 PMZack McKenna
02/15/2022, 9:38 PMFrank
Frank
Zack McKenna
02/17/2022, 7:49 PMFrank
Frank
Frank
Zack McKenna
02/18/2022, 6:02 PMZack McKenna
02/18/2022, 6:57 PMFrank
Frank
Frank
sst.Api
, you’d need to override the roles for all the routes?Frank
/**
 * Proposed app-level hook: the caller constructs the debug stack itself,
 * which lets it supply its own stack synthesizer.
 */
export function debugApp(app) {
new sst.DebugStack(app, "debug-stack", {
// The synthesizer options are elided in the thread; the next message
// mentions deployRoleArn and cloudFormationExecutionRoleArn.
synthesizer: new cdk.DefaultStackSynthesizer({
...
}),
});
}
Frank
deployRoleArn
and cloudFormationExecutionRoleArn
Frank
/**
 * Proposed extension of debugApp: alongside the synthesizer, the debug
 * stack is passed role ARNs for the WebSocket handler and for Lambda log
 * retention.
 * NOTE(review): presumably these name roles provisioned ahead of time, for
 * accounts where the deploying principal may not call iam:CreateRole. Confirm.
 */
export function debugApp(app) {
new sst.DebugStack(app, "debug-stack", {
synthesizer: ...,
// Placeholder ARNs: replace with the full ARNs of the roles to reuse.
websocketHandlerRoleArn: "arn:...",
lambdaLogRetentionRoleArn: "arn:...",
...,
});
}
But before I proceed, I’d wanted to hear your thoughts on the above:
Thinking ahead, do you also need a way to override all the other IAM roles in your app?
ie. if you were to use sst.Api, you’d need to override the roles for all the routes? Let me know.
Zack McKenna
02/21/2022, 4:09 PMZack McKenna
02/21/2022, 4:16 PMFrank
Frank
Frank
Frank
Zack McKenna
02/28/2022, 7:13 PMZack McKenna
03/01/2022, 9:23 PMzmcken282-serverless-my-debug-stack | CREATE_FAILED | AWS::IAM::Role | CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092 | API: iam:CreateRole User: arn:aws:sts::311732959032:assumed-role/IhatLambdaRole/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::311732959032:role/zmcken282-serverless-my-d-CustomS3AutoDeleteObject-1EIO9SKO5VTEY
hmm, looks like it’s still trying to create a role for the S3 autodelete.Frank
/**
 * Creates the debug stack with a caller-supplied payload bucket and
 * WebSocket handler role.
 */
export function debugApp(app) {
  // Handing over an existing bucket ARN means the debug stack does not try
  // to create a bucket of its own.
  // NOTE(review): presumably this also avoids the S3 auto-delete role whose
  // creation failed in the deployment error quoted in the thread. Confirm.
  const debugStackProps = {
    payloadBucketArn: "arn:aws:s3:::my-bucket",
    websocketHandlerRoleArn: "...",
  };
  new DebugStack(app, "debug-stack", debugStackProps);
}
This way, the debug stack won’t try to create a bucket.Frank
Zack McKenna
03/15/2022, 2:48 PMclass CustomRoleAspect {
/**
 * @param permissionBoundaryArn - value that visit() writes to each role's PermissionsBoundary
 * @param path - value that visit() writes to each role's Path
 */
constructor(permissionBoundaryArn, path) {
  // The stored field is spelled permissionsBoundaryArn (with an "s"),
  // unlike the parameter; visit() reads the field name.
  Object.assign(this, { permissionsBoundaryArn: permissionBoundaryArn, path });
}
/**
 * Aspect callback: writes the configured permissions boundary and path onto
 * every visited node that is a CloudFormation resource of type AWS::IAM::Role.
 */
visit(node) {
  // Matching on cfnResourceType rather than on a construct class covers any
  // resource that synthesizes as AWS::IAM::Role.
  const isIamRole = CfnResource.isCfnResource(node) && node.cfnResourceType === 'AWS::IAM::Role';
  if (!isIamRole) {
    return;
  }
  // The overrides replace whatever boundary or path the role declared itself.
  // NOTE(review): an undefined value here presumably removes the property
  // from the template rather than leaving it unchanged, so a missing
  // constructor argument would silently drop the boundary. Confirm.
  // NOTE(review): Path looks like a replacement-only property for an existing
  // role; verify before applying this to an already-deployed stack.
  node.addPropertyOverride('PermissionsBoundary', this.permissionsBoundaryArn);
  node.addPropertyOverride('Path', this.path);
}
}
Zack McKenna
03/15/2022, 4:26 PMtype: 'error',
message: 'Unexpected server response: 403',
error: Error: Unexpected server response: 403
at ClientRequest.<anonymous> (/var/task/node_modules/ws/lib/websocket.js:604:7)
at ClientRequest.emit (events.js:400:28)
at ClientRequest.emit (domain.js:475:12)
at HTTPParser.parserOnIncomingClient [as onIncoming] (_http_client.js:647:27)
at HTTPParser.parserOnHeadersComplete (_http_common.js:127:17)
at TLSSocket.socketOnData (_http_client.js:515:22)
at TLSSocket.emit (events.js:400:28)
at TLSSocket.emit (domain.js:475:12)
at addChunk (internal/streams/readable.js:293:12)
at readableAddChunk (internal/streams/readable.js:267:9)
and a 503 from within the api gateway.
{
"requestTime": "15/Mar/2022:14:54:58 +0000",
"requestId": "PB9OYjYdIAMESOg=",
"httpMethod": "GET",
"path": "/",
"routeKey": "ANY /",
"status": 503,
"responseLatency": 30005,
"integrationRequestId": "-",
"integrationStatus": "-",
"integrationLatency": "30000",
"integrationServiceStatus": "200",
"ip": "198.178.12.68",
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36",
"cognitoIdentityId": "-"
}
I assume this might have something to do with permissions/policies, unless there might be something else I should look into before diving into it?Zack McKenna
03/15/2022, 7:14 PMsst start
running, I see Client not connected. Make sure "sst start" is running.
Zack McKenna
03/16/2022, 7:19 PMFrank
Frank
problems with VPC/Public WebSockets
Was the issue that Lambda in VPC wasn’t able to talk to the public WS?
Zack McKenna
03/22/2022, 6:46 PMZack McKenna
03/22/2022, 6:50 PMJay