A memo on the permission trouble I ran into while trying to build the SAM hello-world app in an environment without AWS FullAccess.
Conclusion
The AWS SAM hello-world deploys if the deploying identity has the following IAM policies. They are far broader than needed, so it is probably better to narrow them down.
- IAMFullAccess
- AmazonEC2ContainerRegistryFullAccess
- AmazonS3FullAccess
- AmazonAPIGatewayAdministrator
- ResourceGroupsandTagEditorFullAccess
- AWSCloudFormationFullAccess
- CloudWatchApplicationInsightsFullAccess
- AWSLambda_FullAccess
Deploy log
Running the deploy produced the following error.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus ResourceType LogicalResourceId ResourceStatusReason
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
DELETE_COMPLETE AWS::ResourceGroups::Group ApplicationResourceGroup Delete succeeded for the resources that failed to create.
CREATE_IN_PROGRESS AWS::ResourceGroups::Group ApplicationResourceGroup -
CREATE_FAILED AWS::ResourceGroups::Group ApplicationResourceGroup Resource handler returned message: "Access denied for operation 'CREATE'." (RequestToken: XXXXXXXXX HandlerErrorCode: AccessDenied)
UPDATE_FAILED AWS::CloudFormation::Stack hello-world The following resource(s) failed to create: [ApplicationResourceGroup].
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Failed to deploy. Automatic rollback disabled for this deployment.

Actions you can take next
=========================
[*] Fix issues and try deploying again
[*] Roll back stack to the last known stable state: aws cloudformation rollback-stack --stack-name hello-world
The AccessDenied had me puzzled, but the policies I had granted were simply insufficient.
The failing step is the creation of the ResourceGroup.
I attached ResourceGroupsandTagEditorFullAccess. Does the deploy succeed now?
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus ResourceType LogicalResourceId ResourceStatusReason
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
CREATE_IN_PROGRESS AWS::IAM::Role HelloWorldFunctionRole -
CREATE_IN_PROGRESS AWS::ResourceGroups::Group ApplicationResourceGroup -
CREATE_IN_PROGRESS AWS::IAM::Role HelloWorldFunctionRole Resource creation Initiated
CREATE_IN_PROGRESS AWS::ResourceGroups::Group ApplicationResourceGroup Resource creation Initiated
CREATE_COMPLETE AWS::ResourceGroups::Group ApplicationResourceGroup -
CREATE_IN_PROGRESS AWS::ApplicationInsights::Application ApplicationInsightsMonitoring -
CREATE_FAILED AWS::ApplicationInsights::Application ApplicationInsightsMonitoring Resource handler returned message: "User:
A new error appeared. This time the missing permission is for ApplicationInsights.
I added CloudWatchApplicationInsightsFullAccess.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus ResourceType LogicalResourceId ResourceStatusReason
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
DELETE_COMPLETE AWS::ApplicationInsights::Application ApplicationInsightsMonitoring Delete succeeded for the resources
that failed to create.
CREATE_IN_PROGRESS AWS::ApplicationInsights::Application ApplicationInsightsMonitoring -
CREATE_IN_PROGRESS AWS::ApplicationInsights::Application ApplicationInsightsMonitoring Resource creation Initiated
CREATE_COMPLETE AWS::ApplicationInsights::Application ApplicationInsightsMonitoring -
UPDATE_COMPLETE_CLEANUP_IN_PROGRESS AWS::CloudFormation::Stack hello-world -
UPDATE_COMPLETE AWS::CloudFormation::Stack hello-world -
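Reading the full event table each time to find the one row that matters gets old quickly. The following is an added Python example, not code from the original memo: it parses the event rows that `sam deploy` prints, keeps the failed events whose HandlerErrorCode is AccessDenied, and extracts the denied IAM action from the standard "is not authorized to perform" message when one is present. The sample rows are constructed from the two failures on this page; the body of the ApplicationInsights message, including the account ID, user name and region, is an assumption, because the original log is cut off right after `User:`.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape `sam deploy` prints: the two AccessDenied
# failures from this memo. The ApplicationInsights message body (principal ARN,
# action, resource ARN) is assumed; the page's own log is truncated after "User:".
SAMPLE_EVENTS = """\
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
ResourceStatus ResourceType LogicalResourceId ResourceStatusReason
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
CREATE_IN_PROGRESS AWS::ResourceGroups::Group ApplicationResourceGroup -
CREATE_FAILED AWS::ResourceGroups::Group ApplicationResourceGroup Resource handler returned message: "Access denied for operation 'CREATE'." (RequestToken: XXXXXXXXX HandlerErrorCode: AccessDenied)
UPDATE_FAILED AWS::CloudFormation::Stack hello-world The following resource(s) failed to create: [ApplicationResourceGroup].
CREATE_FAILED AWS::ApplicationInsights::Application ApplicationInsightsMonitoring Resource handler returned message: "User: arn:aws:iam::123456789012:user/sam-deployer is not authorized to perform: applicationinsights:CreateApplication on resource: arn:aws:applicationinsights:ap-northeast-1:123456789012:application/resource-group/hello-world-ApplicationResourceGroup because no identity-based policy allows the applicationinsights:CreateApplication action" (RequestToken: YYYYYYYYY HandlerErrorCode: AccessDenied)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
"""

# IAM's standard explicit-deny wording carries the exact action that was refused.
AUTH_RE = re.compile(r"is not authorized to perform: (?P<action>[\w\-]+:[\w\-\*]+)")


@dataclass
class StackEvent:
    status: str
    resource_type: str
    logical_id: str
    reason: str


def parse_events(text: str) -> List[StackEvent]:
    """Turn the printed CloudFormation event table into one StackEvent per row.

    The first three columns never contain spaces; everything after the third
    column is the free-text ResourceStatusReason ("-" when there is none).
    """
    events: List[StackEvent] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, the dashed separators and the column header.
        if not line or line.startswith("-"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[0] == "ResourceStatus":
            continue
        reason = parts[3] if len(parts) == 4 else ""
        events.append(StackEvent(parts[0], parts[1], parts[2], reason))
    return events


def denied_action(reason: str) -> Optional[str]:
    """Return the IAM action named in an 'is not authorized' message, else None."""
    match = AUTH_RE.search(reason)
    return match.group("action") if match else None


def access_denied_failures(events: List[StackEvent]) -> List[StackEvent]:
    """Keep only failed resources whose handler reported AccessDenied.

    The stack-level UPDATE_FAILED row is dropped: it only repeats which
    children failed and carries no permission information of its own.
    """
    return [
        e for e in events
        if e.status.endswith("_FAILED") and "AccessDenied" in e.reason
    ]


def summarize(text: str):
    """(resource type, logical id, denied action or None) for each AccessDenied failure."""
    return [
        (e.resource_type, e.logical_id, denied_action(e.reason))
        for e in access_denied_failures(parse_events(text))
    ]


if __name__ == "__main__":
    for resource_type, logical_id, action in summarize(SAMPLE_EVENTS):
        print(f"{logical_id} ({resource_type}): denied action = {action or 'not stated in message'}")
```

Feed it the text of a failed `sam deploy` run (or the output of `aws cloudformation describe-stack-events`) and it lists just the permission failures. Note the asymmetry between the two rows: the ApplicationInsights handler names the refused action, so the missing permission is read straight off the message, while the ResourceGroups handler only says "Access denied for operation 'CREATE'", so the action comes back as None. For that kind of message, the AccessDenied events in CloudTrail for the same request are where the exact action shows up, which is also what you want to collect if you later replace the FullAccess policies listed above with a narrower one.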
It worked. In the end, these are the permissions I granted to get hello-world running.