
Incorrect permissions to enable post-launch actions

Open Kirizan opened this issue 1 year ago • 4 comments

Describe the bug The permissions defined for the role CMF-MGNAutomation deployed to the target accounts are missing the permissions required to run post-launch actions.

To Reproduce Follow the instructions here to remove VMware Tools.

When a test cutover runs, the following error appears:

An error occurred (AccessDeniedException) when calling the GetDocument operation: User: arn:aws:sts::<REDACTED>:assumed-role/CMF-MGNAutomation/cloud-migration-factory-prod-MGNLambdaRole is not authorized to perform: ssm:GetDocument on resource: arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript because no identity-based policy allows the ssm:GetDocument action

ssm:GetDocument is not the only missing action; adding the ssm:GetDocument permission reveals that the following two actions are also missing:

  • ssm:SendCommand
  • ssm:StartSession

Expected behavior I expect the post-launch actions to run.

Please complete the following information about the solution:

  • [X] Version: 3.3.4

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0097) - AWS CloudEndure Migration Factory Solution. Version v1.1.0".

  • [X] Region: us-east-1
  • [No] Was the solution modified from the version published on this repository?
  • [N/A] If the answer to the previous question was yes, are the changes available on GitHub?
  • [N/A] Have you checked your service quotas for the services this solution uses?
  • [ ] Were there any errors in the CloudWatch Logs?

Screenshots None

Additional context PR Incoming to fix these issues.

Kirizan (Aug 27 '24 12:08)
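A local check for the SSM actions this issue lists, added here as an example that is not code from the issue author or from the solution; the sample policy is constructed for illustration and does not reproduce the real MGNPostLaunchActions policy:

```python
import fnmatch
import json

# SSM actions this issue reports as missing from the CMF-MGNAutomation role
# (policy MGNPostLaunchActions) when a post-launch action runs.
REQUIRED_SSM_ACTIONS = (
    "ssm:GetDocument",
    "ssm:SendCommand",
    "ssm:StartSession",
    "ssm:ListCommandInvocations",
)

# Constructed sample for illustration only; NOT the real MGNPostLaunchActions
# policy. It grants two of the four required actions.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ssm:SendCommand", "ssm:StartSession"]},
        {"Effect": "Allow", "Resource": "*", "Action": "ec2:DescribeInstances"},
    ],
})

def _as_list(value):
    # IAM accepts a string or a list in Action/Statement; normalise to a list.
    return value if isinstance(value, list) else [value]

def allowed_actions(policy, candidates):
    """Subset of `candidates` this identity-based policy allows.

    Action wildcards ('ssm:*', 'ssm:Get*') match case-insensitively as in IAM,
    and an explicit Deny overrides an Allow. Resource ARNs, Condition blocks
    and NotAction are not evaluated, so "allowed" here is necessary, not
    sufficient, for the call to succeed.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        bucket = allowed if stmt["Effect"] == "Allow" else denied
        for action in candidates:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return allowed - denied

def missing_actions(policy_json):
    """Required SSM actions that a policy document does not allow."""
    granted = allowed_actions(json.loads(policy_json), REQUIRED_SSM_ACTIONS)
    return [a for a in REQUIRED_SSM_ACTIONS if a not in granted]
```

Run it against the policy document attached to the role in a target account (for example the output of `aws iam get-role-policy`) to see which of the four actions a given template version still lacks.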

I discovered that ssm:ListCommandInvocations was also missing from the list, so I added that to the PR.

Kirizan (Aug 27 '24 18:08)

I forgot to mention, the PR I submitted is based on the 3.3.5 template, not the 3.3.4 template. The only difference is the 3.3.5 template had already added the ssm:GetDocument permission in the policy MGNPostLaunchActions.

Kirizan (Aug 28 '24 12:08)

Thank you for bringing this to our attention! We're looking into it!

tbelmega (Aug 28 '24 15:08)

@tbelmega is this issue still being looked into? It looks like it's been several months since it was first opened and there's still a pending pull request.

jlosito (Apr 10 '25 02:04)