deploy env fails: The EnvManagerRole fails to iam:PassRole to the CFNExecutionRole because it's missing tags
Getting this error: AccessDenied: User: arn:aws:sts:::assumed-role/-EnvManagerRole/ is not authorized to perform: iam:PassRole on resource: arn:aws:iam:::role/*-CFNExecutionRole because no identity-based policy allows the iam:PassRole action
Looking at the stack set for the environment it appears that EnvManagerRole is only allowed to pass to roles with the correct "copilot-application" and "copilot-environment" tags which are missing from CFNExecutionRole.
I believe the problem is here: https://github.com/aws/copilot-cli/blob/8a08a1026f8a8e7cc4ea043084b2755ea026099c/internal/pkg/template/templates/environment/partials/environment-manager-role.yml#L122
because there are no resource tags in here: https://github.com/aws/copilot-cli/blob/8a08a1026f8a8e7cc4ea043084b2755ea026099c/internal/pkg/template/templates/environment/partials/cfn-execution-role.yml
Not 100% sure; maybe there is something I am doing wrong. Thanks for any help.
Hey @gabestep-emp 👋
The CloudFormation stack created by Copilot will automatically add the tags copilot-application and copilot-environment to all the resources within the stack.
Can you please check and confirm the following:
- When you run copilot env init --profile, does the user profile you are using to create the environment have a permission that allows iam:TagRole?
- Is there any permission boundary set on the user that does not allow iam:TagRole?
Here is a related comment https://github.com/aws/copilot-cli/issues/2160#issuecomment-1024693374 that can help you fix the issue.
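The two checks asked for above, plus the tag condition the original post describes, as an added example (this is not Copilot's own code). It models the EnvManagerRole PassRole statement as a StringEquals condition on iam:ResourceTag/copilot-application and iam:ResourceTag/copilot-environment (the exact Resource and Condition in Copilot's template are an assumption; only the tag keys come from the thread), evaluates it against the tags a role actually carries as returned by aws iam list-role-tags, and checks whether the deploying profile's identity policy and any permissions boundary both allow iam:TagRole. All policy documents, account IDs and list-role-tags outputs below are constructed sample data.

```python
"""Diagnose a denied iam:PassRole from EnvManagerRole to CFNExecutionRole.

Added example, not part of the Copilot project. Everything below is
constructed sample data; the PassRole statement approximates the tag
condition described in the thread.
"""
import fnmatch
import json
from typing import Dict, List, Optional, Tuple

# Approximation (assumption) of the EnvManagerRole PassRole statement:
# only roles carrying both copilot tags with matching values may be passed.
PASSROLE_STATEMENT = {
    "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::123456789012:role/*-CFNExecutionRole",  # constructed
    "Condition": {
        "StringEquals": {
            "iam:ResourceTag/copilot-application": "demo-app",
            "iam:ResourceTag/copilot-environment": "test",
        }
    },
}

# Constructed `aws iam list-role-tags --role-name demo-app-test-CFNExecutionRole` outputs.
UNTAGGED_ROLE_TAGS_OUTPUT = '{"Tags": [], "IsTruncated": false}'
TAGGED_ROLE_TAGS_OUTPUT = json.dumps({
    "Tags": [
        {"Key": "copilot-application", "Value": "demo-app"},
        {"Key": "copilot-environment", "Value": "test"},
    ],
    "IsTruncated": False,
})

# Constructed identity policies for the profile that runs `copilot env init`.
DEPLOYER_POLICY_MISSING_TAGROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["iam:CreateRole", "iam:PassRole", "cloudformation:*"],
                   "Resource": "*"}],
}
DEPLOYER_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:*", "cloudformation:*"], "Resource": "*"}],
}
# Constructed permissions boundary that silently drops iam:TagRole.
BOUNDARY_WITHOUT_TAGROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["cloudformation:*", "iam:CreateRole"], "Resource": "*"}],
}


def parse_role_tags(list_role_tags_json: str) -> Dict[str, str]:
    """Turn `aws iam list-role-tags` JSON output into a {key: value} map."""
    doc = json.loads(list_role_tags_json)
    return {t["Key"]: t["Value"] for t in doc.get("Tags", [])}


def evaluate_passrole(statement: dict, role_tags: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Apply the iam:ResourceTag StringEquals conditions to the role's tags.

    A missing or mismatched tag means the condition is not satisfied, so the
    Allow does not apply and the call falls through to the implicit deny that
    the AccessDenied message in the thread reports.
    """
    problems: List[str] = []
    prefix = "iam:ResourceTag/"
    for cond_key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if not cond_key.startswith(prefix):
            continue
        tag_key = cond_key[len(prefix):]
        actual = role_tags.get(tag_key)
        if actual is None:
            problems.append(f"missing tag {tag_key}")
        elif actual != expected:
            problems.append(f"tag {tag_key}={actual!r}, expected {expected!r}")
    return (not problems, problems)


def policy_allows(policy: dict, action: str) -> bool:
    """Simplified evaluation: any Allow statement whose Action pattern matches
    the action (case-insensitive, '*' wildcards). Deny statements and resource
    or condition restrictions are not modelled."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        patterns = st.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def can_tag_role(identity_policy: dict, boundary_policy: Optional[dict] = None) -> bool:
    """iam:TagRole must be allowed by the identity policy and, when a
    permissions boundary is attached, by the boundary as well; the effective
    permission is the intersection of the two."""
    allowed = policy_allows(identity_policy, "iam:TagRole")
    if boundary_policy is not None:
        allowed = allowed and policy_allows(boundary_policy, "iam:TagRole")
    return allowed


if __name__ == "__main__":
    for label, out in (("untagged", UNTAGGED_ROLE_TAGS_OUTPUT), ("tagged", TAGGED_ROLE_TAGS_OUTPUT)):
        ok, why = evaluate_passrole(PASSROLE_STATEMENT, parse_role_tags(out))
        print(f"{label} CFNExecutionRole: PassRole {'allowed' if ok else 'denied'} {why}")
    print("deployer can iam:TagRole:", can_tag_role(DEPLOYER_POLICY_MISSING_TAGROLE))
    print("deployer with boundary can iam:TagRole:", can_tag_role(DEPLOYER_POLICY_OK, BOUNDARY_WITHOUT_TAGROLE))
```

In practice, feed parse_role_tags the real output of aws iam list-role-tags for the CFNExecutionRole: if the copilot tags are absent, the role was created by a profile that could not iam:TagRole (either the identity policy lacks it or a permissions boundary strips it), which is the root cause the two questions above are probing.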
Thanks - I missed that permission when creating the role for copilot. Is there any way we could add an error message on the failed creation of those tags so it's easier to debug in the future @KollaAdithya?
This will be an enhancement for us. We can add Recommended Actions with an error message in this case to have the iam:TagRole permission on the user profile creating the environment.
Also, this has been a longstanding issue for a while. We need to surface the minimal IAM permissions required in our docs in order to set up copilot.
@KollaAdithya are the minimal IAM permissions documented anywhere? I've run into a handful of issues today, including this one. Thanks!
Hey @curthipster, unfortunately we don't have the full list documented anywhere today, but there's a related issue https://github.com/aws/copilot-cli/issues/1345 with some example policies that have worked for others that you can try!