fullstack-app
fullstack-app copied to clipboard
serverless-components
Deployment fails "site: Access Denied"
Any idea why I'm getting a "site: Access Denied" error during the deployment to our environment?
PS C:\Repositories\fullstack-app> serverless deploy
serverless ⚡framework
Action: "deploy" - Stage: "dev" - Org: "janasmuth" - App: "fullstack" - Name: "fullstack-app"
database:
name: database-dev
arn: arn:aws:dynamodb:ap-southeast-2:155608619720:table/database-dev
region: ap-southeast-2
indexes:
gsi1:
name: gsi1
arn: arn:aws:dynamodb:ap-southeast-2:155608619720:table/database-dev/index/gsi1
site: Access Denied
permissions:
name: permissions-dev
api:
url: https://mmvbkodzkf.execute-api.us-east-1.amazonaws.com
api:
openapi: 3.0.3
paths:
/users/register: (max depth reached)
/test/: (max depth reached)
/users/login: (max depth reached)
/user: (max depth reached)
info:
version: 0.0.1
21s » Serverless » Errors: "deploy" ran for 3 apps successfully. 1 failed.
PS C:\Repositories\fullstack-app>
PS C:\Repositories\fullstack-app> serverless deploy
serverless ⚡framework
Action: "deploy" - Stage: "dev" - Org: "abc" - App: "fullstack" - Name: "fullstack-app"
database:
name: database-dev
arn: arn:aws:dynamodb:ap-southeast-2:12345:table/database-dev
region: ap-southeast-2
indexes:
gsi1:
name: gsi1
arn: arn:aws:dynamodb:ap-southeast-2:12345:table/database-dev/index/gsi1
site: Access Denied
permissions:
name: permissions-dev
arn: arn:aws:iam::12345:role/permissions-dev
api:
url: https://abcd.execute-api.ap-southeast-2.amazonaws.com
api:
openapi: 3.0.3
paths:
/users/register: (max depth reached)
/test/: (max depth reached)
/users/login: (max depth reached)
/user: (max depth reached)
info:
version: 0.0.1
24s » Serverless » Errors: "deploy" ran for 3 apps successfully. 1 failed.
Hmmm that's odd 🤔 ... Does your AWS credentials have admin access? Could you try deploying the website independently by running the following command:
cd site
sls deploy
I am having the same type of issues. When deploying first time or directly from root seems that is working ok.
But inside site is throwing permission denied issues.
@eahefnawy Same result if I deploy from the site folder and the AWS credentials have admin access.
PS C:\Repositories\fullstack-app\site> serverless deploy
serverless ⚡framework
Action: "deploy" - Stage: "dev" - Org: "fdsfd" - App: "fullstack" - Name: "site"
30s » Serverless » Error: Access Denied
Org: "janasmuth"
Org: "abc"
Org: "fdsfd"
Strange, why do you have a different org everytime? 🤔
@JanIHC Could you let me know your org name and your username in the Serverless Dashboard? I'll try to look this up in our internal logs.
@eahefnawy my org name on serverless.com is janasmuth please ignore the other ones.
Could it be an issue that I'm trying to deploy to 'ap-southeast-2'?
I ran serverless info --debug but still not sure what's wrong.
Will serverless components try to activate Public access on the bucket? We have deactivated public access on account level.
PS C:\Repositories\fullstack-app\site> serverless info --debug
Fetching App Info...
serverless ⚡framework
Action: "info" - Stage: "dev" - Org: "janasmuth" - App: "fullstack" - Name: "site"
Last Action: deploy (a few seconds ago)
Deployments: 16
Status: error
AccessDenied: Access Denied
at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:816:35)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
State:
region: ap-southeast-2
bucketName: website-k0w9hna
bucketUrl: http://website-k0w9hna.s3-website-ap-southeast-2.amazonaws.com
Outputs:
Serverless » Success
Full details: https://app.serverless.com/janasmuth/apps/fullstack/site/dev
Serverless » App info fetched
@eahefnawy do you have any other ideas what could be the issue or what I could try?
Wanted to bump this as I'm seeing the same issue! Are there some aws permissions I am missing? My cli user has the AdministratorAccess policy so I'm not sure what is left to try adding.
I was able to find a workaround for this by giving the site’s serverless.yml a bucketName with a . in it, since this forces it to skip acceleration. It appears this is happening because of the acceleration step, but I do not know how to fix that.
I found the solution, I had to send an email since I did not have cloudfront activated and wait 2 days for it to be activated, I tried again and everything works correctly
Hi all, one thing that got me past this point was adding S3, all permissions (hard to tell which one was needed from the error message). The other IAM errors were well-communicated but this was opaque. Hope it helps!
I'm having the same issue but only for one of my two environments (Dev & Prod). Whenever I try to deploy to Prod, the site component fails with an Access denied error, while everything works fine for Dev. These are associated with separate AWS accounts and I linked each stage in the Serverless console with a dedicated provider pointing to the associated account. I then deploy with sls deoploy --stage prod --aws-profile prod and while I see all the resources being created in the right account (API, permissions, Dynamo table), S3 fails.
If I try to change the S3 bucket name (following @tapegram 's advice) within serverless.yml I get the following error:
site: Changing the bucket name from site-prod to site.prod will remove your infrastructure. Please remove it manually, change the bucket name, then re-deploy.
Both IAM users have admin access.
