Missing permissions in DEPLOY_WEBINY_PROJECT_CF_TEMPLATE

[cat5inthecradle]

Version

5.40.6

Operating System

N/A

Browser

N/A

What are the steps to reproduce this bug?

To deploy our initial Webiny infrastructure, we followed these steps:

1. create a new AWS Account
2. Create an IAM user, "Webiny_Deployer" with no permissions
3. Use the provided cloudformation template in the docs to assign the user to least-privilege groups suitable for deploying Webiny. This was created in us-east-1.
4. Attempt to deploy Webiny, using the "Webiny_Deployer" user, via yarn webiny deploy

What is the expected behavior?

Successful Webiny environment creation.

What do you see instead?

We receive an IAM permissions error (account ID's redacted)

validating Step Functions State Machine definition:
User: arn:aws:iam::REDACTED:user/Webiny_Deployer
is not authorized to perform:
states:ValidateStateMachineDefinition on resource: arn:aws:states:us-east-1:REDACTED:stateMachine:*
because no identity-based policy allows the states:ValidateStateMachineDefinition action

And additional errors appear as each permission is granted. Logging them here:

• states:ValidateStateMachineDefinition on resource: arn:aws:states:us-east-1:REDACTED:stateMachine:*
• states:ListStateMachineVersions on resource: stateMachine:wby-background-task-sfn-811a8dd
• cloudfront:GetDistribution on resource: distribution/<distribution id> - This occurred on yarn webiny destroy
  • this looks like a Condition mismatch.
• lambda:ListTags on resource: event-source-mapping:<guid>
  • this looks like a Condition mismatch.

Additional information

No response

Possible solution

#4321

[cat5inthecradle]

PR #4323 looks like it should take care of this, thanks for tidying up my attempt, @adrians5j!

In the meantime, we just added the following inline policy to our user:

	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": "states:ValidateStateMachineDefinition",
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": "states:ListStateMachineVersions",
			"Resource": "arn:aws:states:*:*:stateMachine:wby-*"
		},
		{
			"Effect": "Allow",
			"Action": "lambda:ListTags",
			"Resource": "arn:aws:lambda:*:*:event-source-mapping:*"
		},
		{
			"Effect": "Allow",
			"Action": "cloudfront:GetDistribution",
			"Resource": "arn:*:cloudfront::*:distribution/*"
		}
	]
}

[adrians5j]

Great @cat5inthecradle.

Glad you're not blocked.

We'll be releasing these fixes officially hopefully by the end of week, or beginning next week the latest. Make sure to keep an eye on the #announcements Slack channel. :)

[adrians5j]

Forgot to close this one, so doing it now. :)