Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Incorrect permissions to enable post-launch actions #37

Open
2 of 3 tasks
Kirizan opened this issue Aug 27, 2024 · 3 comments
Open
2 of 3 tasks

Incorrect permissions to enable post-launch actions #37

Kirizan opened this issue Aug 27, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@Kirizan
Copy link

Kirizan commented Aug 27, 2024
edited
Loading

Describe the bug
The permissions defined for the role CMF-MGNAutomation deployed to the target accounts is missing permissions required to run post-launch actions.

To Reproduce
Follow instructions here to remove vmware tools.

When a test cutover runs, the following error appears:

An error occurred (AccessDeniedException) when calling the GetDocument operation: User: arn:aws:sts:::assumed-role/CMF-MGNAutomation/cloud-migration-factory-prod-MGNLambdaRole is not authorized to perform: ssm:GetDocument on resource: arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript because no identity-based policy allows the ssm:GetDocument action

The ssm:GetDocument is not the only missing action, adding the ssm:GetDocument permission leads to the two following actions being missing also:

  • ssm:SendCommand
  • ssm:StartSession

Expected behavior
I expect the post-launch actions to run.

Please complete the following information about the solution:

  • Version: 3.3.4

To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0097) - AWS CloudEndure Migration Factory Solution. Version v1.1.0".

  • Region: us-east-1
  • [No] Was the solution modified from the version published on this repository?
  • [N/A] If the answer to the previous question was yes, are the changes available on GitHub?
  • [N/A] Have you checked your service quotas for the sevices this solution uses?
  • Were there any errors in the CloudWatch Logs?

Screenshots
None

Additional context
PR Incoming to fix these issues.
@Kirizan Kirizan added the bug Something isn't working label Aug 27, 2024
@Kirizan Kirizan mentioned this issue Aug 27, 2024
Open
@Kirizan
Copy link
Author

Kirizan commented Aug 27, 2024

I discovered that ssm:ListCommandInvocations was also missing from the list, so I added that to the PR.

@Kirizan
Copy link
Author

Kirizan commented Aug 28, 2024

I forgot to mention, the PR I submitted is based on the 3.3.5 template, not the 3.3.4 template. The only difference is the 3.3.5 template had already added the ssm:GetDocument permission in the policy MGNPostLaunchActions.

@tbelmega
Copy link
Member

Thank you for bringing this to our attention! We're looking into it!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tbelmega @Kirizan