
Unclear error when missing permissions to validate allowed account #362

Open
liamdawson opened this issue Oct 4, 2021 · 0 comments

Comments

@liamdawson (Contributor)

When running stack_master, and the current account's ID isn't in the (non-empty) list of allowed_account values, it attempts to fetch account aliases to check if these match. If the current principal isn't permitted to call iam:ListAccountAliases, this results in the following error:

$ stack_master validate ap-southeast-2
Executing validate on stack-name in ap-southeast-2
error: Failed to retrieve account aliases. Missing required IAM permission: iam:ListAccountAliases. Use --trace to view backtrace

It becomes a bit clearer if you use --trace:

$ stack_master validate ap-southeast-2 --trace
...
         4: from .../stack_master/lib/stack_master/cli.rb:294:in `execute_if_allowed_account'
         3: from .../stack_master/lib/stack_master/cli.rb:305:in `running_in_allowed_account?'
         2: from .../stack_master/lib/stack_master/identity.rb:10:in `running_in_account?'
         1: from .../stack_master/lib/stack_master/identity.rb:45:in `contains_account_alias?'
.../stack_master/lib/stack_master/identity.rb:22:in `account_aliases': Failed to retrieve account aliases. Missing required IAM permission: iam:ListAccountAliases (StackMaster::Identity::MissingIamPermissionsError)

Ideally, I think the error message returned to the user should make it immediately obvious why stack_master attempted to use that permission.
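One way to make the failure self-explanatory, as an added example that is not stack_master's own code: check the account ID first, only fall back to the alias lookup when needed, and wrap the permission error in one that states why aliases were fetched while keeping the original as `Exception#cause` so `--trace` still shows it. The `FakeIdentity` class, the `AllowedAccountCheckError` name and the account IDs are hypothetical stand-ins.

```ruby
# Added example, not from the stack_master project. Error class names below
# mirror the ones quoted in the issue; everything else is a stand-in.
class MissingIamPermissionsError < StandardError; end
class AllowedAccountCheckError < StandardError; end

# Hypothetical identity source; a real implementation would call STS/IAM.
class FakeIdentity
  attr_reader :account_id

  def initialize(account_id:, aliases:, can_list_aliases: true)
    @account_id = account_id
    @aliases = aliases
    @can_list_aliases = can_list_aliases
  end

  # Simulates iam:ListAccountAliases being denied to the current principal.
  def account_aliases
    unless @can_list_aliases
      raise MissingIamPermissionsError,
            "Failed to retrieve account aliases. Missing required IAM permission: iam:ListAccountAliases"
    end
    @aliases
  end
end

# Returns true when the current account (by ID or alias) is allowed.
# Aliases are only requested when the ID check has already failed, and a
# permission failure there is re-raised with the reason for the lookup.
def running_in_allowed_account?(identity, allowed_accounts)
  return true if allowed_accounts.empty?
  return true if allowed_accounts.include?(identity.account_id)

  aliases = begin
    identity.account_aliases
  rescue MissingIamPermissionsError => e
    # Raising inside rescue sets Exception#cause to `e` automatically.
    raise AllowedAccountCheckError,
          "Account #{identity.account_id} is not in allowed_accounts " \
          "(#{allowed_accounts.join(', ')}); tried to compare account aliases " \
          "instead but could not: #{e.message}"
  end

  aliases.any? { |a| allowed_accounts.include?(a) }
end
```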

liamdawson added a commit to liamdawson/stack_master that referenced this issue Oct 4, 2021
Per envato#362, the returned error message doesn't explain why the IAM
permission was required. While the wrapped error doesn't mention the
specific permission, the original MissingIamPermissionsError can still
be seen in --trace output, as it is registered as the Error#cause
liamdawson added a commit to liamdawson/stack_master that referenced this issue Oct 4, 2021
As highlighted in envato#362, if the current account ID doesn't match anything
in the allowed accounts list, and the current principal doesn't have
iam:ListAccountAliases privileges, Identity#running_in_account? will
fail due to an attempt to get account aliases. This adds an erroring
test case for that scenario, and the corresponding expected failure when
account aliases are actually in use.