Hi,
I’m trying to deploy a service in client’s production environment. I used Yeoman tool to generate AWS policies for the IAM user. But when trying to deploy I get the following message:
An error occurred: ServerlessDeploymentBucketPolicy - API: s3:PutBucketPolicy Access Denied.
The generated policy json is the following:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: [
“cloudformation:List*”,
“cloudformation:Get*”,
“cloudformation:ValidateTemplate”
],
“Resource”: [
“"
]
},
{
“Effect”: “Allow”,
“Action”: [
“cloudformation:CreateStack”,
“cloudformation:CreateUploadBucket”,
“cloudformation:DeleteStack”,
"cloudformation:Describe”,
“cloudformation:UpdateStack”
],
“Resource”: [
“arn:aws:cloudformation:us-east-2::stack/xxxxx-resources-prod/”
]
},
{
“Effect”: “Allow”,
“Action”: [
“lambda:Get*”,
“lambda:List*”,
“lambda:CreateFunction”
],
“Resource”: [
“"
]
},
{
“Effect”: “Allow”,
“Action”: [
“s3:GetBucketLocation”,
“s3:CreateBucket”,
“s3:DeleteBucket”,
“s3:ListBucket”,
“s3:ListBucketVersions”,
“s3:PutAccelerateConfiguration”,
“s3:GetEncryptionConfiguration”,
“s3:PutEncryptionConfiguration”
],
“Resource”: [
"arn:aws:s3:::xxxxx-resourcesserverlessdeploy*”
]
},
{
“Effect”: “Allow”,
“Action”: [
“s3:PutObject”,
“s3:GetObject”,
“s3:DeleteObject”
],
“Resource”: [
“arn:aws:s3:::xxxxx-resourcesserverlessdeploy”
]
},
{
“Effect”: “Allow”,
“Action”: [
“lambda:AddPermission”,
“lambda:CreateAlias”,
“lambda:DeleteFunction”,
“lambda:InvokeFunction”,
“lambda:PublishVersion”,
“lambda:RemovePermission”,
“lambda:Update*”
],
“Resource”: [
“arn:aws:lambda:us-east-2::function:xxxxx-resources-prod-”
]
},
{
“Effect”: “Allow”,
“Action”: [
“apigateway:GET”,
“apigateway:POST”,
“apigateway:PUT”,
“apigateway:DELETE”,
“apigateway:PATCH”
],
“Resource”: [
“arn:aws:apigateway:::/restapis”,
“arn:aws:apigateway:::/apikeys”,
“arn:aws:apigateway:::/usageplans”
]
},
{
“Effect”: “Allow”,
“Action”: [
“iam:PassRole”
],
“Resource”: [
“arn:aws:iam:::role/”
]
},
{
“Effect”: “Allow”,
“Action”: “kinesis:",
“Resource”: [
"arn:aws:kinesis:::stream/xxxxx-resources-prod-us-east-2"
]
},
{
“Effect”: “Allow”,
“Action”: [
“iam:GetRole”,
“iam:CreateRole”,
“iam:PutRolePolicy”,
“iam:DeleteRolePolicy”,
“iam:DeleteRole”
],
“Resource”: [
"arn:aws:iam:::role/xxxxx-resources-prod-us-east-2-lambdaRole”
]
},
{
“Effect”: “Allow”,
“Action”: “sqs:",
“Resource”: [
"arn:aws:sqs:::xxxxx-resources-prod-us-east-2"
]
},
{
“Effect”: “Allow”,
“Action”: [
“cloudwatch:GetMetricStatistics”
],
“Resource”: [
"”
]
},
{
“Action”: [
“logs:CreateLogGroup”,
“logs:CreateLogStream”,
“logs:DeleteLogGroup”
],
“Resource”: [
“arn:aws:logs:us-east-2::”
],
“Effect”: “Allow”
},
{
“Action”: [
“logs:PutLogEvents”
],
“Resource”: [
“arn:aws:logs:us-east-2::”
],
“Effect”: “Allow”
},
{
“Effect”: “Allow”,
“Action”: [
“logs:DescribeLogStreams”,
“logs:DescribeLogGroups”,
“logs:FilterLogEvents”
],
“Resource”: [
“"
]
},
{
“Effect”: “Allow”,
“Action”: [
"events:Put”,
“events:Remove*”,
“events:Delete*”
],
“Resource”: [
“arn:aws:events:::rule/xxxxx-resources-prod-us-east-2”
]
},
{
“Effect”: “Allow”,
“Action”: [
“events:DescribeRule”
],
“Resource”: [
“arn:aws:events:us-east-2::rule/xxxxx-resources-prod-”
]
},
{
“Effect”: “Allow”,
“Action”: [
“dynamodb:"
],
“Resource”: [
"arn:aws:dynamodb:::table/”
]
},
{
“Effect”: “Allow”,
“Action”: [
“s3:CreateBucket”
],
“Resource”: [
“arn:aws:s3:::*”
]
}
]
}