Not authorized to perform: cloudformation:DescribeStackResources


#1

I’m getting this error when calling perform_later on a Jets job from a Jets lambda function:

Aws::CloudFormation::Errors::AccessDenied: User: arn:aws:sts::684080000000:assumed-role/my-app-prod-IamRole-1C7IMGWPZFT5Q/my-app-prod-my_fn_class-my_fn_method is not authorized to perform: cloudformation:DescribeStackResources

What I can’t figure out is that it seems like DescribeStackResources is explicitly allowed here in the default Jets IAM role:

Roles > my-app-prod-IamRole-1C7IMGWPZFT5Q

        {
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackResources"
            ],
            "Resource": "arn:aws:cloudformation:us-east-1:684080000000:stack/my-app-prod*",
            "Effect": "Allow"
        },

This seems like it should be explicitly granting access to DescribeStackResources.

I feel like I’m missing something with regard to the “assumed role”. Any insight into what the “assumed role” actually means?

Here’s the full stack trace:

    File "/opt/ruby/gems/2.5.0/gems/aws-sdk-core-3.85.0/lib/seahorse/client/plugins/raise_response_errors.rb" line 15 in call
    File "/opt/ruby/gems/2.5.0/gems/aws-sdk-core-3.85.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb" line 20 in call
    File "/opt/ruby/gems/2.5.0/gems/aws-sdk-core-3.85.0/lib/aws-sdk-core/plugins/idempotency_token.rb" line 17 in call
    File "/opt/ruby/gems/2.5.0/gems/aws-sdk-core-3.85.0/lib/aws-sdk-core/plugins/param_converter.rb" line 24 in call
    File "/opt/ruby/gems/2.5.0/gems/aws-sdk-core-3.85.0/lib/aws-sdk-core/plugins/response_paging.rb" line 10 in call
    File "/opt/ruby/gems/2.5.0/gems/aws-sdk-core-3.85.0/lib/seahorse/client/plugins/response_target.rb" line 23 in call
    File "/opt/ruby/gems/2.5.0/gems/aws-sdk-core-3.85.0/lib/seahorse/client/request.rb" line 70 in send_request
    File "/opt/ruby/gems/2.5.0/gems/aws-sdk-cloudformation-1.29.0/lib/aws-sdk-cloudformation/client.rb" line 2185 in describe_stack_resources
    File "/opt/ruby/gems/2.5.0/gems/jets-2.3.8/lib/jets/commands/call/base_guesser.rb" line 52 in stack_resources
    File "/opt/ruby/gems/2.5.0/gems/jets-2.3.8/lib/jets/commands/call/base_guesser.rb" line 41 in generated_function_name
    File "/opt/ruby/gems/2.5.0/gems/jets-2.3.8/lib/jets/commands/call/base_guesser.rb" line 33 in function_name
    File "/opt/ruby/gems/2.5.0/gems/jets-2.3.8/lib/jets/commands/call/guesser.rb" line 30 in function_name
    File "/opt/ruby/gems/2.5.0/gems/jets-2.3.8/lib/jets/commands/call.rb" line 22 in function_name
    File "/opt/ruby/gems/2.5.0/gems/jets-2.3.8/lib/jets/commands/call.rb" line 51 in remote_run
    File "/opt/ruby/gems/2.5.0/gems/jets-2.3.8/lib/jets/commands/call.rb" line 29 in run
    File "/opt/ruby/gems/2.5.0/gems/jets-2.3.8/lib/jets/job/base.rb" line 36 in perform_later
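An added offline check, not from the post above or from the Jets project, that evaluates the quoted Allow statement against a candidate request the way IAM matches wildcards in Action and Resource, so you can see which region, account and stack name a request must carry before this statement covers it. The stack ARNs it tests are constructed (the UUID suffix is made up), since the ARN CloudFormation evaluates for the failing call is not shown in the post; the function names are my own.

```ruby
# Statement copied from the post; the region and account number are the post's values.
STATEMENT = {
  "Action" => ["cloudformation:DescribeStacks", "cloudformation:DescribeStackResources"],
  "Resource" => "arn:aws:cloudformation:us-east-1:684080000000:stack/my-app-prod*",
  "Effect" => "Allow",
}.freeze

# IAM treats '*' as any run of characters and '?' as a single character. Action names
# are matched case-insensitively; resource ARNs are matched case-sensitively.
def iam_glob_to_regex(pattern, ignore_case)
  body = pattern.split(/([*?])/).map { |tok|
    case tok
    when "*" then ".*"
    when "?" then "."
    else Regexp.escape(tok)
    end
  }.join
  Regexp.new("\\A#{body}\\z", ignore_case ? Regexp::IGNORECASE : 0)
end

def matches_any?(patterns, value, ignore_case)
  Array(patterns).any? { |p| iam_glob_to_regex(p, ignore_case).match?(value) }
end

# Returns :allow when the statement covers the request and :implicit_deny otherwise.
# A lone Allow statement can never produce an explicit deny, so these are the only
# two outcomes; an AccessDenied with this policy attached means the request fell
# outside the Action/Resource patterns, not that something denied it explicitly.
def evaluate(statement, action, resource)
  return :implicit_deny unless statement["Effect"] == "Allow"
  return :implicit_deny unless matches_any?(statement["Action"], action, true)
  return :implicit_deny unless matches_any?(statement["Resource"], resource, false)
  :allow
end

ACTION = "cloudformation:DescribeStackResources"
# Constructed stack ARNs of the form arn:aws:cloudformation:REGION:ACCOUNT:stack/NAME/UUID.
SAME_REGION  = "arn:aws:cloudformation:us-east-1:684080000000:stack/my-app-prod/11111111-2222-3333-4444-555555555555"
OTHER_REGION = "arn:aws:cloudformation:us-west-2:684080000000:stack/my-app-prod/11111111-2222-3333-4444-555555555555"
OTHER_STACK  = "arn:aws:cloudformation:us-east-1:684080000000:stack/my-app-dev/11111111-2222-3333-4444-555555555555"

if __FILE__ == $0
  [SAME_REGION, OTHER_REGION, OTHER_STACK].each do |arn|
    puts "#{evaluate(STATEMENT, ACTION, arn)}  #{arn}"
  end
end
```

Only the first ARN is allowed; a stack in another region or with a name outside `my-app-prod*` is an implicit deny, which is the first thing to compare against the region and stack the failing Lambda actually queries.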

#2

Weird. Would try double checking the IAM permission of the actual IAM role in the AWS Console.