Amplify: User is not authorized to perform iam:PassRole on resource

So I am trying to initialize an existing "react-ts" Amplify project that has about 8 services configured. When I run `amplify push` everything seems to go fine and succeed, except for the following, where I get this error:

Resource Name: 2021/10/08/[$LATEST]c1c602b361e347ad83d49f77293e6aae (Custom::LambdaCallout)
Event Type: create
Reason: Received response status [FAILED] from custom resource. Message returned: See the details in CloudWatch Log Stream: 2021/10/08/[$LATEST]c1c602b361e347ad83d49f77293e6aae (RequestId: 90c39ffc-b3ee-4830-ae87-7df3cd3a0770)

Here is the CloudWatch log entry for the given address:

2021-10-08T06:28:37.448Z    d30823f5-a9f8-4d7e-a823-dd53b298a2fb    INFO    Response body:

{
    "Status": "FAILED",
    "Reason": "See the details in CloudWatch Log Stream: 2021/10/08/[$LATEST]3b533dd8fb9a43bc921cfe635d2bc945",
    "PhysicalResourceId": "2021/10/08/[$LATEST]3b533dd8fb9a43bc921cfe635d2bc945",
    "StackId": "arn:aws:cloudformation:us-east-1:474847889857:stack/amplify-storyliner-staging-44500-authstorylinerb9277983-1V5J90W5KFK1A/cef02b40-2800-11ec-bcb5-0adb3c7f2f15",
    "RequestId": "f7b5fc9e-0a46-43ae-bf7e-eb19fb81285e",
    "LogicalResourceId": "MFALambdaInputs",
    "NoEcho": false,
    "Data": {
        "err": {
            "message": "User: arn:aws:sts::474847889857:assumed-role/storylb9277983_totp_lambda_role-staging/amplify-storyliner-staging-44500-authsto-MFALambda-tA8KTT12iWvY is not authorized to perform: iam:PassRole on resource: arn:aws:iam::474847889857:role/snsb927798344500-staging because no identity-based policy allows the iam:PassRole action",
            "code": "AccessDeniedException",
            "time": "2021-10-08T06:28:37.445Z",
            "requestId": "3978bf89-5872-460d-b991-c3cd4e5280e1",
            "statusCode": 400,
            "retryable": false,
            "retryDelay": 38.192028876441576
        }
    }
}

I tried creating the role "snsb927798344500-staging" and adding the required policies, but as soon as I try to re-run the `amplify push` command I get an error saying snsb927798344500-staging already exists. So I think Amplify creates the role on every push and deletes it after the process fails. That is why I cannot see the "snsb927798344500-staging" role again after the push process.

That particular message seems to be related to this GitHub issue on the CLI: https://github.com/aws-amplify/amplify-cli/issues/8363

We ran into the same issue today and the following fixed it for us.

Solution copied from there:

This issue is due to a missing policy in the MFALambda role, which was fixed in #7729. Could you try adding the following policy to your auth CloudFormation and see if it fixes the issue? The part that needs to be added is the policy named corecocf3573d0_sns_pass_role_policy.
# Snippet
MFALambdaRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName:
      Fn::If:
        - ShouldNotCreateEnvResources
        - corecocf3573d0_totp_lambda_role
        - Fn::Join:
            - ''
            - - corecocf3573d0_totp_lambda_role
              - '-'
              - Ref: env
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - lambda.amazonaws.com
          Action:
            - sts:AssumeRole
    Policies:
      - PolicyName: corecocf3573d0_totp_pass_role_policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - iam:PassRole
              Resource:
                Fn::If:
                  - ShouldNotCreateEnvResources
                  - arn:aws:iam:::role/corecocf3573d0_totp_lambda_role
                  - Fn::Join:
                      - ''
                      - - arn:aws:iam:::role/corecocf3573d0_totp_lambda_role
                        - '-'
                        - Ref: env
      # New policy
      - PolicyName: corecocf3573d0_sns_pass_role_policy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - 'iam:PassRole'
              Resource: !GetAtt SNSRole.Arn
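To see why the fix above works and why its scoped `Resource` matters, here is an added, self-contained model of the IAM identity-policy decision behind the error in the question. It is illustration code, not code from Amplify, the GitHub issue or the answer: it implements only Effect/Action/Resource matching (explicit Deny wins, otherwise any matching Allow wins, otherwise implicit Deny) and ignores Condition, NotAction, NotResource and resource- or trust-policy evaluation. The role ARNs are assembled from the account id and role names in the error message (the question's stack uses the `storylb9277983` prefix, whereas the snippet above carries the issue reporter's `corecocf3573d0`), the account id is filled into the role ARN that the posted snippet leaves empty, and `AdminRole` is a hypothetical role used only to show what an over-broad `Resource: "*"` would hand out.

```python
"""Offline model of the IAM identity-policy decision behind the error in the
question.  Added illustration, not code from Amplify or the GitHub issue: only
Effect/Action/Resource matching is modelled (explicit Deny wins, otherwise any
Allow wins, otherwise implicit Deny); Condition, NotAction, NotResource and
resource/trust policies are not handled.  The account id is filled into the
lambda-role ARN here although the posted CloudFormation snippet leaves it empty."""
import re

ACCOUNT = "474847889857"   # account id from the error message in the question
ENV = "staging"
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/storylb9277983_totp_lambda_role-{ENV}"
SNS_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/snsb927798344500-{ENV}"
# Hypothetical privileged role, used only to show what an over-broad PassRole grants.
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"


def _iam_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM wildcard matching: '*' is any run of characters, '?' a single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies: dict, action: str, resource: str) -> tuple:
    """Decide `action` on `resource` under a role's inline policies.

    `policies` maps PolicyName -> PolicyDocument, i.e. the Policies list of an
    AWS::IAM::Role after CloudFormation has resolved its intrinsic functions.
    Returns (decision, reason) where decision is "Allow" or "Deny".
    """
    allowed_by = []
    for name, doc in policies.items():
        for stmt in doc["Statement"]:
            # Action names are case-insensitive in IAM; resource ARNs are not.
            action_hit = any(_iam_match(p, action, True) for p in _as_list(stmt["Action"]))
            resource_hit = any(_iam_match(p, resource, False) for p in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", f"explicit deny in {name}"
            allowed_by.append(name)
    if allowed_by:
        return "Allow", "allowed by " + ", ".join(allowed_by)
    return "Deny", "no identity-based policy allows the action"


def _pass_role_policy(resource) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": resource}],
    }


# The MFALambda role as the failing template has it: it may pass only itself,
# so passing the SNS role falls through to an implicit deny.
POLICIES_BEFORE_FIX = {
    "storylb9277983_totp_pass_role_policy": _pass_role_policy(LAMBDA_ROLE_ARN),
}

# The answer's fix: a second inline policy whose Resource is !GetAtt SNSRole.Arn,
# i.e. exactly the env-suffixed SNS role the custom resource hands to SNS.
POLICIES_AFTER_FIX = dict(
    POLICIES_BEFORE_FIX,
    storylb9277983_sns_pass_role_policy=_pass_role_policy(SNS_ROLE_ARN),
)

# The shortcut to avoid: Resource "*" also silences the error, but it lets the
# function hand any role in the account to any service that accepts it.
POLICIES_OVERBROAD = dict(
    POLICIES_BEFORE_FIX,
    storylb9277983_sns_pass_role_policy=_pass_role_policy("*"),
)


def can_pass_sns_role(policies: dict) -> bool:
    """True when the MFALambda role may pass the SNS role under `policies`."""
    return evaluate(policies, "iam:PassRole", SNS_ROLE_ARN)[0] == "Allow"


if __name__ == "__main__":
    cases = [("before fix", POLICIES_BEFORE_FIX), ("after fix", POLICIES_AFTER_FIX),
             ("overbroad", POLICIES_OVERBROAD)]
    for label, pol in cases:
        print(label, "| pass SNS role:", evaluate(pol, "iam:PassRole", SNS_ROLE_ARN))
        print(label, "| pass AdminRole:", evaluate(pol, "iam:PassRole", ADMIN_ROLE_ARN))
```

The "before fix" case reproduces the wording of the CloudWatch error (an implicit deny because no identity-based policy matches), the "after fix" case allows passing the SNS role and nothing else, and the "overbroad" case shows why `Resource: '*'` on `iam:PassRole` is a privilege-escalation path rather than a fix: anyone who can invoke or modify the function could make it pass a more privileged role. Because the SNS role name carries the environment suffix, a hand-written ARN must match it exactly; `!GetAtt SNSRole.Arn` avoids that mismatch and also ties the permission to the role CloudFormation creates, which is the role the question's manual attempt collided with.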
