This repository has been archived by the owner on Jul 18, 2024. It is now read-only.

AWSCloud9 Permissions Issue #191

Closed
narayanpromax opened this issue Dec 14, 2021 · 8 comments

@narayanpromax

narayanpromax commented Dec 14, 2021

AWSCloud9 User created via the IAM console gives numerous "not authorized" permission issues.

It would be better to add a required-permissions policy JSON for all resources, to be used as a template.

@nmoutschen
Contributor

Hey @narayandreamer! What error are you seeing when you're using Cloud9?

@narayanpromax
Author

An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.

The above is the first of a series. When I give the above, then others come; like that, I have to give them one by one as per the error.

@nmoutschen
Contributor

I'm unsure how this issue is related to this sample. As this is an entirely serverless application, it doesn't launch any EC2 instance, thus you don't need to perform any DescribeInstances call.

@narayanpromax
Author

Yes, that I agree. But on the dev environment, as per your getting started guide, if we use AWS Cloud9
[screenshot]

@nmoutschen
Contributor

nmoutschen commented Dec 14, 2021

Ah, I understand now. It looks like you don't have permissions to make API calls from AWS Cloud9. This sample assumes that you're deploying this with a broad set of permissions. Ideally, you would deploy this in a development/playground account for experimentation - where people usually have admin permissions (or close to that).

I cannot help you on this since this is not related to this sample directly. I encourage you to look at https://docs.aws.amazon.com/cloud9/latest/user-guide/credentials.html and/or contact AWS support to help you troubleshoot your Cloud9 environment.

Also, please note you might still encounter issues with Cloud9. There's currently an issue (see #158) as this uses an API Gateway WebSockets API for integration testing, but it doesn't support IP address restrictions - which Cloud9 enforces if you use managed credentials.

@narayanpromax
Author

narayanpromax commented Dec 14, 2021

Ok got it.

According to you, which is the best setup that will work for both dev (I use macOS) and prod? As I need to get it running first, then change various services and add/remove.

@nmoutschen
Contributor

Personally, I use my Mac directly to make changes to this project, then deploy into a dev AWS account (where I have full admin permissions). Then to deploy to production, I use a CI/CD pipeline that has the right permissions.

That said, while there is a sample pipeline in this project, it's still overly broad (see https://github.com/aws-samples/aws-serverless-ecommerce-platform/blob/main/pipeline/resources/service-pipeline-environment.yaml#L30), but scoped down to a single region.

@narayanpromax
Author

OK, I will give it a try from macOS then.
