Description
Describe the bug
The permissions defined for the role CMF-MGNAutomation deployed to the target accounts are missing permissions required to run post-launch actions.
To Reproduce
Follow instructions here to remove vmware tools.
When a test cutover runs, the following error appears:
An error occurred (AccessDeniedException) when calling the GetDocument operation: User: arn:aws:sts:::assumed-role/CMF-MGNAutomation/cloud-migration-factory-prod-MGNLambdaRole is not authorized to perform: ssm:GetDocument on resource: arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript because no identity-based policy allows the ssm:GetDocument action
ssm:GetDocument is not the only missing action; adding the ssm:GetDocument permission leads to the following two actions also being missing:
- ssm:SendCommand
- ssm:StartSession
Expected behavior
I expect the post-launch actions to run.
Please complete the following information about the solution:
- Version: 3.3.4
To get the version of the solution, you can look at the description of the created CloudFormation stack. For example, "(SO0097) - AWS CloudEndure Migration Factory Solution. Version v1.1.0".
- Region: us-east-1
- [No] Was the solution modified from the version published on this repository?
- [N/A] If the answer to the previous question was yes, are the changes available on GitHub?
- [N/A] Have you checked your service quotas for the services this solution uses?
- Were there any errors in the CloudWatch Logs?
Screenshots
None
Additional context
PR Incoming to fix these issues.
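A simplified offline check for the gap reported above, added here as an example and not taken from the issue or the solution's code: it lists which of the three SSM actions a set of IAM policy documents fails to grant, so all gaps surface at once instead of one AccessDeniedException at a time. The function names and the sample policy are constructed; Resource, Condition and NotAction are not evaluated, and an explicit Deny on an action is treated as blocking it.

```python
import json
import re

# Actions the issue reports as missing from the CMF-MGNAutomation role.
REQUIRED_ACTIONS = ["ssm:GetDocument", "ssm:SendCommand", "ssm:StartSession"]


def _as_list(value):
    """IAM accepts a single item wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def missing_actions(policy_documents, required=REQUIRED_ACTIONS):
    """Return required actions with no Allow statement, or with a Deny.

    Assumption: action-level check only. Resource, Condition and
    NotAction are ignored, so a pass here is necessary, not sufficient.
    """
    allowed, denied = set(), set()
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            target = allowed if stmt.get("Effect") == "Allow" else denied
            for pattern in _as_list(stmt.get("Action")):
                target.update(a for a in required if _matches(pattern, a))
    return [a for a in required if a not in allowed or a in denied]


# Constructed sample policy (not the solution's real policy document).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["mgn:*", "ssm:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ssm:getdocument", "Resource": "*"}
  ]
}
""")

if __name__ == "__main__":
    print(missing_actions([SAMPLE_POLICY]))
```

Pass it every inline and attached policy document of the role as parsed JSON; an empty list means each action has at least one Allow statement.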