Unclear error when missing permissions to validate allowed account #362

@liamdawson

When running stack_master, and the current account's ID isn't in the (non-empty) list of allowed_account values, it attempts to fetch account aliases to check if these match. If the current principal isn't permitted to iam:ListAccountAliases, this results in the following error:

$ stack_master validate ap-southeast-2
Executing validate on stack-name in ap-southeast-2
error: Failed to retrieve account aliases. Missing required IAM permission: iam:ListAccountAliases. Use --trace to view backtrace

It becomes a bit clearer if you use --trace:

$ stack_master validate ap-southeast-2 --trace
...
         4: from .../stack_master/lib/stack_master/cli.rb:294:in `execute_if_allowed_account'
         3: from .../stack_master/lib/stack_master/cli.rb:305:in `running_in_allowed_account?'
         2: from .../stack_master/lib/stack_master/identity.rb:10:in `running_in_account?'
         1: from .../stack_master/lib/stack_master/identity.rb:45:in `contains_account_alias?'
.../stack_master/lib/stack_master/identity.rb:22:in `account_aliases': Failed to retrieve account aliases. Missing required IAM permission: iam:ListAccountAliases (StackMaster::Identity::MissingIamPermissionsError)

Ideally, I think the error message returned to the user should make it immediately obvious why stack_master attempted to use that permission.
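
The check order described in this issue, as an added Ruby sketch that is not part of the issue and is not stack_master's code: the alias lookup only runs after the account ID fails to match, and the raised error says so. `AccountCheck`, `StubIam` and `AccessDenied` are hypothetical names, the account ID and aliases are constructed, and treating an empty list as "no restriction" is an assumption.

```ruby
# Added sketch, not stack_master's implementation. All names are hypothetical.
class AccessDenied < StandardError; end # stands in for the SDK's access-denied error
class MissingIamPermissionsError < StandardError; end

# Constructed stub IAM client: returns aliases, or denies iam:ListAccountAliases.
class StubIam
  def initialize(aliases: [], denied: false)
    @aliases = aliases
    @denied = denied
  end

  def list_account_aliases
    raise AccessDenied, 'not authorized to perform iam:ListAccountAliases' if @denied

    @aliases
  end
end

class AccountCheck
  def initialize(account_id:, iam:)
    @account_id = account_id
    @iam = iam
  end

  # True when the current account ID, or one of its aliases, is in `allowed`.
  def running_in_account?(allowed)
    # Assumption: an empty list means no account restriction is configured.
    return true if allowed.empty? || allowed.include?(@account_id)

    # Reached only when the ID did not match, so no IAM call is made otherwise.
    (allowed & account_aliases(allowed)).any?
  end

  private

  # Wraps the denial with the reason the alias lookup was attempted at all.
  def account_aliases(allowed)
    @iam.list_account_aliases
  rescue AccessDenied
    raise MissingIamPermissionsError,
          "Account #{@account_id} is not in the allowed accounts " \
          "(#{allowed.join(', ')}), so account aliases were checked next, " \
          'but this principal lacks iam:ListAccountAliases. Add the account ID ' \
          'to the allowed list or grant that permission.'
  end
end
```

With this ordering, a least-privilege principal that lists its account by ID never needs `iam:ListAccountAliases`; the permission is only exercised on the alias fallback path.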
