bhalgalix

Reputation: 29

Error creating a skill with CloudFormation

I have been developing Alexa skills for a month and want to create them via CloudFormation. For that I am using this:

Lambda function

{
   "AWSTemplateFormatVersion": "2010-09-09",
   "Description": "Lambda Function from Cloud Formation by Felix Vazquez",
   "Resources": {
      "Lambda1": {
         "Type": "AWS::Lambda::Function",
         "Properties": {
            "Code": {
               "S3Bucket": "felix-lambda-code",
               "S3Key": "hello_lambda.zip"
            },
            "Description": "Test with Cloud Formation",
            "FunctionName": "Felix-hello-world1234",
            "Handler": "lambda_function.lambda_handler",
            "Role": "arn:aws:iam::776831754616:role/testRol",
            "Runtime": "python2.7"
         }
      }
   }
}

Alexa Skill

{
    "Resources": {
        "23LT3": {
            "Type": "Alexa::ASK::Skill",
            "Properties": {
                "AuthenticationConfiguration": {
                    "ClientId": "+my client ID+",
                    "ClientSecret": "+my client Secret+",
                    "RefreshToken": "+The token i generate via lwa+"
                },
                "VendorId": "+my vendor ID+",
                "SkillPackage": {
                    "S3Bucket": "myskillpackagebucket",
                    "S3Key": "my_function10.zip",
                    "S3BucketRole": {
                        "Fn::GetAtt": [
                            "IAMRU6TJ",
                            "Arn"
                        ]
                    },
                    "Overrides": {
                        "Manifest": {
                            "apis": {
                                "custom": {
                                    "endpoint": {
                                        "uri": {
                                            "Fn::GetAtt": [
                                                "Lambda1",
                                                "Arn"
                                            ]
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

IAM Role

{
    "Resources": {
        "IAMRU6TJ": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "s3.amazonaws.com",
                                    "lambda.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                },
                "Path": "/",
                "Policies": [
                    {
                        "PolicyName": "root",
                        "PolicyDocument": {
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": "*",
                                    "Resource": "*"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    }
}

The skill depends on the Lambda and the IAM role. When I "Create the Stack", after some seconds it gives me this error:

Could not assume the provided role. Reason: Access denied (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: b2e8762c-2593-11e9-b3ec-872599411915)

For the token I use

ask util generate-lwa-tokens --scope "alexa::ask:skills:readwrite alexa::ask:models:readwrite profile"

[image: Event after execution]

Upvotes: 1

Views: 273

Answers (2)

Chris

Reputation: 21

I struggled to find the necessary details documented anywhere. Here is the role I used to get this working.

  AlexaReadRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - alexa-appkit.amazon.com
            Sid: AllowServiceToAssumeRole
        Version: 2012-10-17
      Policies:
        - PolicyName: "AlexaS3Read"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "s3:GetObject"
                Resource: "arn:aws:s3:::<bucket-name>/<path-to-alexa-files>/*"
    Type: AWS::IAM::Role

Upvotes: 0

JeremiahOwen

Reputation: 58

Your Alexa::ASK::Skill resource: 23LT3['Properties']['SkillPackage']['S3BucketRole']

The docs say ARN of the role that grants the Alexa service permission to access the bucket and retrieve the skill package. This role is optional, and if not provided the bucket must be configured with a policy allowing this access, or be publicly accessible, in order for AWS CloudFormation to create the skill.

Currently your role is allowing s3.amazonaws.com and lambda.amazonaws.com to assume a role that can do anything in your AWS account; however, you need to allow "the Alexa service the permission..."

Best practice would be to use the least privilege necessary, but I get it if you are just testing it out.

Upvotes: 3
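The two answers above pin down the same two defects in the question's role: the trust policy names the wrong service principals, so the Alexa service cannot assume it (the STS AccessDenied in the question), and the inline policy is Action "*" on Resource "*" instead of s3:GetObject on the skill-package path. The following is an added example, not code from either answer or from the question: a small stdlib-only Python check that reads AWS::IAM::Role resources out of a JSON CloudFormation template and reports both problems. The two role definitions embedded below are constructed from the question's IAMRU6TJ role and from Chris's AlexaReadRole (converted to JSON); the service principal alexa-appkit.amazon.com is the one Chris's answer uses. Function names such as check_skill_package_role are mine and not part of any AWS tool.

```python
import json

# Constructed from the question's role: trusts S3/Lambda, inline policy is "*" on "*".
QUESTION_ROLE = {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Service": ["s3.amazonaws.com", "lambda.amazonaws.com"]},
                "Action": ["sts:AssumeRole"],
            }],
        },
        "Policies": [{
            "PolicyName": "root",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
            },
        }],
    },
}

# Constructed from Chris's answer: trusts the Alexa service, reads one S3 prefix only.
ANSWER_ROLE = {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Sid": "AllowServiceToAssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": ["alexa-appkit.amazon.com"]},
                "Action": ["sts:AssumeRole"],
            }],
        },
        "Policies": [{
            "PolicyName": "AlexaS3Read",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": "s3:GetObject",
                    "Resource": "arn:aws:s3:::<bucket-name>/<path-to-alexa-files>/*",
                }],
            },
        }],
    },
}

ALEXA_SERVICE_PRINCIPAL = "alexa-appkit.amazon.com"


def _as_list(value):
    """IAM documents allow a scalar or a list for Principal/Action/Resource; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def roles_in_template(template):
    """Map logical id -> resource for every AWS::IAM::Role in a parsed template."""
    return {lid: res for lid, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::IAM::Role"}


def trusted_services(role):
    """Service principals that Allow statements grant sts:AssumeRole in the trust policy."""
    services = set()
    doc = role["Properties"]["AssumeRolePolicyDocument"]
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def wildcard_statements(role):
    """Inline policy Allow statements with Action '*' or Resource '*' (least-privilege check)."""
    hits = []
    for policy in _as_list(role["Properties"].get("Policies")):
        for stmt in _as_list(policy["PolicyDocument"].get("Statement")):
            actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
            if stmt.get("Effect") == "Allow" and ("*" in actions or "*" in resources):
                hits.append((policy["PolicyName"], actions, resources))
    return hits


def check_skill_package_role(role, expected_service=ALEXA_SERVICE_PRINCIPAL):
    """Findings for a role meant to be used as SkillPackage.S3BucketRole; empty list means OK."""
    findings = []
    trusted = trusted_services(role)
    if expected_service not in trusted:
        findings.append(f"trust policy does not allow {expected_service}; trusted: {sorted(trusted)}")
    for name, actions, resources in wildcard_statements(role):
        findings.append(f"policy {name} allows actions {actions} on resources {resources}")
    return findings


if __name__ == "__main__":
    # Wrap the constructed roles in a template shape, as json.load(open(path)) would yield.
    template = {"Resources": {"IAMRU6TJ": QUESTION_ROLE, "AlexaReadRole": ANSWER_ROLE}}
    for logical_id, role in roles_in_template(template).items():
        print(logical_id, json.dumps(check_skill_package_role(role), indent=2))
```

Run against the question's role it reports two findings (missing Alexa trust, wildcard policy); against Chris's role it reports none. Point it at a real template with `json.load` in place of the constructed dict; YAML templates need a YAML parser first, which this stdlib-only example deliberately leaves out.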
