serverless-localstack

MalformedPolicyDocumentException: calling the PutRolePolicy operation: Resource must be in ARN format or "*"

Open johnmee opened this issue 4 years ago • 1 comments

I'm a little stuck with this one and appsync:

botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Resource /aws/appsync/apis/3908675c must be in ARN format or "*"

The CloudFormation template, at the offensive point, reads

"GraphQlApiLogGroup": {
      "Type": "AWS::Logs::LogGroup",
      "Properties": {
        "LogGroupName": {
          "Fn::Join": [
            "/",
            [
              "/aws/appsync/apis",
              {
                "Fn::GetAtt": [
                  "GraphQlApi",
                  "ApiId"
                ]
              }
            ]

Which appears verbatim (the same) when deploying to aws; it doesn't seem to mind specifying a path.

The only mention of LogGroup in the serverless.yml is in a PolicyDocument->Action

              Action:
                - logs:CreateLogGroup

The log goes like this

localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Action "update" not yet implemented for CF resource type AWS::Lambda::LayerVersion
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Handling "Modify" for resource "PythonRequirementsLambdaLayer" (1/13) type "AWS::Lambda::LayerVersion" in loop iteration 1
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Handling "Modify" for resource "ActiveLifeBaseServiceRole" (1/12) type "AWS::IAM::Role" in loop iteration 1
localstack_main | 2021-04-09T07:09:46:INFO:localstack.utils.cloudformation.template_deployer: Updating resource ActiveLifeBaseServiceRole of type IAM::Role
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Action "update" not yet implemented for CF resource type AWS::IAM::ManagedPolicy
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Handling "Modify" for resource "ActiveLifeBasePolicy" (1/11) type "AWS::IAM::ManagedPolicy" in loop iteration 1
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Action "update" not yet implemented for CF resource type AWS::AppSync::GraphQLApi
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Handling "Modify" for resource "GraphQlApi" (1/10) type "AWS::AppSync::GraphQLApi" in loop iteration 1
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Action "update" not yet implemented for CF resource type AWS::Logs::LogGroup
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Handling "Modify" for resource "GraphQlApiLogGroup" (1/9) type "AWS::Logs::LogGroup" in loop iteration 1
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Handling "Modify" for resource "GraphQlApiCloudWatchLogsPolicy" (1/8) type "AWS::IAM::Policy" in loop iteration 1
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Running action "create" for resource type "IAM::Policy" id "GraphQlApiCloudWatchLogsPolicy"
localstack_main | 2021-04-09T07:09:46:DEBUG:localstack.utils.cloudformation.template_deployer: Error applying changes for CloudFormation stack "activelife-base-local": An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Resource /aws/appsync/apis/3908675c must be in ARN format or "*". Traceback (most recent call last):
localstack_main |   File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 1952, in _run
localstack_main |     self.do_apply_changes_in_loop(changes, stack, stack_name)
localstack_main |   File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 1999, in do_apply_changes_in_loop
localstack_main |     self.apply_change(change, stack, new_resources, stack_name=stack_name)
localstack_main |   File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 2052, in apply_change
localstack_main |     result = deploy_resource(resource_id, new_resources, stack_name)
localstack_main |   File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 1097, in deploy_resource
localstack_main |     return execute_resource_action(resource_id, resources, stack_name, ACTION_CREATE)
localstack_main |   File "/opt/code/localstack/localstack/utils/cloudformation/template_deployer.py", line 1196, in execute_resource_action
localstack_main |     result = func['function'](resource_id, resources, resource_type, func, stack_name)
localstack_main |   File "/opt/code/localstack/localstack/services/cloudformation/service_models.py", line 599, in _create
localstack_main |     iam.put_role_policy(RoleName=role, PolicyName=policy_name, PolicyDocument=policy_doc)
localstack_main |   File "/opt/code/localstack/.venv/lib/python3.8/site-packages/botocore/client.py", line 357, in _api_call
localstack_main |     return self._make_api_call(operation_name, kwargs)
localstack_main |   File "/opt/code/localstack/.venv/lib/python3.8/site-packages/botocore/client.py", line 676, in _make_api_call
localstack_main |     raise error_class(parsed_response, operation_name)
localstack_main | botocore.errorfactory.MalformedPolicyDocumentException: An error occurred (MalformedPolicyDocument) when calling the PutRolePolicy operation: Resource /aws/appsync/apis/3908675c must be in ARN format or "*".
localstack_main | 

Is it an issue with the Layer?

You want me to post more logs?

Question is whether to keep banging my head on this wall (my issue), or is it a localstack issue?

johnmee avatar Apr 09 '21 07:04 johnmee

Something new here? I am facing a similar issue using cdk...

elizeire avatar Aug 02 '22 14:08 elizeire

Hi @johnmee, @elizeire,

Apologies for the delayed response. Do you still encounter this issue with the latest localstack version? The issue seems to be related to LocalStack indeed, we already fixed several issues in the meantime.

If you still see the error, could you please provide your serverless.yml and the logs from LocalStack?

steffyP avatar Oct 13 '23 15:10 steffyP

@steffyP

No. I recall I moved along to completely different (non-localstack) options. We can probably ignore or close this, as I didn't actually capture the heart of the problem: what was the invalid ARN?

johnmee avatar Oct 15 '23 21:10 johnmee

@johnmee, thanks for the reply!

what was the invalid ARN?

From the logs I assume it was an issue in LocalStack, probably when parsing a CloudFormation template. We are doing a lot of re-work here lately.

steffyP avatar Oct 16 '23 07:10 steffyP
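
An added example, not code from this issue, serverless-localstack or LocalStack: the error text in the first post shows that the Resource value rejected by PutRolePolicy was the log group name `/aws/appsync/apis/3908675c` rather than an ARN. The sketch below runs the same "ARN or `*`" check over a policy document before deployment; the regex, function names, sample policies, region and account id are assumptions.

```python
import re

# Loose ARN shape: arn:partition:service:region:account-id:resource.
# Assumption for this sketch; IAM's real validation is stricter.
ARN_RE = re.compile(r"^arn:[^:]+:[^:]+:[^:]*:[^:]*:.+$")


def as_list(value):
    """Policy fields may hold one value or a list of values."""
    return value if isinstance(value, list) else [value]


def bad_resources(policy_doc):
    """Return (statement index, value, reason) for each Resource that the
    'must be in ARN format or "*"' rule would reject or cannot yet judge."""
    findings = []
    for idx, stmt in enumerate(as_list(policy_doc.get("Statement", []))):
        for res in as_list(stmt.get("Resource", [])):
            if not isinstance(res, str):
                # Fn::GetAtt / Fn::Join / Ref not resolved to a string yet.
                findings.append((idx, res, "unresolved intrinsic"))
            elif res != "*" and not ARN_RE.match(res):
                findings.append((idx, res, "not an ARN"))
    return findings


def log_group_arn(region, account_id, name):
    """ARN for a CloudWatch Logs log group and its streams (trailing ':*')."""
    return f"arn:aws:logs:{region}:{account_id}:log-group:{name}:*"


# Constructed policies: the Resource string is the one quoted in the error
# message; the extra actions, region and account id are placeholders.
ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
REJECTED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ACTIONS,
                   "Resource": ["/aws/appsync/apis/3908675c"]}],
}
ACCEPTED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ACTIONS,
                   "Resource": [log_group_arn("us-east-1", "000000000000",
                                              "/aws/appsync/apis/3908675c")]}],
}

if __name__ == "__main__":
    print(bad_resources(REJECTED))
    print(bad_resources(ACCEPTED))
```
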