
AccessDenied when running cfn submit due to SCP

Open janquijano29 opened this issue 4 years ago • 3 comments

The artifacts bucket created has a Deny for insecure transfer, but the upload task does not use SSE. The workaround for it is adding ExtraArgs={'ServerSideEncryption': 'AES256'}.

[2020-11-11T00:30:21Z] DEBUG    - S3 upload resulted in unknown ClientError
Traceback (most recent call last):
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/rpdk/core/upload.py", line 170, in upload
    self.s3_client.upload_fileobj(fileobj, self.bucket_name, key)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/boto3/s3/inject.py", line 539, in upload_fileobj
    return future.result()
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/s3transfer/futures.py", line 106, in result
    return self._coordinator.result()
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/s3transfer/futures.py", line 265, in result
    raise self._exception
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/s3transfer/tasks.py", line 126, in __call__
    return self._execute_main(kwargs)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/s3transfer/tasks.py", line 150, in _execute_main
    return_value = self._main(**kwargs)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/s3transfer/upload.py", line 692, in _main
    client.put_object(Bucket=bucket, Key=key, Body=body, **extra_args)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
[2020-11-11T00:30:21Z] DEBUG    - Caught downstream error
Traceback (most recent call last):
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/rpdk/core/upload.py", line 170, in upload
    self.s3_client.upload_fileobj(fileobj, self.bucket_name, key)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/boto3/s3/inject.py", line 539, in upload_fileobj
    return future.result()
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/s3transfer/futures.py", line 106, in result
    return self._coordinator.result()
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/s3transfer/futures.py", line 265, in result
    raise self._exception
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/s3transfer/tasks.py", line 126, in __call__
    return self._execute_main(kwargs)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/s3transfer/tasks.py", line 150, in _execute_main
    return_value = self._main(**kwargs)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/s3transfer/upload.py", line 692, in _main
    client.put_object(Bucket=bucket, Key=key, Body=body, **extra_args)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/botocore/client.py", line 635, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/rpdk/core/cli.py", line 100, in main
    args.command(args)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/rpdk/core/submit.py", line 21, in submit
    args.set_default,
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/rpdk/core/project.py", line 395, in submit
    f, endpoint_url, region_name, role_arn, use_role, set_default
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/rpdk/core/project.py", line 683, in _upload
    s3_url = uploader.upload(self.hypenated_name, fileobj)
  File "/root/.pyenv/versions/3.7.7/lib/python3.7/site-packages/rpdk/core/upload.py", line 173, in upload
    raise DownstreamError("Failed to upload artifacts to S3") from e
rpdk.core.exceptions.DownstreamError: Failed to upload artifacts to S3

janquijano29 · Nov 11 '20 02:11
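The traceback above shows why the denial is deterministic: s3transfer ends in `client.put_object(Bucket=bucket, Key=key, Body=body, **extra_args)` with an empty `extra_args`, so the request carries no `x-amz-server-side-encryption` header, and a policy that conditions `s3:PutObject` on that header denies it regardless of the bucket's default encryption (default encryption is applied by S3 after authorization, so it never satisfies a header-based condition). The following added example, which is not code from cloudformation-cli or from the reporter, models that evaluation. The SCP shape is an assumption, since the thread does not show the real policy: it is the common pattern of a `Null` condition that denies uploads lacking the header, plus a `StringNotEqualsIfExists` condition that restricts the algorithm. The helper `sse_extra_args` builds the `ExtraArgs` dict the reporter passed to `upload_fileobj`; `denied_by` and `request_context` are hypothetical names for this model.

```python
"""Model of a "deny unencrypted S3 uploads" SCP and the ExtraArgs workaround.

Added example, not cloudformation-cli code. The SCP below is an ASSUMED shape;
the issue thread does not show the reporter's actual policy.
"""
from fnmatch import fnmatch

# Constructed sample SCP (assumption): deny s3:PutObject unless the request
# carries x-amz-server-side-encryption with an accepted algorithm.
DENY_UNENCRYPTED_UPLOADS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUnencryptedObjectUploads",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            # Null/true matches when the key is ABSENT from the request.
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {
            "Sid": "DenyWrongEncryptionAlgorithm",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {
                "StringNotEqualsIfExists": {
                    "s3:x-amz-server-side-encryption": ["AES256", "aws:kms"]
                }
            },
        },
    ],
}

# boto3 ExtraArgs name -> request header / IAM condition key it turns into.
EXTRA_ARG_TO_CONDITION_KEY = {
    "ServerSideEncryption": "s3:x-amz-server-side-encryption",
    "SSEKMSKeyId": "s3:x-amz-server-side-encryption-aws-kms-key-id",
}


def sse_extra_args(algorithm="AES256", kms_key_id=None):
    """ExtraArgs for upload_fileobj/upload_file (the workaround from the issue)."""
    if algorithm not in ("AES256", "aws:kms"):
        raise ValueError(f"unsupported SSE algorithm: {algorithm}")
    extra = {"ServerSideEncryption": algorithm}
    if algorithm == "aws:kms" and kms_key_id:
        extra["SSEKMSKeyId"] = kms_key_id
    return extra


def request_context(action, extra_args=None):
    """Condition keys a PutObject request exposes to policy evaluation.
    Bucket default encryption is deliberately NOT reflected here: S3 applies
    it after authorization, so it never satisfies a header-based condition."""
    keys = {}
    for arg, value in (extra_args or {}).items():
        cond_key = EXTRA_ARG_TO_CONDITION_KEY.get(arg)
        if cond_key is not None:
            keys[cond_key] = value
    return {"action": action, "keys": keys}


def _condition_matches(condition, keys):
    """Evaluate the IAM operators used above; every pair must hold."""
    for operator, pairs in condition.items():
        for cond_key, expected in pairs.items():
            present = cond_key in keys
            values = expected if isinstance(expected, list) else [expected]
            if operator == "Null":
                want_absent = str(values[0]).lower() == "true"
                if present == want_absent:
                    return False
            elif operator in ("StringNotEqualsIfExists", "StringNotEquals"):
                # Both are satisfied by an absent key; the plain form is
                # usually paired with a Null statement, as above.
                if present and keys[cond_key] in values:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def denied_by(policy, ctx):
    """Sid of the first Deny statement that applies, else None.
    An SCP only restricts: an explicit Deny wins over any Allow elsewhere."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if not any(fnmatch(ctx["action"], pattern) for pattern in actions):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx["keys"]):
            return stmt.get("Sid")
    return None


if __name__ == "__main__":
    bare = request_context("s3:PutObject")  # what cfn submit sent
    fixed = request_context("s3:PutObject", sse_extra_args())
    print("without ExtraArgs:", denied_by(DENY_UNENCRYPTED_UPLOADS, bare))
    print("with ExtraArgs:", denied_by(DENY_UNENCRYPTED_UPLOADS, fixed))
```

Run as a script it reports the bare upload denied by `DenyUnencryptedObjectUploads` and the upload with `ExtraArgs` not denied, which is exactly the difference the reporter observed. When checking a real account, compare the policy's condition keys against the headers boto3 actually sends rather than against the bucket configuration.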

The ArtifactBucket has default encryption enabled for objects that are uploaded without a specific encryption setting, so adding ServerSideEncryption should not be needed to have encryption at rest.

Do you have an IAM policy or SCP that forces you to explicitly set that?

benbridts · Nov 11 '20 22:11

Oh yeah. Sorry, forgot to mention. We have an SCP that enforces SSE for transfers.

janquijano29 · Nov 11 '20 23:11

Similar to https://github.com/aws-cloudformation/cloudformation-cli/issues/466

PatMyron · Apr 29 '21 00:04