aws-sdk-js-v3

[route53][waitUntilResourceRecordSetsChanged] waits endlessly if no permissions

Open Faithfinder opened this issue 3 years ago • 2 comments

Describe the bug

waitUntilResourceRecordSetsChanged from @aws-sdk/client-route-53 doesn't throw if you don't have route53:GetChange permission

Your environment

SDK version number

@aws-sdk/[email protected]

Is the issue in the browser/Node.js/ReactNative?

Node.js

Details of the browser/Node.js/ReactNative version

Lambda, really

Steps to reproduce

Have a lambda like this, without route53:GetChange permission

const result = await r53Client.send(createRecordCommand);
await waitUntilResourceRecordSetsChanged(
    { client: r53Client, maxWaitTime: Infinity },
    { Id: result.ChangeInfo?.Id }
);

Observed behavior

Waiter never exits

Expected behavior

Waiter throws

Additional context

Sure, Infinity in the maxWaitTime is cheeky, but I don't think it's entirely relevant - I still want the waiter to throw if there's no permission.

Faithfinder, Dec 02 '21 22:12

This happens in all the waiters, I presume.

I was pulling my hair out trying to figure out why my ECS waitUntilTasksRunning and waitUntilTasksStopped were hanging for no reason.

webdestroya, Aug 29 '22 08:08

Can confirm - this happened for my waiters as well.

ghmeier, Mar 09 '23 02:03

Hi there,

This is the intended behavior. The waiter's definition of when to "exit" the await state is defined upstream with the service model itself. I go over why this might be the intended behavior here.

I understand that having the underlying errors swallowed makes them hard to discover. Because of this you can enable the logger on your client to see the underlying error like so:

const r53Client = new Route53Client({
    region: "us-east-1",
    logger: console,
});

/*
{
  clientName: 'Route53Client',
  commandName: 'GetChangeCommand',
  input: { Id: 'REDACTED' },
  error: AccessDenied: User: arn:aws:sts::REDACTED:assumed-role/Route53LimitedAccessRole/testRoute53Session is not authorized to perform: route53:GetChange on resource: arn:aws:route53:::change/REDACTED with an explicit deny in an identity-based policy
      at throwDefaultError (/Users/rvaknin/test_folder/3081/node_modules/@smithy/smithy-client/dist-cjs/index.js:838:20)
      at /Users/rvaknin/test_folder/3081/node_modules/@smithy/smithy-client/dist-cjs/index.js:847:5
      at de_CommandError (/Users/rvaknin/test_folder/3081/node_modules/@aws-sdk/client-route-53/dist-cjs/index.js:4141:14)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async /Users/rvaknin/test_folder/3081/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
      at async /Users/rvaknin/test_folder/3081/node_modules/@smithy/core/dist-cjs/index.js:165:18
      at async /Users/rvaknin/test_folder/3081/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
      at async /Users/rvaknin/test_folder/3081/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:33:22
      at async checkState (/Users/rvaknin/test_folder/3081/node_modules/@aws-sdk/client-route-53/dist-cjs/index.js:7725:20)
      at async runPolling (/Users/rvaknin/test_folder/3081/node_modules/@smithy/util-waiter/dist-cjs/index.js:99:48) {
    '$fault': 'client',
    '$metadata': {
      httpStatusCode: 403,
      requestId: 'REDACTED',
      extendedRequestId: undefined,
      cfId: undefined,
      attempts: 1,
      totalRetryDelay: 0
    },
    Type: 'Sender',
    Code: 'AccessDenied'
  },
*/

Thanks, Ran~

RanVaknin, May 06 '24 17:05
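
Since the thread reports that the stock waiter keeps polling through the AccessDenied error shown in the log output above, one option is a small polling loop of your own that treats authorization failures as terminal. This is an added example, not code from the thread or the SDK; `waitForInsync`, `isAuthError` and the `getChange` callback are hypothetical names, and the set of error codes treated as terminal is an assumption.

```javascript
// Added example (not SDK code): poll GetChange, but stop on authorization
// failures instead of retrying them until the deadline.
const AUTH_CODES = new Set(["AccessDenied", "AccessDeniedException"]); // assumed list

// True for errors shaped like the AccessDenied object in the log output above.
// HTTP 403 also covers expired or invalid credentials, which retries will not fix.
function isAuthError(err) {
  if (!err || typeof err !== "object") return false;
  return err.$metadata?.httpStatusCode === 403 ||
    AUTH_CODES.has(err.Code) || AUTH_CODES.has(err.name);
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// getChange: hypothetical callback returning the GetChange response, e.g.
//   () => r53Client.send(new GetChangeCommand({ Id: changeId }))
async function waitForInsync(getChange, { maxWaitSeconds = 300, delaySeconds = 5 } = {}) {
  // Refuse an unbounded wait so a broken role cannot pin a Lambda until its timeout.
  if (!Number.isFinite(maxWaitSeconds) || maxWaitSeconds <= 0) {
    throw new RangeError("maxWaitSeconds must be a finite positive number");
  }
  const deadline = Date.now() + maxWaitSeconds * 1000;
  let attempts = 0;
  let lastError;
  while (Date.now() < deadline) {
    attempts += 1;
    try {
      const res = await getChange();
      if (res?.ChangeInfo?.Status === "INSYNC") return { state: "SUCCESS", attempts };
      lastError = undefined; // still PENDING
    } catch (err) {
      // A missing route53:GetChange permission will not fix itself: stop now.
      if (isAuthError(err)) {
        throw new Error(`polling denied after ${attempts} attempt(s): ${err.message}`, { cause: err });
      }
      lastError = err; // anything else is retried until the deadline
    }
    await sleep(delaySeconds * 1000);
  }
  throw new Error(`timed out after ${attempts} attempt(s)`, { cause: lastError });
}
```

The original error is kept on `cause`, so the role ARN and denied action from the service message are still available to whatever logs the failure.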

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

github-actions[bot], May 21 '24 00:05