Error: Resource handler returned message: "Invalid policy (Service: Iam, Status Code: 400, Request ID: 0b0ac792-14ae-4193-b414-acbded00e700)" (RequestToken: 143b646f-a21c-ad40-e151-f73822c75384, HandlerErrorCode: InvalidRequest)
**Describe the bug**

I deployed the DTH solution in the China region, and when starting the transfer task, CloudFormation encountered an error:

```
Resource handler returned message: "Invalid policy (Service: Iam, Status Code: 400, Request ID: 0b0ac792-14ae-4193-b414-acbded00e700)" (RequestToken: 143b646f-a21c-ad40-e151-f73822c75384, HandlerErrorCode: InvalidRequest)
```
While investigating the error message, it seems to be related to the following permission issue:

```json
"FinderStackFinderRoleDefaultPolicy820CDD13": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyDocument": {
      "Statement": [
        {
          "Action": "cloudformation:SignalResource",
          "Effect": "Allow",
          "Resource": { "Ref": "AWS::StackId" }
        },
        {
          "Action": [ "sqs:SendMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl" ],
          "Effect": "Allow",
          "Resource": { "Fn::GetAtt": [ "S3TransferQueue", "Arn" ] }
        },
        {
          "Action": [ "s3:GetObject*", "s3:GetBucket*", "s3:List*" ],
          "Effect": "Allow",
          "Resource": [
            { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::", { "Ref": "srcBucket" } ] ] },
            { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::", { "Ref": "srcBucket" }, "/*" ] ] }
          ]
        },
        {
          "Action": [ "s3:GetObject", "s3:GetBucket*", "s3:List*" ],
          "Effect": "Allow",
          "Resource": [
            { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::", { "Ref": "destBucket" } ] ] },
            { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::", { "Ref": "destBucket" }, "/*" ] ] }
          ]
        },
        {
          "Action": [ "s3:GetObject", "s3:GetBucket*", "s3:List*" ],
          "Effect": "Allow",
          "Resource": [
            { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::", { "Ref": "srcPrefixListBucket" } ] ] },
            { "Fn::Join": [ "", [ "arn:", { "Ref": "AWS::Partition" }, ":s3:::", { "Ref": "srcPrefixListBucket" }, "/*" ] ] }
          ]
        },
        {
          "Action": [ "states:ListExecutions", "states:ListStateMachines" ],
          "Effect": "Allow",
          "Resource": { "Ref": "MultiPartStateMachinemultiPartControllerStateMachine59B94F06" }
        },
        {
          "Action": [ "states:DescribeExecution", "states:DescribeStateMachineForExecution", "states:GetExecutionHistory" ],
          "Effect": "Allow",
          "Resource": {
            "Fn::Join": [ "", [
              "arn:", { "Ref": "AWS::Partition" }, ":states:", { "Ref": "AWS::Region" }, ":", { "Ref": "AWS::AccountId" }, ":execution:",
              { "Fn::Select": [ 6, { "Fn::Split": [ ":", { "Ref": "MultiPartStateMachinemultiPartControllerStateMachine59B94F06" } ] } ] },
              ":"
            ] ]
          }
        },
        {
          "Action": [ "states:ListActivities", "states:DescribeStateMachine", "states:DescribeActivity" ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ],
      "Version": "2012-10-17"
    },
    "PolicyName": "FinderStackFinderRoleDefaultPolicy820CDD13",
    "Roles": [ { "Ref": "FinderStackFinderRoleA666A5A8" } ]
  },
  "Metadata": {
    "aws:cdk:path": "DataTransferS3Stack/FinderStack/FinderRole/DefaultPolicy/Resource"
  }
}
```
**To Reproduce**

Deploy the DTH solution in the China region and start the transfer task. The transfer status changes from Starting to Error, and the error message is displayed in CloudFormation.

**Expected behavior**

Fix the problem.
Please complete the following information about the solution:
- [ ] Version: [v2.6.3]
- [ ] Region: [cn-north-1]
- [ ] Was the solution modified from the version published on this repository? [no]
- [ ] If the answer to the previous question was yes, are the changes available on GitHub?
- [ ] Have you checked your service quotas for the services this solution uses? [yes]
- [ ] Were there any errors in the CloudWatch Logs? [no]
Hi @zzy139, thank you for reporting this issue. Could you please provide more details about the solution deployment and the transfer configuration? In which region is the Data Transfer Hub solution deployed, what are the regions of the source and destination buckets, and how have the S3 credentials been configured?
Hi @zzy139, we were able to reproduce this behavior and identified the root cause as the S3 read permissions for `srcPrefixListBucket` when the Transfer Type is set to Full Bucket (i.e., when `srcPrefixListBucket` is not provided). This configuration results in an IAM policy statement with `"Resource": ["arn:aws-cn:s3:::", "arn:aws-cn:s3:::/*"]`, which causes a `MalformedPolicyDocumentException`.
To address this issue, we will need to introduce a new CloudFormation condition to ensure that this policy is only applied when srcPrefixListBucket is provided.
As a workaround until the fix is released, you can set the Transfer Type to Objects with different prefixes and do NOT provide/upload any prefix list (.txt file) to the root directory of the Solution’s logging bucket. This will ensure that the FinderStackFinderRoleDefaultPolicy does not fail, and the Full Bucket is transferred successfully.
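The failure and the fix described in the reply above can be checked before a deployment ever reaches IAM. The following is an added example, not code from the Data Transfer Hub project: it resolves the `Fn::Join` S3 ARNs of a policy document against a set of parameter values (constructed here, with `srcPrefixListBucket` left empty as in a Full Bucket task), flags any resource whose bucket component is empty, and models the proposed CloudFormation condition by wrapping the prefix-list statement in `Fn::If` with `AWS::NoValue`. The condition name `HasSrcPrefixListBucket`, the bucket names and the reduced statement set are assumptions for the example.

```python
"""Added example, not Data Transfer Hub project code.

Resolves Ref / Fn::Join / Fn::If in an IAM policy document the way CloudFormation
would at deploy time, reports S3 ARNs that end up with an empty bucket name
(IAM rejects those as a malformed policy document), and shows a conditional
statement that is dropped when the srcPrefixListBucket parameter is empty.
"""
import json
import re

# An S3 ARN whose bucket name is empty: nothing (or only "/...") after ":s3:::".
S3_EMPTY_BUCKET = re.compile(r"^arn:[^:]*:s3:::(/.*)?$")

# Sentinel standing in for {"Ref": "AWS::NoValue"}; CloudFormation removes the
# property (or list element) whose Fn::If branch resolves to it.
NO_VALUE = object()

# Hypothetical condition name; the real fix may use a different one.
CONDITIONS = {
    "HasSrcPrefixListBucket": {
        "Fn::Not": [{"Fn::Equals": [{"Ref": "srcPrefixListBucket"}, ""]}]
    }
}


def evaluate_condition(cond, params):
    """Evaluate the condition functions used here (Fn::Equals, Fn::Not)."""
    (key, val), = cond.items()
    if key == "Fn::Equals":
        left, right = (resolve(x, params) for x in val)
        return left == right
    if key == "Fn::Not":
        return not evaluate_condition(val[0], params)
    raise ValueError(f"unsupported condition function: {key}")


def resolve(node, params, conditions=None):
    """Resolve Ref, Fn::Join and Fn::If recursively; other intrinsics are left as-is."""
    conditions = conditions or {}
    if isinstance(node, dict) and len(node) == 1:
        (key, val), = node.items()
        if key == "Ref":
            return NO_VALUE if val == "AWS::NoValue" else params.get(val, node)
        if key == "Fn::Join":
            sep, parts = val
            return sep.join(str(resolve(p, params, conditions)) for p in parts)
        if key == "Fn::If":
            name, if_true, if_false = val
            branch = if_true if evaluate_condition(conditions[name], params) else if_false
            return resolve(branch, params, conditions)
    if isinstance(node, dict):
        resolved = {k: resolve(v, params, conditions) for k, v in node.items()}
        return {k: v for k, v in resolved.items() if v is not NO_VALUE}
    if isinstance(node, list):
        items = (resolve(i, params, conditions) for i in node)
        return [i for i in items if i is not NO_VALUE]
    return node


def bucket_read_statement(bucket_param):
    """Read-only statement in the same Fn::Join shape as the template in the report."""
    def arn(suffix):
        return {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":s3:::",
                                  {"Ref": bucket_param}, suffix]]}
    return {"Action": ["s3:GetObject", "s3:GetBucket*", "s3:List*"],
            "Effect": "Allow",
            "Resource": [arn(""), arn("/*")]}


def finder_policy(guard_prefix_list):
    """Reduced finder policy; with guard_prefix_list=True the prefix-list statement is conditional."""
    prefix_stmt = bucket_read_statement("srcPrefixListBucket")
    if guard_prefix_list:
        prefix_stmt = {"Fn::If": ["HasSrcPrefixListBucket", prefix_stmt, {"Ref": "AWS::NoValue"}]}
    return {"Version": "2012-10-17",
            "Statement": [bucket_read_statement("srcBucket"),
                          bucket_read_statement("destBucket"),
                          prefix_stmt]}


def malformed_s3_resources(policy_doc, params, conditions=CONDITIONS):
    """Render the policy for the given parameters and return S3 ARNs with an empty bucket."""
    rendered = resolve(policy_doc, params, conditions)
    bad = []
    for stmt in rendered["Statement"]:
        resources = stmt.get("Resource", [])
        for r in ([resources] if isinstance(resources, str) else resources):
            if isinstance(r, str) and S3_EMPTY_BUCKET.match(r):
                bad.append(r)
    return bad


# Constructed parameters for a Full Bucket task in the China partition: the
# prefix-list bucket is left empty, which is the case the report hits.
FULL_BUCKET_PARAMS = {
    "AWS::Partition": "aws-cn",
    "srcBucket": "example-src-bucket",
    "destBucket": "example-dest-bucket",
    "srcPrefixListBucket": "",
}

if __name__ == "__main__":
    print("unguarded:", malformed_s3_resources(finder_policy(False), FULL_BUCKET_PARAMS))
    print("guarded:  ", malformed_s3_resources(finder_policy(True), FULL_BUCKET_PARAMS))
    print(json.dumps(resolve(finder_policy(True), FULL_BUCKET_PARAMS, CONDITIONS), indent=2))
```

Run it as-is and the unguarded policy reports `arn:aws-cn:s3:::` and `arn:aws-cn:s3:::/*`, the two resources the maintainers quote; with the guard the third statement disappears from the rendered document and nothing is flagged. Supplying a non-empty `srcPrefixListBucket` brings the statement back with a well-formed ARN, which is the behaviour the proposed condition is meant to give.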