lambda-github-runner

Runner deploy failing trying to get-object from not-yet-created bucket

Open jeff-wishnie opened this issue 2 years ago • 9 comments

Hello, this setup looks very cool. I'm trying to try it out but am getting an error deploying with Terraform, and am not familiar enough with Terraform to easily debug.

There is a step that is attempting to pull a zip from an s3 bucket that has yet to be created that is erroring out.

Any guidance appreciated!

```
╷
│ Error: local-exec provisioner error
│ 
│   with module.lambda_webhook_pull.null_resource.lambda_github_webhook_pull_zip,
│   on webhook_module/main.tf line 2, in resource "null_resource" "lambda_github_webhook_pull_zip":
│    2:     provisioner "local-exec" {
│ 
│ Error running command 'mkdir -p ../files && aws s3api get-object --bucket lambda-github-webhook --key lambda-github-webhook-function.zip --request-payer true ../files/lambda-github-webhook-function.zip': exit status 254. Output: 
│ An error occurred (AccessDenied) when calling the GetObject operation: Access Denied
```

jeff-wishnie Mar 09 '22 21:03

I believe this means your IAM role doesn't have permission to something. It will need to get an object from S3 and it is getting an "AccessDenied".

Can you confirm your IAM Policy that is used while running terraform?

nwestfall Mar 25 '22 13:03

I can confirm that the AWS account has full S3 GetObject permissions.

I think the issue is lack of permissions to retrieve lambda-github-webhook-function.zip from a bucket you own.

jeff-wishnie Mar 28 '22 15:03

Hmm, let me investigate that.

nwestfall Apr 03 '22 22:04

I changed the objects, ACLs, let me know if that works!

nwestfall Apr 03 '22 22:04

I'm also still getting the same permission denied issue. Tested with both a restricted role and administrator access.

michael1997 Apr 19 '22 10:04

Can confirm this is a permissions issue. I manually compiled and created lambda-github-webhook-function.zip and put it in an S3 bucket accessible to me. I then updated webhook_module/main.tf to point to my bucket, and then was able to successfully complete terraform apply.

fgregg May 27 '22 18:05

> I changed the objects, ACLs, let me know if that works!

still doesn't work

tricker-a Jun 14 '22 14:06

A solution to this problem is to change deploy/webhook_module/main.tf to compile the webhook code locally, rather than pulling it from S3:

```
resource "null_resource" "lambda_github_webhook_pull_zip" {
    provisioner "local-exec" {
        command = "mkdir -p ${var.file_destination} && cd ${var.file_destination}/../src/lambda-github-webhook && GOOS=linux go build -o ../../main && cd ../.. && zip ${abspath(var.file_destination)}/lambda-github-webhook-function.zip main"
    }
}
```

ceejatec Oct 02 '23 05:10

> A solution to this problem is to change deploy/webhook_module/main.tf to compile the webhook code locally, rather than pulling it from S3:
>
> ```
> resource "null_resource" "lambda_github_webhook_pull_zip" {
>     provisioner "local-exec" {
>         command = "mkdir -p ${var.file_destination} && cd ${var.file_destination}/../src/lambda-github-webhook && GOOS=linux go build -o ../../main && cd ../.. && zip ${abspath(var.file_destination)}/lambda-github-webhook-function.zip main"
>     }
> }
> ```

This worked for me, thank you!

hnprashanth Jul 02 '24 10:07