Expose Lambda for Custom Resource for SociIndexBuild
While using SociIndexBuild, I'm currently getting the following:
```text
Received response status [FAILED] from custom resource. Message returned: User: arn:aws:sts::<redacted>:assumed-role/<redacted> is not authorized to perform: codebuild:StartBuild on resource: arn:aws:codebuild:<redacted>:project/SociIndexBuild024cf76a10034-qZcibdyitqyI because no identity-based policy allows the codebuild:StartBuild action
```
Because the lambda for the custom resource isn't exposed, I can't easily add the necessary policy.
I suppose I'll need to find the child in the tree and add to the policy manually.
Actually, I shouldn't have to do this at all (though it's still a good idea to expose the underlying lambda, and probably the codebuild project, and role).
This is strange as this is in my Cfn template so it should have permission.
```json
"CoreDockerCbImgSociIndexBuildLatestCustomResourceHandlerinlinePolicyAddedToExecutionRole038E770FC": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyDocument": {
      "Statement": [
        {
          "Action": "codebuild:StartBuild",
          "Effect": "Allow",
          "Resource": {
            "Fn::GetAtt": [
              "SociIndexBuild024cf76a10034aa4aa4b12c32c09ca3cFF24E8AD",
              "Arn"
            ]
          }
        }
      ],
      "Version": "2012-10-17"
    },
    "PolicyName": "CoreDockerCbImgSociIndexBuildLatestCustomResourceHandlerinlinePolicyAddedToExecutionRole038E770FC",
    "Roles": [
      {
        "Ref": "DeployTimeBuildCustomResourceHandlerdb740fd554364a848a09e6dfcd01f4f3ServiceRoleB008BAA4"
      }
    ]
  },
  "DependsOn": [
    "CoreDockerCbImgCoreDockerCbImgECRDeploymentLatestCustomResource084A6E92",
    "CoreDockerCbImgCoreDockerCbImgEcrRepo637145A5"
  ]
}
```
@tmokmss any ideas? It's also strange because this was working previously. I had to add a dependency on ECRDeployment otherwise I was getting the following:
```text
An error occurred (ImageNotFoundException) when calling the DescribeImages operation: The image with imageId {imageDigest:'null', imageTag:'latest'} does not exist within the repository with name 'developmentedcorestage-corestack-<redacted>-nv9lmcdxzaxp' in the registry with id '<redacted>'
```
Other than that, nothing has changed.
It's not entirely clear what's happening here. My first thought was that the CR was being invoked before the Role had the additional policy added, but I checked manually and it seemed that the role was updated with the exec policy and then the Cfn stack failed (it happened within a second of each other so it's difficult to tell).
My best guess is that the CR / Lambda needs explicit dependencies on both DeployTimeBuildCustomResourceHandlerServiceRole and CustomResourceHandlerinlinePolicyAddedToExecutionRole (if it doesn't already)
Hi @BwL1289, thank you for the detailed report! I think it's possible that the custom resource is created before the inline policy is applied, thus resulting in the permission error. I'll look into this tomorrow.
@tmokmss thank you.
@BwL1289 I found there are already required dependencies set. Taking this template as an example:

```text
Image1Index415B9527 (custom resource) ->
DeployTimeBuildCustomResourceHandlerdb740fd554364a848a09e6dfcd01f4f306AEFF37 (CR Lambda Handler) ->
DeployTimeBuildCustomResourceHandlerdb740fd554364a848a09e6dfcd01f4f3ServiceRoleDefaultPolicyFECC51DC (the IAM policy)
```

So this situation won't happen:

> custom resource is created before the inline policy is applied
Does your problem persist? Or was it a transient issue?
@tmokmss it persists. I've had to comment out the soci indexes for now.
The issue is strange as it shouldn't be possible
@BwL1289 Which region are you trying to deploy to? One thing I suspect is the IAM propagation delay, which can vary with regions.
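The IAM propagation delay suspected above is a known failure mode for custom resource handlers: the policy is attached, the stack moves on within a second, and the first `codebuild:StartBuild` call is still denied because the allow has not propagated yet. The following is an added example (it is not code from this issue thread or from the deploy-time-build project) of how a handler can bound that window by retrying only on access-denied errors with exponential backoff. It assumes the client exposes boto3's `start_build(projectName=...)` method and raises a `ClientError` whose `Error.Code` is `AccessDeniedException`; the `ClientError` class and `DenyThenAllowClient` below are constructed stand-ins so the example runs offline.

```python
"""Retry codebuild:StartBuild while a freshly attached IAM policy propagates.

Added example, not part of the original issue. The retry loop is the technique;
ClientError and DenyThenAllowClient are constructed stand-ins for the boto3
objects a real Lambda handler would use.
"""
import time

# Only an explicit deny is worth waiting out; any other error is surfaced at once.
RETRYABLE_CODES = {"AccessDeniedException"}


class ClientError(Exception):
    """Mirrors the shape of botocore.exceptions.ClientError (response['Error']['Code'])."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


class DenyThenAllowClient:
    """Constructed stand-in for a boto3 CodeBuild client: denies the first
    `denials` calls, as IAM does before a new policy has propagated, then succeeds."""

    def __init__(self, denials):
        self.denials = denials
        self.calls = 0

    def start_build(self, projectName):
        self.calls += 1
        if self.calls <= self.denials:
            raise ClientError(
                "AccessDeniedException",
                f"is not authorized to perform: codebuild:StartBuild on resource: {projectName}",
            )
        return {"build": {"id": f"{projectName}:build-1", "buildStatus": "IN_PROGRESS"}}


def start_build_with_retry(client, project_name, attempts=6, base_delay=1.0, sleep=time.sleep):
    """Call client.start_build, retrying only on AccessDeniedException.

    Backoff is base_delay * 2**attempt seconds (1, 2, 4, ... with the defaults),
    so six attempts wait about 31 s in total, well inside a Lambda-backed custom
    resource's timeout. Returns (response, number_of_calls). Re-raises the last
    denial once attempts are exhausted, and re-raises any other error immediately
    so a genuinely missing permission still fails the stack.
    """
    last_error = None
    for attempt in range(attempts):
        try:
            return client.start_build(projectName=project_name), attempt + 1
        except ClientError as err:
            if err.response["Error"]["Code"] not in RETRYABLE_CODES:
                raise
            last_error = err
            if attempt < attempts - 1:
                sleep(base_delay * (2 ** attempt))
    raise last_error


if __name__ == "__main__":
    # Two denials then success: the third call goes through.
    client = DenyThenAllowClient(denials=2)
    response, calls = start_build_with_retry(client, "SociIndexBuild-example", sleep=lambda s: None)
    print(calls, response["build"]["buildStatus"])
```

The important design choice is the allow-list of retryable codes: retrying on every exception would mask real misconfigurations such as a missing statement in the template, whereas retrying only the denial keeps the failure visible once the bounded window passes.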
@tmokmss can I msg you privately? Lmk your email and I'll shoot you a message
Hi @BwL1289 I sent a message to your gmail now.
As soci v1 index is being deprecated now, I close this issue. We can use SociIndexV2Build instead.
Customers new to SOCI on AWS Fargate can only use SOCI index manifest v2.
https://aws.amazon.com/blogs/containers/improving-amazon-ecs-deployment-consistency-with-soci-index-manifest-v2/
Great I'll try it out!