I have an AWS CDK script that I'm now unable to deploy. I could deploy it before adding a bucket policy. After adding a bucket policy, it fails to deploy. Here's the Python code:
bucket = aws_s3.Bucket(
self,
"myBucket",
bucket_name="mybucket",
access_control=aws_s3.BucketAccessControl.PRIVATE,
versioned=True,
encryption=aws_s3.BucketEncryption.S3_MANAGED,
block_public_access=aws_s3.BlockPublicAccess.BLOCK_ALL
)
policy_statement = aws_iam.PolicyStatement(
effect=aws_iam.Effect.DENY,
actions=["*"],
resources=[bucket.arn_for_objects("*")],
conditions={ "Bool": { "aws:SecureTransport": "false" } }
)
policy_statement.add_any_principal()
bucket.add_to_resource_policy(policy_statement)
I deploy this stack using this command: cdk deploy --require-approval=never
And I see the following error:
2/4 | 10:01:03 AM | CREATE_IN_PROGRESS | AWS::S3::BucketPolicy | myBucket/Policy (myBucketPolicyAFBF75F8)
3/4 | 10:01:04 AM | CREATE_FAILED | AWS::S3::BucketPolicy | myBucket/Policy (myBucketPolicyAFBF75F8) API: s3:PutBucketPolicy Access Denied
The user I'm using to deploy this is an admin user with access to everything. I've confirmed that I can log into the console, create this bucket, and add this Bucket Policy with this same user, but for some reason I get a permission denied error when deploying the CDK script.
I'm relatively new to CDK and AWS, so, it may be something simple that I'm missing. Any help would be appreciated.
AWS CLI Version 2.0.3
Python Version 3.7.5
CDK Version 1.31.0 (build 8f3ac79)
Botocore Version 2.0.0dev7
Windows 10
UPDATE:
I updated my CDK install to the latest and now it's deploying just fine. No code changed, just my CDK version. I'm now running 1.32.2 (build e19e206) and it deployed. In looking through the release notes, I can't tell exactly why it was broken before and why it's working now, but they did make some changes in IAM and one of them must have fixed this.
Related
I have a project with CDK and CDK Deploy does not work. My project is a simple CDK app that has been started with cdk init app --language typescript and was working at first. I don't have anything but a lambda and an api gateway in this project.
After adding NodejsFunction from #aws-cdk/aws-lambda-nodejs I faced some errors but by installing docker locally and some changes all those were resolved and synth completes successfully now.
I run cdk bootstrap and then cdk synth and then cdk deploy with the last one here is the error I see: (the rest finishes successfully)
SSM parameter /cdk-bootstrap/pipeline/version not found. Has the environment been bootstrapped? Please run 'cdk bootstrap' (see https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)
bootstrap and synth work fine, my aws configure has been done and no errors anywhere but the deploy doesn't work.
More details:
Error:
MyStackNameStack failed: Error: MyStackNameStack: SSM parameter /cdk-bootstrap/pipeline/version not found. Has the environment been bootstrapped? Please run 'cdk bootstrap' (see https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)
at CloudFormationDeployments.validateBootstrapStackVersion (/usr/local/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:297:13)
at processTicksAndRejections (internal/process/task_queues.js:93:5)
at CloudFormationDeployments.publishStackAssets (/usr/local/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:272:7)
at CloudFormationDeployments.deployStack (/usr/local/lib/node_modules/aws-cdk/lib/api/cloudformation-deployments.ts:179:5)
at CdkToolkit.deploy (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:184:24)
at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:213:9)
MyStackNameStack: SSM parameter /cdk-bootstrap/pipeline/version not found. Has the environment been bootstrapped? Please run 'cdk bootstrap' (see https://docs.aws.amazon.com/cdk/latest/guide/bootstrapping.html)
error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
Package.json and CLI versions:
CDK version: 1.116.0
"#aws-cdk/aws-apigateway": "^1.116.0",
"#aws-cdk/aws-lambda": "^1.116.0",
"#aws-cdk/aws-lambda-nodejs": "^1.116.0",
"#aws-cdk/core": "^1.116.0",
I only use this:
cdk bootstrap
I am new to serverless and would like your help to figure out what I am doing wrong.
In my local development after using sls offline --config cusom.yml i am unable to retrieve secrets. After a bit of debugging, found out that the credentials is null.
However, when i invoke it separately using pure js aws-sdk (not with serverless) I am able to retrieve the secrets and the credentials is prepopulated. Please let me know if you have any suggestions on why this is not working with sls offline
Do you have the following files locally?
~/.aws/credentials
~/.aws/config
These files serves as the credentials if you don't write them in your code. Most libraries and aws cli relies on them for access
$ cat ~/.aws/credentials
[default]
aws_secret_access_key = your_aws_secret_access_key
aws_access_key_id = your_aws_access_key_id
$ cat ~/.aws/config
[default]
region = us-east-1 # or your preferred region
I'm running the sample-app but seems it doesn't work anymore
.env) [cdk-workshop]gdm$ cdk ls
CDK CLI >= 1.10.0 is required to interact with this app
(.env) [cdk-workshop]gdm$
Why?
the code is exactly https://cdkworkshop.com/30-python/20-create-project/100-cdk-init.html
the problem was my ckd version(1.9.0)
I've updated and now it works
I have previously had Serverless installed on a server, and then when I tried to edit the function and package it back up to edit the zip file I broke it, so I have to start all over. So to begin this issue: I had Serverless running and was using it with this package - https://github.com/adieuadieu/serverless-chrome/tree/master/examples/serverless-framework/aws
When I sudo npm run deploy, I get the ServerlessError:
ServerlessError: User: arn:aws:sts::XXX:assumed-role/EC2CodeDeploy/i-268b1acf is not authorized to perform: cloudformation:DescribeStackResources on resource: arn:aws:cloudformation:us-east-1:YYY:stack/aws-dev/*
I'm not sure why it is trying to connect to a Role and not an IAM. So I check the Role, and it is in an entirely different AWS account than the account I've configured. Let's call this Account B.
When it comes to configuration, I've installed AWS CLI and entered in the key, id, and region in my Account A in AWS. Not touching Account B whatsoever. When I run aws s3 ls I see the correct s3 buckets of the account with the key/id/regioin, so I know CLI is working with the correct account. Sounds good. I check the ~/.aws/creditionals file and just has one profile [default] which seems normal. No other profiles are in here. I copied this over to the ~/.aws/config file so now both files are same. Works great.
I then go into my SSH where I've installed serverless, and run npm run deploy and it gives me the same message above. I think maybe somehow it is not using the correct account for whatever reason. So I manually set the access key and secret with the following commands:
serverless config credentials --provider aws --key XXX --secret YYY
It tells me there already is a profile in the aws creds file, so I then add --o to the end to overwrite. I run sudo npm run deploy and still same error.
I then run this command to manually set a profile in the creds for serverless, with the profile name matching the IAM user name:
serverless config credentials --provider aws --key XXX --secret YYY --profile serverless-agent
Where "serverless-agent" is the name of my IAM user I've been trying to use to deploy. I run this, it tells me there already is an existing profile in the aws creds file so I run it with --o and it tells me the aws file is now updated. In bash I go to Vim the file and I only see the single "[default]" settings, as if nothing has changed. I run sudo npm run deploy and it gives me the same Error.
I then go and manually set the access and secret:
export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=YYY
I run sudo npm run deploy and it gives me the same Error.
I even removed AWS CLI, and the directory that holds the creditionals and config files - and when I manually set my account creds via serverless config it tells me there already is a profile set up in my aws file, prompting me to use the overwrite command - how is this possible when the file is literally not on my computer?
So I then think that serverless itself has a cache or something, calling the wrong file or whatever for creds, so I uninstall serverless via sudo npm uninstall -g serverless so that I can start from zero again. I then do all of the above steps and more all over again, and nothing has changed. Same error message.
I do have Apex.run set up, but that should be using my AWS CLI config file so I'm not sure if that is causing any problems. But then again I've no clue of anything deep on this subject, and I can't find any ability to remove Apex itself in their docs.
In the package I am trying to deploy, I do not have a profile:XXX set in the serverless.yml file, because I've read if you do not then it just defaults to the [default] profile you have set in the aws creds file on your computer. Just to check, I go into the serverless.yml file and set the profile: default, and the error I now get when I run npm run deploy is
Profile default does not exist
How is that possible when I have the "default" profile set in my creds file? So I remember that previously I ran the serverless config creditionals command and added the profile name of serverless-agent to it (yet didn't save in the aws creds file as I mentioned above), so I add that profile name to the serverless.yml file just to see if this works, and same error of "Profile default does not exist".
So back to the error message. The Role is an account not even related to the IAM user I'm using in my aws creds. Without knowing a lot about this, it's as if the config in serverless via ssh isn't correct or something. Is it using old creds I had set up in Apex.run? Why is the aws creds file not updated with the profile when I manually set it in serverless config command? I am using the same user account (but with new key and secret) that I used a few weeks ago when I correctly deployed and my Lambda and API was set up for me on AWS. Boy do I miss those time and wish I didn't mess up my existing Lambda functions, without setting version number prior, forcing me to start all over.
I am so confused. Any help would be greatly appreciated.
If you are using IAM role then you have to use that IAM role through assume role using powershell.
I was also facing same issue earlier, when we moved from from user to role.
I have tried looking for an answer to this problem for over a month. Apparently I am the only one in the world who ever had this issue... Here's the console commands I am giving over ssh. I am logged into the only account with permissions and it has FULL permissions over the project... I am stumped.
sudo gcloud compute copy-files /home/lestado/trs.key adminuser#the-real-strategy-vm:/etc/ssl/private/
This is the response I am getting:
Did you mean zone [us-central1-f] for instances:
[['[the-real-strategy-vm]']]?
Do you want to continue (Y/n)? y
ERROR: (gcloud.compute.copy-files) Could not fetch instance:
- Insufficient Permission
Set your project name before you start copying files.
gcloud config set project <project_name>
Complete process will be:
Login: gcloud init
Set project: gcloud config set project <project_name>
Upload using root user for instance: gcloud compute copy-files ./ root#instance:/etc/ssl/pvt