aws-ec2: ec2 key import error is unhelpful #25929

Closed
marios-zindilis opened this issue Jun 11, 2023 · 4 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@marios-zindilis

Describe the bug

This is the entire stack:

import { Stack, StackProps } from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import { Construct } from 'constructs';

export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const cfnKeyPair = new ec2.CfnKeyPair(this, 'MyCfnKeyPair', {
      keyName: 'keyName',
      publicKeyMaterial: [
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtS/sY98Yk6RqJXrWQIqMrRoesRKTI0s6xRUlSPJzx7G8kbWKEH1YS+kE0xFOfdbo/MpXpU',
        'yFf9vTIKS5HEG5ZKhFnLpbh3fBBfFmkFNazJcxpyu4yGQyy8SEhavM8xMl1NCpIhBmg8fccn78FwHVjrwBDaXlLkCkHkQf5AM+Fgx2lEOuSNz',
        '4NmIvDBAEzJi8gixgKlZM5wnyEOHXyUQ04Xs+vS6RHLxmBQ90ncmMga9FhflqfmSC8r/1uMVQYgW+8/pXOGvbMRmdy9zxxnIz6EBcNtAyWhGO',
        'sWB743fdXpCpbIqtiMXImkpjnItU15ar9ij+vkgB5nKBBqFbIvlQ0IKYZ5VJxZMFlpRNZAVyEDedcDWSvc8As5APYau/UgdEv73ingEZpqZR5',
        'VcpKQfP4F3psgHtIO+cyPvKss0Q0vKPMwmpl7z5RRcbKxWGXizsQ+B9kvVs3HzK8gu4qaDW1RbEyWkdIzOkV+ovnhqzbn9o6078hkdIU62wix',
        'k7fI9ugiOEFLoTiiAUo2H/nQ+Z06I+rxrOgF3ucGpBmAm6VaIO0upjysbKL+g05WRj5BKsHp2a2DfMlzp+TcDbpMcy/4YXYwA+BGIilIKeFbR',
        'AkWDT6MP/mLfh0ud4+xZpdymS1Qvq4AzasRVQatVWZpaVWOpGzjF5KJkzhWz4DHAnL5Q== m@e'
      ].join()
    });
  }
}

This is the resulting CloudFormation template from cdk synth:

Resources:
  MyCfnKeyPair:
    Type: AWS::EC2::KeyPair
    Properties:
      KeyName: keyName
      PublicKeyMaterial: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCtS/sY98Yk6RqJXrWQIqMrRoesRKTI0s6xRUlSPJzx7G8kbWKEH1YS+kE0xFOfdbo/MpXpU,yFf9vTIKS5HEG5ZKhFnLpbh3fBBfFmkFNazJcxpyu4yGQyy8SEhavM8xMl1NCpIhBmg8fccn78FwHVjrwBDaXlLkCkHkQf5AM+Fgx2lEOuSNz,4NmIvDBAEzJi8gixgKlZM5wnyEOHXyUQ04Xs+vS6RHLxmBQ90ncmMga9FhflqfmSC8r/1uMVQYgW+8/pXOGvbMRmdy9zxxnIz6EBcNtAyWhGO,sWB743fdXpCpbIqtiMXImkpjnItU15ar9ij+vkgB5nKBBqFbIvlQ0IKYZ5VJxZMFlpRNZAVyEDedcDWSvc8As5APYau/UgdEv73ingEZpqZR5,VcpKQfP4F3psgHtIO+cyPvKss0Q0vKPMwmpl7z5RRcbKxWGXizsQ+B9kvVs3HzK8gu4qaDW1RbEyWkdIzOkV+ovnhqzbn9o6078hkdIU62wix,k7fI9ugiOEFLoTiiAUo2H/nQ+Z06I+rxrOgF3ucGpBmAm6VaIO0upjysbKL+g05WRj5BKsHp2a2DfMlzp+TcDbpMcy/4YXYwA+BGIilIKeFbR,AkWDT6MP/mLfh0ud4+xZpdymS1Qvq4AzasRVQatVWZpaVWOpGzjF5KJkzhWz4DHAnL5Q== m@e
    Metadata:
      aws:cdk:path: MyStack/MyCfnKeyPair
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/zPSMzfXM1BMLC/WTU7J1s3JTNKrDi5JTM7WAQrFpyYb6Tmn5XmnVgYkZhbpAJlBqcX5pUXJqSC2c35eSmZJZn5erU5efkqqXlaxfpmhhZ6hGdDArOLMTN2i0rySzNxUvSAIDQArsb2zbAAAAA==
    Metadata:
      aws:cdk:path: MyStack/CDKMetadata/Default
    Condition: CDKMetadataAvailable
Conditions:
  CDKMetadataAvailable:
    Fn::Or:
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - af-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-northwest-1
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-3
          - Fn::Equals:
              - Ref: AWS::Region
              - me-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - sa-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-2
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-2
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]
Rules:
  CheckBootstrapVersion:
    Assertions:
      - Assert:
          Fn::Not:
            - Fn::Contains:
                - - "1"
                  - "2"
                  - "3"
                  - "4"
                  - "5"
                - Ref: BootstrapVersion
        AssertDescription: CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI.

Expected Behavior

If the key creation fails, we should get a meaningful error.

Current Behavior

The resource with name MyCfnKeyPair and type AWS::EC2::KeyPair fails to create with an unhelpful error:

Resource handler returned message: "null" (RequestToken: c6817ee0-0c65-b552-f35f-336715c567ce, HandlerErrorCode: InvalidRequest)

Reproduction Steps

cdk deploy the provided stack.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.77.0 (build 06a0b19)

Framework Version

No response

Node.js Version

v18.16.0

OS

Ubuntu 22.04

Language

TypeScript

Language Version

4.9.5

Other information

No response

@marios-zindilis

Copying from CloudTrail:

{
    "eventVersion": "1.08",
    "userIdentity": "...",
    "eventTime": "2023-06-11T08:18:31Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "ImportKeyPair",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "Client.InvalidKey.Format",
    "errorMessage": "Key is not in valid OpenSSH public key format",
    "requestParameters": {
        "keyName": "keyName",
        "publicKeyMaterial": "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"
    },
    "responseElements": null,
    "requestID": "c5bf8f19-d84b-424a-b3bd-329b0b463a00",
    "eventID": "d70b02ea-7571-47b4-bbcb-91436b6a25ed",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "...",
    "eventCategory": "Management"
}

Why is the public key material different from the one in the CDK and in the CloudFormation template?

@pahud

pahud commented Jun 12, 2023

Unfortunately this error is from CloudFormation and is not from CDK. Please kindly report this error to the CloudFormation coverage roadmap to help the CloudFormation team add this to their backlog.

I guess in your case you should use join('') rather than join()

@marios-zindilis

Thank you @pahud -- you are correct of course, it was a bug in my code. It worked with join('') rather than join(). I have created an issue in CloudFormation Coverage to surface a more helpful error: aws-cloudformation/cloudformation-coverage-roadmap#1711

Closing this issue in favour of the one in cloudformation-coverage-roadmap.
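
The root cause found in this thread, shown as an added example that is not part of the original issue or of the CDK code base: `Array.prototype.join()` defaults to a comma separator, and a local format check run before `cdk deploy` reports that directly instead of `"null"`. `checkOpenSshPublicKey` and `sampleKeyChunks` are hypothetical names, and the key is constructed filler, not a real key.

```typescript
/** Returns null if `material` looks like a one-line OpenSSH public key, else a reason. */
function checkOpenSshPublicKey(material: string): string | null {
  const fields = material.trim().split(/\s+/);
  if (fields.length < 2) return 'expected "<type> <base64> [comment]"';
  const [keyType, b64] = fields;
  // Base64 alphabet only: a comma left behind by join() is caught here.
  const bad = b64.match(/[^A-Za-z0-9+/=]/);
  if (bad) {
    return `illegal character ${JSON.stringify(bad[0])} at offset ${bad.index} of the base64 field`;
  }
  if (b64.length % 4 !== 0) return 'base64 field length is not a multiple of 4';
  const blob = Buffer.from(b64, 'base64');
  // The decoded blob starts with a uint32 length-prefixed copy of the key type.
  if (blob.length < 4) return 'key blob too short';
  const n = blob.readUInt32BE(0);
  if (4 + n > blob.length) return 'key blob truncated';
  const inner = blob.subarray(4, 4 + n).toString('ascii');
  if (inner !== keyType) return `type mismatch: line says ${keyType}, blob says ${inner}`;
  return null;
}

/** Constructed sample: an ssh-ed25519 blob with 32 filler bytes, split into chunks. */
function sampleKeyChunks(): string[] {
  const type = Buffer.from('ssh-ed25519', 'ascii');
  const u32 = (v: number): Buffer => {
    const b = Buffer.alloc(4);
    b.writeUInt32BE(v, 0);
    return b;
  };
  const blob = Buffer.concat([u32(type.length), type, u32(32), Buffer.alloc(32, 0x2a)]);
  const b64 = blob.toString('base64');
  // Split across array elements the way the stack in this issue does.
  return [
    'ssh-ed25519 ' + b64.slice(0, 20),
    b64.slice(20, 40),
    b64.slice(40) + ' constructed@example',
  ];
}

const chunks = sampleKeyChunks();
const broken = chunks.join();   // default separator is ","
const fixed = chunks.join('');  // explicit empty separator

console.log('join():  ', checkOpenSshPublicKey(broken));
console.log("join(''):", checkOpenSshPublicKey(fixed));
```

The check covers only the outer line format and the type prefix of the blob; it does not validate the key parameters themselves.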
