(custom-resource): Creation Fails Due to Lack of Permissions on Some Services #31429
Comments
Yes, custom resource has a lambda function as its provider which has an IAM role and the role has the default policy.
Possible Solutions
Now, let's look into your provided code. When I
Obviously, the IAM policy with logicalId
"Resources": {
  "PutContactInformation78FED2C5": {
    "Type": "Custom::AWS",
    "Properties": {
      ...
    },
    "DependsOn": [
      "PutContactInformationCustomResourcePolicyB3C7E805"
    ],
which means custom resource is actually depending on
With that being said, when the CR is being created, the role and policy should be all set and ready. So I don't think this would cause the issue. Are you able to try to reproduce that and show me the full error message if you see that happening again?
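The `DependsOn` check described in the comment above, as an added example that is not part of the original thread or of the CDK code base: it scans a synthesized template for `Custom::AWS` resources that do not declare a `DependsOn` on an `AWS::IAM::Policy`. The function name, the sample template and the `OtherCallA1B2C3D4` resource are constructed for illustration; the two `PutContactInformation...` logical IDs are the ones quoted in the thread.

```typescript
type Resource = { Type: string; DependsOn?: string | string[] };
type Template = { Resources: { [logicalId: string]: Resource } };

// Returns the logical IDs of Custom::AWS resources that do NOT depend on any
// AWS::IAM::Policy resource declared in the same template.
function customResourcesMissingPolicyDependency(template: Template): string[] {
  const resources = template.Resources;
  const ids = Object.keys(resources);
  const policyIds = ids.filter((id) => resources[id].Type === "AWS::IAM::Policy");
  const missing: string[] = [];
  for (const id of ids) {
    const res = resources[id];
    if (res.Type !== "Custom::AWS") continue;
    // DependsOn may be absent, a single string, or a list of logical IDs.
    let deps: string[] = [];
    if (typeof res.DependsOn === "string") deps = [res.DependsOn];
    else if (Array.isArray(res.DependsOn)) deps = res.DependsOn;
    const dependsOnPolicy = deps.some((d) => policyIds.indexOf(d) !== -1);
    if (!dependsOnPolicy) missing.push(id);
  }
  return missing;
}

// Constructed sample: the first custom resource mirrors the fragment quoted
// in the thread; the second is a hypothetical one with no DependsOn.
const sampleTemplate: Template = {
  Resources: {
    PutContactInformationCustomResourcePolicyB3C7E805: { Type: "AWS::IAM::Policy" },
    PutContactInformation78FED2C5: {
      Type: "Custom::AWS",
      DependsOn: ["PutContactInformationCustomResourcePolicyB3C7E805"],
    },
    OtherCallA1B2C3D4: { Type: "Custom::AWS" },
  },
};

const missingInSample = customResourcesMissingPolicyDependency(sampleTemplate);
```

An empty result only confirms the ordering declared in the template, which is what was verified by hand in the comment above.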
Thank you for the quick response. I can happily reproduce this. As you outlined, this is exactly how my code and synthesized template look. So technically it looks correct but still fails. I'm curious to know if the execution and the policy attachment are happening too quickly, which results in this failure. I do this exact same type of operation for other API endpoints in AWS and do not get the error. One thing to note is that I am doing this via a stackset. I don't know why that would make a difference, as it is simply just running the CloudFormation template. The other succeeding API calls are also done as a stackset. Error message requested:
Remove
Thanks Tim! That worked 10/10. I have zero idea why that would be the case. Anyone else facing similar issues, consider removing that flag.
Describe the bug
When using the custom-resource (AwsCustomResource) module there are arbitrary failures on AWS services. This seems to be because the Custom Resource that is created has a policy associated to the lambda function and immediately executes it. The execution is not timed to wait until permissions are attached or validated. Even when using a CloudFormation Wait Condition the resources are created simultaneously.
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
When using AwsCustomResource and defining the policy the custom resource should wait until policy creation before execution.
Current Behavior
When calling AwsCustomResource and defining the policy for the resource the policy is immediately created along with execution of the lambda function. If the policy creation is not completed or delayed due to some sort of inconsistent latency within AWS the custom resource lambda fails with permission denied.
Reproduction Steps
Create a CDK deployment that creates a Custom Resource using the below policy and Custom Resource.
Policy
Custom Resource
Possible Solution
Decouple creation of the policy for the custom resource from the same call. Allow creation of a depends on for the policy for the custom resource.
Additional Information/Context
See related issue that was closed: 21332
CDK CLI Version
2.147.3 (build 32f0fdb)
Framework Version
No response
Node.js Version
v18.20.4
OS
MacOSX
Language
TypeScript
Language Version
No response
Other information
No response