# help
d
I just updated to the latest version of SST (and therefore to CDK too) and now my deploys are failing. On CloudWatch I get
upload failed: ../../tmp/tmpt2vmrmzx/contents/file.txt to s3://dg-imac-xxx-storage-bucket970c6ada-1gfwpc3jg5cbd/public/demo/file.txt An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
I’m using
new s3deploy.BucketDeployment(this, 'DeployDemoXxx', {
      sources: [s3deploy.Source.asset('./src/deployments/demo/')],
      exclude: ['*'],
      include: ['*.txt'],
      destinationKeyPrefix: 'public/demo/',
      destinationBucket: bucket.s3Bucket,
      accessControl: 'PublicRead',
      contentType: 'plain/text',
    });
Could that be because of the upgrade to CDK v2 perhaps?
f
It seems the s3deploy lambda function does not have IAM permission to upload to S3.
We can do a quick check: run `sst build`, and then open up the template.json inside `.build/cdk.out`. Do you see an `AWS::IAM::Role` resource with `s3:PutObject` permission?
d
this was working just fine before. It is very weird. Let me check the cdk.out
{
  "Resources": {
    "SSTMetadata": {
      "Type": "AWS::CDK::Metadata",
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "dg-imac-xxx-deployment/SSTMetadata",
        "sst:version": "0.59.1",
        "sst:constructs": []
      }
    },
    "DeployDemoJsonAwsCliLayerD7448C3D": {
      "Type": "AWS::Lambda::LayerVersion",
      "Properties": {
        "Content": {
          "S3Bucket": "cdk-hnb659fds-assets-855659027122-eu-north-1",
          "S3Key": "e9882ab123687399f934da0d45effe675ecc8ce13b40cb946f3e1d6141fe8d68.zip"
        },
        "Description": "/opt/awscli/aws"
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "dg-imac-xxx-deployment/DeployDemoJson/AwsCliLayer/Resource",
        "aws:asset:path": "asset.e9882ab123687399f934da0d45effe675ecc8ce13b40cb946f3e1d6141fe8d68.zip",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Content"
      }
    },
    "DeployDemoJsonCustomResourceC4D96F0E": {
      "Type": "Custom::CDKBucketDeployment",
      "Properties": {
        "ServiceToken": {
          "Fn::GetAtt": [
            "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536",
            "Arn"
          ]
        },
        "SourceBucketNames": [
          "cdk-hnb659fds-assets-855659027122-eu-north-1"
        ],
        "SourceObjectKeys": [
          "b7e8017cf854483f67d12a7dd9d84f74031409618e8596e279f00cab575b18f5.zip"
        ],
        "DestinationBucketName": {
          "Fn::ImportValue": "dg-imac-xxx-storage:ExportsOutputRefModelsBucket970C6ADACD092BA1"
        },
        "DestinationBucketKeyPrefix": "public/demo/",
        "Prune": true,
        "Exclude": [
          "*"
        ],
        "Include": [
          "*.json"
        ],
        "SystemMetadata": {
          "content-type": "application/json",
          "acl": "public-read"
        }
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "dg-imac-xxx-deployment/DeployDemoJson/CustomResource/Default"
      }
    },
    "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              }
            }
          ],
          "Version": "2012-10-17"
        },
        "ManagedPolicyArns": [
          {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
              ]
            ]
          }
        ],
        "Tags": [
          {
            "Key": "sst:app",
            "Value": "xxx"
          },
          {
            "Key": "sst:stage",
            "Value": "dg-imac"
          }
        ]
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "dg-imac-xxx-deployment/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource"
      }
    },
    "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyDocument": {
          "Statement": [
            {
              "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":s3:::cdk-hnb659fds-assets-855659027122-eu-north-1"
                    ]
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      "arn:",
                      {
                        "Ref": "AWS::Partition"
                      },
                      ":s3:::cdk-hnb659fds-assets-855659027122-eu-north-1/*"
                    ]
                  ]
                }
              ]
            },
            {
              "Action": [
                "s3:GetObject*",
                "s3:GetBucket*",
                "s3:List*",
                "s3:DeleteObject*",
                "s3:PutObject",
                "s3:Abort*"
              ],
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::ImportValue": "dg-imac-xxx-storage:ExportsOutputFnGetAttModelsBucket970C6ADAArnC12F88E2"
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::ImportValue": "dg-imac-xxx-storage:ExportsOutputFnGetAttModelsBucket970C6ADAArnC12F88E2"
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            }
          ],
          "Version": "2012-10-17"
        },
        "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF",
        "Roles": [
          {
            "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265"
          }
        ]
      },
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "dg-imac-xxx-deployment/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy/Resource"
      }
    },
    "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": {
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Code": {
          "S3Bucket": "cdk-hnb659fds-assets-855659027122-eu-north-1",
          "S3Key": "e3d9996b6fafcc7da88312672e15e3cc925b02cffc6f01a615d81f22303e3ae0.zip"
        },
        "Role": {
          "Fn::GetAtt": [
            "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265",
            "Arn"
          ]
        },
        "Handler": "index.handler",
        "Layers": [
          {
            "Ref": "DeployDemoJsonAwsCliLayerD7448C3D"
          }
        ],
        "Runtime": "python3.7",
        "Tags": [
          {
            "Key": "sst:app",
            "Value": "xxx"
          },
          {
            "Key": "sst:stage",
            "Value": "dg-imac"
          }
        ],
        "Timeout": 900
      },
      "DependsOn": [
        "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF",
        "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265"
      ],
      "UpdateReplacePolicy": "Delete",
      "DeletionPolicy": "Delete",
      "Metadata": {
        "aws:cdk:path": "dg-imac-xxx-deployment/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/Resource",
        "aws:asset:path": "asset.e3d9996b6fafcc7da88312672e15e3cc925b02cffc6f01a615d81f22303e3ae0",
        "aws:asset:is-bundled": false,
        "aws:asset:property": "Code"
      }
    }
  },
  "Parameters": {
    "BootstrapVersion": {
      "Type": "AWS::SSM::Parameter::Value<String>",
      "Default": "/cdk-bootstrap/hnb659fds/version",
      "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
    }
  },
  "Rules": {
    "CheckBootstrapVersion": {
      "Assertions": [
        {
          "Assert": {
            "Fn::Not": [
              {
                "Fn::Contains": [
                  [
                    "1",
                    "2",
                    "3",
                    "4",
                    "5"
                  ],
                  {
                    "Ref": "BootstrapVersion"
                  }
                ]
              }
            ]
          },
          "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
        }
      ]
    }
  }
}
There is a `PutObject` in `CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF`.
Besides that, this code was working fine before I updated SST and therefore CDK, I wonder what has changed.
@Frank would you know how to solve this:
It seems the s3deploy lambda function does not have IAM permission to upload to S3.
I don’t have access to the function here, I’m passing it to the Deployment directly.
What I don’t get is: how come BucketDeployment won’t have access to upload to S3… that’s the whole purpose of this construct
j
@Daniel Gato Just checking in on this. Are you still having this issue?
d
Yes I am. But I found a way around it (not too elegant IMO):
this.bucket.s3Bucket.grantPut(new iam.AnyPrincipal());
this.bucket.s3Bucket.grantPutAcl(new iam.AnyPrincipal());
If you have something better I’ll take it 🙂
j
Oh let me bring it to @Frank’s attention.
f
Hmm I stumbled upon this issue and thought it might be related to what you saw https://github.com/aws/aws-cdk/issues/9201
do u have KMS enabled by any chance?
d
I don’t know what KMS is. Does this require us to do something special?
f
hmm.. I see
I have a feeling this might be related to ur specific setup
If you want to track this down, when you get a chance, if you can put together a sample repo that can recreate this issue, I can have a look. Might be easier that way to track this down.
d
I figured this out. It was a change in CDK.
It doesn’t come from the deploy function. When you update CDK to go from 1.x to 2.7 it starts happening. It appears that the permissions on the bucket between both versions are different. On 2.7, we don’t have Put and PutAcl on it. Therefore, the deployment fails.
this.bucket.s3Bucket.grantPut(new AnyPrincipal());
this.bucket.s3Bucket.grantPutAcl(new AnyPrincipal());
Then it adds the right roles/permissions
f
Oh I see. Glad u figured it out!