aws-containers / demo-app-for-docker-compose

MIT No Attribution

User not authorized to perform the action #4

Open innayatullah opened 2 years ago

innayatullah commented 2 years ago

I'm getting the error while applying the changeset "User is not authorized to perform that action on the specified resource Service:Efs"

I've tried to give the DescribeNetworkInterfaceGroups permission both to the user in the CLI and to the ExtractBuildRole inside ComposeRolePolicy, but without any luck. Can you guys help me out with this?


innayatullah commented 2 years ago

This happens when I've added the Volumes in my docker-compose file. I was able to deploy the stacks without the volume specification and the demo application worked fine. However I have a use case where I need to provide the EFS

gentksb commented 2 years ago

This may be a temporary problem. I hit the same error on the same date, but today I can run every template successfully.

My CloudTrail log recorded this error as "unknown error".

```json
    "errorCode": "AccessDenied",
    "errorMessage": "An unknown error occurred",
```

ollypom commented 2 years ago

Hi @innayatullah , thank you for reporting the issue. I've just gone through the blog walk through again and I am not able to recreate this error.

If you are following through the blog, the permissions that Compose needs to stand up the sample application can be found here. If you need to add additional permissions to stand up the stack, this is where you should do it (not in the role that a CLI user uses when running aws cloudformation create-stack)

Do you mind sharing the compose file you are trying to deploy?

frinzekt commented 2 years ago

I am also experiencing the same issue.

I didn't touch any of the config, I just ran the tutorial to see how it all works together. Here's the compose file I am trying to deploy (basically the exact same thing):

```yaml
x-aws-vpc: ${AWS_VPC}
x-aws-cluster: ${AWS_ECS_CLUSTER}
x-aws-loadbalancer: ${AWS_ELB}

services:
  frontend:
    image: ${IMAGE_URI:-frontend}:${IMAGE_TAG:-latest}
    build: ./frontend
    environment:
      REDIS_URL: "backend"
    networks:
      - demoapp
    ports:
      - 80:80

  backend:
    image: public.ecr.aws/docker/library/redis:6.2
    volumes:
      - redisdata:/data
    networks:
      - demoapp

volumes:
  redisdata:

networks:
  demoapp:
```

I have tried rerunning the pipeline by doing

```shell
aws s3 cp compose-bundle.zip s3://$BUCKET_NAME/compose-bundle.zip
```

but no luck... it fails at the same place

frinzekt commented 2 years ago

I don't exactly know what's happening, but here are some screenshots that I have.

This is the compose-application that is failing. See that there is the attached IAM role in that screenshot.

Looking at the IAM role, there are 2 role policies: ComposeRolePolicy and ExtractBuildRoleDefaultPolicy (this matches what's written in the CloudFormation file).

The screenshot below shows the EFS policy/permissions.

ollypom commented 2 years ago

Hi @frinzekt , if you have a look in Cloudtrail do you find the failing API Call?

I've just run through the walk-through successfully and I have 2 successfully created Mount Targets.


```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "xxxx:AWSCloudFormation",
        "arn": "arn:aws:sts::xxxx:assumed-role/compose-pipeline-ExtractBuildRole-xxxx/AWSCloudFormation",
        "accountId": "xxxx",
        "accessKeyId": "xxxx",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "xxxx",
                "arn": "arn:aws:iam::xxxx:role/compose-pipeline-ExtractBuildRole-xxxx",
                "accountId": "xxxx",
                "userName": "compose-pipeline-ExtractBuildRole-xxxx"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-02-23T10:06:08Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2022-02-23T10:06:10Z",
    "eventSource": "elasticfilesystem.amazonaws.com",
    "eventName": "CreateMountTarget",
    "awsRegion": "eu-west-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "requestParameters": {
        "fileSystemId": "fs-xxxx",
        "subnetId": "subnet-xxxx",
        "securityGroups": [
            "sg-xxxx",
            "sg-xxxx"
        ]
    },
    "responseElements": {
        "ownerId": "xxxx",
        "mountTargetId": "fsmt-xxxx",
        "fileSystemId": "fs-xxxx",
        "subnetId": "subnet-xxxx",
        "lifeCycleState": "creating",
        "ipAddress": "10.0.1.28",
        "networkInterfaceId": "eni-xxxx",
        "availabilityZoneId": "euw1-az2",
        "availabilityZoneName": "eu-west-1a",
        "vpcId": "vpc-xxxx"
    },
    ....
}
```

I'm trying to find out if there is a missing permission in the ExtractBuildRole or if there is an issue else where in the deployment.

(Note, be careful to sanitise any output if you do want to paste a cloudtrail response in this issue).

frinzekt commented 2 years ago

Hi @ollypom,

Thank you very much for the tutorial. I am learning heaps on it so far.

I believe I have found the CloudTrail event record:

```json
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "XXXXXXXXXXX:AWSCloudFormation",
        "arn": "arn:aws:sts::XXXXXXXXXXX:assumed-role/compose-pipeline-ExtractBuildRole-XXXXXXXXXXX/AWSCloudFormation",
        "accountId": "XXXXXXXXXXX",
        "accessKeyId": "XXXXXXXXXXX",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "XXXXXXXXXXX",
                "arn": "arn:aws:iam::XXXXXXXXXXX:role/compose-pipeline-ExtractBuildRole-XXXXXXXXXXX",
                "accountId": "XXXXXXXXXXX",
                "userName": "compose-pipeline-ExtractBuildRole-XXXXXXXXXXX"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-02-23T07:12:17Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "cloudformation.amazonaws.com"
    },
    "eventTime": "2022-02-23T07:12:18Z",
    "eventSource": "elasticfilesystem.amazonaws.com",
    "eventName": "CreateMountTarget",
    "awsRegion": "ap-southeast-2",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "AccessDenied",
    "errorMessage": "An unknown error occurred",
    "requestParameters": {
        "fileSystemId": "fs-XXXXXXXXXXX",
        "subnetId": "subnet-XXXXXXXXXXX",
        "securityGroups": [
            "sg-XXXXXXXXXXX",
            "sg-XXXXXXXXXXX"
        ]
    },
    "responseElements": null,
    "requestID": "61a16bad-c057-48b0-b72b-945802816802",
    "eventID": "4b647cad-43e7-400e-ae47-8e65f4246b53",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "apiVersion": "2015-02-01",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXXX",
    "eventCategory": "Management"
}
```

I did not find it using the Resource Type filter, so I used the Event name filter.

I am not sure why it says `"errorMessage": "An unknown error occurred"`.

ollypom commented 2 years ago

Yeah, I'm not sure why `"errorMessage": "An unknown error occurred"` is being raised. I just tried in your region ap-southeast-2, just in case there was some nuance there, but I didn't have an issue there either :( .

Using your user outside of CodePipeline / Cloudformation are you able to create Mount Targets in your account?

```shell
aws efs create-file-system \
  --performance-mode generalPurpose \
  --tags Key=Name,Value=myfilesystem

aws efs create-mount-target \
  --file-system-id "fs-xxxx" \
  --subnet-id "subnet-xxxx"
```

nynevi commented 2 years ago

I ended up adding the following permission policy via IAM: AmazonElasticFileSystemFullAccess

to the following roles: compose-pipeline-ExtractBuildRole-RANDOMHASH and compose-pipeline-PipelineRole-RANDOMHASH

I don't know which one was effective. I can try removing one to see if it fails, but I really don't have time; it has already been way too problematic even trying to run the demo.

callefoss commented 1 year ago

Thanks, for me it was enough to add AmazonElasticFileSystemFullAccess to compose-pipeline-ExtractBuildRole-XX

Boffice commented 10 months ago

I'm encountering a similar issue. While using the AmazonElasticFileSystemFullAccess policy resolves the problem, I'm curious about the specific permission that's missing. I've tried experimenting with the elasticfilesystem:TagResource permission, but I continue to face the same error. Does anyone know which exact permission might be the key to solving this?
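The denied `CreateMountTarget` record pasted earlier in this thread and the question of which exact permission is missing both come down to the same triage step: read the CloudTrail record's `eventSource`/`eventName` pair as an IAM action, note which role was denied, and scope a policy statement to just that. The script below is an added example, not code from this issue or from the demo-app-for-docker-compose project. It runs over constructed CloudTrail records modelled on the two events in the thread (one successful, one denied; the account id, role suffix and resource ids are placeholders), groups every denied call by role, and prints a minimal Allow statement for only those actions. The `SERVICE_PREFIX_OVERRIDES` table and the EFS file-system ARN format are assumptions the code states in its comments.

```python
"""Turn CloudTrail AccessDenied records into a least-privilege IAM statement.

Added example for this issue thread; not code from the
aws-containers/demo-app-for-docker-compose project. Account ids, role
suffixes and resource ids below are placeholders.
"""
import json
from collections import defaultdict

ROLE_ARN = "arn:aws:iam::111111111111:role/compose-pipeline-ExtractBuildRole-PLACEHOLDER"
SESSION_ARN = (
    "arn:aws:sts::111111111111:assumed-role/"
    "compose-pipeline-ExtractBuildRole-PLACEHOLDER/AWSCloudFormation"
)

# Constructed sample records modelled on the two events pasted in the thread:
# the first CreateMountTarget succeeded, the second was denied.
SAMPLE_EVENTS = [
    {
        "userIdentity": {
            "type": "AssumedRole",
            "arn": SESSION_ARN,
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}},
        },
        "eventSource": "elasticfilesystem.amazonaws.com",
        "eventName": "CreateMountTarget",
        "awsRegion": "eu-west-1",
        "recipientAccountId": "111111111111",
        "requestParameters": {"fileSystemId": "fs-placeholder1", "subnetId": "subnet-placeholder"},
        "responseElements": {"mountTargetId": "fsmt-placeholder", "lifeCycleState": "creating"},
    },
    {
        "userIdentity": {
            "type": "AssumedRole",
            "arn": SESSION_ARN,
            "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}},
        },
        "eventSource": "elasticfilesystem.amazonaws.com",
        "eventName": "CreateMountTarget",
        "awsRegion": "ap-southeast-2",
        "recipientAccountId": "111111111111",
        "errorCode": "AccessDenied",
        "errorMessage": "An unknown error occurred",
        "requestParameters": {"fileSystemId": "fs-placeholder2", "subnetId": "subnet-placeholder"},
        "responseElements": None,
    },
]

# Error codes CloudTrail records for authorisation failures across services.
DENIAL_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation",
                "Client.UnauthorizedOperation"}

# For most services the IAM prefix is the first DNS label of eventSource; a few
# differ, so keep an explicit override table (assumption: extend as you meet them).
SERVICE_PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}


def iam_action(event):
    """Map a record's eventSource/eventName pair to the IAM action that authorised it."""
    source = event["eventSource"]
    prefix = SERVICE_PREFIX_OVERRIDES.get(source, source.split(".")[0])
    return f"{prefix}:{event['eventName']}"


def principal_arn(event):
    """Return the underlying role ARN for assumed-role sessions, else the caller ARN."""
    identity = event["userIdentity"]
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "unknown")


def request_resource_arn(event):
    """Build a resource ARN from the request where the format is known, else '*'.

    Only the EFS file-system form is handled here (assumed format):
    arn:aws:elasticfilesystem:REGION:ACCOUNT:file-system/FS_ID
    """
    params = event.get("requestParameters") or {}
    fs_id = params.get("fileSystemId")
    if event["eventSource"] == "elasticfilesystem.amazonaws.com" and fs_id:
        return (f"arn:aws:elasticfilesystem:{event['awsRegion']}:"
                f"{event['recipientAccountId']}:file-system/{fs_id}")
    return "*"


def denied_actions(events):
    """Group denied calls as {role_arn: {iam_action: set(resource_arn)}}."""
    denied = defaultdict(lambda: defaultdict(set))
    for event in events:
        if event.get("errorCode") not in DENIAL_CODES:
            continue
        denied[principal_arn(event)][iam_action(event)].add(request_resource_arn(event))
    return denied


def policy_statement_for(role_arn, denied):
    """Minimal Allow statement covering only what was denied to role_arn, or None."""
    actions = denied.get(role_arn)
    if not actions:
        return None
    resources = sorted({r for rs in actions.values() for r in rs})
    return {"Effect": "Allow", "Action": sorted(actions), "Resource": resources}


if __name__ == "__main__":
    denied = denied_actions(SAMPLE_EVENTS)
    for role in denied:
        print(role)
        print(json.dumps(policy_statement_for(role, denied), indent=2))
```

The statement this produces allows only the action CloudTrail recorded as denied, on the file system named in the request. When a role already holds that action and is still denied, as the pasted record suggests, the cause is something the event does not show (a permission the service needs on the caller's behalf, or a resource or condition mismatch), so treat the output as the first candidate to verify with the `aws efs` calls above rather than as the final policy, and prefer it to attaching AmazonElasticFileSystemFullAccess once the real gap is known.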