Open innayatullah opened 2 years ago
innayatullah
commented
2 years ago This happens when I've added the Volumes in my docker-compose file. I was able to deploy the stacks without the volume specification and the demo application worked fine. However I have a use case where I need to provide the EFS
gentksb
commented
2 years ago This is maybe temporary problem. I met the same error at the same date, but I can run every template in succeed today.
My CloudTrail log recorded this error as "unknown error".
"errorCode": "AccessDenied",
"errorMessage": "An unknown error occurred",
ollypom
commented
2 years ago Hi @innayatullah , thank you for reporting the issue. I've just gone through the blog walk through again and I am not able to recreate this error.
If you are following through the blog, the permissions that Compose needs to stand up the sample application can be found here. If you need to add additional permissions to stand up the stack, this is where you should do it (not in the role that a CLI user uses when running aws cloudformation create-stack)
Do you mind sharing the compose file you are trying to deploy?
frinzekt
commented
2 years ago I am also experiencing the same issue
i didnt touch any of the config, just simply run the tutorial to see how it is all working together. Here's the compose file I am trying to deploy (basically the exact same thing)
x-aws-vpc: ${AWS_VPC}
x-aws-cluster: ${AWS_ECS_CLUSTER}
x-aws-loadbalancer: ${AWS_ELB}
services:
frontend:
image: ${IMAGE_URI:-frontend}:${IMAGE_TAG:-latest}
build: ./frontend
environment:
REDIS_URL: "backend"
networks:
- demoapp
ports:
- 80:80
backend:
image: public.ecr.aws/docker/library/redis:6.2
volumes:
- redisdata:/data
networks:
- demoapp
volumes:
redisdata:
networks:
demoapp:
I have tried rerunning the pipeline by doing
aws s3 cp compose-bundle.zip s3://$BUCKET_NAME/compose-bundle.zipbut no luck... it fails at the same place
frinzekt
commented
2 years ago I dont exactly know what's happening, but here's some screenshots that I have
This is the compose-application that is failing. See that there is the attached IAM role in that screenshot
Looking for the IAM role. There are 2 Role Policy: ComposeRolePolicy and ExtractBuildRoleDefaultPolicy (this matches whats written in the Cloudformation file)
Below screenshot shows the EFS policy/permissions
ollypom
commented
2 years ago Hi @frinzekt , if you have a look in Cloudtrail do you find the failing API Call?
I've just ran through the walk-through successfully and I have 2 successfully created Mount Targets.
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "xxxx:AWSCloudFormation",
"arn": "arn:aws:sts::xxxx:assumed-role/compose-pipeline-ExtractBuildRole-xxxx/AWSCloudFormation",
"accountId": "xxxx",
"accessKeyId": "xxxx",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "xxxx",
"arn": "arn:aws:iam::xxxx:role/compose-pipeline-ExtractBuildRole-xxxx",
"accountId": "xxxx",
"userName": "compose-pipeline-ExtractBuildRole-xxxx"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-02-23T10:06:08Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "cloudformation.amazonaws.com"
},
"eventTime": "2022-02-23T10:06:10Z",
"eventSource": "elasticfilesystem.amazonaws.com",
"eventName": "CreateMountTarget",
"awsRegion": "eu-west-1",
"sourceIPAddress": "cloudformation.amazonaws.com",
"userAgent": "cloudformation.amazonaws.com",
"requestParameters": {
"fileSystemId": "fs-xxxx",
"subnetId": "subnet-xxxx",
"securityGroups": [
"sg-xxxx",
"sg-xxxx"
]
},
"responseElements": {
"ownerId": "xxxx",
"mountTargetId": "fsmt-xxxx",
"fileSystemId": "fs-xxxx",
"subnetId": "subnet-xxxx",
"lifeCycleState": "creating",
"ipAddress": "10.0.1.28",
"networkInterfaceId": "eni-xxxx",
"availabilityZoneId": "euw1-az2",
"availabilityZoneName": "eu-west-1a",
"vpcId": "vpc-xxxx"
},
....
}I'm trying to find out if there is a missing permission in the ExtractBuildRole or if there is an issue else where in the deployment.
(Note, be careful to sanitise any output if you do want to paste a cloudtrail response in this issue).
frinzekt
commented
2 years ago Hi @ollypom,
Thank you very much for the tutorial. I am learning heaps on it so far.
I believe, I have found the cloudtrail event record
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "XXXXXXXXXXX:AWSCloudFormation",
"arn": "arn:aws:sts::XXXXXXXXXXX:assumed-role/compose-pipeline-ExtractBuildRole-XXXXXXXXXXX/AWSCloudFormation",
"accountId": "XXXXXXXXXXX",
"accessKeyId": "XXXXXXXXXXX",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "XXXXXXXXXXX",
"arn": "arn:aws:iam::XXXXXXXXXXX:role/compose-pipeline-ExtractBuildRole-XXXXXXXXXXX",
"accountId": "XXXXXXXXXXX",
"userName": "compose-pipeline-ExtractBuildRole-XXXXXXXXXXX"
},
"webIdFederationData": {},
"attributes": {
"creationDate": "2022-02-23T07:12:17Z",
"mfaAuthenticated": "false"
}
},
"invokedBy": "cloudformation.amazonaws.com"
},
"eventTime": "2022-02-23T07:12:18Z",
"eventSource": "elasticfilesystem.amazonaws.com",
"eventName": "CreateMountTarget",
"awsRegion": "ap-southeast-2",
"sourceIPAddress": "cloudformation.amazonaws.com",
"userAgent": "cloudformation.amazonaws.com",
"errorCode": "AccessDenied",
"errorMessage": "An unknown error occurred",
"requestParameters": {
"fileSystemId": "fs-XXXXXXXXXXX",
"subnetId": "subnet-XXXXXXXXXXX",
"securityGroups": [
"sg-XXXXXXXXXXX",
"sg-XXXXXXXXXXX"
]
},
"responseElements": null,
"requestID": "61a16bad-c057-48b0-b72b-945802816802",
"eventID": "4b647cad-43e7-400e-ae47-8e65f4246b53",
"readOnly": false,
"eventType": "AwsApiCall",
"apiVersion": "2015-02-01",
"managementEvent": true,
"recipientAccountId": "XXXXXXXXXXX",
"eventCategory": "Management"
}I did not find it using the Resource Type filter, so I used the Event name filter
Screen Shot 2022-02-24 at 7 50 02 am
I am not sure why it says "errorMessage": "An unknown error occurred",
ollypom
commented
2 years ago Yeah I'm not sure why "errorMessage": "An unknown error occurred" is being raised. I just tried in your region ap-southeast-2 , just in case there was some nuance there, but I didn't have an issue there either :( .
Using your user outside of CodePipeline / Cloudformation are you able to create Mount Targets in your account?
aws efs create-file-system \
--performance-mode generalPurpose \
--tags Key=Name,Value=myfilesystem
aws efs create-mount-target \
--file-system-id "fs-xxxx" \
--subnet-id "subnet-xxxx"
nynevi
commented
2 years ago I ended up adding the following permission policy via IAM: AmazonElasticFileSystemFullAccess
to the following roles: compose-pipeline-ExtractBuildRole-RANDOMHASH compose-pipeline-PipelineRole-RANDOMHASH
I don't know which one was effective, I can try removing one and trying to see if fails but I really don't have time, it has already been way too problematic trying to run the demo even
callefoss
commented
1 year ago Thanks, for me it was enough to add AmazonElasticFileSystemFullAccess to compose-pipeline-ExtractBuildRole-XX
Boffice
commented
9 months ago I'm encountering a similar issue. While using the AmazonElasticFileSystemFullAccess policy resolves the problem, I'm curious about the specific permission that's missing. I've tried experimenting with the elasticfilesystem:TagResource permission, but I continue to face the same error. Does anyone know which exact permission might be the key to solving this?
I'm getting the error while applying the changeset "User is not authorized to perform that action on the specified resource Service:Efs"
I've tried to give the permissions to DescribeNetworkInterfaceGroups to both the user in CLI as well as the ExtractBuildRole inside ComposeRolePolicy but without any luck. Can you guys help me out in this.