aws-samples / aws-modern-application-workshop

A tutorial for developers that want to learn about how to build modern applications on top of AWS. You will build a sample website that leverages infrastructure as code, containers, serverless code functions, CI/CD, and more.
Apache License 2.0

InvalidOriginAccessIdentity #129

Open EajksEajks opened 4 years ago

EajksEajks commented 4 years ago

When running module-1 of the dotnet-cdk branch, I get the following error message when running `$ cdk deploy MythicalMysfits-WebApplication`:

```
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬────────────────────────────────────────────────────────────┬────────┬────────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────────┬───────────┐
│   │ Resource                                                   │ Effect │ Action                                                     │ Principal                                                   │ Condition │
├───┼────────────────────────────────────────────────────────────┼────────┼────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${Bucket.Arn}                                              │ Allow  │ s3:GetBucket                                               │ CanonicalUser:${BucketOrigin.S3CanonicalUserId}             │           │
│   │ ${Bucket.Arn}/                                             │        │ s3:GetObject                                               │                                                             │           │
│   │                                                            │        │ s3:List                                                    │                                                             │           │
│ + │ ${Bucket.Arn}                                              │ Allow  │ s3:Abort                                                   │ AWS:${Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9E │           │
│   │ ${Bucket.Arn}/                                             │        │ s3:DeleteObject                                            │ B8756C/ServiceRole}                                         │           │
│   │                                                            │        │ s3:GetBucket                                               │                                                             │           │
│   │                                                            │        │ s3:GetObject                                               │                                                             │           │
│   │                                                            │        │ s3:List                                                    │                                                             │           │
│   │                                                            │        │ s3:PutObject                                               │                                                             │           │
├───┼────────────────────────────────────────────────────────────┼────────┼────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB87 │ Allow  │ sts:AssumeRole                                             │ Service:lambda.amazonaws.com                                │           │
│   │ 56C/ServiceRole.Arn}                                       │        │                                                            │                                                             │           │
├───┼────────────────────────────────────────────────────────────┼────────┼────────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────────┼───────────┤
│ + │ arn:${AWS::Partition}:s3:::${DeployWebsiteAssetS3Bucket39B │ Allow  │ s3:GetBucket                                               │ AWS:${Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9E │           │
│   │ 9A580}                                                     │        │ s3:GetObject                                               │ B8756C/ServiceRole}                                         │           │
│   │ arn:${AWS::Partition}:s3:::${DeployWebsiteAssetS3Bucket39B │        │ s3:List                                                    │                                                             │           │
│   │ 9A580}/*                                                   │        │                                                            │                                                             │           │
└───┴────────────────────────────────────────────────────────────┴────────┴────────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────┴───────────┘
IAM Policy Changes
┌───┬────────────────────────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                                                                   │ Managed Policy ARN                                                             │
├───┼────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │
└───┴────────────────────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See http://bit.ly/cdk-2EhF7Np)

Do you wish to deploy these changes (y/n)? y
MythicalMysfits-WebApplication: deploying...
Updated: asset.98cff2dda51886e73e4f3123769e1c8ca80e4bb624869cd81761be64b3b4bcd3 (zip)
Updated: asset.792d9e631bb2437aa19c6f6bc19f1a38a6fc8d740d0f8afd38c4ab1a80aff2ad.zip (file)
MythicalMysfits-WebApplication: creating CloudFormation changeset...
0/10 | 8:51:45 PM | CREATE_IN_PROGRESS | AWS::CloudFormation::Stack | MythicalMysfits-WebApplication User Initiated
0/10 | 8:52:22 PM | CREATE_IN_PROGRESS | AWS::CloudFront::CloudFrontOriginAccessIdentity | BucketOrigin
0/10 | 8:52:22 PM | CREATE_IN_PROGRESS | AWS::S3::Bucket | Bucket (Bucket83908E77)
0/10 | 8:52:23 PM | CREATE_IN_PROGRESS | AWS::S3::Bucket | Bucket (Bucket83908E77) Resource creation Initiated
0/10 | 8:52:23 PM | CREATE_IN_PROGRESS | AWS::IAM::Role | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
0/10 | 8:52:23 PM | CREATE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata
0/10 | 8:52:23 PM | CREATE_IN_PROGRESS | AWS::IAM::Role | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265) Resource creation Initiated
0/10 | 8:52:25 PM | CREATE_IN_PROGRESS | AWS::CloudFront::CloudFrontOriginAccessIdentity | BucketOrigin Resource creation Initiated
0/10 | 8:52:25 PM | CREATE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata Resource creation Initiated
1/10 | 8:52:25 PM | CREATE_COMPLETE | AWS::CDK::Metadata | CDKMetadata
2/10 | 8:52:25 PM | CREATE_COMPLETE | AWS::CloudFront::CloudFrontOriginAccessIdentity | BucketOrigin
3/10 | 8:52:37 PM | CREATE_COMPLETE | AWS::IAM::Role | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
4/10 | 8:52:43 PM | CREATE_COMPLETE | AWS::S3::Bucket | Bucket (Bucket83908E77)
4/10 | 8:52:46 PM | CREATE_IN_PROGRESS | AWS::IAM::Policy | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF)
4/10 | 8:52:46 PM | CREATE_IN_PROGRESS | AWS::CloudFront::Distribution | CloudFront/CFDistribution (CloudFrontCFDistribution57EFBAC6)
4/10 | 8:52:46 PM | CREATE_IN_PROGRESS | AWS::S3::BucketPolicy | Bucket/Policy (BucketPolicyE9A3008A)
4/10 | 8:52:47 PM | CREATE_IN_PROGRESS | AWS::IAM::Policy | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF) Resource creation Initiated
4/10 | 8:52:47 PM | CREATE_IN_PROGRESS | AWS::S3::BucketPolicy | Bucket/Policy (BucketPolicyE9A3008A) Resource creation Initiated
5/10 | 8:52:47 PM | CREATE_COMPLETE | AWS::S3::BucketPolicy | Bucket/Policy (BucketPolicyE9A3008A)
6/10 | 8:52:48 PM | CREATE_FAILED | AWS::CloudFront::Distribution | CloudFront/CFDistribution (CloudFrontCFDistribution57EFBAC6) The specified origin access identity does not exist or is not valid. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidOriginAccessIdentity; Request ID: 0442a54f-d333-11e9-b8a8-73c8ff9a8d23)
    new CloudFrontWebDistribution (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/@aws-cdk/aws-cloudfront/lib/webdistribution.ts:699:26)
    \_ new WebApplicationStack (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/lib/web-application-stack.ts:42:17)
    \_ Object. (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/bin/cdk.ts:10:1)
    \_ Module.compile (internal/modules/cjs/loader.js:936:30)
    \_ Module.m._compile (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/ts-node/src/index.ts:473:23)
    \_ Module.extensions..js (internal/modules/cjs/loader.js:947:10)
    \_ Object.require.extensions. [as .ts] (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/ts-node/src/index.ts:476:12)
    \_ Module.load (internal/modules/cjs/loader.js:790:32)
    \_ Function.Module.load (internal/modules/cjs/loader.js:703:12)
    \_ Function.Module.runMain (internal/modules/cjs/loader.js:999:10)
    \_ Object. (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/ts-node/src/bin.ts:158:12)
    \_ Module.compile (internal/modules/cjs/loader.js:936:30)
    \_ Object.Module.extensions..js (internal/modules/cjs/loader.js:947:10)
    \_ Module.load (internal/modules/cjs/loader.js:790:32)
    \_ Function.Module.load (internal/modules/cjs/loader.js:703:12)
    \_ Function.Module.runMain (internal/modules/cjs/loader.js:999:10)
    \_ /usr/lib/node_modules/npm/node_modules/libnpx/index.js:268:14
7/10 | 8:52:49 PM | CREATE_FAILED | AWS::IAM::Policy | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF) Resource creation cancelled
    new Policy (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/@aws-cdk/aws-iam/lib/policy.ts:102:22)
    \_ Role.addToPolicy (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/@aws-cdk/aws-iam/lib/role.ts:291:28)
    \_ Function.addToPrincipal (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/@aws-cdk/aws-iam/lib/grant.ts:140:61)
    \_ Function.addToPrincipalOrResource (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/@aws-cdk/aws-iam/lib/grant.ts:110:26)
    \_ Import.grant (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/@aws-cdk/aws-s3/lib/bucket.ts:523:23)
    \_ Import.grantRead (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/@aws-cdk/aws-s3/lib/bucket.ts:402:17)
    \_ new BucketDeployment (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/@aws-cdk/aws-s3-deployment/lib/bucket-deployment.ts:79:19)
    \_ new WebApplicationStack (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/lib/web-application-stack.ts:34:5)
    \_ Object. (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/bin/cdk.ts:10:1)
    \_ Module.compile (internal/modules/cjs/loader.js:936:30)
    \_ Module.m._compile (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/ts-node/src/index.ts:473:23)
    \_ Module.extensions..js (internal/modules/cjs/loader.js:947:10)
    \_ Object.require.extensions. [as .ts] (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/ts-node/src/index.ts:476:12)
    \_ Module.load (internal/modules/cjs/loader.js:790:32)
    \_ Function.Module.load (internal/modules/cjs/loader.js:703:12)
    \_ Function.Module.runMain (internal/modules/cjs/loader.js:999:10)
    \_ Object. (/home/eajkseajks/Repositories/Thunder-Cloud-Server/CDK/node_modules/ts-node/src/bin.ts:158:12)
    \_ Module.compile (internal/modules/cjs/loader.js:936:30)
    \_ Object.Module.extensions..js (internal/modules/cjs/loader.js:947:10)
    \_ Module.load (internal/modules/cjs/loader.js:790:32)
    \_ Function.Module.load (internal/modules/cjs/loader.js:703:12)
    \_ Function.Module.runMain (internal/modules/cjs/loader.js:999:10)
    \_ /usr/lib/node_modules/npm/node_modules/libnpx/index.js:268:14
7/10 | 8:52:49 PM | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack | MythicalMysfits-WebApplication The following resource(s) failed to create: [CloudFrontCFDistribution57EFBAC6, CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF]. . Rollback requested by user.
7/10 | 8:52:53 PM | DELETE_IN_PROGRESS | AWS::CDK::Metadata | CDKMetadata
7/10 | 8:52:53 PM | DELETE_IN_PROGRESS | AWS::IAM::Policy | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF)
7/10 | 8:52:53 PM | DELETE_IN_PROGRESS | AWS::S3::BucketPolicy | Bucket/Policy (BucketPolicyE9A3008A)
8/10 | 8:52:53 PM | DELETE_COMPLETE | AWS::CloudFront::Distribution | CloudFront/CFDistribution (CloudFrontCFDistribution57EFBAC6)
9/10 | 8:52:54 PM | DELETE_COMPLETE | AWS::IAM::Policy | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF)
10/10 | 8:52:54 PM | DELETE_COMPLETE | AWS::S3::BucketPolicy | Bucket/Policy (BucketPolicyE9A3008A)
11/10 | 8:52:54 PM | DELETE_COMPLETE | AWS::CDK::Metadata | CDKMetadata
11/10 | 8:52:55 PM | DELETE_IN_PROGRESS | AWS::IAM::Role | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
11/10 | 8:52:55 PM | DELETE_IN_PROGRESS | AWS::CloudFront::CloudFrontOriginAccessIdentity | BucketOrigin
11/10 | 8:52:55 PM | DELETE_SKIPPED | AWS::S3::Bucket | Bucket (Bucket83908E77)
12/10 | 8:52:56 PM | DELETE_COMPLETE | AWS::IAM::Role | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)

❌ MythicalMysfits-WebApplication failed: Error: The stack named MythicalMysfits-WebApplication failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
    at /usr/lib/node_modules/aws-cdk/lib/api/util/cloudformation.ts:163:13
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
    at waitFor (/usr/lib/node_modules/aws-cdk/lib/api/util/cloudformation.ts:76:20)
    at Object.deployStack (/usr/lib/node_modules/aws-cdk/lib/api/deploy-stack.ts:98:3)
    at CdkToolkit.deploy (/usr/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:143:24)
    at main (/usr/lib/node_modules/aws-cdk/bin/cdk.ts:193:16)
    at initCommandLine (/usr/lib/node_modules/aws-cdk/bin/cdk.ts:148:9)
The stack named MythicalMysfits-WebApplication failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE
```

Any idea what is going on and how I can solve the problem? Thanks a lot for any help.

Eric

abaird986 commented 4 years ago

@DavidChristiansen - can you take a look here?