Closed Raghunath-SK closed 2 years ago
@Raghunath-SK Did you find a solution to this? I'm also having this problem with an S3 bucket.
@danw-mpl Yes, I did find what I was missing. I had missed adding some policies earlier, and also the error was very generic (not much detail) in the CloudFormation deployment, so I couldn't figure it out earlier. Since I was using CloudWatch Logs for WAF logging, I added the below policies and the deployment went well ('logs:CreateLogGroup', 'logs:DeleteLogGroup', 'logs:DescribeLogGroups', 'logs:PutRetentionPolicy', 'logs:GetLogEvents', 'logs:PutLogEvents', 'logs:CreateLogDelivery', 'logs:PutResourcePolicy', 'logs:DescribeResourcePolicies').
Not sure whether these help you as you are trying with S3. Maybe adding some S3 policies should help you, I guess.
I was just trying some of the IAM policies listed here https://docs.aws.amazon.com/waf/latest/developerguide/logging-s3.html and I've got it working.
I was going wrong by providing partial ARNs in the IAM policy. By using '*', it works.
I'm currently having this issue and the error persists in the AWS Console. Could you please elaborate on where you attached these IAM policies? @Raghunath-SK
I was deploying the WAF resource and other resources through AWS CloudFormation, and so I added those above policies to the CloudFormation service role. (AWS CloudFormation was using this service role to deploy the resources.)
Thank you for clarifying. @Raghunath-SK I verified that this error still exists in the console with the AdministratorAccess IAM policy attached. I guess my bug is somewhere else.
Hi,
I'm using cdk version 1.139.0, and I had a WAF added earlier in my previous deployment. Now I tried to add the logging configuration for that WAF, so I added the below code in cdk and generated the template.
```typescript
import { CfnLoggingConfiguration } from '@aws-cdk/aws-wafv2';

new CfnLoggingConfiguration(scope, 'WafLoggingConfig', {
  resourceArn: webAcl.attrArn, // here I attached the webAcl using the webAcl code reference
  logDestinationConfigs: [`arn:aws:logs:${region}:${accountId}:log-group:aws-waf-logs-for-app`],
});
```
Note: I have already created the log group for WAF named aws-waf-logs-for-app (which has the expected prefix needed for WAF).
After synthesizing/generating the template I ran cdk deploy to update CloudFormation.
List of policies I have already attached to CloudFormation:
'wafv2:AssociateWebACL', 'wafv2:CreateWebACL', 'wafv2:DeleteWebACL', 'wafv2:DescribeManagedRuleGroup', 'wafv2:DisassociateWebACL', 'wafv2:Get', 'wafv2:List', 'wafv2:UpdateWebACL', 'wafv2:GetLoggingConfiguration', 'wafv2:ListLoggingConfiguration', 'wafv2:PutLoggingConfiguration', 'wafv2:DeleteLoggingConfiguration', 'cloudwatch:DeleteAlarms', 'cloudwatch:Describe*', 'cloudwatch:DisableAlarmActions', 'cloudwatch:EnableAlarmActions', 'cloudwatch:GetDashboard', 'cloudwatch:ListDashboards', 'cloudwatch:PutDashboard', 'cloudwatch:DeleteDashboards', 'cloudwatch:GetMetricData', 'cloudwatch:GetMetricStatistics', 'cloudwatch:ListMetrics', 'cloudwatch:PutMetricAlarm', 'cloudwatch:PutMetricData', and other policies for other resources.
But my CloudFormation fails to deploy the logging configuration for WAF and displays the below error on the CloudFormation events page.
Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)
Note: In the above error I have modified the values of the Request ID and RequestToken. I believe I have given the needed policies to CloudFormation.
Is it a bug in cdk? Did cdk fail to create any role needed for this? Can someone help me with this?
Reproduction Steps
Try to add the WAF and logging configuration for WAF in the cdk and do cdk deploy.
```typescript
import { CfnWebACL } from '@aws-cdk/aws-wafv2';

const webAcl = new CfnWebACL(scope, 'CfnWebAcl', {
  description: 'description',
  scope: 'REGIONAL',
  defaultAction: { allow: {} },
  visibilityConfig: {
    cloudWatchMetricsEnabled: true,
    metricName: 'dev-webacl-metrics',
    sampledRequestsEnabled: true,
  },
  rules: [
    {
      name: 'demo-rate-limit-rule',
      action: { block: {} },
      priority: 0,
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: 'dev-rate-limit-metrics',
        sampledRequestsEnabled: false,
      },
      statement: {
        rateBasedStatement: { aggregateKeyType: 'IP', limit: serviceRateLimit.valueAsNumber },
      },
    },
  ],
});
```
What did you expect to happen?
It should deploy without any errors, as I suspect I have added the necessary policies needed for AWS CloudFormation to deploy the above code.
What actually happened?
My CloudFormation fails to deploy the logging configuration for WAF and displays the below error on the CloudFormation events page.
Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)
Note: In the above error I have modified the values of the Request ID and RequestToken.
CDK CLI Version
1.139.0
Framework Version
No response
Node.js Version
12.13.0
OS
Windows, Mac
Language
Typescript
Language Version
Typescript - 3.9.7
Other information
No response
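As an added example (not code from the issue or from CDK), a small TypeScript helper that checks a CloudWatch Logs destination ARN for the aws-waf-logs- prefix the reporter mentions and builds the IAM statement, with the logs actions listed in the thread, for the CloudFormation service role; the ARN layout, the placeholder check and the sample account values are assumptions.

```typescript
// Added example, not code from the issue or from CDK. Checks that a CloudWatch
// Logs destination ARN is one WAFv2 will accept (log group name must start with
// "aws-waf-logs-") and builds the IAM statement, with the logs actions the
// thread lists, that the CloudFormation service role was missing.

const WAF_LOG_GROUP_PREFIX = 'aws-waf-logs-';

// Actions the reporter added to the CloudFormation service role.
const WAF_LOGGING_ACTIONS: readonly string[] = [
  'logs:CreateLogGroup', 'logs:DeleteLogGroup', 'logs:DescribeLogGroups',
  'logs:PutRetentionPolicy', 'logs:GetLogEvents', 'logs:PutLogEvents',
  'logs:CreateLogDelivery', 'logs:PutResourcePolicy', 'logs:DescribeResourcePolicies',
];

interface LogGroupArn { partition: string; region: string; account: string; logGroup: string; }

// Parses arn:<partition>:logs:<region>:<account>:log-group:<name>[:*].
// Assumed layout; returns null for anything that is not a log-group ARN.
function parseLogGroupArn(arn: string): LogGroupArn | null {
  const p = arn.split(':');
  if (p.length < 7 || p[0] !== 'arn' || p[2] !== 'logs' || p[5] !== 'log-group') return null;
  if (p.length > 8 || (p.length === 8 && p[7] !== '*')) return null;
  return { partition: p[1], region: p[3], account: p[4], logGroup: p[6] };
}

// Reasons a destination would be rejected before permissions even matter:
// an unresolved `${...}` placeholder, a non-logs ARN, or the wrong name prefix.
function wafLogDestinationProblem(arn: string): string | null {
  if (arn.includes('${')) return 'unresolved template placeholder in ARN';
  const parsed = parseLogGroupArn(arn);
  if (parsed === null) return 'not a CloudWatch Logs log-group ARN';
  if (parsed.region === '' || parsed.account === '') return 'region and account must be set';
  if (!parsed.logGroup.startsWith(WAF_LOG_GROUP_PREFIX)) {
    return `log group name must start with ${WAF_LOG_GROUP_PREFIX}`;
  }
  return null;
}

// IAM statement for the deployment (CloudFormation service) role. The thread
// reports that partial ARNs in Resource failed and '*' worked, so '*' is the default.
function serviceRoleLoggingStatement(resource: string = '*') {
  return { Effect: 'Allow', Action: [...WAF_LOGGING_ACTIONS], Resource: resource };
}
```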