aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(opensearch): you don't have permissions to integrate with Cognito #20307

Closed caoheyang closed 2 years ago

caoheyang commented 2 years ago

Describe the bug

You don't have permissions to integrate with Cognito

Expected Behavior

Create the OpenSearch domain successfully, without integrating with Cognito.

Current Behavior

下午5:22:54 | CREATE_FAILED | AWS::OpenSearchService::Domain | skywalkingC6680076 Resource handler returned message: "Access denied for operation 'You don't have permissions to integrate with Cognito. Contact your admin if you need help. (Service: OpenSearch, Status Code: 409, Request ID: 348401ea-d94d-4c40-8ce3-91d0f3e9f79f, Extended Request ID: null)'." (RequestToken: fcf4b2c8-12b0-794f-e95f-46035d94d7fd, HandlerErrorCode: AccessDenied)

❌ OpenSearchSkywalkingStackdev failed: Error: The stack named OpenSearchSkywalkingStackdev failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access denied for operation 'You don't have permissions to integrate with Cognito. Contact your admin if you need help. (Service: OpenSearch, Status Code: 409, Request ID: 348401ea-d94d-4c40-8ce3-91d0f3e9f79f, Extended Request ID: null)'." (RequestToken: fcf4b2c8-12b0-794f-e95f-46035d94d7fd, HandlerErrorCode: AccessDenied) at prepareAndExecuteChangeSet (/Users/heyac/.nvm/versions/node/v16.13.0/lib/node_modules/aws-cdk/lib/api/deploy-stack.ts:382:13) at processTicksAndRejections (node:internal/process/task_queues:96:5) at CdkToolkit.deploy (/Users/heyac/.nvm/versions/node/v16.13.0/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:209:24) at initCommandLine (/Users/heyac/.nvm/versions/node/v16.13.0/lib/node_modules/aws-cdk/lib/cli.ts:341:12)


Reproduction Steps

```typescript
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as opensearch from 'aws-cdk-lib/aws-opensearchservice';

// Domain definition from the report; cognitoDashboardsAuth is left explicitly undefined
const prodDomain = new opensearch.Domain(this, props.esDomainName, {
  version: opensearch.EngineVersion.OPENSEARCH_1_2,
  domainName: props.esDomainName,
  cognitoDashboardsAuth: undefined,
  capacity: {
    masterNodes: 3,
    masterNodeInstanceType: "t3.small.search",
    dataNodes: 3,
    dataNodeInstanceType: "t3.small.search",
  },
  automatedSnapshotStartHour: 1,
  ebs: {
    enabled: true,
    volumeSize: 100,
    volumeType: ec2.EbsDeviceVolumeType.GP2,
  },
  zoneAwareness: {
    availabilityZoneCount: 3,
    enabled: true,
  },
  logging: {
    slowSearchLogEnabled: true,
    appLogEnabled: true,
    slowIndexLogEnabled: true,
  },
  accessPolicies: [
    new iam.PolicyStatement({
      actions: ['es:*'],
      effect: iam.Effect.ALLOW,
      // China partition ARN (aws-cn), scoped to this domain
      resources: ["arn:aws-cn:es:" + props.env?.region + ":" + props.env?.account + ":domain/" + props.esDomainName + "/*"],
    }),
  ],
  encryptionAtRest: {
    enabled: true,
  },
  nodeToNodeEncryption: true,
  enforceHttps: false,
  vpc: props.vpc,
  vpcSubnets: [
    {
      onePerAz: true,
      subnetGroupName: UserConfigUtil.getUserConfig().eks.applicationSubnetGroupName,
    },
  ],
});
```

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.21.1

Framework Version

No response

Node.js Version

v16.13.0

OS

MacOS 10.15.7

Language

Typescript

Language Version

No response

Other information

No response

kaizencc commented 2 years ago

This could be a bug on our part with null and undefined being used incorrectly. @caoheyang Can you share the relevant cloudformation template that gets created?

peterwoodworth commented 2 years ago

Here's what I get when I specify cognitoDashboardsAuth as undefined

```json
"CognitoOptions": {
  "Enabled": false
},
```

github-actions[bot] commented 2 years ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

dashjim commented 2 years ago

For others who have this issue, I think the issue is still there because I met it with the latest CDK v2.26.0. I think it is specific to China Region (cn-northwest-1/cn-north-1) because China Region / Partition doesn't have Cognito.

Please try to use opensearch.CfnDomain instead.
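
Added example, not code from the issue authors or the CDK project: the synthesized template shown above carries `"CognitoOptions": {"Enabled": false}`, which the OpenSearch service rejects in a partition without Cognito. This dependency-free function post-processes a synthesized template object and drops only that disabled block (a real Cognito configuration is left alone); inside a CDK app the same result comes from the L1 escape hatch `(domain.node.defaultChild as opensearch.CfnDomain).addPropertyDeletionOverride('CognitoOptions')`. The template below is a constructed sample, not the reporter's real output.

```typescript
// Minimal shape of a CloudFormation template as emitted by `cdk synth`
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type Template = { Resources?: Record<string, CfnResource> };

// Remove CognitoOptions from every OpenSearch domain where it is the bare
// "disabled" form. Omitting the block is semantically identical (Cognito off),
// but it avoids the 409 AccessDenied seen in aws-cn, where Cognito does not exist.
// Returns the logical IDs that were patched so the change can be reviewed.
function stripDisabledCognitoOptions(template: Template): string[] {
  const patched: string[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources || {})) {
    if (res.Type !== 'AWS::OpenSearchService::Domain' || !res.Properties) continue;
    const cognito = res.Properties.CognitoOptions as Record<string, unknown> | undefined;
    if (!cognito) continue;
    // Only strip when Enabled is false and nothing else is configured;
    // a domain that really uses Cognito (user pool, identity pool, role) is kept.
    if (cognito.Enabled === false && Object.keys(cognito).length === 1) {
      delete res.Properties.CognitoOptions;
      patched.push(logicalId);
    }
  }
  return patched;
}

// Constructed sample: one domain synthesized with cognitoDashboardsAuth undefined
// (the failing case from the issue) and one that genuinely uses Cognito.
const sampleTemplate: Template = {
  Resources: {
    skywalkingC6680076: {
      Type: 'AWS::OpenSearchService::Domain',
      Properties: {
        EngineVersion: 'OpenSearch_1.2',
        CognitoOptions: { Enabled: false },
        NodeToNodeEncryptionOptions: { Enabled: true },
      },
    },
    dashboardsWithCognito: {
      Type: 'AWS::OpenSearchService::Domain',
      Properties: {
        CognitoOptions: { Enabled: true, UserPoolId: 'us-east-1_EXAMPLEPOOL' },
      },
    },
  },
};

// Patches the constructed sample in place and returns the affected logical IDs
function demo(): string[] {
  return stripDisabledCognitoOptions(sampleTemplate);
}
```

Run it over the JSON in `cdk.out` before `cdk deploy`, or wire the same check into a CDK Aspect so the override is applied during synthesis.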

SamStephens commented 2 years ago

@caoheyang @dashjim one of you should re-file this bug. The Opensearch module should not require Cognito in a region if Cognito authentication is not being used.

nowfox commented 2 years ago

I have the same issue in China region. CDK version: 2.31.1

SamStephens commented 2 years ago

@nowfox someone needs to open a new issue. This issue is closed and the CDK team will not see these comments. I cannot open that issue as I'm not in China and do not face this issue.

nowfox commented 2 years ago

@SamStephens I have opened a new issue. https://github.com/aws/aws-cdk/issues/21192