aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

aws-stepfunctions-tasks: endpointConfigName Token not resolved in create endpoint task #22635

Open yegortokmakov opened 1 year ago

yegortokmakov commented 1 year ago

Describe the bug

CDK doesn't resolve endpoint configuration name in create endpoint task when endpointConfigName is coming from another CDK resource.

Looks like that toLowerCase call is causing the trouble.

https://github.com/aws/aws-cdk/blob/v1.178.0/packages/@aws-cdk/aws-stepfunctions-tasks/lib/sagemaker/create-endpoint.ts#L86

Expected Behavior

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sagemaker:createEndpoint",
            "Resource": [
                "arn:aws:sagemaker:us-east-1:1234567890:endpoint-config/sagemakerendpointconfig-s39vugh0gkoj",
                "arn:aws:sagemaker:us-east-1:1234567890:endpoint/endpoint"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "sagemaker:ListTags",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Current Behavior

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sagemaker:createEndpoint",
            "Resource": [
                "arn:aws:sagemaker:us-east-1:1234567890:endpoint-config/${token[token.264]}",
                "arn:aws:sagemaker:us-east-1:1234567890:endpoint/endpoint"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "sagemaker:ListTags",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Reproduction Steps

  1. Define the endpoint config and state machine:

    // Imports added for completeness (CDK v2 package layout, matching the reported CLI version)
    import * as sagemaker from 'aws-cdk-lib/aws-sagemaker';
    import * as sfn from 'aws-cdk-lib/aws-stepfunctions';
    import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

    // `model` is a sagemaker.CfnModel defined earlier in the stack (not shown in the report)
    const sagemakerEndpointConfig = new sagemaker.CfnEndpointConfig(this, 'sagemakerEndpointConfig', {
      productionVariants: [{
        initialVariantWeight: 1,
        modelName: model.attrModelName,
        variantName: 'default',
        initialInstanceCount: 1,
        instanceType: 'ml.c4.4xlarge',
      }],
    });

    // endpointConfigName is a deferred CloudFormation attribute (a token), not a literal string
    const taskCreateEndpoint = new tasks.SageMakerCreateEndpoint(this, 'taskCreateEndpoint', {
      endpointName: 'endpointblabla',
      endpointConfigName: sagemakerEndpointConfig.attrEndpointConfigName,
    });

    const stateMachine = new sfn.StateMachine(this, 'stateMachine', {
      definition: taskCreateEndpoint,
    });

  2. Invoke the state machine.
  3. Exception from invocation:
    User: arn:aws:sts::1234567890:assumed-role/xxx-stateMachineRoleD7DCE394-LS2JK2THJEVN/XSPwMkuMxIVkbakcsGDVCSPhcLwtfitA is not authorized to perform: sagemaker:CreateEndpoint on resource: arn:aws:sagemaker:us-east-1:1234567890:endpoint-config/sagemakerendpointconfig-s39vugh0gkoj because no identity-based policy allows the sagemaker:CreateEndpoint action (Service: AmazonSageMaker; Status Code: 400; Error Code: AccessDeniedException; Request ID: 558f50e2-42bb-4a29-8397-001fe1a38d96; Proxy: null)

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.47.0 (build 3528e3d)

Framework Version

No response

Node.js Version

v18.11.0

OS

mac

Language

Typescript

Language Version

No response

Other information

No response
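As an added illustration (not code from the CDK repository or from the reporter), a self-contained model of CDK-style string tokens that shows why lowercasing a token leaves the IAM resource ARN unresolvable, so the task role ends up with no usable permission and the invocation is denied, and how a guard that skips lowercasing for unresolved tokens avoids it. The token format, registry and helper names are simplified assumptions; in CDK itself the check the guard mirrors is `Token.isUnresolved`.

```typescript
// Minimal model of string tokens: a registry maps a numeric id to a deferred value.
const registry = new Map<number, () => string>();
let nextId = 1;

// Encode a deferred value as "${Token[TOKEN.n]}" (assumed simplified form of CDK's encoding).
function lazyString(producer: () => string): string {
  const id = nextId++;
  registry.set(id, producer);
  return `\${Token[TOKEN.${id}]}`;
}

// True when the string still carries a token marker (mirrors CDK's Token.isUnresolved).
function isUnresolved(s: string): boolean {
  return /\$\{Token\[TOKEN\.\d+\]\}/.test(s);
}

// Resolve every marker; the match is case-sensitive, so a lowercased marker is left as-is.
function resolve(s: string): string {
  return s.replace(/\$\{Token\[TOKEN\.(\d+)\]\}/g, (match: string, id: string) => {
    const producer = registry.get(Number(id));
    return producer ? producer() : match;
  });
}

const arnPrefix = 'arn:aws:sagemaker:us-east-1:1234567890:endpoint-config/';

// Buggy: lowercases unconditionally, so a token becomes "${token[token.n]}" and never resolves.
function endpointConfigArnBuggy(name: string): string {
  return arnPrefix + name.toLowerCase();
}

// Guarded: only normalize literal names; pass tokens through untouched for later resolution.
function endpointConfigArnSafe(name: string): string {
  return arnPrefix + (isUnresolved(name) ? name : name.toLowerCase());
}

// Constructed sample: the endpoint config name is only known at deploy time.
const endpointConfigName = lazyString(() => 'sagemakerendpointconfig-s39vugh0gkoj');

console.log('buggy:', resolve(endpointConfigArnBuggy(endpointConfigName)));
console.log('safe: ', resolve(endpointConfigArnSafe(endpointConfigName)));
```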

peterwoodworth commented 1 year ago

Thanks for reporting this, I can confirm this is still an issue.

You can work around this for now with escape hatches to replace the generated arn with one that has a proper token.

I'm not sure exactly how we can fix this bug. That will take some investigating.

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to re-evaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself - there's a low chance the team will be able to address this soon but we can try to review a PR 🙂