Description:
I am trying to run sam deploy on a template that contains an image-based Lambda function. It is failing to deploy because the companion stack is not using the main stack's service role and my role doesn't have ecr:CreateRepository permission.
Observed result:
Command logs the following and returns a non-zero exit code:
Managed S3 bucket: aws-sam-cli-managed-default-samclisourcebucket-mysuffix
A different default S3 bucket can be set in samconfig.toml
Or by specifying --s3-bucket explicitly.
Error: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once
(Note that the underlying error isn't reported here). In the console it shows this error message:
Resource handler returned message: "User: arn:aws:sts::0123456789012:assumed-role/MyRoleName/rsn is not authorized to perform: ecr:CreateRepository on resource: arn:aws:ecr:us-east-1:0123456789012:repository/my-stackbbdaea37/myfunction4c1a25bcrepo because no identity-based policy allows the ecr:CreateRepository action (Service: Ecr, Status Code: 400, Request ID: 0cf364b3-4990-4568-9777-478bb698a4ab)" (RequestToken: 759920e2-8dc1-ca88-ba3c-d1b1347887fe, HandlerErrorCode: GeneralServiceException)
Expected result:
I would expect the companion stack to be created with the same service role as the main stack (i.e. the one passed in via --role-arn) and the deployment to succeed. I expect that the update_stack and create_stack calls here (https://github.com/aws/aws-sam-cli/blob/a1deb7c694d508d255baa45ca7bb51aea78eab5c/samcli/lib/bootstrap/companion_stack/companion_stack_manager.py#L121-L133) would need to pass the RoleArn argument.
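As an added illustration of the expected behaviour (this is not aws-sam-cli code; the manager function and the recording client are hypothetical stand-ins for the real companion-stack manager and boto3's CloudFormation client), the following shows a companion-stack deploy forwarding the --role-arn value to both create_stack and update_stack. The security point is the one above: without RoleArn on the companion stack's calls, CloudFormation acts under the deploying user's identity, which then needs ecr:CreateRepository directly instead of merely iam:PassRole on the service role.

```python
"""Added example (not aws-sam-cli's own code): forward the main stack's
service role to the companion stack's create_stack / update_stack calls.
"""
from typing import Any, Dict, List, Optional, Tuple


def stack_call_kwargs(stack_name: str, template_body: str,
                      role_arn: Optional[str]) -> Dict[str, Any]:
    """Kwargs shared by create_stack and update_stack.

    RoleArn is included only when a role was supplied: boto3 rejects
    RoleArn=None, so the key must be absent rather than null when the
    user deployed without --role-arn.
    """
    kwargs: Dict[str, Any] = {
        "StackName": stack_name,
        "TemplateBody": template_body,
    }
    if role_arn:
        kwargs["RoleArn"] = role_arn
    return kwargs


def deploy_companion_stack(client: Any, stack_name: str, template_body: str,
                           role_arn: Optional[str], exists: bool) -> str:
    """Create or update the companion stack, forwarding the service role.

    `client` is any object exposing boto3-style create_stack/update_stack
    keyword-argument methods (hypothetical; see RecordingClient below).
    Returns which operation was issued.
    """
    kwargs = stack_call_kwargs(stack_name, template_body, role_arn)
    if exists:
        client.update_stack(**kwargs)
        return "update"
    client.create_stack(**kwargs)
    return "create"


class RecordingClient:
    """Constructed stand-in for boto3's CloudFormation client: records calls."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def create_stack(self, **kwargs: Any) -> None:
        self.calls.append(("create_stack", kwargs))

    def update_stack(self, **kwargs: Any) -> None:
        self.calls.append(("update_stack", kwargs))
```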
Thanks for opening this issue! I've tagged this as a good first issue for now as we look to prioritize this within our team and are open to contributions/discussions from the community.