aws / aws-sam-cli

CLI tool to build, test, debug, and deploy Serverless applications using AWS SAM
https://aws.amazon.com/serverless/sam/
Apache License 2.0

Bug: Companion stack does not use service role #5051

Open aidansteele opened 1 year ago

aidansteele commented 1 year ago

Description:

I am trying to run sam deploy on a template that contains an image-based Lambda function. It is failing to deploy because the companion stack is not using the main stack's service role and my role doesn't have ecr:CreateRepository permission.

Steps to reproduce:

  1. Create a template that has a resource like this:

         MyFunction:
           Type: AWS::Serverless::Function
           Metadata:
             DockerContext: fn
             Dockerfile: fn/Dockerfile
           Properties:
             Architectures: [ x86_64 ]
             PackageType: Image

  2. Run the following command:

         sam deploy \
           --stack-name my-stack \
           --resolve-s3 --resolve-image-repos \
           --capabilities CAPABILITY_IAM CAPABILITY_AUTO_EXPAND \
           --role-arn arn:aws:iam::$(aws sts get-caller-identity --query Account --output text):role/CloudFormationServiceRole

Observed result:

Command logs the following and returns a non-zero exit code:

        Managed S3 bucket: aws-sam-cli-managed-default-samclisourcebucket-mysuffix
        A different default S3 bucket can be set in samconfig.toml
        Or by specifying --s3-bucket explicitly.
        Error: Waiter StackCreateComplete failed: Waiter encountered a terminal failure state: For expression "Stacks[].StackStatus" we matched expected path: "ROLLBACK_COMPLETE" at least once

(Note that the underlying error isn't reported here). In the console it shows this error message:

        Resource handler returned message: "User: arn:aws:sts::0123456789012:assumed-role/MyRoleName/rsn is not authorized to perform: ecr:CreateRepository on resource: arn:aws:ecr:us-east-1:0123456789012:repository/my-stackbbdaea37/myfunction4c1a25bcrepo because no identity-based policy allows the ecr:CreateRepository action (Service: Ecr, Status Code: 400, Request ID: 0cf364b3-4990-4568-9777-478bb698a4ab)" (RequestToken: 759920e2-8dc1-ca88-ba3c-d1b1347887fe, HandlerErrorCode: GeneralServiceException)

Expected result:

I would expect the companion stack to be created with the same service role as the main stack (i.e. the one passed in via --role-arn) and the deployment to succeed. I expect that the update_stack and create_stack calls here would need to pass the RoleArn argument.

https://github.com/aws/aws-sam-cli/blob/a1deb7c694d508d255baa45ca7bb51aea78eab5c/samcli/lib/bootstrap/companion_stack/companion_stack_manager.py#L121-L133
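The change the report asks for, forwarding the main stack's service role to both the create and the update path of the companion stack, sketched as an added example that is not aws-sam-cli's own code. The `FakeCloudFormation` client and the role ARN are constructed stand-ins so it runs offline; a real boto3 CloudFormation client exposes `create_stack`/`update_stack` with the same keyword arguments.

```python
# Added illustration, not aws-sam-cli code: forward the main stack's
# service role (RoleArn) to the companion stack so CloudFormation creates
# the ECR repositories with the role's permissions instead of the deploying
# caller's own identity (which then needs only iam:PassRole on that role).

def companion_stack_args(stack_name, template_body, role_arn=None):
    """Keyword arguments shared by create_stack and update_stack.

    RoleArn is included only when a role was supplied; when the key is
    absent CloudFormation falls back to the caller's own credentials,
    which is exactly the situation that produced the ecr:CreateRepository
    AccessDenied in the report.
    """
    args = {"StackName": stack_name, "TemplateBody": template_body}
    if role_arn:
        args["RoleArn"] = role_arn  # same service role as the main stack
    return args


def deploy_companion_stack(cfn, stack_name, template_body,
                           role_arn=None, exists=False):
    """Create or update the companion stack, passing role_arn on both paths."""
    args = companion_stack_args(stack_name, template_body, role_arn)
    if exists:
        return cfn.update_stack(**args)
    return cfn.create_stack(**args)


class FakeCloudFormation:
    """Constructed stand-in for a boto3 CloudFormation client; records calls."""

    def __init__(self):
        self.calls = []

    def create_stack(self, **kwargs):
        self.calls.append(("create_stack", kwargs))
        return {"StackId": "constructed-stack-id"}

    def update_stack(self, **kwargs):
        self.calls.append(("update_stack", kwargs))
        return {"StackId": "constructed-stack-id"}


if __name__ == "__main__":
    fake = FakeCloudFormation()
    role = "arn:aws:iam::123456789012:role/CloudFormationServiceRole"  # constructed
    deploy_companion_stack(fake, "my-stack-companion", "{}", role_arn=role)
    print(fake.calls[0][0], fake.calls[0][1].get("RoleArn"))
```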

lucashuy commented 1 year ago

Thanks for opening this issue! I've tagged this as a good first issue for now as we look to prioritize this within our team and are open to contributions/discussions from the community.