awslabs / ecs-secrets

Runtime secrets management solution for ECS using Task IAM Roles
Apache License 2.0

Error creating cloudformation stack: ResourceNotReady: failed waiting for successful resource state #1

Open vecchp opened 7 years ago

vecchp commented 7 years ago

Hey! I saw this tool and was excited to try it out. When executing the following setup command:

docker run --env-file setup-env.txt -v ~/.aws:/root/.aws \
    amazon/amazon-ecs-secrets setup \
    --application-name test-secrets \
    --create-principal arn:aws:iam::$ACCOUNT_ID:role/SecretsAdmin \
    --fetch-role arn:aws:iam::$ACCOUNT_ID:role/MyApplicationRole

I get the following error: Error creating cloudformation stack: ResourceNotReady: failed waiting for successful resource state

When I checked the CloudFormation stack details, it seems to have failed because of a MalformedPolicyDocumentException. [screenshot]

I've attached the generated CloudFormation template:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description" : "AWS CloudFormation template to create resources for ECS Secrets.",
  "Parameters": {
    "ECSSecretsTableName": {
      "Type": "String",
      "Description": "Table name for ECS Secrets"
    },
    "ECSSecretsIAMPrincipalForCreatingSecrets": {
      "Type": "String",
      "Description": "IAM Entity used to create secrets"
    },
    "ECSSecretsIAMRoleArn": {
      "Type": "String",
      "Description": "Task IAM Role Arn used by the application"
    }
  },
  "Resources" : {
    "ECSSecretsTable" : {
      "Type" : "AWS::DynamoDB::Table",
      "Properties" : {
        "AttributeDefinitions" : [
          {
            "AttributeName" : "Name",
            "AttributeType" : "S"
          },
          {
            "AttributeName" : "Serial",
            "AttributeType" : "N"
          }
        ],
        "KeySchema" : [
          {
            "AttributeName" : "Name",
            "KeyType" : "HASH"
          },
          {
            "AttributeName" : "Serial",
            "KeyType" : "RANGE"
          }
        ],
        "ProvisionedThroughput" : {
          "ReadCapacityUnits" : "5",
          "WriteCapacityUnits" : "5"
        },
        "TableName" : {"Ref": "ECSSecretsTableName"}
      }
    },
    "ECSSecretsMasterKey": {
      "Type" : "AWS::KMS::Key",
      "Properties" : {
        "Description" : "Master Key for ECS Secrets",
        "KeyPolicy" : {
          "Version": "2012-10-17",
          "Id": "ecs-secrets-setup-key-policy",
          "Statement": [
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": { 
                "AWS": { "Fn::Join": [":", ["arn:aws:iam:", { "Ref":"AWS::AccountId" }, "root"]]}
              },
              "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow use of the key to create secrets",
              "Effect": "Allow",
              "Principal": { "AWS": { "Ref": "ECSSecretsIAMPrincipalForCreatingSecrets" } },
              "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
              ], 
              "Resource": "*"
            },
            {
              "Sid": "Allow use of the key to retrieve secrets",
              "Effect": "Allow",
              "Principal": { "AWS": { "Ref": "ECSSecretsIAMRoleArn" } },
              "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
              ], 
              "Resource": "*"
            }
          ]
        }
      }
    }
  },
  "Outputs" : {
    "secretsDynamoTable" : {
      "Value" : { "Fn::Sub" : "arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${ECSSecretsTable}" }
    },
    "kmsKey": {
      "Value" : { "Ref" : "ECSSecretsMasterKey" }
    }
  }
}

jhaynes commented 7 years ago

@vecchp Thanks for posting this issue. Can you confirm that you have already created the IAM Roles SecretsAdmin and MyApplicationRole?
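The diagnosis above points at a property of KMS key policies: every IAM principal named in a statement must exist at the time the policy is written, otherwise KMS rejects the policy and CloudFormation reports it as MalformedPolicyDocumentException (the CLI then shows the generic ResourceNotReady). The following pre-flight check, added here as an example and not part of the ecs-secrets project, walks the key policy of the template posted above, resolves the two `Ref` parameters to the ARNs passed on the command line, and asks IAM whether each role or user actually exists before the stack is created. The template is a trimmed copy of the one in the issue, the account id is a constructed placeholder, and `FakeIAM` stands in for `boto3.client("iam")` so the script runs offline; with a real client you would pass `boto3.client("iam")` instead.

```python
import json
import re

# Trimmed copy of the key policy from the template posted above (constructed
# for this example; only the parts the check needs are kept).
TEMPLATE = json.loads("""
{
  "Parameters": {
    "ECSSecretsIAMPrincipalForCreatingSecrets": {"Type": "String"},
    "ECSSecretsIAMRoleArn": {"Type": "String"}
  },
  "Resources": {
    "ECSSecretsMasterKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [
            {"Sid": "Allow administration of the key", "Effect": "Allow",
             "Principal": {"AWS": {"Fn::Join": [":", ["arn:aws:iam:", {"Ref": "AWS::AccountId"}, "root"]]}},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow use of the key to create secrets", "Effect": "Allow",
             "Principal": {"AWS": {"Ref": "ECSSecretsIAMPrincipalForCreatingSecrets"}},
             "Action": ["kms:Encrypt", "kms:GenerateDataKey*"], "Resource": "*"},
            {"Sid": "Allow use of the key to retrieve secrets", "Effect": "Allow",
             "Principal": {"AWS": {"Ref": "ECSSecretsIAMRoleArn"}},
             "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}
          ]
        }
      }
    }
  }
}
""")

# Role or user ARN in the standard aws partition (paths in the name are allowed).
IAM_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/([\w+=,.@/-]+)$")


def key_policy_principals(template, params):
    """Collect every AWS principal from AWS::KMS::Key resources, resolving
    {"Ref": <ParameterName>} against `params`. The account-root principal
    built with Fn::Join from AWS::AccountId is skipped: it always exists."""
    found = []
    for res in template["Resources"].values():
        if res.get("Type") != "AWS::KMS::Key":
            continue
        for stmt in res["Properties"]["KeyPolicy"]["Statement"]:
            aws = stmt.get("Principal", {}).get("AWS")
            values = aws if isinstance(aws, list) else [aws]
            for v in values:
                if isinstance(v, dict) and "Ref" in v and v["Ref"] in params:
                    found.append((stmt.get("Sid"), params[v["Ref"]]))
                elif isinstance(v, str):
                    found.append((stmt.get("Sid"), v))
                # any other intrinsic (the Fn::Join on AWS::AccountId) is skipped
    return found


def missing_principals(principals, iam):
    """Return (Sid, arn, reason) triples KMS would reject: malformed ARNs and
    roles/users IAM cannot find. `iam` is a boto3 IAM client or any object
    offering the same get_role / get_user calls."""
    problems = []
    for sid, arn in principals:
        m = IAM_ARN_RE.match(arn)
        if not m:
            problems.append((sid, arn, "not a role/user ARN"))
            continue
        kind, name = m.groups()
        try:
            if kind == "role":
                iam.get_role(RoleName=name)
            else:
                iam.get_user(UserName=name)
        except Exception as exc:  # boto3 raises NoSuchEntityException (a ClientError)
            problems.append((sid, arn, type(exc).__name__))
    return problems


class FakeIAM:
    """Stand-in for boto3's IAM client so the example runs offline."""
    def __init__(self, roles, users=()):
        self.roles, self.users = set(roles), set(users)
    def get_role(self, RoleName):
        if RoleName not in self.roles:
            raise LookupError("NoSuchEntity")
        return {"Role": {"RoleName": RoleName}}
    def get_user(self, UserName):
        if UserName not in self.users:
            raise LookupError("NoSuchEntity")
        return {"User": {"UserName": UserName}}


def preflight(params, iam):
    """Run the whole check for one set of template parameters."""
    return missing_principals(key_policy_principals(TEMPLATE, params), iam)


if __name__ == "__main__":
    # Constructed account id; SecretsAdmin exists, MyApplicationRole was never created.
    account = "123456789012"
    params = {
        "ECSSecretsIAMPrincipalForCreatingSecrets": f"arn:aws:iam::{account}:role/SecretsAdmin",
        "ECSSecretsIAMRoleArn": f"arn:aws:iam::{account}:role/MyApplicationRole",
    }
    for sid, arn, why in preflight(params, FakeIAM(roles={"SecretsAdmin"})):
        print(f"{sid}: {arn} -> {why}")
    # With real credentials: preflight(params, boto3.client("iam"))
```

Running the script with only SecretsAdmin present reports the retrieve-secrets statement as the one KMS will refuse, which is the failure mode described in this issue; once both roles exist the check returns nothing and the setup command can be run with some confidence that the stack will not roll back on the key resource.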

vecchp commented 7 years ago

Ah, that is most likely the culprit. I haven't got around to trying this approach again yet.

We've been putting more effort into using S3 with KMS-SSE.

Sitin commented 6 years ago

I have the same problem. Which policies should be attached to these roles?