awslabs / pireporter

A comprehensive tool for capturing performance metrics and workload snapshots, and generating in-depth comparison reports for Amazon Aurora PostgreSQL databases. Helps to troubleshoot problems, optimize instance size and cost.
Apache License 2.0

Additional unnecessary and failing call to rds:DescribeDBInstances for db:* #8

Open alecl opened 5 days ago

alecl commented 5 days ago

The file https://github.com/awslabs/pireporter/blob/master/pireporterPolicy.json only allows rds:DescribeDBInstances on a filtered condition: instances with the tag "pireporter": "allow". I am assuming a role with that policy and have put that tag on all my RDS clusters and databases, yet I still get an error, as pireporter appears to make a call against db:* potentially? It is continuing past the error and succeeding.

From pireporterPolicy.json:

        {
            "Sid": "pireporter2",
            "Effect": "Allow",
            "Action": [
                "rds:DownloadDBLogFilePortion",
                "rds:DescribeDBInstances",
                "rds:DescribeDBLogFiles"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "rds:db-tag/pireporter": "allow"
                }
            }
        }

This error results, though it seems to be ignored as the create snapshot process continues.

```
Cannot find the instance undefined
AccessDenied: User: arn:aws:sts::<redacted>:assumed-role/r/i-<redacted> is not authorized to perform: rds:DescribeDBInstances on resource: arn:aws:rds:us-east-1:<redacted>:db:* because no identity-based policy allows the rds:DescribeDBInstances action
    at throwDefaultError (/usr/local/bin/pireporter/node_modules/@smithy/smithy-client/dist-cjs/index.js:838:20)
    at /usr/local/bin/pireporter/node_modules/@smithy/smithy-client/dist-cjs/index.js:847:5
    at de_DescribeDBInstancesCommandError (/usr/local/bin/pireporter/node_modules/@aws-sdk/client-rds/dist-cjs/protocols/Aws_query.js:4438:20)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /usr/local/bin/pireporter/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
    at async /usr/local/bin/pireporter/node_modules/@aws-sdk/middleware-signing/dist-cjs/awsAuthMiddleware.js:30:20
    at async /usr/local/bin/pireporter/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
    at async /usr/local/bin/pireporter/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26 {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 403,
    requestId: '<redacted>',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  Type: 'Sender',
  Code: 'AccessDenied'
}
```
aychin-aws commented 22 hours ago

The message "Cannot find the instance undefined" caught my attention. Maybe something related to the instance name? Did you try to trace it?