A comprehensive tool for capturing performance metrics and workload snapshots, and generating in-depth comparison reports for Amazon Aurora PostgreSQL databases. Helps to troubleshoot problems, optimize instance size and cost.
Apache License 2.0
8
stars
4
forks
source link
Additional unnecessary and failing call to rds:DescribeDBInstances for db:* #8
The file https://github.com/awslabs/pireporter/blob/master/pireporterPolicy.json only allows rds:DescribeDBInstance on a filtered condition on instances with the tag "pireporter": "allow" I am assuming a role with that policy and have put that tag on all my rds clusters and databases yet I get an error still as pireporter appears to make a call against db:* potentially? It is continuing past the error and succeeding.
This error results though it seems to be ignored as the create snapshot process continues.
Cannot find the instance undefined
AccessDenied: User: arn:aws:sts::<redacted>:assumed-role/r/i-<redacted> is not authorized to perform: rds:DescribeDBInstances on resource: arn:aws:rds:us-east-1:<redacted>:db:* because no identity-based policy allows the rds:DescribeDBInstances action
at throwDefaultError (/usr/local/bin/pireporter/node_modules/@smithy/smithy-client/dist-cjs/index.js:838:20)
at /usr/local/bin/pireporter/node_modules/@smithy/smithy-client/dist-cjs/index.js:847:5
at de_DescribeDBInstancesCommandError (/usr/local/bin/pireporter/node_modules/@aws-sdk/client-rds/dist-cjs/protocols/Aws_query.js:4438:20)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async /usr/local/bin/pireporter/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
at async /usr/local/bin/pireporter/node_modules/@aws-sdk/middleware-signing/dist-cjs/awsAuthMiddleware.js:30:20
at async /usr/local/bin/pireporter/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
at async /usr/local/bin/pireporter/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26 {
'$fault': 'client',
'$metadata': {
httpStatusCode: 403,
requestId: '<redacted>',
extendedRequestId: undefined,
cfId: undefined,
attempts: 1,
totalRetryDelay: 0
},
Type: 'Sender',
Code: 'AccessDenied'
}
The file https://github.com/awslabs/pireporter/blob/master/pireporterPolicy.json only allows rds:DescribeDBInstance on a filtered condition on instances with the tag
"pireporter": "allow"
I am assuming a role with that policy and have put that tag on all my rds clusters and databases yet I get an error still as pireporter appears to make a call against db:* potentially? It is continuing past the error and succeeding.From pireporterPolicy.json:
This error results though it seems to be ignored as the create snapshot process continues.