go-to-k / image-scanner-with-dockle

The AWS CDK Construct library to allow you to scan a container image during CDK deployment layer with Dockle.
https://constructs.dev/packages/image-scanner-with-dockle
Apache License 2.0
1 star, 1 fork

Bugs: AccessDeniedException: Resource is not in the state functionActive #5

Open go-to-k opened 1 year ago

go-to-k commented 1 year ago

Version: v1.0.9

When I deployed, I got the following error in the CloudFormation event message.

(This deployment had no changes to the Lambda function, IAM Role or IAM Policy; only the Custom Resource had changes to update.)

ECSConstruct/EcrConstruct/ImageScannerWithDockle/Default/Default (ECSConstructEcrConstructImageScannerWithDockle0DCA0262) Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: Resource is not in the state functionActive
    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:61:27)
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:61:8)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12) (RequestId: xxxxxxxxxxxxxxxxx)
go-to-k commented 1 year ago

Custom Resource Provider Role Policy missing?

https://stackoverflow.com/questions/76819690/accessdeniedexception-resource-is-not-in-the-state-functionactivev2-at-object-e

go-to-k commented 1 year ago

However, when I retried the deployment (after the update rollback for UPDATE_ROLLBACK_FAILED had completed), it succeeded...

go-to-k commented 1 year ago

I tried it multiple times with different stacks, but all of them hit the error at first.

And in all cases, the retries were successful.

go-to-k commented 1 year ago

The Provider has the following policies. But there was no change after a successful retry.

AWSLambdaBasicExecutionRole

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Inline

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "lambda:InvokeFunction",
            "Resource": [
                "arn:aws:lambda:ap-northeast-1:123456789012:function:dev-main-BastionTunnel-CustomImageScannerWithDockl-hzy008aOF787",
                "arn:aws:lambda:ap-northeast-1:123456789012:function:dev-main-BastionTunnel-CustomImageScannerWithDockl-hzy008aOF787:*"
            ],
            "Effect": "Allow"
        }
    ]
}
go-to-k commented 1 year ago

Retry succeeds, so I'll close it this time for now...
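
The retry that works in this thread can be done programmatically. The following is an added example, not code from image-scanner-with-dockle or from aws-cdk: it models the condition behind the message "Resource is not in the state functionActive" (a Lambda function that is Pending after a create/update, or Inactive after a long idle period, rejects invocations until Lambda reports State "Active"), attempts the invoke, and on that specific failure polls GetFunctionConfiguration until the function is Active before retrying once. The client is duck-typed so the block runs offline against the constructed FakeLambdaClient at the bottom; with boto3 you would pass boto3.client("lambda") instead. Error codes are read from exc.response["Error"]["Code"], the shape botocore's ClientError exposes; the function name and payload are placeholders.

```python
"""Retry a Lambda invoke that failed because the function is not Active.

Added example for this issue thread; not code from image-scanner-with-dockle
or aws-cdk. Assumptions are marked in comments.
"""
import io
import json
from typing import Any, Callable, List

# Lambda's documented error code for invoking a function that is not Active.
NOT_READY_CODES = {"ResourceNotReadyException"}


class FunctionNotActiveError(RuntimeError):
    """The function did not reach State == "Active" within the polling budget."""


def _is_not_ready(exc: Exception) -> bool:
    """True for the 'function not Active' family of invoke failures.

    Matches either the documented error code or the message text seen in the
    issue above, which arrived wrapped in an AccessDeniedException.
    """
    err = getattr(exc, "response", {}).get("Error", {})
    return err.get("Code") in NOT_READY_CODES or "functionActive" in str(err.get("Message", exc))


def wait_for_active(client: Any, name: str, *, attempts: int = 10, delay: float = 2.0,
                    sleep: Callable[[float], None] = lambda _s: None) -> dict:
    """Poll GetFunctionConfiguration until State == "Active" or a terminal failure.

    boto3 ships an equivalent waiter as client.get_waiter("function_active_v2");
    this loop is explicit so a Failed function surfaces with its StateReason.
    """
    cfg: dict = {}
    for _ in range(attempts):
        cfg = client.get_function_configuration(FunctionName=name)
        if cfg.get("State") == "Active":
            return cfg
        if cfg.get("State") == "Failed":
            raise FunctionNotActiveError(
                f"{name} is Failed: {cfg.get('StateReasonCode')} {cfg.get('StateReason')}")
        sleep(delay)
    raise FunctionNotActiveError(f"{name} still {cfg.get('State')} after {attempts} polls")


def invoke_when_active(client: Any, name: str, payload: dict, **poll: Any) -> dict:
    """Invoke synchronously; if Lambda rejects the call because the function is
    not Active, wait for the state transition and retry exactly once.

    The first attempt is what starts reactivation of an Inactive function, and
    a rejected invoke never ran the handler, so the retry cannot double-run it.
    """
    body = json.dumps(payload).encode()
    try:
        resp = client.invoke(FunctionName=name, Payload=body)
    except Exception as exc:  # botocore.exceptions.ClientError when using boto3
        if not _is_not_ready(exc):
            raise
        wait_for_active(client, name, **poll)
        resp = client.invoke(FunctionName=name, Payload=body)
    return json.loads(resp["Payload"].read())


class _NotReady(Exception):
    """Constructed stand-in for botocore ClientError, carrying its .response shape."""

    def __init__(self, code: str, message: str) -> None:
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeLambdaClient:
    """Constructed fake: starts Inactive, turns Pending on the first invoke,
    and reports Active after a fixed number of configuration polls."""

    def __init__(self, polls_until_active: int = 2) -> None:
        self.state = "Inactive"
        self._pending_polls = polls_until_active
        self.invocations: List[bytes] = []

    def get_function_configuration(self, FunctionName: str) -> dict:
        if self.state == "Pending":
            self._pending_polls -= 1
            if self._pending_polls <= 0:
                self.state = "Active"
        return {"FunctionName": FunctionName, "State": self.state, "StateReasonCode": None}

    def invoke(self, FunctionName: str, Payload: bytes) -> dict:
        if self.state != "Active":
            if self.state == "Inactive":
                self.state = "Pending"  # an invoke is what starts reactivation
            raise _NotReady("AccessDeniedException", "Resource is not in the state functionActive")
        self.invocations.append(Payload)
        echo = json.dumps({"echo": json.loads(Payload)}).encode()
        return {"StatusCode": 200, "Payload": io.BytesIO(echo)}


if __name__ == "__main__":
    fake = FakeLambdaClient()
    print(invoke_when_active(fake, "ImageScannerWithDockle", {"RequestType": "Update"}))
```

The polling budget (attempts times delay) should stay well inside the custom resource provider's own timeout, otherwise CloudFormation reports the same FAILED status from the outside while the handler is still waiting.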

Yatingambhir85 commented 8 months ago

What policy have you added to your role? I am also getting the same AccessDenied error.

go-to-k commented 8 months ago

Users of this library do not need to specify explicit policies. Apparently this is a bug on the aws-cdk side.

https://github.com/aws/aws-cdk/issues/26838