spinnaker-plugins / aws-lambda-deployment-plugin-spinnaker

Spinnaker plugin to support deployment of AWS Lambda functions via Spinnaker pipelines
Apache License 2.0
23 stars 22 forks

Could not find lambda to update event config for #51

Closed joetancy closed 3 years ago

joetancy commented 3 years ago

This happens when the AWS user has any deny policy on lambda:ListVersionsByFunction on any function that is not the application in Spinnaker.

com.amazonaws.services.lambda.model.AWSLambdaException: User: arn:aws:sts::<<aws account id>>:assumed-role/SpinnakerManaged/Spinnaker is not authorized to perform: lambda:ListVersionsByFunction on resource: arn:aws:lambda:ap-southeast-1:<<aws account id>>:function:<<aws function name>> with an explicit deny (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: a80dbfcc-9827-431f-9903-bb6552905522; Proxy: null)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1828) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1412) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1374) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1145) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:802) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530) ~[aws-java-sdk-core-1.11.901.jar:na]
    at com.amazonaws.services.lambda.AWSLambdaClient.doInvoke(AWSLambdaClient.java:4015) ~[aws-java-sdk-lambda-1.11.901.jar:na]
    at com.amazonaws.services.lambda.AWSLambdaClient.invoke(AWSLambdaClient.java:3982) ~[aws-java-sdk-lambda-1.11.901.jar:na]
    at com.amazonaws.services.lambda.AWSLambdaClient.invoke(AWSLambdaClient.java:3971) ~[aws-java-sdk-lambda-1.11.901.jar:na]
    at com.amazonaws.services.lambda.AWSLambdaClient.executeListVersionsByFunction(AWSLambdaClient.java:2895) ~[aws-java-sdk-lambda-1.11.901.jar:na]
    at com.amazonaws.services.lambda.AWSLambdaClient.listVersionsByFunction(AWSLambdaClient.java:2864) ~[aws-java-sdk-lambda-1.11.901.jar:na]
    at com.netflix.spinnaker.clouddriver.lambda.provider.agent.LambdaCachingAgent.listFunctionRevisions(LambdaCachingAgent.java:205) ~[clouddriver-lambda.jar:na]
    at com.netflix.spinnaker.clouddriver.lambda.provider.agent.LambdaCachingAgent.loadData(LambdaCachingAgent.java:142) ~[clouddriver-lambda.jar:na]
    at com.netflix.spinnaker.cats.agent.CachingAgent$CacheExecution.executeAgentWithoutStore(CachingAgent.java:87) ~[clouddriver-api.jar:na]
    at com.netflix.spinnaker.cats.agent.CachingAgent$CacheExecution.executeAgent(CachingAgent.java:77) ~[clouddriver-api.jar:na]
    at com.netflix.spinnaker.cats.redis.cluster.ClusteredAgentScheduler$AgentExecutionAction.execute(ClusteredAgentScheduler.java:338) ~[cats-redis.jar:na]
    at com.netflix.spinnaker.cats.redis.cluster.ClusteredAgentScheduler$AgentJob.run(ClusteredAgentScheduler.java:308) ~[cats-redis.jar:na]
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515) ~[na:na]
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) ~[na:na]
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) ~[na:na]
    at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]

Apparently, this also affects the UI component: when the AWS account has a deny policy like the above, even though there's a cluster group created (to get around the UI bug mentioned here https://github.com/spinnaker/spinnaker/issues/6271), this same exception still appears.

I have no fix for this and am looking for advice. I will also attempt to fix it if someone could point me in the right direction. Thank you!

joetancy commented 3 years ago

This issue isn't coming from this plugin, but instead from clouddriver: https://github.com/spinnaker/clouddriver/blob/master/clouddriver-lambda/src/main/java/com/netflix/spinnaker/clouddriver/lambda/provider/agent/LambdaCachingAgent.java
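To make the failure mode in the stack trace concrete, here is an added example (not code from this plugin or from clouddriver). It models the caching agent's loop as the trace shows it, `ListFunctions` followed by `ListVersionsByFunction` on every function in the account, against a constructed in-memory Lambda client, and shows why a single explicit deny on an unrelated function aborts the whole cache refresh. It also shows one way to isolate the fault so that readable functions are still cached and the denied ARNs are reported. The IAM evaluation is deliberately simplified (explicit `Deny` statements only, wildcard matching on action and resource, no conditions or `NotAction`); the account id, function names and policy are made up, and only the region is taken from the issue's error message.

```python
"""Model of the LambdaCachingAgent failure described in this issue.

Added example, not clouddriver's or this plugin's code. The Lambda client,
the function ARNs and the IAM policy are all constructed for illustration.
"""
from fnmatch import fnmatch

ACCOUNT = "123456789012"   # placeholder account id, not a real account
REGION = "ap-southeast-1"  # region from the error message in the issue


def arn(name):
    """Build a Lambda function ARN in the shape the error message shows."""
    return f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:{name}"


# Constructed sample: three functions in the account, only one of which is
# the Spinnaker application. Values are the versions ListVersionsByFunction
# would return.
FUNCTIONS = {
    arn("spinnaker-app"): ["1", "2", "$LATEST"],
    arn("unrelated-team-fn"): ["1", "$LATEST"],
    arn("other-app"): ["7", "$LATEST"],
}

# Constructed IAM policy on the Spinnaker role: broad Allow, plus an explicit
# Deny on ListVersionsByFunction for one function Spinnaker does not manage.
POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:ListFunctions", "lambda:ListVersionsByFunction"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "lambda:ListVersionsByFunction",
         "Resource": arn("unrelated-team-fn")},
    ]
}


class AccessDeniedException(Exception):
    """Stands in for the 403 AWSLambdaException raised by the AWS SDK."""


def _matches(pattern, value):
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch(value, p) for p in pats)


def explicit_denies(policy, action, resource):
    """Simplified IAM check: does any Deny statement match action+resource?

    In real IAM an explicit Deny always wins over any Allow, which is why the
    broad Allow above does not help once this returns True.
    """
    return any(
        s["Effect"] == "Deny"
        and _matches(s["Action"], action)
        and _matches(s["Resource"], resource)
        for s in policy["Statement"]
    )


class FakeLambdaClient:
    """In-memory stand-in for the AWS Lambda client (constructed)."""

    def __init__(self, functions, policy):
        self.functions, self.policy = functions, policy

    def list_functions(self):
        return list(self.functions)

    def list_versions_by_function(self, function_arn):
        if explicit_denies(self.policy, "lambda:ListVersionsByFunction", function_arn):
            raise AccessDeniedException(
                f"not authorized to perform: lambda:ListVersionsByFunction "
                f"on resource: {function_arn} with an explicit deny")
        return self.functions[function_arn]


def load_data_fail_fast(client):
    """Shape of the loop in the stack trace: the first denied function
    propagates an exception and the whole refresh is lost."""
    return {fn: client.list_versions_by_function(fn) for fn in client.list_functions()}


def refresh_aborted(client):
    """True if the fail-fast loop raises for this client/policy combination."""
    try:
        load_data_fail_fast(client)
        return False
    except AccessDeniedException:
        return True


def load_data_isolated(client):
    """Hardened variant: cache every readable function and report the ARNs
    the role was denied on, instead of aborting the entire cache load."""
    cached, denied = {}, []
    for fn in client.list_functions():
        try:
            cached[fn] = client.list_versions_by_function(fn)
        except AccessDeniedException:
            denied.append(fn)
    return cached, denied


if __name__ == "__main__":
    client = FakeLambdaClient(FUNCTIONS, POLICY)
    print("fail-fast refresh aborted:", refresh_aborted(client))
    cached, denied = load_data_isolated(client)
    print("cached:", sorted(cached))
    print("denied:", denied)
```

Running the script shows the fail-fast loop aborting after the first readable function, while the isolated variant still caches `spinnaker-app` and `other-app` and lists the one ARN the policy denies. The `explicit_denies` helper can also be used on its own as a pre-flight check of a proposed role policy against the ARNs an account contains, before the agent ever runs.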