(cdk-pipelines): Build fails after updating CDK to 1.87.0 - not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:eu-central-1:88888888:parameter/ENV_VARIABLE status code: 400, request id

[markusl]

It seems handling of the secrets has been changed in AWS CDK 1.87.0 so that the required ssm:GetParameters policy is not created any more.

Reproduction Steps

  const secrets = { 
    'ENV_VARIABLE': ecs.Secret.fromSsmParameter(ssmParameters.envVariable),
  };

  const taskDefinition = new ecs.FargateTaskDefinition(scope, `${serviceName}TaskDefinition`);
  const mainContainer = taskDefinition.addContainer('main', {
    image: ecs.ContainerImage.fromAsset('../service',
      {
        buildArgs: {
        }
      }),
    logging,
    secrets,
  });

What did you expect to happen?

I would not expect to see any diff in IAM roles after upgrading.

What actually happened?

Decrypted Variables Error: AccessDeniedException: User: arn:aws:sts::88888888:assumed-role/build/AWSCodeBuild-bc7324e2-a3f5-4638-9675-54d90553cc3a is not authorized to perform: ssm:GetParameters on resource: arn:aws:ssm:eu-central-1:207507657282:parameter/dev/ENV_VARIABLE status code: 400, request id: cada8842-0a21-473c-be49-7b16f580f60c

Environment

• CDK CLI Version : 1.87.0
• Framework Version: 1.87.0
• Node.js Version:
• OS : macOS
• Language (Version): TypeScript

Other

---

This is 🐛 Bug Report

[rix0rrr]

This seems to be an ECS issue, agreed?

[rix0rrr]

You did not say WHEN the error occurred.

During a synth, or during the CloudFormation deployment, or during the run of the ECS container that is a result of the deployment, or... ?

[markusl]

@rix0rrr This happened during the build of the Docker asset in question

[markusl]

Also the following code specifying environmentVariables seems to fail with 1.87.0

    synthAction: pipelines.SimpleSynthAction.standardNpmSynth({
      sourceArtifact,
      cloudAssemblyArtifact,

      subdirectory: 'cdk',
      environmentVariables: {
        NPM_TOKEN: {
          type: codebuild.BuildEnvironmentVariableType.PARAMETER_STORE,
          value: 'npm-token'
        },
      },
    }),

Is it possibly due to this? 736b260#diff-d3cb29eee3f26a140a30213c958a5739b9abbae4ba62f3d6318417ef6ac8f930L323

[skinny85]

Thanks for reporting @markusl. You are correct about the reason. PR with a fix posted.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[markusl]

@skinny85 @rix0rrr is the fix going to be included in v1.87.1?

[skinny85]

Unfortunately no - 1.87.1 was just a hotfix for a serious bug in 1.87.0. This fix should be included in 1.88.0, which should be out next week.

Apologies for the inconvenience this caused @markusl!

[skinny85]

Perhaps rolling back to 1.86.0 until 1.88.0 is out will get you unblocked...?

[markusl]

@skinny85 our CDK Pipelines rollout for container apps has been blocked and waiting for #11815 to be fixed. Now it's fixed but our other pipelines, and I guess most of them, got broken because of the permission error (we try to always update to the latest version).

Since this is a regression in a stable module (codepipeline) I would like to understand why it is not considered worth fixing as a hotfix to retain previous functionality?

Br,
Markus

[skinny85]

@markusl this is actually not a regression in the CodePipeline module, as this never properly worked 😜. It is a regression in the Pipelines module, though.

Can you see if the workaround described in this comment can help you on 1.87.0 / 1.87.1 until this fix is released?