CodeBuild: A project with default role results in Not authorized to perform DescribeSecurityGroups #2652

Closed
thesurlydev opened this issue May 27, 2019 · 7 comments · Fixed by #2662
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild bug This issue is a bug.

Comments

@thesurlydev
Contributor

Describe the bug
Creating a new CodeBuild project without defining a role results in an exception during deploy: "Not authorized to perform DescribeSecurityGroups (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException)".

Looking at the generated CF template, it appears there are two IAM policy documents that are generated and reference the CodeBuild project role. One is the default policy with a name similar to codebuildprojectRoleDefaultPolicy4FA15962 and another "CodeBuildEC2Policy" with a name similar to codebuildprojectPolicyDocument1DCF3D9B. Based on the exception it seems the "CodeBuildEC2Policy" is not recognized or perhaps a race condition?

After a brief search on the interwebs, I found this: https://stackoverflow.com/questions/52843460/receive-not-authorized-to-perform-describesecuritygroups-when-creating-new-pro which seems similar to the issue here.

To Reproduce
Using something like the following code will reproduce:

```kotlin
val projectProps = ProjectProps.builder()
    .withEnvironment(buildEnvironment)
    .withProjectName(appName)
    .withSource(gitHubEnterpriseSource)
    .withBuildSpec("buildspec.yml")
    .withVpc(props.vpc)                 // VPC-attached project, no explicit role
    .withArtifacts(NoBuildArtifacts())
    .withSecondaryArtifacts(listOf(s3BucketBuildArtifacts))
    .build()

val project = Project(this, "code-build-project", projectProps)
```

Expected behavior
Using the default role with a CodeBuild project should not result in an exception.

Version:

  • Ubuntu 18.04
  • Kotlin using Java CDK artifacts
  • 0.32.0
@thesurlydev
Contributor Author

I reported a similar issue as part of #2605

@thesurlydev
Contributor Author

This screenshot from CloudFormation events seems to support the fact that the project attempts to get created just prior to the "CodeBuildEC2Policy":

[Screenshot from 2019-05-27 12-10-17: CloudFormation stack events]

@thesurlydev
Contributor Author

After further investigation, according to the AWS docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles some explicit DependsOn attribute values may need to be added to ensure the policies are available.

@skinny85 skinny85 added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label May 28, 2019
@skinny85
Contributor

Yes, there's definitely some race condition happening here (and/or an IAM propagation delay, but I think that's less probable).

@thesurlydev
Contributor Author

I've just verified that if I manually add a DependsOn to CodeBuild project of the IAM policy with the ec2:* bits, it works. Is there a way to add a DependsOn attribute via CDK as a workaround until a proper fix is in place?
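The ordering problem described in the initial report (the default policy depends on the Project for its CloudWatch Logs ARN, while the separate "CodeBuildEC2Policy" must exist before the Project is created) and the manual DependsOn that the comment above verified can both be checked mechanically on the synthesized template. The following is an added example, not code from the issue or from the CDK project: it lints a CloudFormation template for VPC-enabled CodeBuild projects that do not `DependsOn` the inline policies granting their service role `ec2:*` actions, and returns a fixed copy. The template is constructed to mirror the shapes named in the issue; the role logical id, VPC/subnet/security-group ids and the exact action lists are illustrative assumptions.

```python
"""Lint a synthesized CloudFormation template for the CodeBuild/VPC ordering bug:
a Project with a VpcConfig must be created after the IAM policy that grants its
service role the ec2:* permissions. Added example; template values are constructed."""
import copy

SAMPLE_TEMPLATE = {  # constructed to mirror the issue, not a real synth output
    "Resources": {
        "codebuildprojectRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {"Statement": []}},
        },
        # Default policy: references the Project (log group ARN), so the Project
        # cannot depend on it without creating a cycle; it must not be flagged.
        "codebuildprojectRoleDefaultPolicy4FA15962": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyDocument": {"Statement": [{
                    "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"],
                    "Effect": "Allow",
                    "Resource": {"Fn::Join": ["", ["arn:aws:logs:*:*:log-group:/aws/codebuild/",
                                                   {"Ref": "codebuildproject"}]]},
                }]},
                "Roles": [{"Ref": "codebuildprojectRole"}],
            },
        },
        # The "CodeBuildEC2Policy": the resource the Project has to wait for.
        "codebuildprojectPolicyDocument1DCF3D9B": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyName": "CodeBuildEC2Policy",
                "PolicyDocument": {"Statement": [{
                    "Action": ["ec2:CreateNetworkInterface", "ec2:DescribeSecurityGroups",
                               "ec2:DescribeSubnets"],
                    "Effect": "Allow",
                    "Resource": "*",
                }]},
                "Roles": [{"Ref": "codebuildprojectRole"}],
            },
        },
        "codebuildproject": {
            "Type": "AWS::CodeBuild::Project",
            "Properties": {
                "ServiceRole": {"Fn::GetAtt": ["codebuildprojectRole", "Arn"]},
                "VpcConfig": {"VpcId": "vpc-00000000", "Subnets": ["subnet-00000000"],
                              "SecurityGroupIds": ["sg-00000000"]},
            },
        },
    }
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_ec2(policy):
    """True if any Allow statement in the policy grants an ec2:* action (or '*')."""
    doc = policy.get("Properties", {}).get("PolicyDocument", {})
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and any(
                a == "*" or a.startswith("ec2:") for a in _as_list(stmt.get("Action", []))):
            return True
    return False


def _role_refs(policy):
    """Logical ids of in-template roles the inline policy is attached to."""
    roles = policy.get("Properties", {}).get("Roles", [])
    return {r["Ref"] for r in roles if isinstance(r, dict) and "Ref" in r}


def _service_role_id(project):
    """Logical id of the Project's ServiceRole; None for a literal (imported) ARN."""
    role = project.get("Properties", {}).get("ServiceRole")
    if isinstance(role, dict):
        if "Fn::GetAtt" in role:
            return role["Fn::GetAtt"][0]
        if "Ref" in role:
            return role["Ref"]
    return None


def find_missing_ec2_dependencies(template):
    """Map each VPC-enabled Project id to the ec2 policies it should DependsOn but does not."""
    resources = template.get("Resources", {})
    findings = {}
    for pid, project in resources.items():
        if project.get("Type") != "AWS::CodeBuild::Project":
            continue
        if not project.get("Properties", {}).get("VpcConfig"):
            continue  # no VPC, no EC2 permissions needed at creation time
        role_id = _service_role_id(project)
        if role_id is None:
            continue  # imported role: nothing in this template to order against
        missing = sorted(
            lid for lid, res in resources.items()
            if res.get("Type") == "AWS::IAM::Policy"
            and role_id in _role_refs(res)
            and _grants_ec2(res)
            and lid not in _as_list(project.get("DependsOn", []))
        )
        if missing:
            findings[pid] = missing
    return findings


def add_ec2_policy_dependencies(template):
    """Return a deep copy of the template with the missing DependsOn entries added."""
    fixed = copy.deepcopy(template)
    for pid, policies in find_missing_ec2_dependencies(fixed).items():
        project = fixed["Resources"][pid]
        project["DependsOn"] = _as_list(project.get("DependsOn", [])) + policies
    return fixed
```

Run it against `cdk synth` output (parsed with `json.load`) before deploying: a non-empty result from `find_missing_ec2_dependencies` reproduces the condition in this issue, and the copy returned by `add_ec2_policy_dependencies` carries the same `DependsOn` the comment above added by hand. The default logs policy is deliberately left alone because it already references the Project.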

@skinny85
Contributor

Unfortunately, I don't think there is :(

skinny85 added a commit to skinny85/aws-cdk that referenced this issue May 28, 2019
A CodeBuild Project needs to have appropriate EC2 permissions on creation
when it uses a VPC. However, the default Policy that a Project Role has
depends on the Project itself (for CloudWatch Logs permissions).
Because of that, add a dependency between the Policy containing the EC2
permissions and the Project.

Also correctly handle the case when the Project's Role is imported.

Fixes aws#2651
Fixes aws#2652
@thesurlydev
Contributor Author

Looks like you already have a fix. In the meantime, I was able to workaround using this super gross code:

```kotlin
// Package names assumed for the 0.32.0 Java CDK artifacts used in this report.
import software.amazon.awscdk.CfnResource
import software.amazon.awscdk.services.codebuild.Project
import software.amazon.awscdk.services.iam.CfnPolicy
import software.amazon.awscdk.services.iam.Policy

// Locate the Project construct inside the target stack.
val project = app.node.children.find { it.node.stack.name == "bruiser-code-build-bootstrap" }
    ?.node?.children?.find { it.node.typename == "Project" } as Project

// Dig out the L1 CfnPolicy behind the Project's EC2 Policy construct.
val cfnPolicy = (project.node.children.find { it.node.typename == "Policy" } as Policy)
    .node.findChild("Resource") as CfnPolicy

// Make the L1 project resource wait for that policy.
(project.node.findChild("Resource") as CfnResource).addDependsOn(cfnPolicy)

app.run()
```

rix0rrr added a commit that referenced this issue Jun 10, 2019
Now create a Policy and attach it to imported roles as well.

This will only work for imported roles in the same account. If you
need to reference roles in other accounts without trying to add
these policy statements, use an `AwsPrincipal`.

Relates to #2381, #2651, #2652, #2662.
rix0rrr added a commit that referenced this issue Jun 17, 2019
Now create a Policy and attach it to imported roles as well.

This will only work for imported roles in the same account. If you
need to reference roles in other accounts without trying to add
these policy statements, use an `AwsPrincipal`.

Relates to #2381, #2651, #2652, #2662.
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Jun 17, 2019
A CodeBuild Project needs to have appropriate EC2 permissions on creation
when it uses a VPC. However, the default Policy that a Project Role has
depends on the Project itself (for CloudWatch Logs permissions).
Because of that, add a dependency between the Policy containing the EC2
permissions and the Project.

Also correctly handle the case when the Project's Role is imported.

BREAKING CHANGE: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed.

Fixes aws#2651
Fixes aws#2652

comment out the imported check to see if it works now
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Jun 18, 2019
A CodeBuild Project needs to have appropriate EC2 permissions on creation
when it uses a VPC. However, the default Policy that a Project Role has
depends on the Project itself (for CloudWatch Logs permissions).
Because of that, add a dependency between the Policy containing the EC2
permissions and the Project.

BREAKING CHANGE: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed.

Fixes aws#2651
Fixes aws#2652
skinny85 added a commit that referenced this issue Jun 18, 2019
…#2662)

A CodeBuild Project needs to have appropriate EC2 permissions on creation
when it uses a VPC. However, the default Policy that a Project Role has
depends on the Project itself (for CloudWatch Logs permissions).
Because of that, add a dependency between the Policy containing the EC2
permissions and the Project.

BREAKING CHANGE: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed.

Fixes #2651
Fixes #2652