CodeBuild: A project with default role results in Not authorized to perform DescribeSecurityGroups
#2652
Comments
I reported a similar issue as part of #2605
After further investigation, according to the AWS docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles some explicit
Yes, there's definitely some race condition happening here (and/or an IAM propagation delay, but I think that's less probable).
I've just verified that if I manually add a
Unfortunately, I don't think there is :(
A CodeBuild Project needs to have appropriate EC2 permissions on creation when it uses a VPC. However, the default Policy that a Project Role has depends on the Project itself (for CloudWatch Logs permissions). Because of that, add a dependency between the Policy containing the EC2 permissions and the Project. Also correctly handle the case when the Project's Role is imported. Fixes aws#2651 Fixes aws#2652
Looks like you already have a fix. In the meantime, I was able to work around it using this super gross code:
A CodeBuild Project needs to have appropriate EC2 permissions on creation when it uses a VPC. However, the default Policy that a Project Role has depends on the Project itself (for CloudWatch Logs permissions). Because of that, add a dependency between the Policy containing the EC2 permissions and the Project. Also correctly handle the case when the Project's Role is imported. BREAKING CHANGE: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed. Fixes aws#2651 Fixes aws#2652 comment out the imported check to see if it works now
A CodeBuild Project needs to have appropriate EC2 permissions on creation when it uses a VPC. However, the default Policy that a Project Role has depends on the Project itself (for CloudWatch Logs permissions). Because of that, add a dependency between the Policy containing the EC2 permissions and the Project. BREAKING CHANGE: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed. Fixes aws#2651 Fixes aws#2652
…#2662) A CodeBuild Project needs to have appropriate EC2 permissions on creation when it uses a VPC. However, the default Policy that a Project Role has depends on the Project itself (for CloudWatch Logs permissions). Because of that, add a dependency between the Policy containing the EC2 permissions and the Project. BREAKING CHANGE: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed. Fixes #2651 Fixes #2652
Describe the bug
Creating a new CodeBuild project without defining a role results in an exception during deploy: "Not authorized to perform DescribeSecurityGroups (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException)".
Looking at the generated CF template, it appears there are two IAM policy documents that are generated and reference the CodeBuild project role. One is the default policy with a name similar to `codebuildprojectRoleDefaultPolicy4FA15962`, and another "CodeBuildEC2Policy" with a name similar to `codebuildprojectPolicyDocument1DCF3D9B`. Based on the exception it seems the "CodeBuildEC2Policy" is not recognized, or perhaps a race condition? After a brief search on the interwebs, I found this: https://stackoverflow.com/questions/52843460/receive-not-authorized-to-perform-describesecuritygroups-when-creating-new-pro which seems similar to the issue here.
To Reproduce
Using something like the following code will reproduce:
Expected behavior
Using default role with CodeBuild project should not result in exception.
Version:
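To make the ordering problem behind this report concrete, here is an added CloudFormation template (not code from the issue or from the CDK repository) that mirrors the two policies described above and the fix from the linked commit: the default policy references the Project (for its log group), so the Project cannot depend on it, and the EC2 permissions live in a separate policy that the Project depends on explicitly. Resource names, the buildspec, and the `vpc-PLACEHOLDER`/`subnet-PLACEHOLDER`/`sg-PLACEHOLDER` values are placeholders; the EC2 action list is abbreviated.

```yaml
Resources:
  ProjectRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Action: sts:AssumeRole, Principal: { Service: codebuild.amazonaws.com } }

  # Default policy: its log-group ARN references the Project (!Sub ${Project}),
  # so the Project cannot DependsOn it without creating a dependency cycle.
  ProjectRoleDefaultPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ProjectRoleDefaultPolicy
      Roles: [!Ref ProjectRole]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: [logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents]
            Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/${Project}:*"

  # VPC permissions CodeBuild validates at creation time (action list abbreviated).
  # Kept in a separate policy so the Project can depend on it explicitly.
  CodeBuildEC2Policy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: CodeBuildEC2Policy
      Roles: [!Ref ProjectRole]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: [ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeNetworkInterfaces,
                     ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeVpcs]
            Resource: "*"

  Project:
    Type: AWS::CodeBuild::Project
    # Without this, CloudFormation may create the Project before the policy is attached,
    # and CodeBuild's creation-time DescribeSecurityGroups check fails with InvalidInputException.
    DependsOn: CodeBuildEC2Policy
    Properties:
      ServiceRole: !GetAtt ProjectRole.Arn
      Artifacts: { Type: NO_ARTIFACTS }
      Source: { Type: NO_SOURCE, BuildSpec: "version: 0.2\nphases:\n  build:\n    commands: [echo ok]" }
      Environment: { Type: LINUX_CONTAINER, ComputeType: BUILD_GENERAL1_SMALL, Image: aws/codebuild/standard:2.0 }
      VpcConfig: { VpcId: vpc-PLACEHOLDER, Subnets: [subnet-PLACEHOLDER], SecurityGroupIds: [sg-PLACEHOLDER] }
```

Removing the `DependsOn` line reproduces the race: both `AWS::IAM::Policy` resources and the Project are then created in parallel, and whether creation succeeds depends on which finishes first.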