
aws-ecs: Partition "BatchCheckLayerAvailability" is not valid for resource "arn:BatchCheckLayerAvailability:*:*:*:*" #31930

Closed
BwL1289 opened this issue Oct 29, 2024 · 3 comments
Labels
@aws-cdk/aws-ecs Related to Amazon Elastic Container bug This issue is a bug. needs-reproduction This issue needs reproduction.

Comments


BwL1289 commented Oct 29, 2024

Describe the bug

Running versions:
CDK_CLI_ASM_VERSION: '38.0.1'
CDK_CLI_VERSION: '2.162.1'

On deploying a new stack, I'm seeing

Resource handler returned message: "Partition "BatchCheckLayerAvailability" is not valid for resource "arn:BatchCheckLayerAvailability:*:*:*:*"

Full error:

WsStack |  26/102 | 3:06:52 PM | CREATE_FAILED        | AWS::IAM::Policy                              | WsEugoAppApiSvc/WsEugoAppFlaskWebAppService/WsFlaskWebAppTaskDefinitionSvc/WsFlaskWebAppTaskDefinitionSvcFarTDef/ExecutionRole/DefaultPolicy (WsEugoAppApiSvcWsEugoAppFlaskWebAppServiceWsFlaskWebAppTaskDefinitionSvcWsFlaskWebAppTaskDefinitionSvcFarTDefExecutionRoleDefaultPolicyFFB7DEF7) Resource handler returned message: "Partition "BatchCheckLayerAvailability" is not valid for resource "arn:BatchCheckLayerAvailability:*:*:*:*". (Service: Iam, Status Code: 400, Request ID: e2f6c5e1-af05-4cad-a9fd-d354310bff07)" (RequestToken: 517b6cef-15a4-5e68-cac7-ce26899c429c, HandlerErrorCode: InvalidRequest)
new Policy (/tmp/jsii-kernel-kRiBRR/node_modules/aws-cdk-lib/aws-iam/lib/policy.js:1:1565)
\_ Role.addToPrincipalPolicy (/tmp/jsii-kernel-kRiBRR/node_modules/aws-cdk-lib/aws-iam/lib/role.js:1:8542)
\_ AwsLogDriver.bind (/tmp/jsii-kernel-kRiBRR/node_modules/aws-cdk-lib/aws-ecs/lib/log-drivers/aws-log-driver.js:1:2002)
\_ new ContainerDefinition (/tmp/jsii-kernel-kRiBRR/node_modules/aws-cdk-lib/aws-ecs/lib/container-definition.js:1:3254)
\_ FargateTaskDefinition.addContainer (/tmp/jsii-kernel-kRiBRR/node_modules/aws-cdk-lib/aws-ecs/lib/base/task-definition.js:1:9937)
\_ /tmp/tmpn5hm_sg7/lib/program.js:8874:172
\_ Kernel._Kernel_ensureSync (/tmp/tmpn5hm_sg7/lib/program.js:9499:24)
\_ Kernel.invoke (/tmp/tmpn5hm_sg7/lib/program.js:8874:102)
\_ KernelHost.processRequest (/tmp/tmpn5hm_sg7/lib/program.js:10715:36)
\_ KernelHost.run (/tmp/tmpn5hm_sg7/lib/program.js:10675:22)
\_ Immediate._onImmediate (/tmp/tmpn5hm_sg7/lib/program.js:10676:46)
\_ process.processImmediate (node:internal/timers:478:21)

Code:

from aws_cdk import aws_ecs as ecs

# cpu, ephemeral_storage, memory_limit_mib and ecr_repo_docker_asset_svc
# are supplied by the enclosing construct.
runtime_platform = ecs.RuntimePlatform(
    cpu_architecture=ecs.CpuArchitecture.ARM64,
    operating_system_family=ecs.OperatingSystemFamily.LINUX,
)

# No execution_role / task_role passed: CDK is expected to create both roles
# and their default policies.
task_def = ecs.FargateTaskDefinition(
    self,
    "FargateTaskDef",
    cpu=cpu,
    ephemeral_storage_gib=ephemeral_storage,
    memory_limit_mib=memory_limit_mib,
    runtime_platform=runtime_platform,
)

# If the user has provided the ecr_repo_docker_asset_svc
if ecr_repo_docker_asset_svc is not None:
    # Ensure the task definition is created after the ECR repo
    task_def.node.add_dependency(ecr_repo_docker_asset_svc)

Synthed policy:

WsEugoAppApiSvcWsEugoAppFlaskWebAppServiceWsFlaskWebAppTaskDefinitionSvcWsFlaskWebAppTaskDefinitionSvcFarTDefExecutionRoleDefaultPolicyFFB7DEF7:
    Type: AWS::IAM::Policy
    Properties:
      PolicyDocument:
        Statement:
          - Action:
              - logs:CreateLogStream
              - logs:PutLogEvents
            Effect: Allow
            Resource:
              Fn::GetAtt:
                - WsEugoAppApiSvcWsEugoAppFlaskWebAppServiceWsFlaskWebAppTaskDefinitionContainerServiceWsFlaskWebAppEcsContainerDefSvcWsFlaskWebAppEcsContainerDefSvcCloudWatchContainerLogGroupF50AFDFE
                - Arn
          - Action: "*"
            Effect: Allow
            Resource:
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetAuthorizationToken
              - ecr:GetDownloadUrlForLayer
        Version: "2012-10-17"
      PolicyName: WsEugoAppFlaskWebAppServiceWsFlaskWebAppTaskDefinitionSvcWsFlaskWebAppTaskDefinitionSvcFarTDefExecutionRoleDefaultPolicyFFB7DEF7
      Roles:
        - Ref: WsEugoAppApiSvcWsEugoAppFlaskWebAppServiceWsFlaskWebAppTaskDefinitionSvcWsFlaskWebAppTaskDefinitionSvcFarTDefExecutionRole69427A0A
    Metadata:
      aws:cdk:path: WsStack/WsEugoAppApiSvc/WsEugoAppFlaskWebAppService/WsFlaskWebAppTaskDefinitionSvc/WsFlaskWebAppTaskDefinitionSvcFarTDef/ExecutionRole/DefaultPolicy/Resource

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

2.138.0

Expected Behavior

When creating ecs.FargateTaskDefinition, not passing an exec or task role should properly create the roles and associated role policies.

Current Behavior

See above

Reproduction Steps

Create an ecs Fargate task definition.

Possible Solution

No response

Additional Information/Context

    "eventName": "PutRolePolicy",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "cloudformation.amazonaws.com",
    "userAgent": "cloudformation.amazonaws.com",
    "errorCode": "MalformedPolicyDocumentException",
    "errorMessage": "Partition \"BatchCheckLayerAvailability\" is not valid for resource \"arn:BatchCheckLayerAvailability:*:*:*:*\".",
    "requestParameters": {
        "roleName": "WsStack-WsEugoAppApiSvcWsEugoAppFlaskWebAppServiceW-TaKjBSTZCqVq",
        "policyName": "WsEugoAppFlaskWebAppServiceWsFlaskWebAppTaskDefinitionSvcWsFlaskWebAppTaskDefinitionSvcFarTDefExecutionRoleDefaultPolicyFFB7DEF7",
        "policyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"logs:CreateLogStream\",\"logs:PutLogEvents\"],\"Resource\":\"arn:aws:logs:us-east-1:064540118126:log-group:WsStack-WsEugoAppApiSvcWsEugoAppFlaskWebAppServiceWsFlaskWebAppTaskDefinitionContainerServiceWsFlaskWebAppEcsContainerDefSvcWsFlaskWebAppEcsContainerDefSvcCloudWatchContainerLogGroupF50AFDFE-Lu85iJKpsja7:*\",\"Effect\":\"Allow\"},{\"Action\":\"*\",\"Resource\":[\"ecr:BatchCheckLayerAvailability\",\"ecr:BatchGetImage\",\"ecr:GetAuthorizationToken\",\"ecr:GetDownloadUrlForLayer\"],\"Effect\":\"Allow\"}]}"
    },

CDK CLI Version

2.162.1 (build 10aa526)

Framework Version

No response

Node.js Version

20

OS

Amz Linux 2023

Language

Python

Language Version

3.12

Other information

No response
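The synthesized policy above has its fields swapped: the ECR action names sit under Resource and Action is "*", which is what IAM rejects as a bad partition. As an added example (not from the issue or from aws-cdk), here is a small Python linter that flags exactly that shape before deployment and repairs the swapped statement; the function names and the sample policy (modelled on the CloudTrail event in the issue, with a placeholder account id) are constructed for this example.

```python
import re

# An ARN has six colon-separated fields (arn:partition:service:region:account:resource);
# an IAM action is service:Operation. Both patterns are kept deliberately simple.
ARN_RE = re.compile(r"^arn:[a-z-]+:[a-z0-9-]+:[a-z0-9-]*:[0-9]*:.+$")
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_statement(stmt):
    """Return human-readable findings for one policy statement."""
    findings = []
    for res in _as_list(stmt.get("Resource", [])):
        if res == "*":
            continue
        if ACTION_RE.match(res):
            findings.append(f"Resource {res!r} is an action name, not an ARN: Action/Resource swapped?")
        elif not ARN_RE.match(res):
            findings.append(f"Resource {res!r} is not a well-formed ARN")
    for act in _as_list(stmt.get("Action", [])):
        if act == "*":
            findings.append("Action '*' allows every API call; name the operations instead")
        elif not ACTION_RE.match(act):
            findings.append(f"Action {act!r} is not of the form service:Operation")
    return findings

def lint_policy(doc):
    """Map statement index -> findings for every statement in the document."""
    return {i: lint_statement(s) for i, s in enumerate(doc["Statement"])}

def fix_swapped_statement(stmt):
    """Undo the swap seen in the issue: Action '*' with action names under Resource
    becomes those named actions against Resource '*' (how ECR pull permissions normally read)."""
    resources = _as_list(stmt.get("Resource", []))
    if stmt.get("Action") != "*" or not all(ACTION_RE.match(r) for r in resources):
        return stmt
    return {"Effect": stmt.get("Effect", "Allow"), "Action": resources, "Resource": "*"}

# Constructed sample modelled on the policy CloudTrail logged in the issue; the account id is a placeholder.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:WsStack-ContainerLogGroup:*"},
    {"Effect": "Allow", "Action": "*",
     "Resource": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage",
                  "ecr:GetAuthorizationToken", "ecr:GetDownloadUrlForLayer"]},
]}
```

Running lint_policy(SAMPLE_POLICY) reports nothing for the logs statement and five findings for the ECR one (four action-shaped resources plus the wildcard action); fix_swapped_statement returns the statement CDK would have produced had the arguments not been crossed.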

@BwL1289 BwL1289 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 29, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ecs Related to Amazon Elastic Container label Oct 29, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. and removed needs-triage This issue or PR still needs to be triaged. labels Oct 29, 2024
@khushail khushail self-assigned this Oct 29, 2024

BwL1289 commented Oct 29, 2024

My apologies, this looks to be user error. Once confirmed, will update here and close this issue.


BwL1289 commented Oct 29, 2024

Confirmed this was user error. Closing.

@BwL1289 BwL1289 closed this as completed Oct 29, 2024

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 29, 2024