
fix(eks): allow describe provisioning lambda to ec2:DescribeVpcs #10917

Closed

Conversation

dnascimento

The EKS provision lambda requires ec2:DescribeVpcs so that it can configure the EKS cluster in an existing VPC

Signed-off-by: Dario Nascimento dfrnascimento@gmail.com


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io

gitpod-io bot commented Oct 16, 2020

@mergify
Contributor

mergify bot commented Oct 16, 2020

Title does not follow the guidelines of Conventional Commits. Please adjust title before merge.

@dnascimento dnascimento changed the title aws-eks: allow describe provisioning lambda to ec2:DescribeVpcs fix(eks): allow describe provisioning lambda to ec2:DescribeVpcs Oct 16, 2020
@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 28fda46
  • Result: FAILED
  • Build Logs (available for 30 days)


@@ -141,6 +141,7 @@ export class ClusterResource extends CoreConstruct {
actions: [
'ec2:DescribeSubnets',
'ec2:DescribeRouteTables',
'ec2:DescribeVpcs'
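Review bot: Adding 'ec2:DescribeVpcs' to this statement grants it on every VPC the account can see, while the same class already grants ec2:DescribeVpcs scoped to the cluster's VPC ARN (quoted later in this thread); one of the two should go, or the commit message should say why both are needed. If the intent is that the per-ARN grant is insufficient because EC2 Describe* actions have no resource type in the IAM service reference and are only authorized on Resource "*", say so explicitly and remove the per-ARN statement in the same change, since it then grants nothing. The hunk also does not show this statement's resources; confirm it is "*" like the other Describe calls in the list require.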

The thing is that this already exists here:

    // grants ec2:DescribeVpcs only on the ARN of the cluster's own VPC
    creationRole.addToPolicy(new iam.PolicyStatement({
      actions: ['ec2:DescribeVpcs'],
      resources: [stack.formatArn({
        service: 'ec2',
        resource: 'vpc',
        resourceName: props.vpc.vpcId,
      })],
    }));

However, this only grants it for the specific VPC it's going to use. Why do we need permissions to describe ALL VPCs?

Also, did you add this because you hit the error described here? I'm not sure this explains the sporadic behavior.

@iliapolo iliapolo added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 20, 2020
@github-actions

This PR has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Oct 24, 2020
@rfs6

rfs6 commented Oct 26, 2020

Hello Guys,

I had the same situation when I tried to launch an EKS cluster during my first attempt; on the second it worked.

I added the permission ec2:Describe* and it worked on the first try, however I don't know if it is too permissive (least privilege).

Is there somebody from the CDK team who can take a look at this?

Thanks in advance.
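As an added example (not aws-cdk code and not from anyone in this thread), the following TypeScript models the two kinds of statement debated above, the reviewer's per-VPC ec2:DescribeVpcs grant and the ec2:Describe* wildcard rfs6 used, as plain data and lints them the way a reviewer of this PR would. The check relies on one documented IAM fact: EC2 Describe* actions have no resource type in the IAM service reference, so a statement naming a specific VPC ARN never matches and the call is denied; only Resource "*" authorizes them. The account ID, region, VPC ID, and the assumption that the PR's statement uses Resource "*" (the hunk does not show its resources) are placeholders chosen for the example.

```typescript
// Added example: a dependency-free lint for the IAM statements debated in this
// PR. Not aws-cdk code; all statements and ARNs below are constructed samples.

interface PolicyStatement {
  effect: "Allow" | "Deny";
  actions: string[];   // IAM action patterns, may contain "*"
  resources: string[]; // ARNs, or "*"
}

interface Finding {
  action: string;
  problem: "ineffective-resource-scope" | "over-broad-wildcard";
  detail: string;
}

// The three read calls the provisioning role needs according to the diff.
const REQUIRED_ACTIONS = ["ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DescribeVpcs"];

// Turn an IAM action glob ("ec2:Describe*") into an anchored, case-insensitive RegExp.
function iamGlob(pattern: string): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, "i");
}

function lintStatement(stmt: PolicyStatement, required: string[]): Finding[] {
  const findings: Finding[] = [];
  if (stmt.effect !== "Allow") return findings;
  const resourceIsStar = stmt.resources.length === 1 && stmt.resources[0] === "*";
  for (const action of stmt.actions) {
    // ec2:Describe* calls have no resource type in the IAM service reference, so a
    // statement that names a specific ARN never matches and the call is denied.
    if (/^ec2:Describe/i.test(action) && !resourceIsStar) {
      findings.push({
        action, problem: "ineffective-resource-scope",
        detail: `${action} is only evaluated against Resource "*"; [${stmt.resources.join(", ")}] grants nothing`,
      });
    }
    // A wildcard action covers the required calls and every other call matching it.
    if (action.includes("*")) {
      const covered = required.filter((r) => iamGlob(action).test(r));
      findings.push({
        action, problem: "over-broad-wildcard",
        detail: `${action} covers [${covered.join(", ")}] plus every other matching action; enumerate the ${covered.length} needed ones`,
      });
    }
  }
  return findings;
}

// Simplified IAM evaluation for a Describe call: an explicit Deny wins, otherwise the
// call is allowed only if some Allow statement matches the action on Resource "*".
function allowsDescribe(statements: PolicyStatement[], action: string): boolean {
  const matching = statements.filter(
    (s) => s.actions.some((a) => iamGlob(a).test(action)) && s.resources.includes("*"),
  );
  if (matching.some((s) => s.effect === "Deny")) return false;
  return matching.some((s) => s.effect === "Allow");
}

// Constructed samples mirroring the thread (account ID, region and VPC ID are placeholders).
const vpcArn = "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0123456789abcdef0";

// The existing per-VPC grant the reviewer points to.
const scopedDescribeVpcs: PolicyStatement = {
  effect: "Allow", actions: ["ec2:DescribeVpcs"], resources: [vpcArn],
};
// The statement the PR extends; Resource "*" is an assumption, the hunk does not show it.
const prStatement: PolicyStatement = {
  effect: "Allow", actions: REQUIRED_ACTIONS, resources: ["*"],
};
// The workaround rfs6 describes.
const wildcardStatement: PolicyStatement = {
  effect: "Allow", actions: ["ec2:Describe*"], resources: ["*"],
};

function demo(): void {
  const samples = { scopedDescribeVpcs, prStatement, wildcardStatement };
  for (const [name, stmt] of Object.entries(samples)) {
    console.log(`${name}: DescribeVpcs allowed=${allowsDescribe([stmt], "ec2:DescribeVpcs")}`);
    for (const f of lintStatement(stmt, REQUIRED_ACTIONS)) console.log(`  ${f.problem}: ${f.detail}`);
  }
}

demo();
```

Run with ts-node or compile with tsc and run with node. The scoped statement is reported as ineffective and does not authorize DescribeVpcs, the PR's enumerated statement passes clean, and the ec2:Describe* statement authorizes the call but is flagged as broader than the three actions the role needs.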

@github-actions github-actions bot removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Oct 27, 2020
@eladb
Contributor

eladb commented Nov 15, 2020

How are we doing with this PR?

@iliapolo
Contributor

iliapolo commented Dec 6, 2020

I don't believe this error is caused by the fix proposed in this PR. See #9027 (comment).

@dnascimento I'm closing this at the moment, please let me know if you still feel differently.

@iliapolo iliapolo closed this Dec 6, 2020