(aws-chatbot): SlackChannelConfiguration deployed to us-east-1 tries to chatbot:CreateSlackChannelConfiguration in us-east-2 #24675
Comments
Yes, I can reproduce this. Looks like the CFN execution role is trying to run I will try to reach out internally, but I can't guarantee any response here. If this is an urgent case, I would recommend subscribing to a support plan and submitting a support case for this.
I can work around this for now, so it's not urgent. Thanks for bringing this up internally. |
Hi @blimmer, I got the response from the relevant team. According to this:
You will need to grant your CFN execution role with the affected permission on
Huh, interesting. Usually, global services mean "it's really in us-east-1" 😄 (e.g., CloudFront, ACM, etc.). The problem here is that, as Control Tower users, we have explicit region deny controls set up for us-east-2. I think that means we just can't use ChatBot, which is kinda a bummer. But, it seems like this is a limitation of ChatBot, not CDK. @pahud, is there a good place (other than the support plan, which we don't have) to open an issue about this with the ChatBot team? For instance, a public GitHub repo, etc.? In any case, it's probably safe to close this issue, as there's nothing CDK is doing wrong! EDIT: Also thank you for reaching out to the team for me, I really appreciate your time 😄 💯 🏆
Hey @blimmer, no worries. I will share this issue with the ChatBot team and make sure they receive your feedback. I doubt they have a public issue tracker on GitHub, but I'll let you know if there is one.
Hi @blimmer, this might be helpful regarding the Control Tower region denylist: https://aws.amazon.com/about-aws/whats-new/2022/07/aws-control-tower-region-deny-guardrail-expands-aws-chatbot-s3-storage-lens-s3-multi-region-access-points-apis/. There are some exemptions for global services which can be put in place by updating the landing zone to version 3.0. Hope it helps! I am closing this now. Feel free to let us know if you have any further issues around CDK.
Thank you for all of these details and working with the chatbot team on my behalf!
Describe the bug
I use a custom bootstrapping script to reduce what the CfnExec role can do. Here's the policy:
As you can see, chatbot:* is allowed, but only in our bootstrapped regions (us-east-1 and us-west-2). However, when I try to create a SlackChannelConfiguration, it tries to write a resource in us-east-2. This breaks because the role does not allow access to us-east-2 (see error in section below).
Expected Behavior
I expected the resources to be created in the target region, us-east-1.
Current Behavior
I receive this error:
Reproduction Steps
To reproduce this error, you'll need to use a custom IAM policy for the CfnExec role. The one I'm using is:
The important part is that access to us-east-2 is not configured in the AllowAccessToServicesViaCloudFormation statement. Then, try to deploy this stack:
When you try to deploy, you'll encounter the error listed above.
Possible Solution
Looking at the generated template, it doesn't seem like CDK is explicitly doing anything wrong. However, I wasn't sure how to report this directly to CloudFormation (since I don't have a support plan on this account).
I figured, worst case, the CDK team could direct me to the proper place.
Additional Information/Context
Here's the CDK template, it doesn't specify us-east-2 anywhere...
CDK CLI Version
2.69.0 (build 60a5b2a)
Framework Version
No response
Node.js Version
v18.12.1
OS
MacOS
Language
Typescript
Language Version
No response
Other information
No response
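The failure described in this issue, modelled as an added example (Python; not code from the reporter or the CDK project): a toy IAM-style evaluator that applies a region-scoped Allow statement to the call from the issue title, chatbot:CreateSlackChannelConfiguration in us-east-2. The reporter's actual policy is not reproduced on this page, so both policy documents below are constructed; the statement Sid comes from the report, while the aws:RequestedRegion condition key is an assumption about how the region restriction is expressed. The second policy follows the maintainers' guidance of granting the CfnExec role the chatbot permission in us-east-2 while keeping every other service scoped to the bootstrapped regions, and the script checks that the exemption does not widen access to anything else.

```python
"""Toy IAM-style policy evaluator for region-scoped CloudFormation execution roles.

Added illustration for this issue, not code from the reporter or the CDK project.
Only Allow/Deny effects, Action wildcards and the StringEquals condition operator
are modelled; SCPs (such as a Control Tower region deny control) are not.
"""
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional, Union

Policy = Dict[str, Any]
Context = Dict[str, str]

# Constructed stand-in for the reporter's policy (not reproduced on the page):
# every service is scoped to the bootstrapped regions via aws:RequestedRegion
# (an assumption about how the region restriction is expressed).
CFN_EXEC_POLICY_RESTRICTED: Policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToServicesViaCloudFormation",
            "Effect": "Allow",
            "Action": ["chatbot:*", "s3:*", "sns:*"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}
            },
        }
    ],
}

# Same policy plus a narrow exemption: chatbot (and only chatbot) is also
# permitted in us-east-2, the region the chatbot API call is actually made in.
CFN_EXEC_POLICY_WITH_CHATBOT_EXEMPTION: Policy = {
    "Version": "2012-10-17",
    "Statement": CFN_EXEC_POLICY_RESTRICTED["Statement"]
    + [
        {
            "Sid": "AllowChatbotInUsEast2",
            "Effect": "Allow",
            "Action": "chatbot:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-2"}},
        }
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _action_matches(patterns: Union[str, List[str]], action: str) -> bool:
    # IAM action names are matched case-insensitively, with '*' and '?' wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(condition: Optional[Dict[str, Any]], context: Context) -> bool:
    # A missing context key never satisfies StringEquals, so a request that
    # carries no region would not match the region-scoped statement either.
    for operator, clauses in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator!r} is not modelled")
        for key, expected in clauses.items():
            actual = context.get(key)
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def is_allowed(policy: Policy, action: str, context: Context) -> bool:
    """Evaluate one API call: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def chatbot_call_allowed(policy: Policy) -> bool:
    """The call from the issue title: the stack targets us-east-1, but the
    SlackChannelConfiguration resource calls the chatbot API in us-east-2."""
    return is_allowed(
        policy, "chatbot:CreateSlackChannelConfiguration", {"aws:RequestedRegion": "us-east-2"}
    )


if __name__ == "__main__":
    for name, policy in [
        ("restricted", CFN_EXEC_POLICY_RESTRICTED),
        ("with chatbot exemption", CFN_EXEC_POLICY_WITH_CHATBOT_EXEMPTION),
    ]:
        print(f"{name}: chatbot call in us-east-2 allowed = {chatbot_call_allowed(policy)}")
        # The exemption must not widen any other service into us-east-2.
        other = is_allowed(policy, "s3:CreateBucket", {"aws:RequestedRegion": "us-east-2"})
        print(f"{name}: s3:CreateBucket in us-east-2 allowed = {other}")
```

This only models the identity-based policy on the execution role. As the thread notes, a Control Tower region deny control is a separate SCP layer that would still block the us-east-2 call unless the landing zone 3.0 exemptions for AWS Chatbot linked above are in place.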