Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CodeBuild: A project with default role results in Not authorized to perform DescribeSecurityGroups #2652

Closed
thesurlydev opened this issue May 27, 2019 · 7 comments · Fixed by #2662
Closed

CodeBuild: A project with default role results in Not authorized to perform DescribeSecurityGroups #2652

thesurlydev opened this issue May 27, 2019 · 7 comments · Fixed by #2662
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild bug This issue is a bug.

Comments

@thesurlydev
Copy link
Contributor

Describe the bug
Creating a new CodeBuild project without defining a role, results in exception during deploy: "Not authorized to perform DescribeSecurityGroups (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException".

Looking at the generated CF template, it appears there are two IAM policy documents that are generated and reference the CodeBuild project role. One is the default policy with a name similar to codebuildprojectRoleDefaultPolicy4FA15962 and another "CodeBuildEC2Policy" with a name similar to codebuildprojectPolicyDocument1DCF3D9B. Based on the exception it seems the "CodeBuildEC2Policy" is not recognized or perhaps a race condition?

After a brief search on the interwebs, I found this: https://stackoverflow.com/questions/52843460/receive-not-authorized-to-perform-describesecuritygroups-when-creating-new-pro which seems similar to the issue here.

To Reproduce
Using something like the following code will reproduce:

val projectProps = ProjectProps.builder()
            .withEnvironment(buildEnvironment)
            .withProjectName(appName)
            .withSource(gitHubEnterpriseSource)
            .withBuildSpec("buildspec.yml")
            .withVpc(props.vpc)
            .withArtifacts(NoBuildArtifacts())
            .withSecondaryArtifacts(
                listOf(
                    s3BucketBuildArtifacts
                )
            )
            .build()

        val project = Project(this, "code-build-project", projectProps)

Expected behavior
Using default role with CodeBuild project should not result in exception.

Version:

  • Ubuntu 18.04
  • Kotlin using Java CDK artifacts
  • 0.32.0
@thesurlydev thesurlydev added the bug This issue is a bug. label May 27, 2019
@thesurlydev thesurlydev mentioned this issue May 27, 2019
Closed
@thesurlydev
Copy link
Contributor Author

I reported a similar issue as part of #2605

@thesurlydev
Copy link
Contributor Author

This screenshot from CloudFormation events seems to support the fact that the project attempts to get created just prior to the "CodeBuildEC2Policy":

Screenshot from 2019-05-27 12-10-17

@thesurlydev
Copy link
Contributor Author

After further investigation, according to the AWS docs: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-policy.html#cfn-iam-policy-roles some explicit DependsOn attribute values may need to be added to ensure the policies are available.

@skinny85 skinny85 added the @aws-cdk/aws-codebuild Related to AWS CodeBuild label May 28, 2019
@skinny85
Copy link
Contributor

Yes, there's definitely some race condition happening here (and/or an IAM propagation delay, but I think that's less probable).

@thesurlydev
Copy link
Contributor Author

I've just verified that if I manually add a DependsOn to CodeBuild project of the IAM policy with the ec2:* bits, it works. Is there a way to add a DependsOn attribute via CDK as a workaround until a proper fix is in place?

@skinny85
Copy link
Contributor

Unfortunately, I don't think there is :(

skinny85 added a commit to skinny85/aws-cdk that referenced this issue May 28, 2019
@skinny85
fix(codebuild): correctly handle permissions for Projects inside VPC.
2eef183 
A CodeBuild Project needs to have appropriate EC2 permissions on creation
when it uses a VPC. However, the default Policy that a Project Role has
depends on the Project itself (for CloudWatch Logs permissions).
Because of that, add a dependency between the Policy containing the EC2
permissions and the Project.

Also correctly handle the case when the Project's Role is imported.

Fixes aws#2651
Fixes aws#2652
@skinny85 skinny85 mentioned this issue May 28, 2019
Merged
4 tasks
@thesurlydev
Copy link
Contributor Author

Looks like you already have a fix. In the meantime, I was able to workaround using this super gross code:

val project = app.node.children.find { it.node.stack.name == "bruiser-code-build-bootstrap" }
        ?.node?.children?.find { it.node.typename == "Project" } as Project

    val cfnPolicy = (project.node?.children?.find { it.node.typename == "Policy"} as Policy)
        .node.findChild("Resource") as CfnPolicy

    (project.node.findChild("Resource") as CfnResource).addDependsOn(cfnPolicy)

    app.run()

rix0rrr added a commit that referenced this issue Jun 10, 2019
@rix0rrr
fix(iam): support adding permissions to imported roles
a26f7ee 
Now create a Policy and attach it to imported roles as well.

This will only work for imported roles in the same account. If you
need to reference roles in other accounts without trying to add
these policy statements, use an `AwsPrincipal`.

Relates to #2381, #2651, #2652, #2662.
@rix0rrr rix0rrr mentioned this issue Jun 10, 2019
Merged
4 tasks
rix0rrr added a commit that referenced this issue Jun 17, 2019
@rix0rrr
fix(iam): support adding permissions to imported roles (#2805)
936464f 
Now create a Policy and attach it to imported roles as well.

This will only work for imported roles in the same account. If you
need to reference roles in other accounts without trying to add
these policy statements, use an `AwsPrincipal`.

Relates to #2381, #2651, #2652, #2662.
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Jun 17, 2019
@skinny85
fix(codebuild): correctly handle permissions for Projects inside VPC.
cc7aa81 
A CodeBuild Project needs to have appropriate EC2 permissions on creation
when it uses a VPC. However, the default Policy that a Project Role has
depends on the Project itself (for CloudWatch Logs permissions).
Because of that, add a dependency between the Policy containing the EC2
permissions and the Project.

Also correctly handle the case when the Project's Role is imported.

BREAKING CHANGE: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed.

Fixes aws#2651
Fixes aws#2652

comment out the imported check to see if it works now
skinny85 added a commit to skinny85/aws-cdk that referenced this issue Jun 18, 2019
@skinny85
fix(codebuild): correctly handle permissions for Projects inside VPC.
d2d4b87 
A CodeBuild Project needs to have appropriate EC2 permissions on creation
when it uses a VPC. However, the default Policy that a Project Role has
depends on the Project itself (for CloudWatch Logs permissions).
Because of that, add a dependency between the Policy containing the EC2
permissions and the Project.

BREAKING CHANGE: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed.

Fixes aws#2651
Fixes aws#2652
skinny85 added a commit that referenced this issue Jun 18, 2019
@skinny85
fix(codebuild): correctly handle permissions for Projects inside VPC. (
390baf1 
…#2662)

A CodeBuild Project needs to have appropriate EC2 permissions on creation
when it uses a VPC. However, the default Policy that a Project Role has
depends on the Project itself (for CloudWatch Logs permissions).
Because of that, add a dependency between the Policy containing the EC2
permissions and the Project.

BREAKING CHANGE: the method addToRoleInlinePolicy in CodeBuild's Project class has been removed.

Fixes #2651
Fixes #2652
This was referenced Aug 22, 2019
Open
Open
Open
Open
Open
This was referenced Dec 12, 2019
Closed
Closed
Closed
Merged
Closed
Closed
This was referenced Dec 12, 2019
Open
Open
Open
Open
Open
Open
Open
Open
Open
Open
This was referenced Jan 20, 2020
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-codebuild Related to AWS CodeBuild bug This issue is a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(codebuild): correctly handle permissions for Projects inside a VPC skinny85/aws-cdk
2 participants
@thesurlydev @skinny85