
Error during the SAM pipeline bootstrap #5470

Closed
aleguern-azivko opened this issue Jul 9, 2023 · 6 comments
Labels
area/pipeline blocked/more-info-needed More info is needed from the requester. If no response in 14 days, it will become stale. type/question

Comments

@aleguern-azivko

Bug Report

Description

I encountered an error during the SAM pipeline bootstrap process in CloudFormation when using GitHub Actions.

Steps to Reproduce

  1. Run sam pipeline init command to initialize the SAM pipeline.
  2. Execute sam pipeline bootstrap command to bootstrap the pipeline.
  3. The following error appears during the CloudFormation deployment:
    Invalid principal in policy: "AWS":"arn:aws:iam::ACCOUNT_ID:user/aws-sam-cli-managed-dev-pipeline-reso-PipelineUser-ID" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: Proxy: null)

Expected Behavior

I expected the SAM pipeline bootstrap process to complete without any errors and successfully deploy the CloudFormation stack.

Actual Behavior

The CloudFormation deployment fails with the "MalformedPolicyDocument" error, specifically due to an invalid principal in the policy document.

Error Message/Logs

Invalid principal in policy: "AWS":"arn:aws:iam::ACCOUNT:user/aws-sam-cli-managed-dev-pipeline-reso-PipelineUser-ID" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: Proxy: null)

Environment

  • AWS SAM CLI version: 1.90.0
  • GitHub Actions configuration: The sam pipeline init and sam pipeline bootstrap commands are executed within a GitHub Actions workflow.

Additional Information

I am using the default configuration for the SAM pipeline initialization and bootstrap process. No additional modifications were made to the pipeline or IAM roles.

Please let me know if you need any further information. Thank you for your assistance!
Please note that the provided text is a generated example, and you may need to revie

@aleguern-azivko aleguern-azivko added the stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. label Jul 9, 2023
@hawflau
Contributor

hawflau commented Jul 11, 2023

Hi @aleguern-azivko thanks for raising the issue.
Can you share your GH Actions yml? Trying to understand which code path it's hitting.

@hawflau hawflau added blocked/more-info-needed More info is needed from the requester. If no response in 14 days, it will become stale. area/pipeline and removed stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. labels Jul 11, 2023
@aleguern-azivko
Author

name: Pipeline

on:
  push:
    branches:
      - "main"
      - "feature**"
  delete:
    branches:
      - "feature**"

env:
  PIPELINE_USER_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  PIPELINE_USER_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  SAM_TEMPLATE: template.yaml
  TESTING_STACK_NAME: backend
  TESTING_PIPELINE_EXECUTION_ROLE: ""
  TESTING_CLOUDFORMATION_EXECUTION_ROLE: ""
  TESTING_ARTIFACTS_BUCKET: ""
  TESTING_REGION: eu-west-1
  PROD_STACK_NAME: backend
  PROD_PIPELINE_EXECUTION_ROLE: ""
  PROD_CLOUDFORMATION_EXECUTION_ROLE: ""
  PROD_ARTIFACTS_BUCKET: ""
  PROD_REGION: eu-west-1

jobs:
  test:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: |
          # trigger the tests here

  delete-feature:
    if: startsWith(github.event.ref, 'feature') && github.event_name == 'delete'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/setup-sam@v2
        with:
          use-installer: true

      - name: Assume the testing pipeline user role
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.TESTING_REGION }}
          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
          role-session-name: testing-packaging
          role-duration-seconds: 3600
          role-skip-session-tagging: true

      - name: Delete feature branch stack
        env:
          FEATURE_BRANCH_NAME: ${{ github.event.ref }}
        run: |
          sam delete \
            --stack-name $(echo ${FEATURE_BRANCH_NAME##*/} | tr -cd '[a-zA-Z0-9-]') \
            --region ${TESTING_REGION} \
            --no-prompts

  build-and-deploy-feature:
    if: startsWith(github.ref, 'refs/heads/feature')
    needs: [test]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/setup-sam@v2
        with:
          use-installer: true
      - run: sam build --template ${SAM_TEMPLATE} --use-container

      - name: Assume the testing pipeline user role
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.TESTING_REGION }}
          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
          role-session-name: feature-deployment
          role-duration-seconds: 3600
          role-skip-session-tagging: true

      - name: Deploy to feature stack in the testing account
        shell: bash
        run: |
          sam deploy --stack-name $(echo ${GITHUB_REF##*/} | tr -cd '[a-zA-Z0-9-]') \
            --capabilities CAPABILITY_IAM \
            --region ${TESTING_REGION} \
            --s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
            --no-fail-on-empty-changeset \
            --role-arn ${TESTING_CLOUDFORMATION_EXECUTION_ROLE}

  build-and-package:
    if: github.ref == 'refs/heads/main'
    needs: [test]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/setup-sam@v2
        with:
          use-installer: true

      - name: Build resources
        run: sam build --template ${SAM_TEMPLATE} --use-container

      - name: Assume the testing pipeline user role
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.TESTING_REGION }}
          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
          role-session-name: testing-packaging
          role-duration-seconds: 3600
          role-skip-session-tagging: true

      - name: Upload artifacts to testing artifact buckets
        run: |
          sam package \
            --s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
            --region ${TESTING_REGION} \
            --output-template-file packaged-testing.yaml

      - uses: actions/upload-artifact@v3
        with:
          name: packaged-testing.yaml
          path: packaged-testing.yaml

      - name: Assume the prod pipeline user role
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.PROD_REGION }}
          role-to-assume: ${{ env.PROD_PIPELINE_EXECUTION_ROLE }}
          role-session-name: prod-packaging
          role-duration-seconds: 3600
          role-skip-session-tagging: true

      - name: Upload artifacts to production artifact buckets
        run: |
          sam package \
            --s3-bucket ${PROD_ARTIFACTS_BUCKET} \
            --region ${PROD_REGION} \
            --output-template-file packaged-prod.yaml

      - uses: actions/upload-artifact@v3
        with:
          name: packaged-prod.yaml
          path: packaged-prod.yaml

  deploy-testing:
    if: github.ref == 'refs/heads/main'
    needs: [build-and-package]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/setup-sam@v2
        with:
          use-installer: true
      - uses: actions/download-artifact@v3
        with:
          name: packaged-testing.yaml

      - name: Assume the testing pipeline user role
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.TESTING_REGION }}
          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
          role-session-name: testing-deployment
          role-duration-seconds: 3600
          role-skip-session-tagging: true

      - name: Deploy to testing account
        run: |
          sam deploy --stack-name ${TESTING_STACK_NAME} \
            --template packaged-testing.yaml \
            --capabilities CAPABILITY_IAM \
            --region ${TESTING_REGION} \
            --s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
            --no-fail-on-empty-changeset \
            --role-arn ${TESTING_CLOUDFORMATION_EXECUTION_ROLE}

  integration-test:
    if: github.ref == 'refs/heads/main'
    needs: [deploy-testing]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: |
          # trigger the integration tests here

  deploy-prod:
    if: github.ref == 'refs/heads/main'
    needs: [integration-test]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: aws-actions/setup-sam@v2
        with:
          use-installer: true
      - uses: actions/download-artifact@v3
        with:
          name: packaged-prod.yaml

      - name: Assume the prod pipeline user role
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.PROD_REGION }}
          role-to-assume: ${{ env.PROD_PIPELINE_EXECUTION_ROLE }}
          role-session-name: prod-deployment
          role-duration-seconds: 3600
          role-skip-session-tagging: true

      - name: Deploy to production account
        run: |
          sam deploy --stack-name ${PROD_STACK_NAME} \
            --template packaged-prod.yaml \
            --capabilities CAPABILITY_IAM \
            --region ${PROD_REGION} \
            --s3-bucket ${PROD_ARTIFACTS_BUCKET} \
            --no-fail-on-empty-changeset \
            --role-arn ${PROD_CLOUDFORMATION_EXECUTION_ROLE}

@hawflau
Contributor

hawflau commented Jul 13, 2023

Thanks for providing the GH Actions yml. It seems like I've misunderstood - I thought it was the GH Actions running the sam pipeline commands. Seems like the GH Actions yml is created by running sam pipeline init instead.

I looked up here:

The IAM user or role must be an existing identity

If the IAM role trust policy uses IAM users or roles as principals, then confirm that those IAM identities aren't deleted. The "Invalid principal in policy" error occurs if you modify the IAM trust policy and the principal was deleted.

Can you confirm if the IAM user actually exists?
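An added pre-deployment check (example code, not from the SAM CLI or from this thread) for the condition hawflau describes: it walks a role trust policy, pulls out every "AWS" principal, and flags principals that are malformed, wildcards, or not in the set of identities known to exist, which is the case behind the MalformedPolicyDocument error above. The sample policy and the set of existing identities are constructed; the account id is a placeholder.

```python
import json
import re

# IAM principal ARNs accepted in a trust policy "AWS" element: the account root,
# an IAM user or an IAM role (paths allowed). The account id must be 12 digits.
IAM_PRINCIPAL_RE = re.compile(
    r"^arn:(?:aws|aws-cn|aws-us-gov):iam::\d{12}:(?:root|(?:user|role)/[\w+=,.@/-]+)$"
)

def trust_policy_principals(policy):
    """Return the AWS principals named by the Allow statements of a trust policy.
    A bare 12-digit account id is normalised to the equivalent root ARN."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    arns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = "*" if principal == "*" else principal.get("AWS", [])
        for entry in ([aws] if isinstance(aws, str) else aws):
            if re.fullmatch(r"\d{12}", entry):
                entry = f"arn:aws:iam::{entry}:root"
            arns.append(entry)
    return arns

def check_principals(policy, existing_identities):
    """Classify each principal as ok, missing, malformed or wildcard, given the
    set of user/role/root ARNs that really exist in the target account."""
    verdict = {}
    for arn in trust_policy_principals(policy):
        if arn == "*":
            verdict[arn] = "wildcard"   # anyone may assume the role; never wanted here
        elif not IAM_PRINCIPAL_RE.match(arn):
            verdict[arn] = "malformed"
        elif arn not in existing_identities:
            verdict[arn] = "missing"    # the condition behind the issue's deploy error
        else:
            verdict[arn] = "ok"
    return verdict

# Constructed sample shaped like the issue's error message (placeholder account id):
# the pipeline user named as principal was never created, the account root exists.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "sts:AssumeRole", "Principal": {"AWS": [
        "arn:aws:iam::123456789012:user/aws-sam-cli-managed-dev-pipeline-reso-PipelineUser-ID",
        "123456789012"]}}]}
SAMPLE_EXISTING = {"arn:aws:iam::123456789012:root"}
```

In practice the existing-identity set would be built from the output of iam:ListUsers and iam:ListRoles for the target account before the stack is deployed.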

@aleguern-azivko
Author

No, the user is not created by the command sam pipeline init. I guess it's an issue because it does not mention anywhere that such a role needs to be created.

@aleguern-azivko
Author

If you have a quick fix to create the user and the access keys with the right permissions, that would be great too! I would be able to manually create the user in my template for now.

@github-actions
Contributor

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
