wip - aws.ecr - log warning on access denied instead of raising #3618
Conversation
Maybe not for this PR, but I feel like we really need to have these captured and a way to track/signal a policy's failure on a partial like this. Warning log messages just haven't been cutting it at scale; I don't get the sense anyone looks at the logs typically.
@kapilt yeah, I was originally going to add in the c7n:DeniedMethods attribute to cross-account, but in the case that the resource fails to get a repository policy, you would never be able to see it in the output. Additionally, when you wrap the cross-account filter in a not block, the annotated key is removed.
WRT tests, perhaps worth looking at how I was doing it for EBS snapshot not found in the tagging PR.
```python
if e.response['Error']['Code'] == 'AccessDeniedException':
    self.log.warning('Access Denied on GetLifecyclePolicy for repository: %s' %
                     r['repositoryName'])
    r[self.policy_annotation] = {}
```
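Review bot: the `if` branch only covers `AccessDeniedException`, and nothing in the visible lines re-raises for any other error code, so a throttling error or a missing repository on the same call would be treated like a denial; the branch needs an `else: raise` (or the `except` should re-raise at the end). Two smaller points on the same lines: `r[self.policy_annotation] = {}` records a denied repository exactly like one that has no lifecycle policy, so the denial is invisible in the output (the thread's own concern), and the warning should pass the repository name as a lazy argument, `self.log.warning('... %s', r['repositoryName'])`, instead of eager `%` formatting.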
some changes got pushed to this that now unconditionally and without logging swallow all other exceptions ...
ECR's resource-level IAM policies cause Custodian to error out if a single repository denies access to Custodian's role. This PR logs the error as a warning and continues on to the rest of the resources. Also fixes this for GetLifecyclePolicy.
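The per-repository handling the description above asks for, written out as an added example that is not cloud-custodian's own code and does not reproduce the PR. It goes one step further than the PR: a denial is recorded on the resource under a `c7n:DeniedMethods` key (the name floated in the thread; treating it as a list of operation names is an assumption), a missing policy is distinguished from a denied one, and every other `ClientError` is re-raised rather than swallowed. `FakeECRClient`, the sample repositories and the two policy documents are constructed so the example runs offline; the fallback `ClientError` class is assumed to match botocore's constructor and attributes.

```python
"""Added example (not cloud-custodian's code): per-repository handling of ECR denials."""
import json
import logging

try:
    from botocore.exceptions import ClientError
except ImportError:  # assumption: same constructor/attributes as botocore's ClientError
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response["Error"].get("Message", ""))
            self.response = error_response
            self.operation_name = operation_name

log = logging.getLogger("custodian.ecr")

# Annotation key from the thread (assumption: value is a list of denied API operations)
DENIED_ANNOTATION = "c7n:DeniedMethods"

# (boto3 method, response field, "no such policy" error code, annotation key)
POLICY_CALLS = (
    ("get_repository_policy", "policyText", "RepositoryPolicyNotFoundException", "c7n:RepositoryPolicy"),
    ("get_lifecycle_policy", "lifecyclePolicyText", "LifecyclePolicyNotFoundException", "c7n:LifecyclePolicy"),
)


def fetch_policy(client, repo, method, field, not_found_code):
    """Return the parsed policy document, or None when the repository has none
    or its resource policy denies the call. Denials are logged and annotated;
    any other ClientError (throttling, missing repository, ...) is re-raised."""
    name = repo["repositoryName"]
    try:
        resp = getattr(client, method)(repositoryName=name)
    except ClientError as e:
        code = e.response["Error"]["Code"]
        if code == not_found_code:
            return None                       # no policy attached: not a failure
        if code == "AccessDeniedException":
            # lazy %s arguments: no string formatting unless the record is emitted
            log.warning("Access denied on %s for repository: %s", e.operation_name, name)
            repo.setdefault(DENIED_ANNOTATION, []).append(e.operation_name)
            return None
        raise                                 # everything else must surface
    return json.loads(resp[field])


def annotate_repositories(client, repos):
    """Attach both policy documents (or None) to every repository dict and carry on."""
    for repo in repos:
        for method, field, not_found, key in POLICY_CALLS:
            repo[key] = fetch_policy(client, repo, method, field, not_found)
    return repos


def denied_repositories(repos):
    """The signal the thread asks for: which repositories were only partially readable."""
    return {r["repositoryName"]: r[DENIED_ANNOTATION] for r in repos if DENIED_ANNOTATION in r}


class FakeECRClient:
    """Constructed stand-in for boto3's ECR client so the example runs offline.
    policies: repo -> {operation: policy dict}; denied: repo -> operations its
    resource policy blocks; missing: repos that raise RepositoryNotFoundException."""

    def __init__(self, policies, denied=None, missing=()):
        self.policies, self.denied, self.missing = policies, denied or {}, set(missing)

    def _call(self, op, field, not_found_code, repositoryName):
        if repositoryName in self.missing:
            raise ClientError({"Error": {"Code": "RepositoryNotFoundException", "Message": "no such repo"}}, op)
        if op in self.denied.get(repositoryName, ()):
            raise ClientError({"Error": {"Code": "AccessDeniedException", "Message": "not authorized"}}, op)
        doc = self.policies.get(repositoryName, {}).get(op)
        if doc is None:
            raise ClientError({"Error": {"Code": not_found_code, "Message": "no policy"}}, op)
        return {field: json.dumps(doc)}

    def get_repository_policy(self, repositoryName):
        return self._call("GetRepositoryPolicy", "policyText", "RepositoryPolicyNotFoundException", repositoryName)

    def get_lifecycle_policy(self, repositoryName):
        return self._call("GetLifecyclePolicy", "lifecyclePolicyText", "LifecyclePolicyNotFoundException", repositoryName)


# Constructed sample policy documents
CROSS_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "ecr:BatchGetImage"}]}
EXPIRE_UNTAGGED = {"rules": [{"rulePriority": 1, "selection": {"tagStatus": "untagged",
                   "countType": "imageCountMoreThan", "countNumber": 10}, "action": {"type": "expire"}}]}


def build_client():
    """Constructed account: app-a readable, app-b denies GetRepositoryPolicy,
    app-c has no lifecycle policy, ghost does not exist."""
    return FakeECRClient(
        policies={"app-a": {"GetRepositoryPolicy": CROSS_ACCOUNT, "GetLifecyclePolicy": EXPIRE_UNTAGGED},
                  "app-b": {"GetLifecyclePolicy": EXPIRE_UNTAGGED},
                  "app-c": {"GetRepositoryPolicy": CROSS_ACCOUNT}},
        denied={"app-b": {"GetRepositoryPolicy"}}, missing=("ghost",))


def run_demo():
    repos = [{"repositoryName": n} for n in ("app-a", "app-b", "app-c")]
    return annotate_repositories(build_client(), repos)


def other_errors_propagate():
    """Return the error code that escapes for a repository that does not exist."""
    try:
        annotate_repositories(build_client(), [{"repositoryName": "ghost"}])
    except ClientError as e:
        return e.response["Error"]["Code"]
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for r in run_demo():
        print(r["repositoryName"], "denied:", r.get(DENIED_ANNOTATION, []))
```

Because the denial lands on the resource dict, it survives into the policy's output and can be filtered on, which a warning line alone does not give you; whether a wrapping `not` filter drops that key, as the thread notes for the cross-account annotation, is a separate question this example does not address.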