Policy creation failure on CDK Deployment through Identity Center Profile


I am getting an error while creating an S3 BucketPolicy and an IAM Policy. I am trying to deploy my stack from my local machine using an Identity Center profile that has the "Administrator Access" permission set. I have the latest version of aws-cdk and have bootstrapped my environment with it. Command line details are as follows.

D:\website\infra>cdk deploy --require-approval never

✨  Synthesis time: 20.34s

BaseWebsiteStack:  start: Building 3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961:601111111110-us-east-1
BaseWebsiteStack:  success: Built 3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961:601111111110-us-east-1
BaseWebsiteStack:  start: Building e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00:601111111110-us-east-1
BaseWebsiteStack:  success: Built e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00:601111111110-us-east-1
BaseWebsiteStack:  start: Publishing 3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961:601111111110-us-east-1
BaseWebsiteStack:  start: Building 73b6cb84ab8bfac4c6a2ea28808b1f87f2de290283a5b44fc08f3118d01192b0:601111111110-us-east-1
BaseWebsiteStack:  success: Built 73b6cb84ab8bfac4c6a2ea28808b1f87f2de290283a5b44fc08f3118d01192b0:601111111110-us-east-1
BaseWebsiteStack:  start: Publishing e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00:601111111110-us-east-1
BaseWebsiteStack:  start: Building 56ab77d73f3cdb303af9e0608d58cdf6bef2dd642972bf65e8cd7b2dee2238f9:601111111110-us-east-1
BaseWebsiteStack:  success: Built 56ab77d73f3cdb303af9e0608d58cdf6bef2dd642972bf65e8cd7b2dee2238f9:601111111110-us-east-1
BaseWebsiteStack:  start: Publishing 73b6cb84ab8bfac4c6a2ea28808b1f87f2de290283a5b44fc08f3118d01192b0:601111111110-us-east-1
BaseWebsiteStack:  start: Publishing 56ab77d73f3cdb303af9e0608d58cdf6bef2dd642972bf65e8cd7b2dee2238f9:601111111110-us-east-1
BaseWebsiteStack:  success: Published 56ab77d73f3cdb303af9e0608d58cdf6bef2dd642972bf65e8cd7b2dee2238f9:601111111110-us-east-1
BaseWebsiteStack:  success: Published e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00:601111111110-us-east-1
BaseWebsiteStack:  success: Published 73b6cb84ab8bfac4c6a2ea28808b1f87f2de290283a5b44fc08f3118d01192b0:601111111110-us-east-1
BaseWebsiteStack:  success: Published 3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961:601111111110-us-east-1
BaseWebsiteStack: deploying... [1/1]
BaseWebsiteStack: creating CloudFormation changeset...
BaseWebsiteStack | 0/9 | 7:59:42 pm | REVIEW_IN_PROGRESS   | AWS::CloudFormation::Stack  | BaseWebsiteStack User Initiated
BaseWebsiteStack | 0/9 | 7:59:51 pm | CREATE_IN_PROGRESS   | AWS::CloudFormation::Stack  | BaseWebsiteStack User Initiated
BaseWebsiteStack | 0/9 | 7:59:54 pm | CREATE_IN_PROGRESS   | AWS::Lambda::LayerVersion   | RootDomainWebsite/BucketDeployment/AwsCliLayer (RootDomainWebsiteBucketDeploymentAwsCliLayerF90FDA26)
BaseWebsiteStack | 0/9 | 7:59:54 pm | CREATE_IN_PROGRESS   | AWS::IAM::Role              | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
BaseWebsiteStack | 0/9 | 7:59:54 pm | CREATE_IN_PROGRESS   | AWS::CDK::Metadata          | CDKMetadata/Default (CDKMetadata)
BaseWebsiteStack | 0/9 | 7:59:54 pm | CREATE_IN_PROGRESS   | AWS::S3::Bucket             | RootDomainWebsite/Bucket (RootDomainWebsiteBucket30F4EC37)
BaseWebsiteStack | 0/9 | 7:59:55 pm | CREATE_IN_PROGRESS   | AWS::IAM::Role              | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265) Resource creation Initiated
BaseWebsiteStack | 0/9 | 7:59:55 pm | CREATE_IN_PROGRESS   | AWS::CDK::Metadata          | CDKMetadata/Default (CDKMetadata) Resource creation Initiated
BaseWebsiteStack | 1/9 | 7:59:55 pm | CREATE_COMPLETE      | AWS::CDK::Metadata          | CDKMetadata/Default (CDKMetadata)
BaseWebsiteStack | 1/9 | 7:59:55 pm | CREATE_IN_PROGRESS   | AWS::S3::Bucket             | RootDomainWebsite/Bucket (RootDomainWebsiteBucket30F4EC37) Resource creation Initiated
BaseWebsiteStack | 1/9 | 8:00:00 pm | CREATE_IN_PROGRESS   | AWS::Lambda::LayerVersion   | RootDomainWebsite/BucketDeployment/AwsCliLayer (RootDomainWebsiteBucketDeploymentAwsCliLayerF90FDA26) Resource creation Initiated
BaseWebsiteStack | 2/9 | 8:00:00 pm | CREATE_COMPLETE      | AWS::Lambda::LayerVersion   | RootDomainWebsite/BucketDeployment/AwsCliLayer (RootDomainWebsiteBucketDeploymentAwsCliLayerF90FDA26)
BaseWebsiteStack | 3/9 | 8:00:11 pm | CREATE_COMPLETE      | AWS::IAM::Role              | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
BaseWebsiteStack | 4/9 | 8:00:18 pm | CREATE_COMPLETE      | AWS::S3::Bucket             | RootDomainWebsite/Bucket (RootDomainWebsiteBucket30F4EC37)
BaseWebsiteStack | 4/9 | 8:00:26 pm | DELETE_IN_PROGRESS   | AWS::IAM::Role              | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
BaseWebsiteStack | 4/9 | 8:00:26 pm | DELETE_IN_PROGRESS   | AWS::S3::Bucket             | RootDomainWebsite/Bucket (RootDomainWebsiteBucket30F4EC37)
BaseWebsiteStack | 3/9 | 8:00:27 pm | DELETE_COMPLETE      | AWS::S3::Bucket             | RootDomainWebsite/Bucket (RootDomainWebsiteBucket30F4EC37)
BaseWebsiteStack | 3/9 | 8:00:20 pm | CREATE_IN_PROGRESS   | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F)
BaseWebsiteStack | 3/9 | 8:00:20 pm | CREATE_IN_PROGRESS   | AWS::IAM::Policy            | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF)
BaseWebsiteStack | 3/9 | 8:00:21 pm | CREATE_IN_PROGRESS   | AWS::IAM::Policy            | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF) Resource creation Initiated
BaseWebsiteStack | 3/9 | 8:00:21 pm | CREATE_IN_PROGRESS   | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F) Resource creation Initiated
BaseWebsiteStack | 3/9 | 8:00:22 pm | CREATE_FAILED        | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F) Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: R6GEEC9K5PB70TYH, Extended Request ID: AiOcFc3qNOLDSD1GLfsLWjeLwwugtjyH/m0R+KR2AOjJbLQ3Tk1V5Z+F05VzCLhctR+czwqCk5s=)" (RequestToken: b111d11f-d2g2-5v42-e35h-12sdf845g21y, HandlerErrorCode: AccessDenied)
BaseWebsiteStack | 3/9 | 8:00:22 pm | CREATE_FAILED        | AWS::IAM::Policy            | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF) Resource creation cancelled
BaseWebsiteStack | 3/9 | 8:00:22 pm | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack  | BaseWebsiteStack The following resource(s) failed to create: [CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF, RootDomainWebsiteBucketPolicy7BE8379F]. Rollback requested by user.
BaseWebsiteStack | 3/9 | 8:00:25 pm | DELETE_IN_PROGRESS   | AWS::CDK::Metadata          | CDKMetadata/Default (CDKMetadata)
BaseWebsiteStack | 3/9 | 8:00:25 pm | DELETE_IN_PROGRESS   | AWS::IAM::Policy            | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF)
BaseWebsiteStack | 3/9 | 8:00:25 pm | DELETE_IN_PROGRESS   | AWS::Lambda::LayerVersion   | RootDomainWebsite/BucketDeployment/AwsCliLayer (RootDomainWebsiteBucketDeploymentAwsCliLayerF90FDA26)
BaseWebsiteStack | 3/9 | 8:00:25 pm | DELETE_IN_PROGRESS   | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F)
BaseWebsiteStack | 4/9 | 8:00:26 pm | DELETE_COMPLETE      | AWS::IAM::Policy            | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF)
BaseWebsiteStack | 3/9 | 8:00:26 pm | DELETE_COMPLETE      | AWS::CDK::Metadata          | CDKMetadata/Default (CDKMetadata)
BaseWebsiteStack | 4/9 | 8:00:26 pm | DELETE_COMPLETE      | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F)
BaseWebsiteStack | 3/9 | 8:00:26 pm | DELETE_COMPLETE      | AWS::Lambda::LayerVersion   | RootDomainWebsite/BucketDeployment/AwsCliLayer (RootDomainWebsiteBucketDeploymentAwsCliLayerF90FDA26)
BaseWebsiteStack | 2/9 | 8:00:39 pm | DELETE_COMPLETE      | AWS::IAM::Role              | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
BaseWebsiteStack | 3/9 | 8:00:40 pm | ROLLBACK_COMPLETE    | AWS::CloudFormation::Stack  | BaseWebsiteStack

Failed resources:
BaseWebsiteStack | 8:00:22 pm | CREATE_FAILED        | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F) Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: R6GEEC9K5PB70TYH, Extended Request ID: AiOcFc3qNOLDSD1GLfsLWjeLwwugtjyH/m0R+KR2AOjJbLQ3Tk1V5Z+F05VzCLhctR+czwqCk5s=)" (RequestToken: b111d11f-d2g2-5v42-e35h-12sdf845g21y, HandlerErrorCode: AccessDenied)

 ❌  BaseWebsiteStack failed: Error: The stack named BaseWebsiteStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: R6GEEC9K5PB70TYH, Extended Request ID: AiOcFc3qNOLDSD1GLfsLWjeLwwugtjyH/m0R+KR2AOjJbLQ3Tk1V5Z+F05VzCLhctR+czwqCk5s=)" (RequestToken: b111d11f-d2g2-5v42-e35h-12sdf845g21y, HandlerErrorCode: AccessDenied)
    at FullCloudFormationDeployment.monitorDeployment (C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:427:10615)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:430:196919)
    at async C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:430:178888

 ❌ Deployment failed: Error: The stack named BaseWebsiteStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: R6GEEC9K5PB70TYH, Extended Request ID: AiOcFc3qNOLDSD1GLfsLWjeLwwugtjyH/m0R+KR2AOjJbLQ3Tk1V5Z+F05VzCLhctR+czwqCk5s=)" (RequestToken: b111d11f-d2g2-5v42-e35h-12sdf845g21y, HandlerErrorCode: AccessDenied)
    at FullCloudFormationDeployment.monitorDeployment (C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:427:10615)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:430:196919)
    at async C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:430:178888

The stack named BaseWebsiteStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: R6GEEC9K5PB70TYH, Extended Request ID: AiOcFc3qNOLDSD1GLfsLWjeLwwugtjyH/m0R+KR2AOjJbLQ3Tk1V5Z+F05VzCLhctR+czwqCk5s=)" (RequestToken: b111d11f-d2g2-5v42-e35h-12sdf845g21y, HandlerErrorCode: AccessDenied)

D:\website\infra>
I am using only the following construct in my stack.

    import * as s3 from 'aws-cdk-lib/aws-s3';
    import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
    import { RemovalPolicy } from 'aws-cdk-lib';
    import { Construct } from 'constructs';

    export interface S3WebsiteBucketProps {
      bucketName: string;
      indexDocument?: string;
      errorDocument?: string;
      websiteContentPath?: string;
    }

    export class S3WebsiteBucket extends Construct {
      public readonly bucket: s3.Bucket;

      constructor(scope: Construct, id: string, props: S3WebsiteBucketProps) {
        super(scope, id);

        // Create the S3 bucket; publicReadAccess adds a bucket policy granting s3:GetObject to everyone
        this.bucket = new s3.Bucket(this, 'Bucket', {
          bucketName: props.bucketName,
          websiteIndexDocument: props.indexDocument || 'index.html',
          websiteErrorDocument: props.errorDocument || props.indexDocument || 'error.html',
          publicReadAccess: true,
          removalPolicy: RemovalPolicy.DESTROY,
        });

        // Deploy the content to the bucket only when a website content path is provided
        if (props.websiteContentPath) {
          new s3deploy.BucketDeployment(this, 'BucketDeployment', {
            sources: [s3deploy.Source.asset(props.websiteContentPath)],
            destinationBucket: this.bucket,
          });
        }
      }
    }
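One way to catch this kind of 403 before running `cdk deploy`, as an added example that is not part of the original post: the check below reads a synthesized CloudFormation template and, for each bucket policy that allows a wildcard principal, reports whether the bucket's Block Public Access configuration will make S3 reject the policy. The sample template is constructed inline (it only borrows the logical ids from the log above) and the function names are my own.

```typescript
// Added example, not code from the original post: an offline check over a synthesized
// CloudFormation template (`cdk synth` output) that finds bucket policies granting an
// unconditional Allow to "*" and reports how the bucket's Block Public Access settings treat them.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, CfnResource> };

function isWildcardPrincipal(p: any): boolean {
  if (p === "*") return true;
  const aws = p && typeof p === "object" ? p.AWS : undefined;
  return aws === "*" || (Array.isArray(aws) && aws.indexOf("*") !== -1);
}

// Statements with a Condition are skipped: S3 treats some conditions as making a policy
// non-public, and this check does not try to reproduce that table.
function hasUnconditionalPublicAllow(doc: any): boolean {
  const statements: any[] = doc && Array.isArray(doc.Statement) ? doc.Statement : [];
  return statements.some(s => s.Effect === "Allow" && s.Condition === undefined && isWildcardPrincipal(s.Principal));
}

function checkTemplate(tpl: Template): string[] {
  const findings: string[] = [];
  for (const id in tpl.Resources) {
    const res = tpl.Resources[id];
    if (res.Type !== "AWS::S3::BucketPolicy" || !hasUnconditionalPublicAllow(res.Properties?.PolicyDocument)) continue;
    // CDK emits Bucket as {"Ref": "<logical id>"}; a plain string would be a bucket name.
    const ref = res.Properties?.Bucket;
    const bucketId: string | undefined = typeof ref === "string" ? ref : ref?.Ref;
    const pab = bucketId !== undefined ? tpl.Resources[bucketId]?.Properties?.PublicAccessBlockConfiguration : undefined;
    // No configuration in the template means S3's defaults apply, and those block public policies.
    const blocked = pab === undefined || pab.BlockPublicPolicy === true;
    findings.push(blocked
      ? `${id}: public policy on ${bucketId ?? "?"} will be rejected with 403 (BlockPublicPolicy on)`
      : `${id}: ${bucketId} is deliberately public (BlockPublicPolicy off); confirm this is intended`);
  }
  return findings;
}

// Constructed sample mirroring the failing stack: public-read policy, bucket left at S3's default Block Public Access.
const sampleTemplate: Template = { Resources: {
  RootDomainWebsiteBucket30F4EC37: { Type: "AWS::S3::Bucket", Properties: { WebsiteConfiguration: { IndexDocument: "index.html" } } },
  RootDomainWebsiteBucketPolicy7BE8379F: { Type: "AWS::S3::BucketPolicy", Properties: {
    Bucket: { Ref: "RootDomainWebsiteBucket30F4EC37" },
    PolicyDocument: { Version: "2012-10-17", Statement: [{ Effect: "Allow", Principal: { AWS: "*" }, Action: "s3:GetObject", Resource: "*" }] },
  } },
} };
console.log(checkTemplate(sampleTemplate).join("\n"));
```

In the CDK construct above, the synthesized PublicAccessBlockConfiguration comes from the bucket's `blockPublicAccess` property. Account-level Block Public Access is not visible in a template and produces the same 403, so check it separately.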

No answers
