Policy creation failure on CDK Deployment through Identity Center Profile


I am getting an error while creating an S3 BucketPolicy and an IAM Policy. I am trying to deploy my stack from my local machine using an Identity Center profile that has the "Administrator Access" permission set. I have the latest version of aws-cdk and have bootstrapped my environment with it. Command line details are as follows.

D:\website\infra>cdk deploy --require-approval never

✨  Synthesis time: 20.34s

BaseWebsiteStack:  start: Building 3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961:601111111110-us-east-1
BaseWebsiteStack:  success: Built 3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961:601111111110-us-east-1
BaseWebsiteStack:  start: Building e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00:601111111110-us-east-1
BaseWebsiteStack:  success: Built e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00:601111111110-us-east-1
BaseWebsiteStack:  start: Publishing 3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961:601111111110-us-east-1
BaseWebsiteStack:  start: Building 73b6cb84ab8bfac4c6a2ea28808b1f87f2de290283a5b44fc08f3118d01192b0:601111111110-us-east-1
BaseWebsiteStack:  success: Built 73b6cb84ab8bfac4c6a2ea28808b1f87f2de290283a5b44fc08f3118d01192b0:601111111110-us-east-1
BaseWebsiteStack:  start: Publishing e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00:601111111110-us-east-1
BaseWebsiteStack:  start: Building 56ab77d73f3cdb303af9e0608d58cdf6bef2dd642972bf65e8cd7b2dee2238f9:601111111110-us-east-1
BaseWebsiteStack:  success: Built 56ab77d73f3cdb303af9e0608d58cdf6bef2dd642972bf65e8cd7b2dee2238f9:601111111110-us-east-1
BaseWebsiteStack:  start: Publishing 73b6cb84ab8bfac4c6a2ea28808b1f87f2de290283a5b44fc08f3118d01192b0:601111111110-us-east-1
BaseWebsiteStack:  start: Publishing 56ab77d73f3cdb303af9e0608d58cdf6bef2dd642972bf65e8cd7b2dee2238f9:601111111110-us-east-1
BaseWebsiteStack:  success: Published 56ab77d73f3cdb303af9e0608d58cdf6bef2dd642972bf65e8cd7b2dee2238f9:601111111110-us-east-1
BaseWebsiteStack:  success: Published e976a796f036a5efbf44b99e44cfb5a961df08d8dbf7cd37e60bf216fb982a00:601111111110-us-east-1
BaseWebsiteStack:  success: Published 73b6cb84ab8bfac4c6a2ea28808b1f87f2de290283a5b44fc08f3118d01192b0:601111111110-us-east-1
BaseWebsiteStack:  success: Published 3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961:601111111110-us-east-1
BaseWebsiteStack: deploying... [1/1]
BaseWebsiteStack: creating CloudFormation changeset...
BaseWebsiteStack | 0/9 | 7:59:42 pm | REVIEW_IN_PROGRESS   | AWS::CloudFormation::Stack  | BaseWebsiteStack User Initiated
BaseWebsiteStack | 0/9 | 7:59:51 pm | CREATE_IN_PROGRESS   | AWS::CloudFormation::Stack  | BaseWebsiteStack User Initiated
BaseWebsiteStack | 0/9 | 7:59:54 pm | CREATE_IN_PROGRESS   | AWS::Lambda::LayerVersion   | RootDomainWebsite/BucketDeployment/AwsCliLayer (RootDomainWebsiteBucketDeploymentAwsCliLayerF90FDA26)
BaseWebsiteStack | 0/9 | 7:59:54 pm | CREATE_IN_PROGRESS   | AWS::IAM::Role              | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
BaseWebsiteStack | 0/9 | 7:59:54 pm | CREATE_IN_PROGRESS   | AWS::CDK::Metadata          | CDKMetadata/Default (CDKMetadata)
BaseWebsiteStack | 0/9 | 7:59:54 pm | CREATE_IN_PROGRESS   | AWS::S3::Bucket             | RootDomainWebsite/Bucket (RootDomainWebsiteBucket30F4EC37)
BaseWebsiteStack | 0/9 | 7:59:55 pm | CREATE_IN_PROGRESS   | AWS::IAM::Role              | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265) Resource creation Initiated
BaseWebsiteStack | 0/9 | 7:59:55 pm | CREATE_IN_PROGRESS   | AWS::CDK::Metadata          | CDKMetadata/Default (CDKMetadata) Resource creation Initiated
BaseWebsiteStack | 1/9 | 7:59:55 pm | CREATE_COMPLETE      | AWS::CDK::Metadata          | CDKMetadata/Default (CDKMetadata)
BaseWebsiteStack | 1/9 | 7:59:55 pm | CREATE_IN_PROGRESS   | AWS::S3::Bucket             | RootDomainWebsite/Bucket (RootDomainWebsiteBucket30F4EC37) Resource creation Initiated
BaseWebsiteStack | 1/9 | 8:00:00 pm | CREATE_IN_PROGRESS   | AWS::Lambda::LayerVersion   | RootDomainWebsite/BucketDeployment/AwsCliLayer (RootDomainWebsiteBucketDeploymentAwsCliLayerF90FDA26) Resource creation Initiated
BaseWebsiteStack | 2/9 | 8:00:00 pm | CREATE_COMPLETE      | AWS::Lambda::LayerVersion   | RootDomainWebsite/BucketDeployment/AwsCliLayer (RootDomainWebsiteBucketDeploymentAwsCliLayerF90FDA26)
BaseWebsiteStack | 3/9 | 8:00:11 pm | CREATE_COMPLETE      | AWS::IAM::Role              | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
BaseWebsiteStack | 4/9 | 8:00:18 pm | CREATE_COMPLETE      | AWS::S3::Bucket             | RootDomainWebsite/Bucket (RootDomainWebsiteBucket30F4EC37)
BaseWebsiteStack | 4/9 | 8:00:26 pm | DELETE_IN_PROGRESS   | AWS::IAM::Role              | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
BaseWebsiteStack | 4/9 | 8:00:26 pm | DELETE_IN_PROGRESS   | AWS::S3::Bucket             | RootDomainWebsite/Bucket (RootDomainWebsiteBucket30F4EC37)
BaseWebsiteStack | 3/9 | 8:00:27 pm | DELETE_COMPLETE      | AWS::S3::Bucket             | RootDomainWebsite/Bucket (RootDomainWebsiteBucket30F4EC37)
BaseWebsiteStack | 3/9 | 8:00:20 pm | CREATE_IN_PROGRESS   | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F)
BaseWebsiteStack | 3/9 | 8:00:20 pm | CREATE_IN_PROGRESS   | AWS::IAM::Policy            | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF)
BaseWebsiteStack | 3/9 | 8:00:21 pm | CREATE_IN_PROGRESS   | AWS::IAM::Policy            | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF) Resource creation Initiated
BaseWebsiteStack | 3/9 | 8:00:21 pm | CREATE_IN_PROGRESS   | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F) Resource creation Initiated
BaseWebsiteStack | 3/9 | 8:00:22 pm | CREATE_FAILED        | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F) Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: R6GEEC9K5PB70TYH, Extended Request ID: AiOcFc3qNOLDSD1GLfsLWjeLwwugtjyH/m0R+KR2AOjJbLQ3Tk1V5Z+F05VzCLhctR+czwqCk5s=)" (RequestToken: b111d11f-d2g2-5v42-e35h-12sdf845g21y, HandlerErrorCode: AccessDenied)
BaseWebsiteStack | 3/9 | 8:00:22 pm | CREATE_FAILED        | AWS::IAM::Policy            | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF) Resource creation cancelled
BaseWebsiteStack | 3/9 | 8:00:22 pm | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack  | BaseWebsiteStack The following resource(s) failed to create: [CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF, RootDomainWebsiteBucketPolicy7BE8379F]. Rollback requested by user.
BaseWebsiteStack | 3/9 | 8:00:25 pm | DELETE_IN_PROGRESS   | AWS::CDK::Metadata          | CDKMetadata/Default (CDKMetadata)
BaseWebsiteStack | 3/9 | 8:00:25 pm | DELETE_IN_PROGRESS   | AWS::IAM::Policy            | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF)
BaseWebsiteStack | 3/9 | 8:00:25 pm | DELETE_IN_PROGRESS   | AWS::Lambda::LayerVersion   | RootDomainWebsite/BucketDeployment/AwsCliLayer (RootDomainWebsiteBucketDeploymentAwsCliLayerF90FDA26)
BaseWebsiteStack | 3/9 | 8:00:25 pm | DELETE_IN_PROGRESS   | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F)
BaseWebsiteStack | 4/9 | 8:00:26 pm | DELETE_COMPLETE      | AWS::IAM::Policy            | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/DefaultPolicy (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF)
BaseWebsiteStack | 3/9 | 8:00:26 pm | DELETE_COMPLETE      | AWS::CDK::Metadata          | CDKMetadata/Default (CDKMetadata)
BaseWebsiteStack | 4/9 | 8:00:26 pm | DELETE_COMPLETE      | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F)
BaseWebsiteStack | 3/9 | 8:00:26 pm | DELETE_COMPLETE      | AWS::Lambda::LayerVersion   | RootDomainWebsite/BucketDeployment/AwsCliLayer (RootDomainWebsiteBucketDeploymentAwsCliLayerF90FDA26)
BaseWebsiteStack | 2/9 | 8:00:39 pm | DELETE_COMPLETE      | AWS::IAM::Role              | Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole (CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265)
BaseWebsiteStack | 3/9 | 8:00:40 pm | ROLLBACK_COMPLETE    | AWS::CloudFormation::Stack  | BaseWebsiteStack

Failed resources:
BaseWebsiteStack | 8:00:22 pm | CREATE_FAILED        | AWS::S3::BucketPolicy       | RootDomainWebsite/Bucket/Policy (RootDomainWebsiteBucketPolicy7BE8379F) Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: R6GEEC9K5PB70TYH, Extended Request ID: AiOcFc3qNOLDSD1GLfsLWjeLwwugtjyH/m0R+KR2AOjJbLQ3Tk1V5Z+F05VzCLhctR+czwqCk5s=)" (RequestToken: b111d11f-d2g2-5v42-e35h-12sdf845g21y, HandlerErrorCode: AccessDenied)

 ❌  BaseWebsiteStack failed: Error: The stack named BaseWebsiteStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: R6GEEC9K5PB70TYH, Extended Request ID: AiOcFc3qNOLDSD1GLfsLWjeLwwugtjyH/m0R+KR2AOjJbLQ3Tk1V5Z+F05VzCLhctR+czwqCk5s=)" (RequestToken: b111d11f-d2g2-5v42-e35h-12sdf845g21y, HandlerErrorCode: AccessDenied)
    at FullCloudFormationDeployment.monitorDeployment (C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:427:10615)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:430:196919)
    at async C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:430:178888

 ❌ Deployment failed: Error: The stack named BaseWebsiteStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: R6GEEC9K5PB70TYH, Extended Request ID: AiOcFc3qNOLDSD1GLfsLWjeLwwugtjyH/m0R+KR2AOjJbLQ3Tk1V5Z+F05VzCLhctR+czwqCk5s=)" (RequestToken: b111d11f-d2g2-5v42-e35h-12sdf845g21y, HandlerErrorCode: AccessDenied)
    at FullCloudFormationDeployment.monitorDeployment (C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:427:10615)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Object.deployStack2 [as deployStack] (C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:430:196919)
    at async C:\Users\omkar\AppData\Roaming\npm\node_modules\aws-cdk\lib\index.js:430:178888

The stack named BaseWebsiteStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Access Denied (Service: S3, Status Code: 403, Request ID: R6GEEC9K5PB70TYH, Extended Request ID: AiOcFc3qNOLDSD1GLfsLWjeLwwugtjyH/m0R+KR2AOjJbLQ3Tk1V5Z+F05VzCLhctR+czwqCk5s=)" (RequestToken: b111d11f-d2g2-5v42-e35h-12sdf845g21y, HandlerErrorCode: AccessDenied)

D:\website\infra>
  • I am using only the following construct in my stack.

    import * as s3 from 'aws-cdk-lib/aws-s3';
    import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';
    import { RemovalPolicy } from 'aws-cdk-lib';
    import { Construct } from 'constructs';

    export interface S3WebsiteBucketProps {
      bucketName: string;
      indexDocument?: string;
      errorDocument?: string;
      websiteContentPath?: string;
    }

    export class S3WebsiteBucket extends Construct {
      public readonly bucket: s3.Bucket;

      constructor(scope: Construct, id: string, props: S3WebsiteBucketProps) {
        super(scope, id);

        // Create the S3 bucket.
        // publicReadAccess: true makes CDK attach a bucket policy granting
        // s3:GetObject to everyone (the RootDomainWebsite/Bucket/Policy
        // resource that fails in the log above).
        this.bucket = new s3.Bucket(this, 'Bucket', {
          bucketName: props.bucketName,
          websiteIndexDocument: props.indexDocument || 'index.html',
          websiteErrorDocument: props.errorDocument || props.indexDocument || 'error.html',
          publicReadAccess: true,
          removalPolicy: RemovalPolicy.DESTROY,
        });

        // Deploy the content to the bucket only when a website content path is provided
        if (props.websiteContentPath) {
          new s3deploy.BucketDeployment(this, 'BucketDeployment', {
            sources: [s3deploy.Source.asset(props.websiteContentPath)],
            destinationBucket: this.bucket,
          });
        }
      }
    }

No Answers
