Error when deploy EKS cluster from cdk pipeline

0

I'm trying to deploy an EKS cluster stack as part of my pipeline. It's a self-mutating pipeline, which includes stages to pull the code from GitLab, then build the CDK, update the stack, and then deploy the EKS cluster.

I can deploy the stack from my PC, but if I let CodePipeline run the deployment using CloudFormationCreateUpdateStackAction it fails with the following error:

awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454** - create failed - S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html

A bit further on it fails with:

The following resource(s) failed to create: [CustomAWSCDKOpenIdConnectProviderCustomResourceProviderRole517FED65, clusterAdmin9FD4BDDE, layer26FEA11C0D, nodeRoleA6A8ECDC, eksclusterControlPlaneSecurityGroupBAB2FC0A, eksclusterKubectlHandlerRole12CC1C9C, AWSCDKCfnUtilsProviderCustomResourceProviderRoleFE0EE867, eksclusterRoleAD55CC89, awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454]. Rollback requested by user.

When I look at CloudTrail it's complaining it's unable to find an asset.

            // Tail of the Pipeline construct's PipelineProps initializer (the opening lines were not included in the post)
            {
                PipelineName = pipelineName,
                CrossAccountKeys = true,
                ArtifactBucket = artifactBucket,
                RestartExecutionOnUpdate = true,
            });

I have a number of stages before my deployment stage. The first pulls the code using a custom action because we use GitLab, the next does a cdk synth on the project. I'm not entirely sure how much code is needed, but I'll give it a go :)

            // Tail of the StageOptions for the deployment stage (the opening lines were not included in the post)
            {
                StageName = "DeployEksClusters",
                Actions = new IAction[]
                {
                    new CloudFormationCreateUpdateStackAction(new CloudFormationCreateUpdateStackActionProps
                    {
                        Account = props.LocalCluster.Account,
                        Region = props.LocalCluster.Region,
                        ActionName = "DeployLocalCluster",
                        StackName = props.LocalCluster.StackName,
                        TemplatePath = pipelineBuildOutput.AtPath("LocalCluster.template.json"),
                        DeploymentRole = cfRole,
                        CfnCapabilities = new CfnCapabilities[] { CfnCapabilities.NAMED_IAM, CfnCapabilities.AUTO_EXPAND },
                        Role = cfRole,
                        AdminPermissions = true
                    }),
                }
            });

The EKS stack looks like this:

            // Tail of the ClusterProps initializer for `cluster` (the opening lines were not included in the post)
            {
                Tags = tags,
                MastersRole = clusterAdmin,
                Version = KubernetesVersion.Of("1.26"),
                Vpc = vpc,
                ClusterName = Props.ClusterName,
                VpcSubnets = new[] { subnets },
                AlbController = new AlbControllerOptions { Version = AlbControllerVersion.V2_5_1 },
                EndpointAccess = EndpointAccess.PRIVATE,
                DefaultCapacity = 0,
                KubectlLayer = new KubectlV26Layer(this, "layer26"),
            });

            var managedNodeGroup = cluster.AddNodegroupCapacity("initial-node-group", new NodegroupOptions
            {
                MinSize = 1,
                MaxSize = 5,
                AmiType = NodegroupAmiType.AL2_X86_64,
                InstanceTypes = new[] { new InstanceType("m5.large") },
                CapacityType = CapacityType.SPOT,
                DiskSize = 40,
                NodeRole = nodeRole,
                Tags = tags,
            });

Thanks in advance

Andrew

2 Answers
0

Hello there,

Looking at the below error, the issue was in downloading the nested stack's template while creating the nested stack.

awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454** - create failed - S3 error: Access Denied For more information check http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html 

awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454 --> This looks like a nested stack resource.

Possible causes of the issue and resolutions:

  1. The CloudFormation service role of the stack does not have enough permission to pull the template of the nested stack from its S3 location.

Adding the below permission to the CloudFormation service role may help here:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

You can optionally specify only the S3 bucket ARN where the nested stack's template is present in the "Resource" section of the above policy.

  2. Bucket policy on the S3 bucket of the nested stack's template may be restricting access from the AWS CloudFormation service role. Please check this and allow the CloudFormation service role to get the objects from this bucket.

     https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html --> [1]

  3. If encryption is enabled for the S3 bucket and it's using a customer managed KMS key, please provide permission for the CloudFormation stack service role to use the KMS key.

Policy example is given below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey*",
                "kms:Encrypt",
                "kms:ReEncrypt*",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}

If the KMS key is in a different account, you may need to grant access to it in the AWS KMS key policy for the CloudFormation stack role as well. Please refer to the documentation [2] for more information about KMS key policies.

I hope this information serves you. Further troubleshooting of this requires checking IAM role policies, the S3 bucket policy, KMS and other resources in the AWS account. So, if you need additional help on this, feel free to reach out to AWS Premium Support.


References:

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

[2] https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

AWS
SUPPORT ENGINEER
answered a year ago
  • Hi, I'm sure that the CloudFormation role that I'm using I've granted administrator access to, because it was driving me crazy. What role will the nested stack actually run with?

  • Hello there,

    Nested stacks run with the CloudFormation service role [1] (the CFN service role/stack role will be used to pull the nested stack template from S3 and also in provisioning all the resources of the nested stack).

    The nested stack template URL will be available in the "TemplateURL" [2] property of the nested stack resource in the parent stack template. This will get you the S3 bucket that stores the nested stack template. You can use that S3 bucket and further troubleshoot the issue with the steps below:

    1. Check for an explicit deny in the CFN service role for S3-related actions.
    2. As commented above, please check the bucket policy and KMS key policy, which can also be causing access denied errors.

    References:
    [1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html
    [2] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-stack.html#cfn-cloudformation-stack-templateurl

  • How does the nested stack get into the S3 bucket, from the artifact bucket to the CDK assets bucket?

    This is the bit out of the cluster template, and the file 22906e5b58e08ac2681a028481b574e104676337fc7a7e1b6d0cfb021a645670.json (which is the one that comes up in CloudTrail) isn't in the CDK assets bucket?!

    "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454": { "Type": "AWS::CloudFormation::Stack", "Properties": { "TemplateURL": { "Fn::Join": [ "", [ "https://s3.eu-west-2.", { "Ref": "AWS::URLSuffix" }, "/cdk-hnb659fds-assets-715522585778-eu-west-2/22906e5b58e08ac2681a028481b574e104676337fc7a7e1b6d0cfb021a645670.json" ] ] },

    I've removed some bits that reveal internal tags. Is this the file that should be placed into the directory, but isn't for some reason?

    UpdateReplacePolicy": "Delete", "DeletionPolicy": "Delete", "Metadata": { "aws:cdk:path": "LocalCluster/@aws-cdk--aws-eks.ClusterResourceProvider.NestedStack/@aws-cdk--aws-eks.ClusterResourceProvider.NestedStackResource", "aws:asset:path": "LocalClusterawscdkawseksClusterResourceProvider87C3D556.nested.template.json", "aws:asset:property": "TemplateURL" }
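To carry out the check the reply above describes (read each AWS::CloudFormation::Stack resource's "TemplateURL" from the parent template, work out which bucket and object it points at, and confirm that object is actually there before the deploy action runs), here is an added Python example; it is not code from the question, from AWS or from the CDK. The template fragment is constructed from the one quoted above with a placeholder account id, and `object_exists` is an assumed callback that you would back with an S3 HeadObject call made with the CloudFormation service role's credentials.

```python
import json
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed sample: the nested-stack resource shape quoted in the question.
# Logical id and asset hash are as on the page; the account id is a placeholder.
SAMPLE_TEMPLATE: Dict = {
    "Resources": {
        "awscdkawseksClusterResourceProviderNestedStackawscdkawseksClusterResourceProviderNestedStackResource9827C454": {
            "Type": "AWS::CloudFormation::Stack",
            "Properties": {
                "TemplateURL": {"Fn::Join": ["", [
                    "https://s3.eu-west-2.", {"Ref": "AWS::URLSuffix"},
                    "/cdk-hnb659fds-assets-123456789012-eu-west-2/"
                    "22906e5b58e08ac2681a028481b574e104676337fc7a7e1b6d0cfb021a645670.json",
                ]]},
            },
        },
        "nodeRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    }
}

def resolve_url(value, url_suffix: str = "amazonaws.com") -> str:
    """Flatten the Fn::Join / Ref AWS::URLSuffix form CDK emits into a plain URL string."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        if value.get("Ref") == "AWS::URLSuffix":
            return url_suffix
        if "Fn::Join" in value:
            sep, parts = value["Fn::Join"]
            return sep.join(resolve_url(p, url_suffix) for p in parts)
    raise ValueError(f"unsupported TemplateURL form: {value!r}")

def nested_template_objects(template: Dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (logical_id, bucket, key) for every nested stack in a synthesized parent template."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudFormation::Stack":
            continue
        url = resolve_url(res["Properties"]["TemplateURL"])
        # Path-style S3 URL: https://s3.<region>.<suffix>/<bucket>/<key>
        bucket, key = url.split("/", 3)[3].split("/", 1)
        yield logical_id, bucket, key

def missing_nested_templates(template: Dict, object_exists: Callable[[str, str], bool]) -> List[Tuple[str, str, str]]:
    """Return the nested stacks whose template object the supplied check cannot find."""
    return [(lid, b, k) for lid, b, k in nested_template_objects(template) if not object_exists(b, k)]

if __name__ == "__main__":
    # With a real checker, a 404 here is the "asset never published" case and a 403 the Access Denied case.
    print(json.dumps(missing_nested_templates(SAMPLE_TEMPLATE, lambda b, k: False), indent=2))
```

Running this against the template in the pipeline's build output, before CloudFormationCreateUpdateStackAction is allowed to start, turns the question's post-hoc CloudTrail search into a pre-deploy gate.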

0

From your error, it looks like the role that is deploying the stack may not have permissions to the S3 bucket or to create the bucket.

Make sure you have provided either the proper permissions to allow your stack to create the bucket or to access the bucket. Here's some additional information - https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example1.html

Hope this helps.

answered a year ago
