Questions tagged with AWS CloudFormation


How to download an S3 file to a Windows 2022 EC2 instance with CloudFormation Init? Getting Access Denied error.

I'm trying to download a file from an S3 bucket onto an EC2 Windows server. I have set up the IAM role, policy, and profile. In the CloudFormation::Init section of the server, I have different configSets and one of them downloads a file from the bucket.

```json
--- Some items not shown ---
"Parameters": {
  "S3BucketName": {
    "Description": "The name of an existing S3 bucket that the server needs to access.",
    "Type": "String",
    "Default": "ccw-to-rds-poc-1"
  },
  --- Some parameters not shown ---
"InstanceRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": ["ec2.amazonaws.com"] },
          "Action": ["sts:AssumeRole"]
        }
      ]
    },
    "Path": "/"
  }
},
"RolePolicies": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "S3Download",
    "PolicyDocument": {
      "Statement": [
        {
          "Action": ["s3:GetObject"],
          "Effect": "Allow",
          "Resource": { "Fn::Join": ["", ["arn:aws:s3:::", { "Ref": "S3BucketName" }]] }
        }
      ]
    },
    "Roles": [{ "Ref": "InstanceRole" }]
  }
},
"InstanceProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": [{ "Ref": "InstanceRole" }]
  }
},
"myAppServer": {
  "Type": "AWS::EC2::Instance",
  "Metadata": {
    "AWS::CloudFormation::Authentication": {
      "S3AccessCreds": {
        "type": "S3",
        "roleName": { "Ref": "InstanceRole" },
        "buckets": [{ "Ref": "S3BucketName" }]
      }
    },
    "AWS::CloudFormation::Init": {
      "configSets": {
        "downloadS3Data": ["downloadS3"],
        "Full": [{ "ConfigSet": "downloadS3Data" }, "fullServer"],
        "default": [{ "ConfigSet": "Full" }],
        "App": [{ "ConfigSet": "downloadS3Data" }, "appServer"],
        "Interface": [{ "ConfigSet": "downloadS3Data" }, "interfaceServer"],
        "Notification": [{ "ConfigSet": "downloadS3Data" }, "notificationServer"]
      },
      "downloadS3": {
        "files": {
          "C:\\Users\\Administrator\\Documents\\s3download.bak": {
            "source": "https://ccw-to-rds-poc-1.s3.us-east-2.amazonaws.com/test.txt",
            "authentication": "S3AccessCreds"
          }
        }
      },
      "fullServer": {
        "commands": {
          "test": {
            "command": "echo \"$MAGIC\"",
            "env": { "MAGIC": "I am from the full server env" },
            "cwd": "C:\\Users\\Administrator\\Desktop"
          }
        }
      },
      --- Some config sets not shown ---
    }
  },
  "Properties": {
    "IamInstanceProfile": { "Ref": "InstanceProfile" },
    "ImageId": "ami-012bb86d0081c5240",
    "InstanceType": "t2.small",
    "KeyName": { "Ref": "keypair" },
    "SecurityGroupIds": ["sg-0d0b50ca1774707b7"],
    "UserData": {
      "Fn::Base64": {
        "Fn::Join": ["", [
          "<powershell>\n",
          "cfn-init.exe -v -s ", { "Ref": "AWS::StackId" },
          " -r YourInstance -c ", { "Ref": "CCWServerType" },
          " --region ", { "Ref": "AWS::Region" }, "\n",
          "</powershell>\n",
          "<persist>true</persist>"
        ]]
      }
    }
  }
}
```

When the server runs `"cfn-init.exe -v -s ", {"Ref" : "AWS::StackId"}, " -r YourInstance -c ", {"Ref": "CCWServerType"} , " --region ", {"Ref" : "AWS::Region"}, "\n",`, it creates the `s3download.bak`, but it is empty and gives an Access Denied (HTTP Error 403). Is there something I'm not doing correctly with the IAM configuration that is causing this?

EDIT: I thought that because I am accessing the entire bucket and not just a specific item, like mentioned in [this article](https://aws.amazon.com/blogs/devops/authenticated-file-downloads-with-cloudformation/), that might be the issue. However, after trying `"Action":["s3:*Object"]` and `"Action":["s3.Get*"]`, I still get the same access denied error.
2 answers · 0 votes · 58 views · asked 2 months ago
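The statement in the question grants `s3:GetObject` on the bucket ARN (`arn:aws:s3:::<bucket>`), but IAM evaluates object-level S3 actions against object ARNs (`arn:aws:s3:::<bucket>/<key>`), so that resource never matches and cfn-init's authenticated download is denied. The following is an added example, not code from the question, from AWS or from cfn-init: a small policy linter that flags this bucket-versus-object scope mismatch, expands the wildcard action patterns the question tried (`s3:*Object`, `s3.Get*`), and lints the corrected statement next to the original one. The action tables are a hand-picked, deliberately partial subset (an assumption of this example), and the bucket name is the `Default` value of the question's `S3BucketName` parameter with the `Fn::Join` already resolved.

```python
"""S3 IAM statement linter (added example, not code from the question above).

IAM matches object-level actions (GetObject, PutObject, ...) only against
object ARNs "arn:aws:s3:::<bucket>/<key>", and bucket-level actions
(ListBucket, ...) only against the bare bucket ARN. Granting s3:GetObject on
"arn:aws:s3:::<bucket>" therefore allows nothing, which surfaces as a 403.
The action tables below are a partial subset, chosen for this example.
"""
import fnmatch
from typing import Dict, List

OBJECT_LEVEL_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:GetObjectVersion", "s3:GetObjectTagging",
}
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
KNOWN_ACTIONS = OBJECT_LEVEL_ACTIONS | BUCKET_LEVEL_ACTIONS
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value) -> List:
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _is_object_arn(arn: str) -> bool:
    """True for "arn:aws:s3:::bucket/..." (object ARN), False for a bare bucket ARN."""
    return arn.startswith(S3_ARN_PREFIX) and "/" in arn[len(S3_ARN_PREFIX):]


def expand_action(pattern: str) -> List[str]:
    """Expand an IAM action pattern such as "s3:*Object" against the known
    actions. IAM action names are matched case-insensitively and only "*" and
    "?" are wildcards, so "s3.Get*" (a dot instead of the colon) matches nothing."""
    return sorted(a for a in KNOWN_ACTIONS
                  if fnmatch.fnmatchcase(a.lower(), pattern.lower()))


def lint_s3_policy(policy: Dict) -> List[str]:
    """Return one finding per action/resource pair whose scopes cannot match.
    An empty list means every S3 action is paired with a matching ARN kind."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        resources = _as_list(stmt.get("Resource", []))
        for pattern in _as_list(stmt.get("Action", [])):
            actions = expand_action(pattern)
            if not actions:
                findings.append(f"statement {i}: {pattern!r} matches no known S3 action")
                continue
            for action in actions:
                for res in resources:
                    if res == "*":
                        continue  # matches any ARN kind; over-broad, but not a scope mismatch
                    if action in OBJECT_LEVEL_ACTIONS and not _is_object_arn(res):
                        findings.append(
                            f"statement {i}: {action} needs an object ARN (bucket/*), got {res}")
                    elif action in BUCKET_LEVEL_ACTIONS and _is_object_arn(res):
                        findings.append(
                            f"statement {i}: {action} needs the bucket ARN, got {res}")
    return findings


# The S3Download statement from the question, with Fn::Join resolved to the
# parameter's Default value.
QUESTION_POLICY = {
    "Statement": [{
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ccw-to-rds-poc-1",
    }]
}

# Corrected statement: read access to the objects in that one bucket only.
# cfn-init's authenticated file download needs GetObject, not ListBucket,
# so nothing beyond object reads is granted.
FIXED_POLICY = {
    "Statement": [{
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ccw-to-rds-poc-1/*",
    }]
}

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_s3_policy(policy) or "no findings")
    print("s3:*Object expands to", expand_action("s3:*Object"))
    print("s3.Get* expands to", expand_action("s3.Get*"))
```

In CloudFormation the corrected resource is `{"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3BucketName"}, "/*"]]}`; the `AWS::CloudFormation::Authentication` block in the question can stay as it is, since it only tells cfn-init which role to sign the request with. The linter also explains the EDIT in the question: `s3:*Object` does expand to `GetObject`, but the resource is still a bucket ARN, and `s3.Get*` is not a valid action pattern at all.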

The AthenaJdbcConnector serverless application is no longer available on the serverless repo

The AthenaJdbcConnector seems to be gone from the AWS serverless repo. As a result it is not possible to deploy it. To reproduce with the CLI:

```
aws --region us-east-1 serverlessrepo get-application --application-id arn:aws:serverlessrepo:us-east-1:292517598671:applications/AthenaJdbcConnector

An error occurred (AccessDeniedException) when calling the GetApplication operation: User: arn:aws:sts::REDACTED:REDACTED is not authorized to perform: serverlessrepo:GetApplication on resource: arn:aws:serverlessrepo:us-east-1:292517598671:applications/AthenaJdbcConnector
```

CloudFormation:

```yaml
AthenaJdbcConnector:
  Type: AWS::Serverless::Application
  Properties:
    Location:
      ApplicationId: arn:aws:serverlessrepo:us-east-1:292517598671:applications/AthenaJdbcConnector
      SemanticVersion: 2022.2.1
    Parameters:
      DefaultConnectionString: !Sub "mysql://jdbc:mysql://${RdsEndpoint}:${RdsPort}/${DatabaseName}?${!${RdsSecretName}}"
      LambdaFunctionName: datacatalogname
      SecretNamePrefix: !Ref RdsSecretName
      SecurityGroupIds: !Ref SecurityGroupId
      SpillBucket: !Ref SpillBucketName
      SubnetIds: !Join [",", [!Ref PrivateSubnet1, !Ref PrivateSubnet2, !Ref PrivateSubnet3]]
```

CloudFormation error:

```
Transform AWS::Serverless-2016-10-31 failed with: Invalid Serverless Application Specification document. Number of errors found: 1. Resource with id [AthenaJdbcConnector] is invalid. User: arn:aws:sts::REDACTED:REDACTED is not authorized to perform: serverlessrepo:CreateCloudFormationTemplate on resource: arn:aws:serverlessrepo:us-east-1:292517598671:applications/AthenaJdbcConnector
```

Moreover, the [web page of the AthenaJdbcConnector](https://serverlessrepo.aws.amazon.com/applications/us-east-1/292517598671/AthenaJdbcConnector), while still being indexed by search engines, is no longer available.

While it might seem like a permission error, the fact that the application page is gone and that we get the same error even with a user with admin privileges makes us think that the application was removed/retired/made private.
1 answer · 1 vote · 58 views · asked 2 months ago

CloudFront not sending custom headers to origin for additional behavior

# Situation

I am currently in the process of migrating one of my pet projects from another provider to AWS. As a first step, I have created a CloudFront distribution sending all requests as-is to the load balancer my application is currently running on (external provider). The CDK stack I started with looks like follows:

```java
package mypackagename;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.certificatemanager.Certificate;
import software.amazon.awscdk.services.cloudfront.*;
import software.amazon.awscdk.services.cloudfront.origins.HttpOrigin;
import software.constructs.Construct;

import java.util.List;
import java.util.Map;

public class MyServiceNameCloudfrontCdkStack extends Stack {
    public MyServiceNameCloudfrontCdkStack(final Construct scope, final String id, final StackProps props, final Config config) {
        super(scope, id, props);
        Distribution.Builder.create(this, "cloudfront")
                .priceClass(PriceClass.PRICE_CLASS_ALL)
                .httpVersion(HttpVersion.HTTP2)
                .enableIpv6(true)
                .domainNames(List.of(config.domain()))
                .certificate(Certificate.fromCertificateArn(this, "sslcert", config.sslCertArn()))
                .minimumProtocolVersion(SecurityPolicyProtocol.TLS_V1_2_2021)
                .defaultBehavior(
                        BehaviorOptions.builder()
                                .origin(
                                        HttpOrigin.Builder.create("<hostname of the LB at external provider>")
                                                .protocolPolicy(OriginProtocolPolicy.HTTP_ONLY)
                                                .httpPort(8080)
                                                .customHeaders(Map.of(
                                                        "Forwarded", String.format("host=%s;proto=https", config.domain()),
                                                        "X-Forwarded-Host", config.domain(),
                                                        "X-Forwarded-Proto", "https",
                                                        "X-Forwarded-Port", "443"
                                                ))
                                                .build()
                                )
                                .compress(true)
                                .viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS)
                                .allowedMethods(AllowedMethods.ALLOW_ALL)
                                .cachePolicy(CachePolicy.CACHING_DISABLED)
                                .originRequestPolicy(OriginRequestPolicy.ALL_VIEWER)
                                .build()
                )
                .enableLogging(false)
                .enabled(true)
                .build();
    }

    public record Config(String domain, String sslCertArn) {}
}
```

With this stack, everything works as expected. As a second step, I updated the CDK stack to have separate behaviors for each of the components I'm planning to split my logic into in the future. They all still use the same origin but with some minor changes to the behavior. The updated CDK stack looks like follows:

```java
package mypackagename;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.certificatemanager.Certificate;
import software.amazon.awscdk.services.cloudfront.*;
import software.amazon.awscdk.services.cloudfront.origins.HttpOrigin;
import software.constructs.Construct;

import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class MyServiceNameCloudfrontCdkStack extends Stack {
    public MyServiceNameCloudfrontCdkStack(final Construct scope, final String id, final StackProps props, final Config config) {
        super(scope, id, props);

        // region custom response headers for the fallthrough behaviour (ui stuff)
        final ResponseHeadersPolicy uiResponseHeadersPolicy = ResponseHeadersPolicy.Builder.create(this, "ui-response-headers-policy")
                .securityHeadersBehavior(
                        ResponseSecurityHeadersBehavior.builder()
                                .frameOptions(
                                        ResponseHeadersFrameOptions.builder()
                                                .frameOption(HeadersFrameOption.DENY)
                                                .override(true)
                                                .build()
                                )
                                .contentSecurityPolicy(
                                        ResponseHeadersContentSecurityPolicy.builder()
                                                .contentSecurityPolicy(String.join("; ",
                                                        "default-src 'self'",
                                                        "connect-src 'self' https://api.guildwars2.com",
                                                        "script-src 'self' 'unsafe-inline'",
                                                        "style-src 'self' 'unsafe-inline'",
                                                        "img-src 'self' https://icons-gw2.darthmaim-cdn.com/ data:",
                                                        "frame-src https://www.youtube.com/embed/"
                                                ))
                                                .override(true)
                                                .build()
                                )
                                .build()
                )
                .build();
        // endregion

        // region the external loadbalancer origin config
        final IOrigin externalLBOrigin = HttpOrigin.Builder.create("<hostname of the LB at external provider>")
                .protocolPolicy(OriginProtocolPolicy.HTTP_ONLY)
                .httpPort(8080)
                .customHeaders(Map.of(
                        "Forwarded", String.format("host=%s;proto=https", config.domain()),
                        "X-Forwarded-Host", config.domain(),
                        "X-Forwarded-Proto", "https",
                        "X-Forwarded-Port", "443"
                ))
                .build();
        // endregion

        // region additional behaviours (everything except ui)
        final Map<String, BehaviorOptions> additionalBehaviors = new LinkedHashMap<>();
        additionalBehaviors.put(
                "/api*",
                BehaviorOptions.builder()
                        .origin(externalLBOrigin)
                        .compress(true)
                        .viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS)
                        .allowedMethods(AllowedMethods.ALLOW_ALL)
                        .cachePolicy(CachePolicy.CACHING_DISABLED)
                        .originRequestPolicy(OriginRequestPolicy.ALL_VIEWER)
                        .build()
        );
        additionalBehaviors.put(
                "/oauth2*",
                BehaviorOptions.builder()
                        .origin(externalLBOrigin)
                        .compress(true)
                        .viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS)
                        .allowedMethods(AllowedMethods.ALLOW_ALL)
                        .cachePolicy(CachePolicy.CACHING_DISABLED)
                        .originRequestPolicy(OriginRequestPolicy.ALL_VIEWER)
                        .build()
        );
        additionalBehaviors.put(
                "/.well-known/oauth-authorization-server",
                BehaviorOptions.builder()
                        .origin(externalLBOrigin)
                        .compress(true)
                        .viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS)
                        .allowedMethods(AllowedMethods.ALLOW_GET_HEAD)
                        .cachePolicy(CachePolicy.CACHING_DISABLED)
                        .build()
        );
        // endregion

        Distribution.Builder.create(this, "cloudfront")
                .priceClass(PriceClass.PRICE_CLASS_ALL)
                .httpVersion(HttpVersion.HTTP2)
                .enableIpv6(true)
                .domainNames(List.of(config.domain()))
                .certificate(Certificate.fromCertificateArn(this, "sslcert", config.sslCertArn()))
                .minimumProtocolVersion(SecurityPolicyProtocol.TLS_V1_2_2021)
                .defaultBehavior(
                        BehaviorOptions.builder()
                                .origin(externalLBOrigin)
                                .compress(true)
                                .viewerProtocolPolicy(ViewerProtocolPolicy.REDIRECT_TO_HTTPS)
                                .allowedMethods(AllowedMethods.ALLOW_GET_HEAD)
                                .cachePolicy(CachePolicy.CACHING_OPTIMIZED)
                                .originRequestPolicy(OriginRequestPolicy.ALL_VIEWER)
                                .responseHeadersPolicy(uiResponseHeadersPolicy)
                                .build()
                )
                .additionalBehaviors(additionalBehaviors)
                .enableLogging(false)
                .enabled(true)
                .build();
    }

    public record Config(String domain, String sslCertArn) {}
}
```

# Issue

Most of the changes work as expected (for example, I see that caching now takes place for the default behavior). BUT: For `/oauth2*` requests, CloudFront does not send all or at least *some* of the defined `customHeaders` to the origin server. I don't know if it also affects the other behaviors, but I know for sure it does affect the `/oauth2*` behavior. This is especially weird because (as expected) the resulting CloudFront Distribution shows only one Origin, which correctly lists the Custom Headers I have set in CDK code. When rolling back to the previous version of my CDK stack everything works as expected again.

### EDIT:

I further tested this weird behavior using an HTTP Echo server instead of the Loadbalancer as an origin. CloudFront does not *always* send the custom header `X-Forwarded-Proto` to the origin. This can be seen almost 100% on the default behavior in the updated CDK stack (since I enabled caching for this behavior there). For all other behaviors (where caching is disabled), the `X-Forwarded-Proto` is being sent by CloudFront frequently, but not always.

# Versions

Maven versions:

```
<cdk.version>2.46.0</cdk.version>
<constructs.version>[10.0.0,11.0.0)</constructs.version>
```

`cdk.out`:

```
{"version":"21.0.0"}
```
1 answer · 0 votes · 68 views · Felix, asked 2 months ago

ApplicationLoadBalancedFargateService - use existing certificate

I have a certificate which supports subdomains which I would like to use as part of a Fargate deployment. The certificate is known to work for the root domain and proposed subdomain (tested by applying it to a CloudFront distribution). When I try to apply the certificate to my stack I get the following error (elements redacted):

```
Stack Deployments Failed: Error: The stack named MyStack failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Certificate ARN 'arn:aws:acm:us-east-1:nnnnnnnnnnnn:certificate/x-x-x-x-x' is not valid (Service: ElasticLoadBalancingV2, Status Code: 400, Request ID: XXXX, Extended Request ID: null)" (RequestToken: XXXX, HandlerErrorCode: InvalidRequest)
```

Without the `redirect_http` and `certificate` parameters the stack deploys.

```python3
# Imports added for completeness; the CDK v2 module names are the standard ones.
from aws_cdk import (
    Stack,
    aws_certificatemanager as acm,
    aws_ec2 as ec2,
    aws_ecs as ecs,
    aws_ecs_patterns as ecs_patterns,
    aws_route53 as route53,
)
from constructs import Construct

BASENAME = "secure-stack"
DOMAIN_APEX = "example.org.uk"
SUBDOMAIN_NAME = f"costs.{DOMAIN_APEX}"
CERT_ARN = 'arn:aws:acm:us-east-1:nnnnnnnnnnnn:certificate/x-x-x-x-x'


class CynapseCostStack(Stack):
    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)
        vpc = ec2.Vpc(self, f"{BASENAME}-vpc", max_azs=2)
        cluster = ecs.Cluster(self, f"{BASENAME}-cluster", vpc=vpc)
        task_image_options = ecs_patterns.ApplicationLoadBalancedTaskImageOptions(...)
        ecs_patterns.ApplicationLoadBalancedFargateService(
            self,
            f"{BASENAME}-service",
            service_name=f"{BASENAME}-service",
            cluster=cluster,
            cpu=256,
            desired_count=1,
            task_image_options=task_image_options,
            memory_limit_mib=512,
            public_load_balancer=True,
            load_balancer_name=f"{BASENAME}-lb",
            domain_name=SUBDOMAIN_NAME,
            domain_zone=route53.HostedZone.from_lookup(self, f"{BASENAME}-zone", domain_name=DOMAIN_APEX),
            redirect_http=True,
            certificate=acm.Certificate.from_certificate_arn(self, f"{BASENAME}-cert", CERT_ARN),
        )
```
1 answer · 0 votes · 30 views · asked 2 months ago