custom_resources: Provider Lambda function is missing lambda:GetFunctionConfiguration #26838
Comments
This is probably related to #24358. The custom resource essentially checks aws-cdk/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts (lines 61 to 80 in 47df704).
But it should work as expected. Which region did you deploy to? Instead of running the LZA, are you able to provide the smallest code snippet that reproduces this issue?
@pahud Agreed on it likely being related to #24358, I'll work on a smaller snippet to reproduce the error. The error has been seen in at least us-east-1 and ap-southeast-2, but we've heard reports from 5+ customers so I believe the error to be region-agnostic. I'll work on a smaller snippet to reproduce the behavior more predictably.
Are you able to see how many custom resources of this will be created in your LZA deployment?
@pahud Still working on a smaller reproducible snippet. LZA creates 6 individual custom resources to create the service-linked roles.
I've added some more details below, please advise whether it's still necessary to provide a reproducible code snippet. This issue is exacerbated by logic that may run these custom resources on every pipeline run, for instance: awslabs/landing-zone-accelerator-on-aws#237. The following line and the surrounding retry logic requires the lambda:GetFunctionConfiguration permission as mentioned; however, only invokeFunction is granted on the onEventHandler Lambda function: aws-cdk/packages/aws-cdk-lib/custom-resources/lib/provider-framework/provider.ts (line 233 in c695b60)
I believe the above
Encountered the same problem with EKS Blueprint, which is using
The error message on CloudFormation said:
Also found the following error message in CloudTrail:
After adding
The waiter call changed in c3a4b7b from aws-cdk/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts (lines 60 to 72 in c3a4b7b)
@markhankins Yes, it looks like the original PR was abandoned. I am not prepared to create one anytime soon. I was just commenting to inform any would-be submitters or reviewers that the API call and therefore the required fix have changed somewhat since the original title and description of this issue were written.
Any solution for this?
Probably related to #24358. @blinkdaffer @ejt4x @markhankins Can you tell me which region(s) you are seeing this error in? Are you able to provide a very tiny CDK app that we can deploy in that region to reproduce this error?
@pahud Here's my simplest way of producing this error.

```typescript
import { CustomResource } from 'aws-cdk-lib';
import { Function } from 'aws-cdk-lib/aws-lambda';
import { Provider } from 'aws-cdk-lib/custom-resources';

// Inside a Stack constructor: reference a Lambda function that does not exist
const thisLambdaDoesNotExist = Function.fromFunctionName(this, 'NonExistentLambda', 'fakelambda');
const provider = new Provider(this, 'Provider', {
  onEventHandler: thisLambdaDoesNotExist,
});
new CustomResource(this, 'Resource1', { serviceToken: provider.serviceToken });
```

The actual exception (throttling, function does not exist, whatever) is swallowed by the try/except block, leaving the following error on the CFN event log:
If we go digging in CloudTrail, we find this IAM error:
All these errors mask the actual issue: the user Lambda invocation failed due to throttling, non-existence, or some other reason. The missing IAM permission prevents this from being discovered by the user.
Yes, when deploying

```typescript
import { Stack, StackProps, CustomResource } from 'aws-cdk-lib';
import * as lambda from 'aws-cdk-lib/aws-lambda';
import * as cr from 'aws-cdk-lib/custom-resources';
import { Construct } from 'constructs';

export class ProviderStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);
    // Import a non-existent Lambda function
    const thisLambdaDoesNotExist = lambda.Function.fromFunctionName(this, 'NonExistentLambda', 'fakelambda');
    // Create a custom resource provider using the non-existent Lambda
    const provider = new cr.Provider(this, 'Provider', {
      onEventHandler: thisLambdaDoesNotExist,
    });
    // Create a custom resource using the provider
    new CustomResource(this, 'Resource1', {
      serviceToken: provider.serviceToken,
    });
  }
}
```

In 2.173.0 we'll get
Looking at the provider framework log:
Affected code: aws-cdk/packages/aws-cdk-lib/custom-resources/lib/provider-framework/runtime/outbound.ts (line 73 in 26b361d)
My take:
Making this a p1.
internal: V1631223300
Describe the bug
The Landing Zone Accelerator solution leverages the custom_resources module to create service-linked roles via CDK custom resources. When this custom resource Lambda function is invoked several times in succession, users intermittently receive the following error:
We believe this is the result of queuing incoming requests, and the role attached to the cdk.custom_resources.Provider function is missing the permission lambda:GetFunctionConfiguration.
Expected Behavior
Custom resource provider implements appropriate permissions and retries to execute successfully when invoked several times in succession.
Current Behavior
Transient failures:
Reproduction Steps
Deploy v1.4.3 of the Landing Zone Accelerator on AWS.
For a smaller sample that can be extracted without deploying the entire LZA solution, you may use this custom resource construct that is used by LZA to create the service-linked roles:
https://github.com/awslabs/landing-zone-accelerator-on-aws/blob/1614a01824c5a43f97fadfb8ec0c3627a0f343dd/source/packages/%40aws-accelerator/constructs/lib/aws-iam/service-linked-role.ts#L87
Possible Solution
Add the lambda:GetFunctionConfiguration permission to the provider Lambda function's IAM role.
Additional Information/Context
No response
CDK CLI Version
2.79
Framework Version
No response
Node.js Version
16.20.1
OS
Amazon Linux
Language
Typescript
Language Version
No response
Other information
No response
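As an added example (not code from this issue or from aws-cdk), a small TypeScript policy check that makes the gap in "Possible Solution" concrete: the framework's invoke-only grant on the handler fails a check for lambda:GetFunctionConfiguration, while a least-privilege statement carrying both actions passes. The handler ARN, account id and policy documents are constructed samples.

```typescript
// Added example: checks whether a provider framework role can perform the two
// actions the waiter needs on the onEventHandler. Limitations: handles
// Action/Resource as string or array and '*'/'?' wildcards; ignores Condition,
// NotAction and NotResource.
type Statement = {
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: string | string[];
};
type PolicyDocument = { Version: string; Statement: Statement[] };

// Convert an IAM wildcard pattern into an anchored regular expression.
function iamMatch(pattern: string, value: string): boolean {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${re}$`).test(value);
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Explicit Deny wins over Allow; no matching statement is an implicit deny.
export function policyAllows(doc: PolicyDocument, action: string, resource: string): boolean {
  let allowed = false;
  for (const s of doc.Statement) {
    const hit = asList(s.Action).some(a => iamMatch(a, action)) &&
                asList(s.Resource).some(r => iamMatch(r, resource));
    if (!hit) continue;
    if (s.Effect === 'Deny') return false;
    allowed = true;
  }
  return allowed;
}

// Actions the provider framework performs against the user's handler function.
export const REQUIRED_ACTIONS = ['lambda:InvokeFunction', 'lambda:GetFunctionConfiguration'];

// Required actions the policy does not grant on the handler ARN.
export function missingProviderPermissions(doc: PolicyDocument, handlerArn: string): string[] {
  return REQUIRED_ACTIONS.filter(a => !policyAllows(doc, a, handlerArn));
}

// Least-privilege statement scoped to the single handler function.
export function providerPolicy(handlerArn: string): PolicyDocument {
  return { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: REQUIRED_ACTIONS, Resource: handlerArn }] };
}

// Constructed sample mirroring the invoke-only grant described in the issue.
export const HANDLER_ARN = 'arn:aws:lambda:us-east-1:111122223333:function:fakelambda';
export const INVOKE_ONLY: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'lambda:InvokeFunction', Resource: [HANDLER_ARN, `${HANDLER_ARN}:*`] }],
};
```

The document returned by providerPolicy is the shape to attach when you supply your own execution role through the Provider construct's role prop as a workaround; missingProviderPermissions run against a deployed role's policy is a quick way to confirm whether the masked AccessDenied seen in CloudTrail is this gap.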