We Keep Coding

Could not create an AWS Lambda function using CDK

I am new to CDK, I want to create simple lamda function using CDK.cdk synth gives no error but when I run cdk deploy --profile myprofile getting this error
Resource handler returned message: "User:
arn:aws:sts::xxxxx:assumed-role/cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation
is not authorized to perform: lambda:CreateFunction on resource:
arn:aws:lambda:ap-south-1:xxxxx:function:ApiLamdaStack-helloLamda938CC02A-jS7q9y9UlOUa
because no identity-based policy allows the lambda:CreateFunction
action (Service: Lambda, Status Code: 403, Request ID:
61895893-bf12-48bf-a51a-dbcf11fc17d8)" (RequestToken:
0e3ec851-6bd2-9ef3-751c-a3a947a72668, HandlerErrorCode: AccessDenied)
Here is source code
bin/api_lamda.ts
#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { ApiLamdaStack } from '../lib/api_lamda-stack';
const app = new cdk.App();
new ApiLamdaStack(app, 'ApiLamdaStack', {
env: { account: 'xxx', region: 'yyy' },
});
lib\api_lamda-stack.ts
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import { Code, Function as LamdaFunction, Runtime } from 'aws-cdk-lib/aws-lambda';
import { join } from 'path';
import { Effect, PolicyStatement, CfnPolicy } from 'aws-cdk-lib/aws-iam';
export class ApiLamdaStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props);
new iam.Role(this, 'example-iam-role', {
assumedBy: new iam.ServicePrincipal('cloudformation.amazonaws.com'),
managedPolicies: [
iam.ManagedPolicy.fromAwsManagedPolicyName(
'AWSLambda_FullAccess',
),
],
});
const helloLamda = new LamdaFunction(this, 'helloLamda', {
runtime: Runtime.NODEJS_16_X,
code: Code.fromAsset(join(__dirname, '..', 'services', 'hello')),
handler: 'hello.main'
})
}
}
cdk.json
{
"app": "npx ts-node --prefer-ts-exts bin/apiLamda.ts",
"watch": {
"include": [
"**"
],
"exclude": [
"README.md",
"cdk*.json",
"**/*.d.ts",
"**/*.js",
"tsconfig.json",
"package*.json",
"yarn.lock",
"node_modules",
"test"
]
},
"context": {
"#aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": true,
"#aws-cdk/core:stackRelativeExports": true,
"#aws-cdk/aws-rds:lowercaseDbIdentifier": true,
"#aws-cdk/aws-lambda:recognizeVersionProps": true,
"#aws-cdk/aws-lambda:recognizeLayerVersion": true,
"#aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": true,
"#aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver": true,
"#aws-cdk/aws-ec2:uniqueImdsv2TemplateName": true,
"#aws-cdk/core:checkSecretUsage": true,
"#aws-cdk/aws-iam:minimizePolicies": true,
"#aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
"#aws-cdk/core:validateSnapshotRemovalPolicy": true,
"#aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName": true,
"#aws-cdk/aws-s3:createDefaultLoggingPolicy": true,
"#aws-cdk/aws-sns-subscriptions:restrictSqsDescryption": true,
"#aws-cdk/aws-apigateway:disableCloudWatchRole": true,
"#aws-cdk/core:enablePartitionLiterals": true,
"#aws-cdk/core:target-partitions": [
"aws",
"aws-cn"
]
}
}
All I want to do is create lamda via CDK, can someone please suggest me what to do?
The solution seems to attach role to cloudformation to be able to create lambda function, I have altered the lib\api_lamda-stack.ts please take a look

The problem is not in your cdk code. It says cdk role cdk-hnb659fds-cfn-exec-role-xxxx-ap-south-1/AWSCloudFormation is not authorized to lambda:CreateFunction.
Check your profile permissions.

Thanks gshpychka and Mehmet, indeed cdk bootstrap was having issue, I has to completely wipe out rescources created by cdktoolkit stack including s3 and ssm parameter store, they were causing hindrance by not getting removed, so cleaning completely ensured creation complete of bootstrap then deploy succeeded.

CodeBuild failed for cross-account CI/CD pipeline

I'm trying to follow this guide to setup a cross accounts pipeline: https://taimos.de/blog/create-a-cicd-pipeline-for-your-cdk-app
I have Alpha account 111111 which will hold the pipeline, that is going to deploy to Alpha account 111111 and Prod account 222222. I did the bootstrap below to establish a trust relationship to the CI/CD account to allow cross-account deployments.
cdk bootstrap --profile=eCommerceService-Prod --bootstrap-customer-key --cloudformation-execution-policies 'arn:aws:iam::aws:policy/AdministratorAccess' --trust 111111 --trust-for-lookup 111111 aws://222222/us-east-1
The pipeline is setup correctly, however, the ColdBuild failed:
User: arn:aws:sts::111111:assumed-role/eCommerceDatabaseCdk-Pipe-PipelineBuildSynthCdkBui-JE7GJT5LX3SC/AWSCodeBuild-32197845-1f33-44c4-a9ff-d33aae93448e is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222:role/cdk-hnb659fds-lookup-role-222222-us-east-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
I checked that arn:aws:iam::222222:role/cdk-hnb659fds-lookup-role-222222-us-east-1 exists in prod account. So it seems to me that there is a missing permission in the codebuild step. However, I did not find anything particular for CodeBuild step in this blog: https://taimos.de/blog/create-a-cicd-pipeline-for-your-cdk-app.
The permissions for role arn:aws:iam::222222:role/cdk-hnb659fds-lookup-role-222222-us-east-1 mentioned in the error message is here:
It's trust entities is:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111:root"
},
"Action": "sts:AssumeRole"
}
]
}
Any idea what am I missing here?
Code
Pipeline config:
export const pipelineStageInfoList: PipelineStageInfo[] = [
{
stageName: "ALPHA",
awsAccount: "111111",
awsRegion: "us-east-1"
},
{
stageName: "PROD",
awsAccount: "222222",
awsRegion: "us-east-1"
}
]
Pipeline stack:
export class PipelineStack extends Cdk.Stack {
constructor(scope: Cdk.App, id: string, props: PipelineStackProps) {
super(scope, id, props);
// Initialize the pipeline
const pipeline = new pipelines.CodePipeline(this, "Pipeline", {
pipelineName: "eCommerceDatabasePipeline",
// Create KMS keys for the artifact buckets,
// allowing cross-account deployments
crossAccountKeys: true,
// allow the pipeline to reconfigure itself when assets or stages
// are being added to it
selfMutation: true,
// synth is expected to produce the CDK Cloud Assembly as its output
synth: new pipelines.ShellStep("Synth", {
input: pipelines.CodePipelineSource.gitHub(
"pandanyc/eCommerceDatabaseCdk",
"main",
{
authentication: Cdk.SecretValue.secretsManager('github-token')
}
),
// Install dependencies, build and run cdk synth
commands: [
'npm ci',
'npm run build',
'npx cdk synth'
],
}),
});
// Add stages to this pipeline.
pipelineStageInfoList.forEach((pipelineStage: PipelineStageInfo) => {
pipeline.addStage(
new ApplicationStage(this, pipelineStage.stageName, {
stageName: pipelineStage.stageName,
pipelineName: props.pipelineName,
env: {
account: pipelineStage.awsAccount,
region: pipelineStage.awsRegion,
},
})
);
});
}
}

If you want to perform lookups in the pipeline itself, your synth step has to have the explicit permission to assume the lookup role. You would add it like this:
synth: new pipelines.CodeBuildStep("Synth", {
input: pipelines.CodePipelineSource.gitHub(
"pandanyc/eCommerceDatabaseCdk",
"main",
{
authentication: Cdk.SecretValue.secretsManager('github-token')
}
),
// Install dependencies, build and run cdk synth
commands: [
'npm ci',
'npm run build',
'npx cdk synth'
],
rolePolicyStatements: [ iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['sts:AssumeRole'],
resources: ['*'],
conditions: { StringEquals: { 'iam:ResourceTag/aws-cdk:bootstrap-role': 'lookup' } }
}]
}),
It is also worth noting, however, that this is advised against in the Best Practices. Here's an excerpt, but I suggest you check out the whole thing:
AWS CDK includes a mechanism called context providers to record a
snapshot of non-deterministic values, allowing future synthesis
operations produce exactly the same template. The only changes in the
new template are the changes you made in your code. When you use a
construct's .fromLookup() method, the result of the call is cached in
cdk.context.json, which you should commit to version control along
with the rest of your code to ensure future executions of your CDK app
use the same value.
What this means in practice is that you should run cdk synth once locally, which will perform all the necessary lookups and store the results in cdk.context.json. You should then commit that, and your pipeline will use these cached values instead of doing the lookup every time.
As a result, your synth step also won't need to assume the lookup role.

Zappa deployment successful without url

I am trying to deploy a django application through zappa. When I deploy the application everything works correctly and I also get the message "Your updated Zappa deployment is live". But I can't seem to find the url to access the live application.

You can access the url by typing zappa status <stage>, where <stage> is probably something like dev. See also https://github.com/Miserlou/Zappa#status for details.
The printout will have your url as well as other status details of your lambda function.
This works provided you give full permission access to the IAM user (for testing purpose only) though.

I had to configure my zappa_settigs.json by adding these lines:
"apigateway_enabled": true,
"manage_roles": true,
"cors": true,
**so the final zappa settings:**
{
"dev": {
"django_settings": "zappatest.settings",
"apigateway_enabled": true,
"manage_roles": true,
"role_arn": "Role_name",
"role_arn": "arn_name",
"profile_name": "default",
"project_name": "project_name",
"runtime": "python3.8",
"s3_bucket": "bucket_name",
"aws_region": "region_name",
"cors": true,
}
}

ansible environment variables error when connecting to aws

I am trying to execute playbook for stopping ec2 instances and other playbooks
when i execute a playbook i get the following error
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "invocation": {"module_args": {"aws_access_key": null, "aws_secret_key": null, "ec2_url": null, "key_material": null, "name": "ansible-sae", "profile": null, "region": "us-east-1", "security_token": null, "state": "present", "validate_certs": true, "wait": false, "wait_timeout": "300"}, "module_name": "ec2_key"}, "msg": "No handler was ready to authenticate. 1 handlers were checked. ['HmacAuthV4Handler'] Check your credentials"}
i have added the environment variables in my .bashrc file but still i am getting the error my .bashrc file, but when i include the aws access key and secret key in playbook it's executing with out error i have given poweruser access to the credentials i have provided and i can see env variables when i open .bashrc meaning i have saved env. variables correctly i am not able to understand why i got this error
you can see the aws acces key and secret access key variable:
# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi
# Uncomment the following line if you don't like systemctl's auto-paging
feature:
# export SYSTEMD_PAGER=
# User specific aliases and functions
export AWS_ACCESS_KEY_ID='XXXXXXXXXXXX'
export AWS_SECRET_ACCESS_KEY='XXXXXXXXXXXXXXX'
and the playbook would be something like
Playbook format
- hosts: local
connection: local
remote_user: ansible_user
become: yes
gather_facts: no
tasks:
- name: Create a new key pair
ec2_key:
name: ansible-sae
region: us-east-1
state: present
When i put the same creds in playbook it works
Ansible version 2.1.0.0, rhel 7.2(maipo)

i was going through git and found it was a bug, seems like many people were having this problem.
https://github.com/ansible/ansible/issues/10638

ACL not getting enabled in consul

I have setup consul on a single instance. The web-ui is running perfectly but the ACL are not enabled. Previously I was not having any config file but now I have created a config.json file in /etc/consul.d/bootstrap/ with the following content.
{
"bootstrap": true,
"server": true,
"datacenter": "dc1",
"acl_datacenter": "dc1",
"data_dir": "/var/consul",
"encrypt": "consul keygen output",
"ca_file": "/etc/consul.d/ssl/ca.cert",
"cert_file": "/etc/consul.d/ssl/consul.cert",
"key_file": "/etc/consul.d/ssl/consul.key",
"verify_incoming": true,
"verify_outgoing": true,
"log_level": "INFO",
"enable_syslog": true
}
Than I ran the following command
consul agent -server -bootstrap -data-dir /tmp/consul -ui-dir
/home/ubuntu/dist/ -client=X.X.X.X
where X.X.X.X is the private ip of my instance
But the ACL are not getting enabled.
/etc/consul.d/server/config.json
{
"bootstrap": false,
"server": false,
"log_level": "DEBUG",
"enable_syslog": true,
"datacenter": "dc1",
"data_dir": "/var/consul",
"ui_dir": "/home/ubuntu/dist",
"acl_datacenter": "dc1"
"encrypt": "SECRET"
}
/etc/consul.d/server/config.json
{
"bootstrap": false,
"server": true,
"log_level": "DEBUG",
"enable_syslog": true,
"datacenter": "dc1",
"data_dir": "/var/consul",
"acl_datacenter": "dc1",
"acl_default_policy": "allow",
"encrypt": "SECRET"
}
Working config file
{
"bootstrap": true,
"server": true,
"log_level": "DEBUG",
"enable_syslog": true,
"datacenter": "dc1",
"addresses" : {
"http": "X.X.X.X"
},
"bind_addr": "X.X.X.X",
"node_name": "X.X.X.X",
"data_dir": "/tmp/consul",
"ui_dir": "~/dist",
"acl_datacenter": "dc1",
"acl_master_token": "secret",
"encrypt": "secret"
}
Now run the following command
consul agent -config-dir ~/server -ui-dir ~/dist -bootstrap true -client=X.X.X.X

You are missing the master token in your configuration. If you add this,
"acl_master_token": "secret", and use the same token in your UI, you should be able to use the ACL.
Note: If you are using a single node instance, do not set the acl_token property same as your master token. This would mean anyone with access to the UI would have access to the master token, essentially bypassing all your ACL rules. This property should only be set only on server nodes.
After getting it running well, I created a screencast to demonstrate how to setup consul on a single server. Here is the link