I'm trying to create an ECS Fargate deployment using a CloudFormation script, but the script fails during creation of the ECS cluster with an error saying that it is unable to assume the service role. I'm not able to figure out what I'm missing in the script. I have tried many ways; none of them seem to be working.
Here is the link to the CloudFormation script, as I'm not able to post it here due to the character limitation.
ECS Cloudformation script
The error where the resource creation fails:
Resource handler returned message: "Invalid request provided: CreateCluster Invalid Request: Unable to assume the service linked role. Please verify that the ECS service linked role exists. (Service: AmazonECS; Status Code: 400; Error Code: InvalidParameterException; Request ID: e08ab312-4bd8-4c21-852f-ae5d49cc5932; Proxy: null)" (RequestToken: a686f226-e1d3-7b4c-13f1-66fa0a516c51, HandlerErrorCode: InvalidRequest
I'm able to get it working if I create an ECS cluster from the AWS console, as it creates a service-linked role. But I want to work without creating the cluster manually from the console, with everything built up from CloudFormation. I tried looking over the AWS docs and dug around the Internet but couldn't get it working. Can anyone please help me out?
I'm using CDK version 1.139.0, and I had a WAF added earlier in my previous deployment.
Now I tried to add the logging configuration for that WAF, so I added the code below in CDK and generated the template.
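new CfnLoggingConfiguration(scope, 'WafLoggingConfig', {
  resourceArn: webAcl.attrArn, // the web ACL is attached here using the webAcl reference from the code
  // the ARN must be a template literal (backticks) so ${region} and ${accountId} are interpolated
  logDestinationConfigs: [`arn:aws:logs:${region}:${accountId}:log-group:aws-waf-logs-for-app`],
});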
Note: I have already created the log group for the WAF, named aws-waf-logs-for-app (which has the expected prefix needed for WAF).
After synthesizing/generating the template I ran cdk deploy to update the CloudFormation stack.
List of policies I have already attached to CloudFormation:
'wafv2:AssociateWebACL',
'wafv2:CreateWebACL',
'wafv2:DeleteWebACL',
'wafv2:DescribeManagedRuleGroup',
'wafv2:DisassociateWebACL',
'wafv2:Get*',
'wafv2:List*',
'wafv2:UpdateWebACL',
'wafv2:GetLoggingConfiguration',
'wafv2:ListLoggingConfiguration',
'wafv2:PutLoggingConfiguration',
'wafv2:DeleteLoggingConfiguration',
'cloudwatch:DeleteAlarms',
'cloudwatch:Describe*',
'cloudwatch:DisableAlarmActions',
'cloudwatch:EnableAlarmActions',
'cloudwatch:GetDashboard',
'cloudwatch:ListDashboards',
'cloudwatch:PutDashboard',
'cloudwatch:DeleteDashboards',
'cloudwatch:GetMetricData',
'cloudwatch:GetMetricStatistics',
'cloudwatch:ListMetrics',
'cloudwatch:PutMetricAlarm',
'cloudwatch:PutMetricData',
and other policies for other resources.
But my CloudFormation stack fails to deploy the logging configuration for the WAF and displays the error below on the CloudFormation events page.
Resource handler returned message: "You don't have the permissions that are required to perform this operation. (Service: Wafv2, Status Code: 400, Request ID: {12474621823782738}, Extended Request ID: null)" (RequestToken: {9732489732849732878973}, HandlerErrorCode: GeneralServiceException)
Note: In the above error I have modified the values of the Request ID and RequestToken.
I believe I have given the needed policies for CloudFormation.
Is it a bug in CDK? Did CDK fail to create any role needed for this? Can someone help me with this?
You have the wafv2:PutLoggingConfiguration action allowed in your policy, but this by itself is not sufficient to allow the action. This is because wafv2:PutLoggingConfiguration has iam:CreateServiceLinkedRole as a dependent action.
References
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html (refer to the Dependent actions column)
https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
The Dependent actions column includes any additional permissions that you must have, in addition to the permission for the action itself, to successfully call the action. This can be required if the action accesses more than one resource.
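The dependency described in this answer can be checked before deploying. The following is an added example, not code from the original posts or from AWS: a TypeScript check that flags allowed actions whose dependent actions are not also allowed. `DEPENDENT_ACTIONS`, `missingDependentActions` and the sample policies are hypothetical names and constructed input, and only `Effect` and `Action` are evaluated.

```typescript
// Added example: flag IAM actions whose dependent actions are not also allowed.
// Simplification (assumption): only Effect and Action are evaluated; Resource,
// Condition, NotAction and permission boundaries are ignored.
type Statement = { Effect: "Allow" | "Deny"; Action: string[] };

// Dependent-action table. The single entry is the one stated in the answer;
// extend it from the "Dependent actions" column of the service reference.
const DEPENDENT_ACTIONS: Record<string, string[]> = {
  "wafv2:PutLoggingConfiguration": ["iam:CreateServiceLinkedRole"],
};

// IAM action patterns are case-insensitive; "*" matches any run of characters
// and "?" matches exactly one.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, "i").test(action);
}

// Allowed = matched by at least one Allow and by no Deny (explicit deny wins).
function isAllowed(statements: Statement[], action: string): boolean {
  const hit = (effect: string) =>
    statements.some(
      (s) => s.Effect === effect && s.Action.some((p) => actionMatches(p, action)),
    );
  return hit("Allow") && !hit("Deny");
}

// Returns { action: [missing dependent actions] } for every allowed action
// whose dependencies are not all allowed as well.
function missingDependentActions(statements: Statement[]): Record<string, string[]> {
  const gaps: Record<string, string[]> = {};
  for (const action of Object.keys(DEPENDENT_ACTIONS)) {
    if (!isAllowed(statements, action)) continue;
    const missing = DEPENDENT_ACTIONS[action].filter((d) => !isAllowed(statements, d));
    if (missing.length > 0) gaps[action] = missing;
  }
  return gaps;
}

// Constructed input: a subset of the action list posted in the question.
const questionPolicy: Statement[] = [
  { Effect: "Allow", Action: ["wafv2:Get*", "wafv2:List*", "wafv2:PutLoggingConfiguration", "cloudwatch:Describe*"] },
];
const fixedPolicy: Statement[] = [
  ...questionPolicy,
  { Effect: "Allow", Action: ["iam:CreateServiceLinkedRole"] },
];
```

Run against the question's action list, the check reports `iam:CreateServiceLinkedRole` as missing for `wafv2:PutLoggingConfiguration`; with that action added it reports nothing.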
I am trying to deploy the AWS API Gateway Developer Portal using the serverless repo.
CloudFormation fails and triggers a rollback of the deployment. The error that causes the failure is as follows:
Logical ID: StaticAssetUploader
Status: CREATE_FAILED
Reason: CloudFormation did not receive a response from your Custom Resource. Please check your logs for requestId [ea5b3458-f29c-4950-b068-d0a3f352ad5f]. If you are using the Python cfn-response module, you may need to update your Lambda function code so that CloudFormation can attach the updated version.
Help is appreciated
We have a CodePipeline process set up, and all stages work except the CodeDeploy stage.
Our pipeline stage is as follows:
GenerateChangeSet for CloudFormation
ExecuteChangeSet for CloudFormation
Deploy for CodeDeploy
These stages were set up and configured by CodeStar.
Our GenerateChangeSet stage tries to access s3 to get our BuildArtifact, but fails with the following error:
Action execution failed
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 40P7HSHQGWXSRA72; S3 Extended Request ID: I6hiCC7xx+YmnQMLfUnMzZziLDz/5b8uJWzOqWNZwSiVRCS14Q6UyVfss6q80teO5MAGuR9Xft4=; Proxy: null)
This suggests that CloudFormation cannot access s3, but I've checked and rechecked the policy that it uses and it definitely has the correct permissions for accessing s3.
I'm not quite sure why this error is happening, given that the role policy does indeed have access to s3. I even went with the nuclear option of granting this role full control over s3 (with a view to reverting once I solved the issue), but to no avail, the error still occurs.
Has anyone encountered this before? Anyone know why it might be happening?
I discovered the issue. The CloudFormation template file (template.yml and template-configuration.yml) was reading the one from the repo, but that had been removed at some point prior, so I was getting access denied errors from that resource.
I wish the error message was more explicit, it would have saved hours.
Error: The Build Lambda Function receives the following error.
AccessDeniedExceptionnull (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 7a8c9e0e-61db-403b-9448-0f5e61beddd4; Proxy: null)
I am trying to run a CloudFormation template using the link below. While the stack is executing, it rolls back, giving the above-mentioned error.
What may be the probable cause of this issue?
Using this git repo: https://github.com/aws-samples/serverless-machine-learning-on-aws
Using this CloudFormation template link: https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=serverless-ml&templateURL=https://aws-ml-blog.s3.amazonaws.com/artifacts/serverless-machine-learning-on-aws/template.json
Using this blog for creating the CloudFormation template: https://aws.amazon.com/blogs/machine-learning/deploying-machine-learning-models-as-serverless-apis/
The answer has something to do with the default VPC not being correctly configured in the particular region.
If you try with any other region or another AWS account it will definitely work.