
(aws_events_targets): AccessDeniedException when calling sendCommandCommand via AwsApi #27412

Closed
FarrOut opened this issue Oct 5, 2023 · 3 comments
Labels
@aws-cdk/aws-events-targets bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. p1 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@FarrOut

FarrOut commented Oct 5, 2023

Describe the bug

When creating an AwsApi EventBridge target to send a sendCommandCommand to SSM service, the CDK-generated Lambda function that performs the work lacks permission to do so.

Expected Behavior

Once the EventBridge rule is triggered, the Lambda function's invocation should succeed.

Current Behavior

2023-10-04T10:40:10.606Z    db23b5c3-ee1c-4afd-96b8-xxxxxxxxxxxxxx    ERROR   Invoke Error    
{
    "errorType": "AccessDeniedException",
    "errorMessage": "User: arn:aws:sts::000000000000:assumed-role/EventsStack-EventBridgeNe-AWSb4cf1abd4e4f4bc699441-xxxxxxxxxxxxxx/EventsStack-EventBridgeNe-AWSb4cf1abd4e4f4bc699441-qG7qmvE76UiA is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:eu-west-1::document/AWS-ApplyAnsiblePlaybooks because no identity-based policy allows the ssm:SendCommand action",
    "name": "AccessDeniedException",
    "$fault": "client",
    "$metadata": {
        "httpStatusCode": 400,
        "requestId": "c16b5bad-8bbd-4312-bce0-xxxxxxxxxxxxxx",
        "attempts": 1,
        "totalRetryDelay": 0
    },
    "__type": "AccessDeniedException",
    "message": "User: arn:aws:sts::000000000000:assumed-role/EventsStack-EventBridgeNe-AWSb4cf1abd4e4f4bc699441-xxxxxxxxxxxxxx/EventsStack-EventBridgeNe-AWSb4cf1abd4e4f4bc699441-qG7qmvE76UiA is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:eu-west-1::document/AWS-ApplyAnsiblePlaybooks because no identity-based policy allows the ssm:SendCommand action",
    "stack": [
        "AccessDeniedException: User: arn:aws:sts::000000000000:assumed-role/EventsStack-EventBridgeNe-AWSb4cf1abd4e4f4bc699441-xxxxxxxxxxxxxx/EventsStack-EventBridgeNe-AWSb4cf1abd4e4f4bc699441-qG7qmvE76UiA is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:eu-west-1::document/AWS-ApplyAnsiblePlaybooks because no identity-based policy allows the ssm:SendCommand action",
        "    at throwDefaultError (/var/runtime/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8:22)",
        "    at deserializeAws_json1_1SendCommandCommandError (/var/runtime/node_modules/@aws-sdk/client-ssm/dist-cjs/protocols/Aws_json1_1.js:6122:51)",
        "    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)",
        "    at async /var/runtime/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24",
        "    at async /var/runtime/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:13:20",
        "    at async StandardRetryStrategy.retry (/var/runtime/node_modules/@aws-sdk/middleware-retry/dist-cjs/StandardRetryStrategy.js:51:46)",
        "    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:6:22",
        "    at async Runtime.Y [as handler] (/var/task/index.js:1:97725)"
    ]
}

2023-10-04T10:40:10.566Z    db23b5c3-ee1c-4afd-96b8-xxxxxxxxxxxxxx    INFO    AccessDeniedException: User: arn:aws:sts::000000000000:assumed-role/EventsStack-EventBridgeNe-AWSb4cf1abd4e4f4bc699441-xxxxxxxxxxxxxx/EventsStack-EventBridgeNe-AWSb4cf1abd4e4f4bc699441-qG7qmvE76UiA is not authorized to perform: ssm:SendCommand on resource: arn:aws:ssm:eu-west-1::document/AWS-ApplyAnsiblePlaybooks because no identity-based policy allows the ssm:SendCommand action
    at throwDefaultError (/var/runtime/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8:22)
    at deserializeAws_json1_1SendCommandCommandError (/var/runtime/node_modules/@aws-sdk/client-ssm/dist-cjs/protocols/Aws_json1_1.js:6122:51)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/runtime/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
    at async /var/runtime/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:13:20
    at async StandardRetryStrategy.retry (/var/runtime/node_modules/@aws-sdk/middleware-retry/dist-cjs/StandardRetryStrategy.js:51:46)
    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:6:22
    at async Runtime.Y [as handler] (/var/task/index.js:1:97725) {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 400,
    requestId: 'c16b5bad-8bbd-4312-bce0-xxxxxxxxxxxxxx',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  __type: 'AccessDeniedException'
}

Reproduction Steps

from aws_cdk import CfnOutput, Duration, NestedStack, RemovalPolicy, Tags
from aws_cdk import aws_cloudwatch as cloudwatch
from aws_cdk import aws_events as events
from aws_cdk import aws_events_targets as targets
from aws_cdk import aws_iam as iam
from constructs import Construct


class EventBridgeNestedStack(NestedStack):

    def __init__(self, scope: Construct, construct_id: str,
                 removal_policy: RemovalPolicy = RemovalPolicy.RETAIN,
                 **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # No policy_statement is passed: the role of the CDK-generated Lambda
        # that performs the API call ends up without ssm:SendCommand.
        target = targets.AwsApi(
            action='sendCommandCommand',
            service="SSM",
            parameters={
                    "DocumentName": 'AWS-ApplyAnsiblePlaybooks',
                    "TimeoutSeconds": 60,
                    "Targets": [
                        {
                            "Key": 'tag:aws:autoscaling:groupName',
                            "Values": [
                                "Figure12",
                            ]
                        },
                    ]
            },
        )

        rule = events.Rule(
            self, "EatYourMeat",
            description='How can you have any pudding if you don\'t eat your meat?!',
            rule_name="EatYourMeat",
            schedule=events.Schedule.rate(Duration.minutes(1)),
            targets=[target],
        )
        rule.apply_removal_policy(removal_policy)

        CfnOutput(self, "RuleArn", value=rule.rule_arn,
                  description='events:us-east-2:123456789012:rule/example')
        CfnOutput(self, "RuleName", value=rule.rule_name,
                  description='The name of the rule.')

Possible Solution

The workaround is to add SendCommand permissions to the event target.

        target = targets.AwsApi(
            action='sendCommandCommand',
            service="SSM",
            parameters={
                    "DocumentName": 'AWS-ApplyAnsiblePlaybooks',
                    "TimeoutSeconds": 60,
                    "Targets": [
                        {
                            "Key": 'tag:aws:autoscaling:groupName',
                            "Values": [
                                "Figure12",
                            ]
                        },
                    ]
            },
            # Explicitly grant the generated Lambda role the permission it lacks.
            policy_statement=iam.PolicyStatement(
                actions=["ssm:SendCommand"],
                resources=["*"]
            )
        )

        rule = events.Rule(
            self, "EatYourMeat",
            description='How can you have any pudding if you don\'t eat your meat?!',
            rule_name="EatYourMeat",
            schedule=events.Schedule.rate(Duration.minutes(1)),
            targets=[target],
        )
        rule.apply_removal_policy(removal_policy)

        CfnOutput(self, "RuleArn", value=rule.rule_arn,
                  description='events:us-east-2:123456789012:rule/example')
        CfnOutput(self, "RuleName", value=rule.rule_name,
                  description='The name of the rule.')

Therefore, the likely solution would be to include this permission in the Lambda function that gets provisioned.

Additional Information/Context

No response

CDK CLI Version

2.99.1 (build b2a895e)

Framework Version

No response

Node.js Version

v18.18.0

OS

Windows 10

Language

Typescript, Python, .NET, Java, Go

Language Version

No response

Other information

No response
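A defender-side companion to the workaround above, added here as an editor's example and not part of the issue or of the CDK project: it parses the AccessDeniedException text from the Lambda log into principal, action and resource, then builds a policy scoped to the named SSM document and to instances in the tagged autoscaling group, instead of the `resources=["*"]` grant in the workaround. The two-statement split and the `ssm:resourceTag/...` condition key are the editor's suggested scoping for SendCommand, not something the issue states; the account id and group name are the masked values from the page.

```python
import re

# Constructed sample input: the denial text from the Lambda log in this issue.
SAMPLE_ERROR = (
    "User: arn:aws:sts::000000000000:assumed-role/EventsStack-EventBridgeNe-AWSb4cf1abd4e4f4bc699441-xxxxxxxxxxxxxx/"
    "EventsStack-EventBridgeNe-AWSb4cf1abd4e4f4bc699441-qG7qmvE76UiA is not authorized to perform: "
    "ssm:SendCommand on resource: arn:aws:ssm:eu-west-1::document/AWS-ApplyAnsiblePlaybooks "
    "because no identity-based policy allows the ssm:SendCommand action"
)

# Standard IAM "not authorized" message: principal, action, resource ARN.
DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:[\w*]+) "
    r"on resource: (?P<resource>\S+)"
)

def parse_access_denied(message: str) -> dict:
    """Pull principal, action and resource ARN out of an IAM AccessDeniedException."""
    m = DENIED_RE.search(message)
    if m is None:
        raise ValueError("not an IAM access-denied message")
    return m.groupdict()

def send_command_policy(document_arn: str, account: str, asg_name: str) -> dict:
    """Least-privilege policy for ssm:SendCommand, in place of resources=['*'].
    SendCommand is checked against the document and the target instances; the
    instance grant is tag-scoped in its own statement, since a tag condition
    would never match the untagged document resource (editor's assumption)."""
    region = document_arn.split(":")[3]  # region is the fourth ARN field
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ssm:SendCommand", "Resource": document_arn},
            {
                "Effect": "Allow",
                "Action": "ssm:SendCommand",
                "Resource": f"arn:aws:ec2:{region}:{account}:instance/*",
                "Condition": {"StringEquals": {"ssm:resourceTag/aws:autoscaling:groupName": asg_name}},
            },
        ],
    }

def policy_from_denial(message: str, account: str, asg_name: str) -> dict:
    """Turn the logged denial into the scoped policy the target's role should carry."""
    denied = parse_access_denied(message)
    if denied["action"] != "ssm:SendCommand":
        raise ValueError(f"unexpected action {denied['action']}")
    return send_command_policy(denied["resource"], account, asg_name)
```

The returned dict is what you would hand to `iam.PolicyStatement.from_json` for each statement when building the `policy_statement` argument of `targets.AwsApi`.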

@FarrOut FarrOut added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 5, 2023
@FarrOut
Author

FarrOut commented Oct 5, 2023

Looks like this may be related to #27313

@indrora indrora added p1 and removed needs-triage This issue or PR still needs to be triaged. labels Oct 5, 2023
@indrora
Contributor

indrora commented Oct 5, 2023

Since you've got a workaround that (while it isn't great) does work, we'll give it p1.

If you'd verify that #27313 does in fact clear up the issue, please do report back.

@indrora indrora added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 5, 2023
@github-actions

github-actions bot commented Oct 8, 2023

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Oct 8, 2023