This repository has been archived by the owner on May 31, 2024. It is now read-only.

ecr:SetRepositoryPolicy missing for account activate with minimum permissions #573

Open
ArlindNocaj opened this issue Nov 22, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@ArlindNocaj

ArlindNocaj commented Nov 22, 2022

Describe the Bug
`agc account activate` is not working due to missing permissions in the admin policy described in https://aws.github.io/amazon-genomics-cli/docs/best-practices/iampermissions/

Steps to Reproduce

Relevant Logs

Admin:~/environment $ agc account activate
2022-11-22T08:36:14Z 𝒊  Activating AGC with bucket '' and VPC ''
Bootstrapping CDK... [--o-] 57s
2022-11-22T08:37:10Z ✘  [WARNING] aws-cdk-lib.aws_ssm.StringParameterProps#type is deprecated.
2022-11-22T08:37:10Z ✘    - type will always be 'String'
2022-11-22T08:37:10Z ✘    This API will be removed in the next major release.
2022-11-22T08:37:10Z ✘  [WARNING] aws-cdk-lib.aws_ssm.ParameterType is deprecated.
2022-11-22T08:37:10Z ✘    these types are no longer used
2022-11-22T08:37:10Z ✘    This API will be removed in the next major release.
2022-11-22T08:37:10Z ✘  [WARNING] aws-cdk-lib.aws_ssm.ParameterType#STRING is deprecated.
2022-11-22T08:37:10Z ✘    
2022-11-22T08:37:10Z ✘    This API will be removed in the next major release.
2022-11-22T08:37:10Z ✘  current credentials could not be used to assume 'arn:aws:iam::287209812789:role/cdk-agc-lookup-role-287209812789-us-east-1', but are for the right account. Proceeding anyway.
2022-11-22T08:37:10Z ✘  [WARNING] aws-cdk-lib.aws_ssm.StringParameterProps#type is deprecated.
2022-11-22T08:37:10Z ✘    - type will always be 'String'
2022-11-22T08:37:10Z ✘    This API will be removed in the next major release.
2022-11-22T08:37:10Z ✘  [WARNING] aws-cdk-lib.aws_ssm.ParameterType is deprecated.
2022-11-22T08:37:10Z ✘    these types are no longer used
2022-11-22T08:37:10Z ✘    This API will be removed in the next major release.
2022-11-22T08:37:10Z ✘  [WARNING] aws-cdk-lib.aws_ssm.ParameterType#STRING is deprecated.
2022-11-22T08:37:10Z ✘    
2022-11-22T08:37:10Z ✘    This API will be removed in the next major release.
2022-11-22T08:37:10Z ✘   ⏳  Bootstrapping environment aws://287209812789/us-east-1...
2022-11-22T08:37:10Z ✘  Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit: creating CloudFormation changeset...
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:36 AM | REVIEW_IN_PROGRESS   | AWS::CloudFormation::Stack | Agc-CDKToolkit User Initiated
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:42 AM | CREATE_IN_PROGRESS   | AWS::CloudFormation::Stack | Agc-CDKToolkit User Initiated
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:47 AM | CREATE_IN_PROGRESS   | AWS::S3::Bucket       | StagingBucket 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:47 AM | CREATE_IN_PROGRESS   | AWS::IAM::Role        | FilePublishingRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:47 AM | CREATE_IN_PROGRESS   | AWS::IAM::Role        | LookupRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:47 AM | CREATE_IN_PROGRESS   | AWS::IAM::Role        | ImagePublishingRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:47 AM | CREATE_IN_PROGRESS   | AWS::ECR::Repository  | ContainerAssetsRepository 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:47 AM | CREATE_IN_PROGRESS   | AWS::IAM::Role        | CloudFormationExecutionRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:47 AM | CREATE_IN_PROGRESS   | AWS::SSM::Parameter   | CdkBootstrapVersion 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:48 AM | CREATE_IN_PROGRESS   | AWS::IAM::Role        | FilePublishingRole Resource creation Initiated
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:48 AM | CREATE_IN_PROGRESS   | AWS::IAM::Role        | ImagePublishingRole Resource creation Initiated
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:48 AM | CREATE_IN_PROGRESS   | AWS::S3::Bucket       | StagingBucket Resource creation Initiated
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:48 AM | CREATE_IN_PROGRESS   | AWS::IAM::Role        | CloudFormationExecutionRole Resource creation Initiated
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:48 AM | CREATE_IN_PROGRESS   | AWS::IAM::Role        | LookupRole Resource creation Initiated
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  0/12 | 8:36:49 AM | CREATE_IN_PROGRESS   | AWS::SSM::Parameter   | CdkBootstrapVersion Resource creation Initiated
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:36:50 AM | CREATE_COMPLETE      | AWS::SSM::Parameter   | CdkBootstrapVersion 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:36:51 AM | CREATE_IN_PROGRESS   | AWS::ECR::Repository  | ContainerAssetsRepository Resource creation Initiated
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:36:51 AM | CREATE_FAILED        | AWS::ECR::Repository  | ContainerAssetsRepository Resource handler returned message: "User: arn:aws:sts::287209812789:assumed-role/agc-admin/MySessionName is not authorized to perform: ecr:SetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:287209812789:repository/cdk-agc-container-assets-287209812789-us-east-1 because no identity-based policy allows the ecr:SetRepositoryPolicy action (Service: Ecr, Status Code: 400, Request ID: 4750e529-31ca-487f-b3e3-f88dda553ff4, Extended Request ID: null)" (RequestToken: d7a04c03-36c1-2d51-82e5-b49b43c7a035, HandlerErrorCode: GeneralServiceException)
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:36:52 AM | CREATE_FAILED        | AWS::S3::Bucket       | StagingBucket Resource creation cancelled
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:36:52 AM | CREATE_FAILED        | AWS::IAM::Role        | ImagePublishingRole Resource creation cancelled
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:36:52 AM | CREATE_FAILED        | AWS::IAM::Role        | FilePublishingRole Resource creation cancelled
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:36:52 AM | CREATE_FAILED        | AWS::IAM::Role        | CloudFormationExecutionRole Resource creation cancelled
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:36:52 AM | CREATE_FAILED        | AWS::IAM::Role        | LookupRole Resource creation cancelled
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:36:53 AM | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack | Agc-CDKToolkit The following resource(s) failed to create: [ImagePublishingRole, FilePublishingRole, LookupRole, StagingBucket, CloudFormationExecutionRole, ContainerAssetsRepository]. Rollback requested by user.
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:37:03 AM | DELETE_IN_PROGRESS   | AWS::IAM::Role        | FilePublishingRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:37:03 AM | DELETE_IN_PROGRESS   | AWS::IAM::Role        | ImagePublishingRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:37:03 AM | DELETE_IN_PROGRESS   | AWS::IAM::Role        | LookupRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:37:03 AM | DELETE_IN_PROGRESS   | AWS::ECR::Repository  | ContainerAssetsRepository 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:37:03 AM | DELETE_IN_PROGRESS   | AWS::IAM::Role        | CloudFormationExecutionRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:37:03 AM | DELETE_IN_PROGRESS   | AWS::SSM::Parameter   | CdkBootstrapVersion 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  1/12 | 8:37:03 AM | DELETE_SKIPPED       | AWS::S3::Bucket       | StagingBucket 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  2/12 | 8:37:04 AM | DELETE_COMPLETE      | AWS::IAM::Role        | FilePublishingRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  3/12 | 8:37:04 AM | DELETE_COMPLETE      | AWS::IAM::Role        | ImagePublishingRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  4/12 | 8:37:05 AM | DELETE_COMPLETE      | AWS::IAM::Role        | CloudFormationExecutionRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  5/12 | 8:37:05 AM | DELETE_COMPLETE      | AWS::ECR::Repository  | ContainerAssetsRepository 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  4/12 | 8:37:05 AM | DELETE_COMPLETE      | AWS::SSM::Parameter   | CdkBootstrapVersion 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  5/12 | 8:37:06 AM | DELETE_COMPLETE      | AWS::IAM::Role        | LookupRole 
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit |  6/12 | 8:37:07 AM | ROLLBACK_COMPLETE    | AWS::CloudFormation::Stack | Agc-CDKToolkit 
2022-11-22T08:37:10Z ✘  
2022-11-22T08:37:10Z ✘  Failed resources:
2022-11-22T08:37:10Z ✘  Agc-CDKToolkit | 8:36:51 AM | CREATE_FAILED        | AWS::ECR::Repository  | ContainerAssetsRepository Resource handler returned message: "User: arn:aws:sts::287209812789:assumed-role/agc-admin/MySessionName is not authorized to perform: ecr:SetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:287209812789:repository/cdk-agc-container-assets-287209812789-us-east-1 because no identity-based policy allows the ecr:SetRepositoryPolicy action (Service: Ecr, Status Code: 400, Request ID: 4750e529-31ca-487f-b3e3-f88dda553ff4, Extended Request ID: null)" (RequestToken: d7a04c03-36c1-2d51-82e5-b49b43c7a035, HandlerErrorCode: GeneralServiceException)
2022-11-22T08:37:10Z ✘   ❌  Environment aws://287209812789/us-east-1 failed bootstrapping: Error: The stack named Agc-CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "User: arn:aws:sts::287209812789:assumed-role/agc-admin/MySessionName is not authorized to perform: ecr:SetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:287209812789:repository/cdk-agc-container-assets-287209812789-us-east-1 because no identity-based policy allows the ecr:SetRepositoryPolicy action (Service: Ecr, Status Code: 400, Request ID: 4750e529-31ca-487f-b3e3-f88dda553ff4, Extended Request ID: null)" (RequestToken: d7a04c03-36c1-2d51-82e5-b49b43c7a035, HandlerErrorCode: GeneralServiceException)
2022-11-22T08:37:10Z ✘      at FullCloudFormationDeployment.monitorDeployment (/home/ec2-user/.agc/cdk/node_modules/aws-cdk/lib/api/deploy-stack.ts:496:13)
2022-11-22T08:37:10Z ✘      at processTicksAndRejections (node:internal/process/task_queues:96:5)
2022-11-22T08:37:10Z ✘      at /home/ec2-user/.agc/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:626:24
2022-11-22T08:37:10Z ✘      at async Promise.all (index 0)
2022-11-22T08:37:10Z ✘      at CdkToolkit.bootstrap (/home/ec2-user/.agc/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:623:5)
2022-11-22T08:37:10Z ✘      at initCommandLine (/home/ec2-user/.agc/cdk/node_modules/aws-cdk/lib/cli.ts:357:12)
2022-11-22T08:37:10Z ✘  
2022-11-22T08:37:10Z ✘  The stack named Agc-CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "User: arn:aws:sts::287209812789:assumed-role/agc-admin/MySessionName is not authorized to perform: ecr:SetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:287209812789:repository/cdk-agc-container-assets-287209812789-us-east-1 because no identity-based policy allows the ecr:SetRepositoryPolicy action (Service: Ecr, Status Code: 400, Request ID: 4750e529-31ca-487f-b3e3-f88dda553ff4, Extended Request ID: null)" (RequestToken: d7a04c03-36c1-2d51-82e5-b49b43c7a035, HandlerErrorCode: GeneralServiceException)
2022-11-22T08:37:10Z ✘   error="exit status 1"

Expected Behavior

Actual Behavior

Screenshots

Additional Context

Operating System:
AGC Version:
Was AGC setup with a custom bucket:
Was AGC setup with a custom VPC:

@ArlindNocaj ArlindNocaj added the bug Something isn't working label Nov 22, 2022
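As an added example (not part of this issue or the AGC project), the following Python parses the AccessDenied text quoted in the CloudFormation event above, checks the denied action against an identity policy with a simplified evaluator (explicit Deny wins, wildcards in Action and Resource; no Condition, NotAction or NotResource handling), and emits the least-privilege statement that would have let the bootstrap set the repository policy. The sample policy is constructed for illustration and is not the documented AGC admin policy.

```python
import fnmatch
import json
import re

# Constructed sample: the AccessDenied message from the CREATE_FAILED event in the log above.
ACCESS_DENIED_MSG = (
    "User: arn:aws:sts::287209812789:assumed-role/agc-admin/MySessionName is not "
    "authorized to perform: ecr:SetRepositoryPolicy on resource: "
    "arn:aws:ecr:us-east-1:287209812789:repository/cdk-agc-container-assets-287209812789-us-east-1 "
    "because no identity-based policy allows the ecr:SetRepositoryPolicy action"
)

# Constructed stand-in for a too-narrow admin policy: ECR create/describe, but no SetRepositoryPolicy.
SAMPLE_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:CreateRepository", "ecr:DescribeRepositories"], "Resource": "*"}
    ],
}

DENIED_RE = re.compile(r"is not authorized to perform: (\S+) on resource: (\S+)")

def parse_access_denied(msg):
    """Return (action, resource_arn) extracted from an IAM AccessDenied message."""
    m = DENIED_RE.search(msg)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    return m.group(1), m.group(2)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # IAM '*' and '?' wildcards; actions are case-insensitive, so fold both sides.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def policy_allows(policy, action, resource):
    """Simplified identity-policy evaluation: any matching Deny wins, else any matching Allow."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        action_hit = any(_match(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def least_privilege_statement(action, resource):
    """Statement granting exactly the denied action on exactly the denied resource ARN."""
    return {"Effect": "Allow", "Action": [action], "Resource": [resource]}

if __name__ == "__main__":
    act, arn = parse_access_denied(ACCESS_DENIED_MSG)
    print("policy allows before fix:", policy_allows(SAMPLE_ADMIN_POLICY, act, arn))
    print(json.dumps(least_privilege_statement(act, arn), indent=2))
```

Scoping the added statement to the `cdk-agc-container-assets-<account>-<region>` repository ARN rather than `*` keeps the admin policy minimal while unblocking the bootstrap.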
@vvalleru
Contributor

Because the previous deployment/cleanup failed. You need to delete this manually first before attempting to deploy it again.
