[stepfunctions-tasks] Wrong ARN of emr iam policy getting attached in iam role #11503

Closed
pulkitaneja95 opened this issue Nov 16, 2020 · 1 comment · Fixed by #11553
Labels
@aws-cdk/aws-stepfunctions-tasks bug This issue is a bug. effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md in-progress This issue is being actively worked on. p1

@pulkitaneja95

While trying to create step functions using CDK, we pass an IAM role to be used for step function execution.
CDK by default attaches some policies to the IAM role.

In one of the policy statements of the default policy, the partition in the ARN seems to be hard-coded to 'aws', which brings the problem that stack deployment fails when a given stack is deployed to any region other than classic, e.g. in ZHY.

The resultant JSON in the template file, which shows that the partition in the resultant ARN is hard-coded:

"Resource": {
  "Fn::Join": [
    "",
    [
      "arn:aws:elasticmapreduce:",
      {
        "Ref": "AWS::Region"
      },
      ":",
      {
        "Ref": "AWS::AccountId"
      },
      ":cluster/*"
    ]
  ]
}

Reproduction Steps

Potential bug location:

arn:aws:elasticmapreduce:${Aws.REGION}:${Aws.ACCOUNT_ID}:cluster/*

The partition in the ARN here is not getting picked dynamically.
https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-stepfunctions-tasks/lib/emr/emr-cancel-step.ts#L39

What did you expect to happen?

Ideally the partition should have been picked dynamically, like ${Aws.PARTITION}, so that when the stack is deployed in regions like ZHY, the ARN will have the partition "aws-cn" and not "aws".

What actually happened?

The error logs:

Partition "aws" is not valid for resource 
"arn:aws:elasticmapreduce:cn-north-1:<aws-account-id>:cluster/*". 
(Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; 
Request ID: <some-request-id>; Proxy: null)

The partition here ideally should have been "aws-cn".

Environment

  • CDK CLI Version : 1.45
  • Node.js Version: 12.x
  • OS : Mac
  • Language (Version): TypeScript

Other


This is 🐛 Bug Report
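
A check for the class of bug reported above, as an added example that is not part of the original issue or of the aws-cdk code base: it walks a synthesized CloudFormation template and reports every ARN string whose partition is written as a literal. The function name `findHardCodedPartitions` and both sample policy statements are constructed for illustration; `AWS::Partition` is the CloudFormation pseudo parameter that `${Aws.PARTITION}` synthesizes to.

```typescript
// Added example (not aws-cdk code): scan a synthesized CloudFormation template
// for ARN strings whose partition is a literal rather than AWS::Partition.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

interface Finding { path: string; partition: string; text: string; }

// Matches "arn:aws:", "arn:aws-cn:", "arn:aws-us-gov:" written out as a literal.
const LITERAL_PARTITION = /\barn:(aws[a-z-]*):/;

function findHardCodedPartitions(node: Json, path: string = "$"): Finding[] {
  const findings: Finding[] = [];
  if (typeof node === "string") {
    const m = LITERAL_PARTITION.exec(node);
    if (m) findings.push({ path, partition: String(m[1]), text: node });
  } else if (Array.isArray(node)) {
    node.forEach((child, i) => {
      findings.push(...findHardCodedPartitions(child, `${path}[${i}]`));
    });
  } else if (node !== null && typeof node === "object") {
    for (const key of Object.keys(node)) {
      findings.push(...findHardCodedPartitions(node[key], `${path}.${key}`));
    }
  }
  return findings;
}

// Constructed sample: the Fn::Join from the issue inside a minimal statement.
const hardCoded: Json = {
  Statement: [{
    Effect: "Allow",
    Resource: { "Fn::Join": ["", [
      "arn:aws:elasticmapreduce:", { Ref: "AWS::Region" }, ":",
      { Ref: "AWS::AccountId" }, ":cluster/*",
    ]] },
  }],
};

// Constructed sample: the same ARN with the partition resolved at deploy time.
const partitionAware: Json = {
  Statement: [{
    Effect: "Allow",
    Resource: { "Fn::Join": ["", [
      "arn:", { Ref: "AWS::Partition" }, ":elasticmapreduce:", { Ref: "AWS::Region" },
      ":", { Ref: "AWS::AccountId" }, ":cluster/*",
    ]] },
  }],
};

for (const f of findHardCodedPartitions(hardCoded)) {
  console.log(`${f.path}: literal partition "${f.partition}" in "${f.text}"`);
}
```

Run against the JSON that `cdk synth` emits, a non-empty result points at the exact `Fn::Join` element to fix before the stack reaches a region such as `cn-north-1`.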

@pulkitaneja95 pulkitaneja95 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 16, 2020
@SomayaB SomayaB changed the title [aws-step-functions-task] Wrong ARN of emr iam policy getting attached in iam role [stepfunctions-tasks] Wrong ARN of emr iam policy getting attached in iam role Nov 17, 2020
@shivlaks shivlaks added p1 effort/small Small work item – less than a day of effort good first issue Related to contributions. See CONTRIBUTING.md and removed needs-triage This issue or PR still needs to be triaged. labels Nov 18, 2020
shivlaks added a commit that referenced this issue Nov 18, 2020
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Nov 26, 2020
@mergify mergify bot closed this as completed in #11553 Dec 14, 2020
mergify bot pushed a commit that referenced this issue Dec 14, 2020
…at are not partition-aware (#11553)

closes #11503


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

flochaz pushed a commit to flochaz/aws-cdk that referenced this issue Jan 5, 2021
…at are not partition-aware (aws#11553)

closes aws#11503


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*