(integ-tests-alpha): ForbiddenException: UnknownError when using awsApiCall('IotData', 'publish', ...) #26645

Open
yamatatsu opened this issue Aug 5, 2023 · 1 comment
Labels
@aws-cdk/aws-iot Related to AWS IoT bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@yamatatsu
Contributor

yamatatsu commented Aug 5, 2023

Describe the bug

ForbiddenException: UnknownError occurs when using awsApiCall('IotData', 'publish', ...).

Expected Behavior

Publish without error.

Current Behavior

It causes a CFn error as follows:

snstopicactiontestDefaultTestDeployAssert7CEC369B | 2/5 | 17:17:50 | CREATE_FAILED        | Custom::DeployAssert@SdkCallIotDatapublish    | sns-topic-action-test/DefaultTest/DeployAssert/AwsApiCallIotDatapublish0e02a766e2fbbaa9d608b52a8e174d10/Default/Default (AwsApiCallIotDatapublish0e02a766e2fbbaa9d608b52a8e174d10) Received response status [FAILED] from custom resource. Message returned: UnknownError (RequestId: 0274816b-6937-4120-9387-6a49a46d7085)

At this time, the following error occurs in Lambda:

2023-08-05T08:17:48.674Z	af822d34-a72d-4a59-bdf2-b680dc4cde03	INFO	ForbiddenException: UnknownError
    at throwDefaultError (/var/runtime/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8:22)
    at deserializeAws_restJson1PublishCommandError (/var/runtime/node_modules/@aws-sdk/client-iot-data-plane/dist-cjs/protocols/Aws_restJson1.js:473:51)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/runtime/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
    at async /var/runtime/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:13:20
    at async StandardRetryStrategy.retry (/var/runtime/node_modules/@aws-sdk/middleware-retry/dist-cjs/StandardRetryStrategy.js:51:46)
    at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:6:22
    at async AwsApiCallHandler.processEvent (/var/task/index.js:31779:22)
    at async AwsApiCallHandler.handle (/var/task/index.js:31459:26)
    at async Runtime.handler (/var/task/index.js:31836:20) {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 403,
    requestId: '43e28e61-c146-23b3-c37f-e452f61fc45b',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  traceId: '43e28e61-c146-23b3-c37f-e452f61fc45b'
}

Reproduction Steps

Use IntegTest as follows:

const iotPublishCall = integ.assertions.awsApiCall('IotData', 'publish', {
  topic: 'device/test-device-id/data',
});

Possible Solution

It can be fixed by changing the prefix of IotData in sdk-api-metadata.json to iot instead of iot-data.

This JSON file is used for setting an action of a policy of CustomResource:

public addPolicyStatementFromSdkCall(service: string, api: string, resources?: string[]): void {
  if (SDK_METADATA === undefined) {
    // eslint-disable-next-line
    SDK_METADATA = require('./sdk-api-metadata.json');
  }
  const srv = service.toLowerCase();
  const iamService = (SDK_METADATA[srv] && SDK_METADATA[srv].prefix) || srv;
  const iamAction = api.charAt(0).toUpperCase() + api.slice(1);
  this.lambdaFunction.addPolicies([{
    Action: [`${iamService}:${iamAction}`],
    Effect: 'Allow',
    Resource: resources || ['*'],
  }]);
}

From the document, all commands of IotData are below:

  • DeleteThingShadow
  • GetRetainedMessage
  • GetThingShadow
  • ListNamedShadowsForThing
  • ListRetainedMessages
  • Publish
  • UpdateThingShadow

All policy actions of these commands need the iot prefix, not iot-data. It can be confirmed with this documentation.

Additional Information/Context

No response

CDK CLI Version

v2.90.0 (git hash 972a06f07e861fcd71b2ebb6ca72a72c97bda0d9)

Framework Version

No response

Node.js Version

v20.4.0

OS

mac m1

Language

Typescript

Language Version

v1.22.19

Other information

No response
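The mismatch described in this issue, as an added example that is not part of the original report or the CDK code base: it repeats the derivation from addPolicyStatementFromSdkCall over a constructed metadata entry and lists the IotData calls whose generated Allow statement would not cover the action IAM authorizes. The names REPORTED, PROPOSED, derivedIamAction, requiredIamAction and uncoveredApis are hypothetical, and the metadata key `iotdata` is an assumption based on the lower-cased lookup.

```typescript
type SdkMetadata = Record<string, { prefix?: string }>;

// Constructed stand-ins for the IotData entry of sdk-api-metadata.json
// (assumed to be keyed by the lower-cased service name, as the lookup implies).
const REPORTED: SdkMetadata = { iotdata: { prefix: 'iot-data' } };
const PROPOSED: SdkMetadata = { iotdata: { prefix: 'iot' } };

// The IotData commands listed in the issue, in the form passed to awsApiCall.
const IOT_DATA_APIS = [
  'deleteThingShadow', 'getRetainedMessage', 'getThingShadow',
  'listNamedShadowsForThing', 'listRetainedMessages', 'publish', 'updateThingShadow',
];

// Same derivation as addPolicyStatementFromSdkCall: metadata prefix, else the service name.
function derivedIamAction(meta: SdkMetadata, service: string, api: string): string {
  const srv = service.toLowerCase();
  const iamService = (meta[srv] && meta[srv].prefix) || srv;
  return `${iamService}:${api.charAt(0).toUpperCase()}${api.slice(1)}`;
}

// Action the call is authorized as: per the issue, every IotData command uses the iot prefix.
function requiredIamAction(api: string): string {
  return `iot:${api.charAt(0).toUpperCase()}${api.slice(1)}`;
}

// Hypothetical check: APIs whose generated Allow statement does not name the
// required action (IAM action names are compared case-insensitively).
function uncoveredApis(meta: SdkMetadata): string[] {
  return IOT_DATA_APIS.filter((api) =>
    derivedIamAction(meta, 'IotData', api).toLowerCase() !== requiredIamAction(api).toLowerCase());
}

console.log(derivedIamAction(REPORTED, 'IotData', 'publish'), uncoveredApis(REPORTED).length);
console.log(derivedIamAction(PROPOSED, 'IotData', 'publish'), uncoveredApis(PROPOSED).length);
```

With the reported prefix the Lambda role allows an action that the publish call is never evaluated against, so the call is denied with the 403 shown above even though a policy statement was attached.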

@yamatatsu yamatatsu added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 5, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iot Related to AWS IoT label Aug 5, 2023
@peterwoodworth peterwoodworth added p1 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Aug 7, 2023
@peterwoodworth
Contributor

Thanks for the report and PR
