(ec2.KeyPair): Provide better descriptive response than showing "Resource handler returned message: "null"" #30311

Open
ThePlenkov opened this issue May 22, 2024 · 13 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@ThePlenkov

Describe the bug

I get the following message when creating a new keypair:

Resource handler returned message: "null" (RequestToken: e736f836-0250-d35d-3b71-9762d9a7f44a, HandlerErrorCode: InternalFailure)

Here is how I create it:

// create keypair
const keyPairName = 'solace-keypair';
const keyPair = new KeyPair(this, 'solaceKeypair', {
  keyPairName,
});

What could go wrong?

Expected Behavior

It's OK if it fails, but I expect that the message returned from the resource is not null.

Current Behavior

Currently it is hard to guess what happens because the message is null.

Reproduction Steps

Maybe apply the mentioned code. Not sure, maybe it depends on my account/permissions.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.142.1 (build ed4e152)

Framework Version

No response

Node.js Version

v20.12.0

OS

Debian GNU/Linux 11 (bullseye)

Language

TypeScript

Language Version

No response

Other information

No response

@ThePlenkov ThePlenkov added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 22, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label May 22, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-triage This issue or PR still needs to be triaged. labels May 22, 2024
@khushail khushail self-assigned this May 22, 2024
@khushail
Contributor

khushail commented May 22, 2024

Hey @ThePlenkov, thanks for reaching out.

It works fine for me and I could see the EC2.KeyPair being created in my account:

const keypair = new ec2.KeyPair(this, "keypair", {
  keyPairName: "keypair",
});

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels May 22, 2024
@ThePlenkov
Author

That part I understand: this constructor should work because it's described in the documentation. What I want to say is that if something doesn't work (maybe no privilege), then in certain cases (as it happens for me in our enterprise service account) it may return the response null, which is indeed not a good response. It would be great if someone could review this resource and check if that could happen.

@khushail
Contributor

I agree with you, @ThePlenkov, that the error should be displayed accordingly. AFAIK, if it's related to credentials or something, it should come up like that.

In your case (with the shared snippet), it's not clear where the error is coming from. To understand which part of the execution is producing this error, I might have to repro that on my side and then look up the source code to identify where null is being returned from. I hope you understand my point of view here. So it would be great if you could share the complete code which produced this error.

@khushail
Contributor

You could also use --debug to see the verbose logging if that is helpful.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 23, 2024
@ThePlenkov
Author

I did it differently instead and left only the keypair in my stack; the error is there.

// create keypair via cdk
import * as cdk from 'aws-cdk-lib';
import { type Construct } from 'constructs';
import { KeyPair } from 'aws-cdk-lib/aws-ec2';

export class TestKeyPairStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    //create keypair
    new KeyPair(this, 'test-keypair', {
      keyPairName: 'test-keypair',
    });
  }
}

#!/usr/bin/env node
import 'source-map-support/register';
import * as cdk from 'aws-cdk-lib';
import { TestKeyPairStack } from '../lib/keypair';

const app = new cdk.App();

new TestKeyPairStack(app, 'test-keypair-stack', {
  stackName: process.env['STACK_NAME'],
  env: {
    account: process.env['CDK_DEPLOY_ACCOUNT'],
    region: process.env['CDK_DEPLOY_REGION'],
  },
  synthesizer: new cdk.DefaultStackSynthesizer({
    generateBootstrapVersionRule: false,
  }),
});

I cannot change the command we deploy with because it's in the Harness pipeline. Do you think there is a way to change it programmatically? Will cdk.json help, maybe? Thanks!

@ThePlenkov
Author

Yes, I already found that it is possible to enable debug via cdk.json too.

@ThePlenkov
Author

ThePlenkov commented May 23, 2024

debug: true in cdk.json didn't help to get better logs in Harness; however, it won't help me because there we create a stack from an already compiled JSON file via aws create-stack. I asked our deployment team if we can enable debug mode somehow.

@ThePlenkov
Author

So I tried to deploy such a template to my personal sandbox account and it worked.
test-keypair-stack.template.json

But this template fails when deploying to a private service account. I checked the permission boundaries of the deployment account and they look good: keypair is not restricted.

So it must be something else.

@ThePlenkov
Author

@khushail is it possible for you to try to run this code without permission to create a key pair? Thanks!

@khushail khushail added the needs-reproduction This issue needs reproduction. label May 24, 2024
@ThePlenkov
Author

@khushail I can confirm that after adding the missing permissions to the deployment policy everything works now.

Resource handler returned message: "null" (RequestToken: e736f836-0250-d35d-3b71-9762d9a7f44a, HandlerErrorCode: InternalFailure)

This is the message that is shown if the account doesn't have permissions.

To me it seems like a place for improvement: provide a better message rather than null.

@khushail khushail added p2 effort/small Small work item – less than a day of effort and removed needs-reproduction This issue needs reproduction. labels Jun 12, 2024
@khushail
Contributor

khushail commented Jun 12, 2024

@ThePlenkov, thanks for diving deep and sharing your inputs.

It would be helpful if you could share which permissions you added to your account to make it work.

@khushail khushail added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 12, 2024
@ThePlenkov
Author

Just ec2*
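
Added example, not part of the original thread or the CDK project's code: a pre-deploy check that lists which actions a deployment policy (and its permissions boundary) lacks for creating an AWS::EC2::KeyPair, so the gap is visible before CloudFormation returns the "null" message. The action list, the function names and the sample policies are assumptions constructed for illustration; confirm the actions against the current CloudFormation resource schema. Resource and Condition elements are ignored.

```typescript
// Actions assumed for the AWS::EC2::KeyPair create handler (assumption:
// verify against the current CloudFormation resource schema).
const KEYPAIR_CREATE_ACTIONS = [
  "ec2:CreateKeyPair",
  "ec2:ImportKeyPair",
  "ec2:CreateTags",
  "ssm:PutParameter", // the generated private key is stored in Parameter Store
];

interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
}

// IAM action patterns are case-insensitive and allow * and ? wildcards.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$", "i").test(action);
}

function covers(stmts: Statement[], effect: string, action: string): boolean {
  return stmts
    .filter((s) => s.Effect === effect)
    .some((s) => ([] as string[]).concat(s.Action).some((p) => actionMatches(p, action)));
}

// Required actions the policy does not grant; an explicit Deny always wins.
function missingActions(stmts: Statement[], required = KEYPAIR_CREATE_ACTIONS): string[] {
  return required.filter((a) => covers(stmts, "Deny", a) || !covers(stmts, "Allow", a));
}

// A permissions boundary caps the identity policy: an action must pass both.
function missingWithBoundary(identity: Statement[], boundary: Statement[]): string[] {
  const a = missingActions(identity);
  const b = missingActions(boundary);
  return KEYPAIR_CREATE_ACTIONS.filter((x) => a.indexOf(x) >= 0 || b.indexOf(x) >= 0);
}

// Constructed sample policies (not taken from the thread).
const DEPLOY_POLICY: Statement[] = [
  { Effect: "Allow", Action: ["cloudformation:*", "ssm:PutParameter"] },
];
const DEPLOY_POLICY_FIXED: Statement[] = [...DEPLOY_POLICY, { Effect: "Allow", Action: "ec2:*" }];
const BOUNDARY: Statement[] = [
  { Effect: "Allow", Action: "*" },
  { Effect: "Deny", Action: "ec2:Import*" },
];
```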

@khushail khushail removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 12, 2024
@khushail khushail changed the title (ec2.KeyPair): Resource handler returned message: "null" (ec2.KeyPair): Provide better descriptive response than showing "Resource handler returned message: "null"" Jun 12, 2024
@khushail
Contributor

So just to confirm, the ask is to provide better messaging when the error response is null due to missing permissions.

I still think it should not be a bug but rather an enhancement or feature request on error message display. WDYT, @ThePlenkov?

@khushail khushail removed their assignment Aug 1, 2024