
@aws-cdk/aws-logs: Resource handler returned message: "Invalid request provided: AWS::Logs::ResourcePolicy"


What is the problem?

I am trying to create a custom log group for my CodeBuild project as follows (sample code):

import * as cdk from '@aws-cdk/core';
import * as log from '@aws-cdk/aws-logs';
import * as codebuild from '@aws-cdk/aws-codebuild';

// Create Log Group
const myLogGroup = new log.LogGroup(this, 'my-log-group-label', {
  logGroupName         : 'my-log-group-name',
  removalPolicy        : cdk.RemovalPolicy.RETAIN,
  retention            : log.RetentionDays.ONE_WEEK,
});

// Create CodeBuild Project
// (myRole, myBuildSpec and myBuildEnv are defined elsewhere in the stack)
this.project = new codebuild.PipelineProject(this, 'my-build-project-label', {
  projectName          : 'my-build-project-name',
  role                 : myRole,
  buildSpec            : myBuildSpec,
  environmentVariables : myBuildEnv,
  environment          : {
    buildImage         : codebuild.LinuxBuildImage.STANDARD_5_0,
    privileged         : true,
  },
  logging              : {
    cloudWatch         : {
      logGroup         : myLogGroup,
    },
  },
  timeout              : cdk.Duration.minutes(30),
  concurrentBuildLimit : 2,
});

…which produces the following cdk diff output:

[+] AWS::Logs::LogGroup my-build-project-label/my-log-group-label mybuildprojectlabelnmyloggrouplabelC60E4D49 
[+] AWS::Logs::ResourcePolicy my-build-project-label/my-log-group-label/Policy/ResourcePolicy mybuildprojectlabelnmyloggrouplabelPolicyResourcePolicyBF9984F2 
[~] AWS::CodeBuild::Project my-build-project-label/nginx-base-codebuild mybuildprojectlabelnginxbasecodebuild03689A42 
 └─ [+] LogsConfig
     └─ {"CloudWatchLogs":{"GroupName":{"Ref":"mybuildprojectlabelnmyloggrouplabelC60E4D49"},"Status":"ENABLED"}}

Reproduction Steps

Create Log Group using the code above and associate it with a CodeBuild Project with:

  logging              : {
    cloudWatch         : {
      logGroup         : myLogGroup,
    },
  },

What did you expect to happen?

I expect that Log Group would be created with the parameters I specified.

What actually happened?

When I run cdk deploy my-pipeline --role-arn some-role-arn I am getting:

9:54:58 AM | CREATE_FAILED        | AWS::Logs::ResourcePolicy                    | nginx...urcePolicyBF9984F2
Resource handler returned message: "Invalid request provided: AWS::Logs::ResourcePolicy" (RequestToken: 4d4d5fe5-844a-cc6a-7e85-28dcb059b695, HandlerErrorCode: InvalidRequest)

        new ResourcePolicy (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-logs/lib/policy.ts:25:5)
        \_ LogGroup.addToResourcePolicy (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-logs/lib/log-group.tlowing resource(s) failed to create: [nginxbasepipelinecodebuildnginxbasepipelineloggroupPoli
        \_ Function.addToPrincipalOrResource (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-iam/lib/grant.t
        \_ LogGroup.grant (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-logs/lib/log-group.ts:103:22)
        \_ LogGroup.grantWrite (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-logs/lib/log-group.ts:98:17)
        \_ PipelineProject.renderLoggingConfiguration (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-codebu
        \_ new Project (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-codebuild/lib/project.ts:718:24)
        \_ new PipelineProject (/Users/myuser/Development/nginx-base/node_modules/@aws-cdk/aws-codebuild/lib/pipeline-projec
        \_ new NginxBaseCodeBuildProject (/Users/myuser/Development/nginx-base/lib/nginx-base-codepipeline.ts:244:20)
        \_ new NginxBaseCodePipelineStack (/Users/myuser/Development/nginx-base/lib/nginx-base-codepipeline.ts:112:31)
        \_ Object.<anonymous> (/Users/myuser/Development/nginx-base/bin/nginx-base.ts:35:1)
        \_ Module._compile (internal/modules/cjs/loader.js:1068:30)
        \_ Module.m._compile (/Users/myuser/Development/nginx-base/node_modules/ts-node/src/index.ts:1371:23)
        \_ Module._extensions..js (internal/modules/cjs/loader.js:1097:10)
        \_ Object.require.extensions.<computed> [as .ts] (/Users/myuser/Development/nginx-base/node_modules/ts-node/src/inde
        \_ Module.load (internal/modules/cjs/loader.js:933:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:774:14)
        \_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:72:12)
        \_ main (/Users/myuser/Development/nginx-base/node_modules/ts-node/src/bin.ts:331:12)
        \_ Object.<anonymous> (/Users/myuser/Development/nginx-base/node_modules/ts-node/src/bin.ts:482:3)
        \_ Module._compile (internal/modules/cjs/loader.js:1068:30)
        \_ Object.Module._extensions..js (internal/modules/cjs/loader.js:1097:10)
        \_ Module.load (internal/modules/cjs/loader.js:933:32)
        \_ Function.Module._load (internal/modules/cjs/loader.js:774:14)
        \_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:72:12)
        \_ internal/main/run_main_module.js:17:47

 ❌  my-pipeline failed: Error: The stack named my-pipeline failed to deploy: UPDATE_ROLLBACK_COMPLETE
    at Object.waitForStackDeploy (/usr/local/lib/node_modules/aws-cdk/lib/api/util/cloudformation.ts:309:11)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at prepareAndExecuteChangeSet (/usr/local/lib/node_modules/aws-cdk/lib/api/deploy-stack.ts:351:26)
    at CdkToolkit.deploy (/usr/local/lib/node_modules/aws-cdk/lib/cdk-toolkit.ts:194:24)
    at initCommandLine (/usr/local/lib/node_modules/aws-cdk/bin/cdk.ts:267:9)
The stack named my-pipeline failed to deploy: UPDATE_ROLLBACK_COMPLETE

CDK CLI Version

1.133.0 (build 2dea31a)

Framework Version

No response

Node.js Version



MacOS Monterey 12.0.1



Language Version

TypeScript 4.5.2

Other information

No response

Issue Analytics

  • State: closed
  • Created: 2 years ago
  • Reactions: 10
  • Comments: 8 (1 by maintainers)

Top GitHub Comments

Kevmo92 commented, Nov 23, 2021

I’m seeing this as well when creating an ecs LogGroup and trying to deploy it.

einstein-github-user commented, Jan 13, 2022

Upgraded to v1.139.0, the same issue.
