Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
(cdk-pipelines): Cannot build Docker assets in a VPC: Not authorized to perform DescribeSecurityGroups
See original GitHub issueUse case
We need to be able to access company internal repositories during the Docker build which means they need to run within a VPC.
However, when adding a VPC configuration to a CDK Pipeline the UpdatePipeline stage fails with:
PipelinemasterAssetsDockerAsset1FDB4A08A Failed to call UpdateProject, reason: Not authorized to perform DescribeSecurityGroups (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException
Reproduction Steps
const createPipeline = (scope: cdk.Construct, repository: codecommit.IRepository, repositoryName: string, branch: string, sourceArtifact: codepipeline.Artifact) => {
const cloudAssemblyArtifact = new codepipeline.Artifact();
const vpc = ec2.Vpc.fromVpcAttributes(scope, `PipelineVpc-${branch}`, VpcAttrs);
return new pipelines.CdkPipeline(scope, `Pipeline-${branch}`, {
pipelineName: `${repositoryName}-${branch}`,
cloudAssemblyArtifact,
// Adding VPC causes a failure
vpc,
sourceAction: new codepipeline_actions.CodeCommitSourceAction({
actionName: 'Source',
repository,
branch,
output: sourceArtifact,
}),
synthAction: pipelines.SimpleSynthAction.standardNpmSynth({
environment: { privileged: true },
sourceArtifact,
cloudAssemblyArtifact,
buildCommand: 'npm run build',
subdirectory: 'cdk',
}),
});
}
const createPipelineForBranch = (scope: cdk.Construct, repository: codecommit.IRepository, repositoryName: string, branch: string) => {
const pipeline = createPipeline(scope, repository, repositoryName, branch, sourceArtifact);
const stage = new cdk.Stage(scope, 'stage');
const buildStack = new cdk.Stack(stage, `build-stack`);
const dockerAsset = new assets.DockerImageAsset(buildStack, 'app', {
directory: '../app',
});
}
What did you expect to happen?
The Docker asset would be built in the VPC.
What actually happened?
CloudFormation update failed.
Environment
- CDK CLI Version : 1.75.0 (build 7708242)
- Framework Version: 1.75.0 (build 7708242)
- Node.js Version: v14.15.1
- OS : macOs
- Language (Version): TypeScript 4
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Reactions:1
- Comments:13 (7 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Using bit older version 1.89.0 and having same issue as described in above post. I was just lazy and tried it manually first and it does not allow me to put build project in VPC. I get same “The trusted principals don’t belong to the service”. This is frustrating because I am pulling docker image from docker hub. Since project is not updated that often It would work perfectly fine just being tied to IP address, but now that it uses random ip amazon gives it it occasionally fails pulling the image.
edit: i have admin privileges to account
@markusl Was this solved for you? I have similar issues on CDK version 1.100.0. Adding the vpc property to my CdkPipeline causes deploy/creation to fail with a similar error message as you reported:
Not authorized to perform DescribeSecurityGroups (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException;My pipeline contains a stage with stacks described using PythonFunctions (python lambda built using Docker).