(cdk-pipelines): Cannot build Docker assets in a VPC: Not authorized to perform DescribeSecurityGroups
Use case
We need to be able to access company internal repositories during the Docker build which means they need to run within a VPC.
However, when adding a VPC configuration to a CDK Pipeline, the UpdatePipeline stage fails with:
PipelinemasterAssetsDockerAsset1FDB4A08A Failed to call UpdateProject, reason: Not authorized to perform DescribeSecurityGroups (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException
Reproduction Steps
```ts
import * as cdk from '@aws-cdk/core';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as codecommit from '@aws-cdk/aws-codecommit';
import * as codepipeline from '@aws-cdk/aws-codepipeline';
import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
import * as pipelines from '@aws-cdk/pipelines';
import * as assets from '@aws-cdk/aws-ecr-assets';

// Attributes of the existing VPC (vpcId, availabilityZones, subnet ids) the builds must run in;
// defined elsewhere in the reporter's project and not shown in the issue.
declare const VpcAttrs: ec2.VpcAttributes;

const createPipeline = (scope: cdk.Construct, repository: codecommit.IRepository, repositoryName: string, branch: string, sourceArtifact: codepipeline.Artifact) => {
  const cloudAssemblyArtifact = new codepipeline.Artifact();
  const vpc = ec2.Vpc.fromVpcAttributes(scope, `PipelineVpc-${branch}`, VpcAttrs);
  return new pipelines.CdkPipeline(scope, `Pipeline-${branch}`, {
    pipelineName: `${repositoryName}-${branch}`,
    cloudAssemblyArtifact,
    // Adding VPC causes a failure
    vpc,
    sourceAction: new codepipeline_actions.CodeCommitSourceAction({
      actionName: 'Source',
      repository,
      branch,
      output: sourceArtifact,
    }),
    synthAction: pipelines.SimpleSynthAction.standardNpmSynth({
      // privileged mode is required for the synth/asset projects to run `docker build`
      environment: { privileged: true },
      sourceArtifact,
      cloudAssemblyArtifact,
      buildCommand: 'npm run build',
      subdirectory: 'cdk',
    }),
  });
};

const createPipelineForBranch = (scope: cdk.Construct, repository: codecommit.IRepository, repositoryName: string, branch: string) => {
  const sourceArtifact = new codepipeline.Artifact();
  const pipeline = createPipeline(scope, repository, repositoryName, branch, sourceArtifact);
  const stage = new cdk.Stage(scope, 'stage');
  const buildStack = new cdk.Stack(stage, 'build-stack');
  // The Docker asset is built and pushed by the pipeline's asset-publishing CodeBuild project
  const dockerAsset = new assets.DockerImageAsset(buildStack, 'app', {
    directory: '../app',
  });
  // Not in the original snippet; assumed, since the asset is only published once the stage is part of the pipeline
  pipeline.addApplicationStage(stage);
  return pipeline;
};
```
What did you expect to happen?
The Docker asset would be built in the VPC.
What actually happened?
CloudFormation update failed.
Environment
- CDK CLI Version: 1.75.0 (build 7708242)
- Framework Version: 1.75.0 (build 7708242)
- Node.js Version: v14.15.1
- OS: macOS
- Language (Version): TypeScript 4
Other
This is a 🐛 Bug Report
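The error in this report is CodeBuild validating the project's service role at UpdateProject time: a project placed in a VPC creates ENIs in the build subnets, and AWS documents a fixed set of EC2 actions the role must hold for that, `ec2:DescribeSecurityGroups` among them. The following is an added example, not code from the issue, its reporter, or the CDK project: it encodes that action list, reports which actions a role's permission policies fail to grant, checks that the role's trust policy admits `codebuild.amazonaws.com` (the cause of the "trusted principals" error quoted in the comments), and builds the least-privilege statement set in which `ec2:CreateNetworkInterfacePermission` is conditioned on the build subnets and on CodeBuild as the authorized service. The sample role policies, region, account id and subnet ids are constructed placeholders.

```typescript
// Added example: not code from the issue, its reporter, or the CDK project.
// All policy inputs below are constructed for the example.

type Statement = {
  Effect: 'Allow' | 'Deny';
  Action?: string | string[];
  Resource?: string | string[];
  Principal?: { Service?: string | string[]; AWS?: string | string[] };
  Condition?: Record<string, Record<string, string | string[]>>;
};
type PolicyDocument = { Version: string; Statement: Statement[] };

// EC2 actions AWS documents for a CodeBuild service role whose project runs in a VPC.
// CodeBuild checks for them when the project is created or updated, which is why the
// issue's error surfaces at UpdateProject and names ec2:DescribeSecurityGroups.
export const CODEBUILD_VPC_ACTIONS: readonly string[] = [
  'ec2:CreateNetworkInterface',
  'ec2:DescribeDhcpOptions',
  'ec2:DescribeNetworkInterfaces',
  'ec2:DeleteNetworkInterface',
  'ec2:DescribeSubnets',
  'ec2:DescribeSecurityGroups',
  'ec2:DescribeVpcs',
  'ec2:CreateNetworkInterfacePermission',
];

const asList = (v: string | string[] | undefined): string[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// IAM action patterns are case-insensitive and may contain '*' (e.g. "ec2:Describe*").
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern
    .split('*')
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, '\\$&'))
    .join('.*');
  return new RegExp(`^${escaped}$`, 'i').test(action);
}

// Gap check: which required actions does no Allow statement grant?
// Resources and conditions are not evaluated, and an explicit Deny elsewhere still needs review.
export function missingVpcActions(policies: PolicyDocument[]): string[] {
  const allowed: string[] = [];
  for (const policy of policies) {
    for (const s of policy.Statement) {
      if (s.Effect === 'Allow') allowed.push(...asList(s.Action));
    }
  }
  return CODEBUILD_VPC_ACTIONS.filter((req) => !allowed.some((pat) => actionMatches(pat, req)));
}

// Trust check: CodeBuild rejects a role that codebuild.amazonaws.com cannot assume
// ("The trusted principals don't belong to the service").
export function trustsCodeBuild(trustPolicy: PolicyDocument): boolean {
  return trustPolicy.Statement.some(
    (s) =>
      s.Effect === 'Allow' &&
      asList(s.Action).some((a) => actionMatches(a, 'sts:AssumeRole')) &&
      asList(s.Principal?.Service).indexOf('codebuild.amazonaws.com') !== -1,
  );
}

// Least-privilege policy: the Describe*/ENI actions on "*", plus
// CreateNetworkInterfacePermission limited to the build subnets and to CodeBuild itself.
export function codeBuildVpcPolicy(region: string, account: string, subnetIds: string[]): PolicyDocument {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: CODEBUILD_VPC_ACTIONS.filter((a) => a !== 'ec2:CreateNetworkInterfacePermission'),
        Resource: '*',
      },
      {
        Effect: 'Allow',
        Action: 'ec2:CreateNetworkInterfacePermission',
        Resource: `arn:aws:ec2:${region}:${account}:network-interface/*`,
        Condition: {
          StringEquals: {
            'ec2:Subnet': subnetIds.map((id) => `arn:aws:ec2:${region}:${account}:subnet/${id}`),
            'ec2:AuthorizedService': 'codebuild.amazonaws.com',
          },
        },
      },
    ],
  };
}

// Constructed sample: a service role granted only logging, ECR push and asset-bucket read rights.
export const sampleAssetRolePolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: ['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'], Resource: '*' },
    { Effect: 'Allow', Action: ['ecr:GetAuthorizationToken', 'ecr:BatchCheckLayerAvailability', 'ecr:PutImage'], Resource: '*' },
    { Effect: 'Allow', Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'], Resource: 'arn:aws:s3:::example-assets-bucket/*' },
  ],
};

// Constructed sample trust policy for the same role.
export const sampleTrustPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole', Principal: { Service: 'codebuild.amazonaws.com' } }],
};

// Runs the checks before and after attaching the VPC policy (region, account and subnet ids are placeholders).
export function demo(): { before: string[]; after: string[]; trusts: boolean } {
  const vpcPolicy = codeBuildVpcPolicy('eu-west-1', '123456789012', ['subnet-0a1b2c3d', 'subnet-4e5f6a7b']);
  return {
    before: missingVpcActions([sampleAssetRolePolicy]),
    after: missingVpcActions([sampleAssetRolePolicy, vpcPolicy]),
    trusts: trustsCodeBuild(sampleTrustPolicy),
  };
}
```

Run `demo()` against the JSON of a real role (for example the output of `aws iam get-role-policy` and `aws iam get-role`) to see which of the eight actions are absent before touching the pipeline; the subnet condition on `ec2:CreateNetworkInterfacePermission` is what keeps the role from attaching ENIs in subnets the build was never meant to reach.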
Issue Analytics
- Created 3 years ago
- Reactions: 1
- Comments: 13 (7 by maintainers)
Top GitHub Comments
Using a bit older version, 1.89.0, and having the same issue as described in the above post. I was just lazy and tried it manually first, and it does not allow me to put the build project in a VPC. I get the same "The trusted principals don't belong to the service". This is frustrating because I am pulling a Docker image from Docker Hub. Since the project is not updated that often, it would work perfectly fine just being tied to an IP address, but now that it uses a random IP Amazon gives it, it occasionally fails pulling the image.
edit: I have admin privileges to the account
@markusl Was this solved for you? I have similar issues on CDK version 1.100.0. Adding the vpc property to my CdkPipeline causes deploy/creation to fail with a similar error message as you reported:
Not authorized to perform DescribeSecurityGroups (Service: AWSCodeBuild; Status Code: 400; Error Code: InvalidInputException;
My pipeline contains a stage with stacks described using PythonFunctions (python lambda built using Docker).