[config] Trying to get arn for service linked role not working
Description of the bug:
Trying to get arn for service linked role
Reproduction Steps
minimal amount of code that causes the bug (if possible) or a reference:
```python
from aws_cdk import aws_config, aws_iam as iam

# Fragment from the stack's __init__; the second call raises the error shown below.
self.config_service_role = iam.CfnServiceLinkedRole(self,
    id='AWS Config Service Linked Role',
    aws_service_name='config.amazonaws.com'
)
self.config_recorder = aws_config.CfnConfigurationRecorder(self,
    id='AWS Config Configuration Recorder',
    name='default',
    role_arn=self.config_service_role.get_att('arn')  # or ('resource.arn')
)
```
What did you expect to happen?
What were you trying to achieve by performing the steps above?
I expected to get the Service Linked Role ARN or reference to it.
What actually happened?
What is the unexpected behavior you were seeing? If you got an error, paste it here.
```
jsii.errors.JavaScriptError:
  Error: Expected a string, got {"$jsii.byref":"@aws-cdk/core.Reference@10008"}
      at Object.deserialize (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:6737:23)
      at Kernel._toSandbox (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:8328:61)
      at C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:6959:29
      at mapValues (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:7231:27)
      at Object.deserialize (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:6955:20)
      at Kernel._toSandbox (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:8328:61)
      at C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:8381:33
      at Array.map (<anonymous>)
      at Kernel._boxUnboxParameters (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:8381:19)
      at Kernel._wrapSandboxCode (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:8422:19)
      at Kernel._create (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:7934:26)
      at Kernel.create (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:7678:21)
      at KernelHost.processRequest (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:7458:28)
      at KernelHost.run (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:7396:14)
      at Immediate._onImmediate (C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_embedded\jsii\jsii-runtime.js:7399:37)
      at processImmediate (internal/timers.js:456:21)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "app.py", line 29, in <module>
    config_stack = ConfigStack(main_stack, 'config-stack')
  File "C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_runtime.py", line 69, in __call__
    inst = super().__call__(*args, **kwargs)
  File "C:\repos\aws\healthcare-hipaa-compliance-ns\healthcare_hipaa_compliance_ns\config_stack.py", line 88, in __init__
    self.config_recorder = aws_config.CfnConfigurationRecorder(self,
  File "C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_runtime.py", line 69, in __call__
    inst = super().__call__(*args, **kwargs)
  File "C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\aws_cdk\aws_config\__init__.py", line 1400, in __init__
    jsii.create(CfnConfigurationRecorder, self, [scope, id, props])
  File "C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_kernel\__init__.py", line 250, in create
    response = self.provider.create(
  File "C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_kernel\providers\process.py", line 336, in create
    return self._process.send(request, CreateResponse)
  File "C:\repos\aws\healthcare-hipaa-compliance-ns\hchcns\lib\site-packages\jsii\_kernel\providers\process.py", line 321, in send
    raise JSIIError(resp.error) from JavaScriptError(resp.stack)
jsii.errors.JSIIError: Expected a string, got {"$jsii.byref":"@aws-cdk/core.Reference@10008"}
Subprocess exited with error 1
```
Environment
- **CLI Version:** 1.69.0 (build 2b474b9)
- **Framework Version:** 1.69.0
- **Node.js Version:** v12.18.3
- **OS:** Windows 10
- **Language (Version):** Python 3.8.5
Other
Some objects come with a property to pull the arn attribute like S3 buckets. Service Linked Roles don’t seem to have this capability. I don’t have a fix for this.
ex: self.config_bucket.attr_arn
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Comments:7 (3 by maintainers)
Top GitHub Comments
Yes they do have ARNs.
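An added example, not part of the original issue or of the CDK project's code: a service-linked role's ARN follows the fixed path `aws-service-role/<service>/<role name>`, so the recorder's role ARN can be built as a string instead of read from an attribute. The helper names, the logical IDs and the account ID used in testing are constructed for illustration; `AWSServiceRoleForConfig` is the role AWS Config uses for `config.amazonaws.com`.

```python
import re

# Service-linked roles always live under this fixed IAM path.
SLR_PATH = "aws-service-role"


def slr_arn(service, role_name, account="${AWS::AccountId}",
            partition="${AWS::Partition}"):
    """Return the ARN of a service-linked role (hypothetical helper).

    With the default placeholders the result is a body for Fn::Sub;
    pass a concrete account and partition to get a literal ARN.
    """
    if not re.fullmatch(r"[a-z0-9.-]+", service):
        raise ValueError(f"unexpected characters in service: {service!r}")
    if not re.fullmatch(r"AWSServiceRoleFor\w+", role_name):
        raise ValueError(f"not a service-linked role name: {role_name!r}")
    if account != "${AWS::AccountId}" and not re.fullmatch(r"\d{12}", account):
        raise ValueError(f"account id must be 12 digits: {account!r}")
    return (f"arn:{partition}:iam::{account}:role/"
            f"{SLR_PATH}/{service}/{role_name}")


def config_recorder_template(recorder_name="default"):
    """CloudFormation fragment: the role plus a recorder that names its ARN."""
    role_arn = slr_arn("config.amazonaws.com", "AWSServiceRoleForConfig")
    return {
        "Resources": {
            "ConfigServiceLinkedRole": {
                "Type": "AWS::IAM::ServiceLinkedRole",
                "Properties": {"AWSServiceName": "config.amazonaws.com"},
            },
            "ConfigRecorder": {
                "Type": "AWS::Config::ConfigurationRecorder",
                # The ARN is a plain string, so no Ref/GetAtt orders the two
                # resources; the dependency has to be declared explicitly.
                "DependsOn": "ConfigServiceLinkedRole",
                "Properties": {
                    "Name": recorder_name,
                    "RoleARN": {"Fn::Sub": role_arn},
                },
            },
        }
    }
```

In the stack from the issue, the same string can be passed as `role_arn=core.Fn.sub(slr_arn(...))`, with `self.config_recorder.add_depends_on(self.config_service_role)` declaring the ordering.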