
policyName longer than 128 characters for auto generated AWS::IAM::Policy for CodeBuild project


Note: for support questions, please first reference our documentation, then use Stackoverflow. This repository’s issues are intended for feature requests and bug reports.

  • I’m submitting a …

    • [x] 🪲 bug report
    • 🚀 feature request
    • 📚 construct library gap
    • ☎️ security issue or vulnerability => Please see policy
    • ❓ support request => Please see note at the top of this template.
  • What is the current behavior? If the current behavior is a 🪲bug🪲: Please provide the steps to reproduce

new codebuild.Project

I’m using CDK 1.0.0 to set up several CodeBuild projects. We have to run the same tests in different environments, so I have done something similar to a Travis build matrix, by having a TestMatrix construct that contains several instantiations of a TestSuite construct that creates a CodeBuild project with the required IAM permissions. As a result I get long CDK paths.

The problem is that when I deploy the stack to my dev account the deployment fails because the name of the IAM policies associated to each CodeBuild project is too long

1 validation error detected: Value '***********************' at 'policyName' failed to satisfy constraint: Member must have length less than or equal to 128 (Service: AmazonIdentityManagement; Status Code: 400; Error Code: ValidationError; Request ID: ad619787-ad6f-11e9-bfef-a3a40d689eaf)

However, I haven’t defined that policy explicitly. I just called codeBuildProject.addToRolePolicy to add additional PolicyStatement objects, and CDK added permissions automatically for accessing a CodeCommit repository that is used as source.

  • What is the expected behavior (or behavior of feature suggested)? There is no validation error when deploying the Cfn stack

  • What is the motivation / use case for changing the behavior or adding this feature? The policy name is defined automatically by CDK

  • Please tell us about your environment:

    • CDK CLI Version: 1.0.0
    • Module Version: 1.0.0
    • OS: Ubuntu
    • Language: TypeScript
  • Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, eg. associated pull-request, stackoverflow, gitter, etc)

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

1 reaction
skinny85 commented, Jul 30, 2019

Hey @juanrh,

sorry for the late response. If your workaround works fine, then I don’t see a problem with it.

I’ll work on a fix for this issue.

Thanks, Adam

0 reactions
juanrh commented, Jul 31, 2019

I’m using this as a workaround

// Assumes CfnPolicy is imported from '@aws-cdk/aws-iam' and uuid4 from a UUID library.
this.node.findAll().forEach(child => {
    // HACK for https://github.com/aws/aws-cdk/issues/3402
    // Cannot check the actual policy name, because the token hasn't been expanded yet
    const childClass = child.constructor.name;
    if (childClass === 'CfnPolicy') {
        const policy = child as CfnPolicy;
        const maxPolicyNameLength = 128;
        // Four concatenated UUIDs give a random name, truncated to the IAM limit
        const newPolicyName = `policy-${uuid4()}${uuid4()}${uuid4()}${uuid4()}`.slice(0, maxPolicyNameLength);
        console.warn(`Renaming policy ${newPolicyName} to ensure the policy name passes validation`);
        policy.addOverride("Properties.PolicyName", newPolicyName);
    }
});

running from the stack constructor. I understand this means CDK will always generate new policy names, so each time I deploy a change for any resource, all the IAM policies will be regenerated too. That should be ok because there is no state associated to policies AFAIK, it will just make deployments slower.

Does this workaround sound good, or do you think there can be any problems with this approach?

Thanks
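
A deterministic alternative to the random names in the workaround above, added here as an example and not part of the original thread or the CDK code base: it derives the name from the construct path plus a short hash, so it stays within the 128-character limit quoted in the error and does not change between deployments. The helpers `stablePolicyName` and `assignPolicyNames` and the sample paths are hypothetical.

```typescript
import { createHash } from "crypto";

// IAM limit quoted in the validation error from the issue.
const MAX_POLICY_NAME_LENGTH = 128;
// Hex characters of SHA-256 kept as a uniqueness suffix (an assumption of this example).
const HASH_LENGTH = 8;

// Hypothetical helper: derive a stable, valid PolicyName from a construct path.
function stablePolicyName(constructPath: string, maxLength: number = MAX_POLICY_NAME_LENGTH): string {
  // IAM policy names may contain only alphanumerics and the characters _+=,.@-
  const sanitized = constructPath.replace(/[^\w+=,.@-]/g, "") || "policy";
  // Hash the original path, so paths that differ only in stripped or
  // truncated characters still get different names.
  const digest = createHash("sha256").update(constructPath).digest("hex").slice(0, HASH_LENGTH);
  // Reserve room for "-" plus the digest, then truncate the readable part.
  const head = sanitized.slice(0, maxLength - HASH_LENGTH - 1);
  return `${head}-${digest}`;
}

// Constructed sample paths (not from the issue). The first two share a prefix
// longer than the limit and differ only near the end.
const DEEP_PREFIX = "TestStack/TestMatrix/Ubuntu1804Python37Node10/TestSuite/" +
  "IntegrationTestsAgainstStagingEnvironment/CodeBuildProjectForIntegrationTests/";
const SAMPLE_PATHS: string[] = [
  DEEP_PREFIX + "Project/Role/DefaultPolicy",
  DEEP_PREFIX + "Project/ServiceRole/DefaultPolicy",
  "Stack/Role/DefaultPolicy",
];

// Map each derived name back to its path and fail loudly on a collision,
// instead of letting two policies silently share one name.
function assignPolicyNames(paths: string[]): Record<string, string> {
  const byName: Record<string, string> = {};
  paths.forEach((path) => {
    const name = stablePolicyName(path);
    const existing = byName[name];
    if (existing !== undefined && existing !== path) {
      throw new Error(`Policy name collision: ${existing} and ${path} -> ${name}`);
    }
    byName[name] = path;
  });
  return byName;
}

const assigned = assignPolicyNames(SAMPLE_PATHS);
Object.keys(assigned).forEach((name) => {
  console.log(`${name.length} chars: ${name}`);
});
```

In the workaround, the derived name could replace the random value, for example by passing `stablePolicyName(policy.node.path)` to `addOverride`; that wiring is an assumption and was not tested against CDK 1.0.0.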
