Wrong policy action when creating an AwsCustomResource
Hello,
When I try to create the AwsCustomResource shown as an example in the documentation (https://docs.aws.amazon.com/cdk/api/latest/docs/custom-resources-readme.html), I get a CloudFormation error.
Reproduction Steps
import { App, Stack } from "@aws-cdk/core";
import { AwsCustomResource } from "@aws-cdk/custom-resources";

const app = new App();
// The construct needs a Stack as its scope ('ReproStack' is a placeholder id)
const stack = new Stack(app, 'ReproStack');

const verifyDomainIdentity = new AwsCustomResource(stack, 'VerifyDomainIdentity', {
  onCreate: {
    service: 'SES',
    action: 'verifyDomainIdentity',
    parameters: {
      Domain: 'example.com'
    },
    physicalResourceIdPath: 'VerificationToken' // Use the token returned by the call as physical id
  }
});
Error Log
Failed to create resource. User: arn:aws:sts::***:assumed-role/***-***/***-***-*** is not authorized to perform: ses:VerifyDomainIdentity
Environment
- CLI Version : 1.13.0 (build 250a270)
- Framework Version: 1.13.0
- OS : Debian
- Language : javascript
Other
When I look at the CloudFormation template created by cdk, the Action property is wrong. I got `"Action": "email:VerifyDomainIdentity"` instead of `"Action": "ses:VerifyDomainIdentity"`.
I think the mapping defined here is not correct for all services.
Workaround
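import { App, Stack } from "@aws-cdk/core";
import { PolicyStatement } from "@aws-cdk/aws-iam";
import { AwsCustomResource } from "@aws-cdk/custom-resources";

const app = new App();
// The construct needs a Stack as its scope ('ReproStack' is a placeholder id)
const stack = new Stack(app, 'ReproStack');

const verifyDomainIdentity = new AwsCustomResource(stack, 'VerifyDomainIdentity', {
  onCreate: {
    service: 'SES',
    action: 'verifyDomainIdentity',
    parameters: {
      Domain: 'example.com'
    },
    physicalResourceIdPath: 'VerificationToken' // Use the token returned by the call as physical id
  },
  // Explicit statement with the correct IAM prefix, replacing the generated one
  policyStatements: [
    new PolicyStatement({
      resources: ['*'],
      actions: ['ses:VerifyDomainIdentity'],
    }),
  ],
});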
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 4 years ago
- Reactions:14
- Comments:11 (4 by maintainers)
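A pre-deploy check for the mismatch described in this issue, as an added example that is not part of the original report or of the CDK code base: it scans a synthesized template for `AWS::IAM::Policy` Allow statements and returns the required IAM actions that none of them covers. The templates and logical ids are constructed, and Deny statements, conditions and Resource scoping are not evaluated.

```javascript
// Added example: constructed templates, trimmed to the fields the check reads.
// Logical ids are placeholders, not names CDK generates.
const generatedTemplate = {
  Resources: {
    CustomResourcePolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: {
          Version: '2012-10-17',
          Statement: [
            { Effect: 'Allow', Action: 'email:VerifyDomainIdentity', Resource: '*' },
          ],
        },
      },
    },
  },
};

// Same template with the explicit statement from the workaround.
const workaroundTemplate = JSON.parse(JSON.stringify(generatedTemplate));
workaroundTemplate.Resources.CustomResourcePolicy.Properties.PolicyDocument
  .Statement[0].Action = 'ses:VerifyDomainIdentity';

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may use * and ? wildcards.
function actionMatches(pattern, action) {
  const source = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${source}$`, 'i').test(action);
}

// Collect every Action pattern from Allow statements in AWS::IAM::Policy resources.
function allowedActionPatterns(template) {
  return Object.values(template.Resources || {})
    .filter((r) => r.Type === 'AWS::IAM::Policy')
    .flatMap((r) => asArray(r.Properties?.PolicyDocument?.Statement))
    .filter((s) => s.Effect === 'Allow')
    .flatMap((s) => asArray(s.Action))
    .filter((a) => typeof a === 'string');
}

// Return the required actions that no Allow statement in the template covers.
function missingActions(template, required) {
  const patterns = allowedActionPatterns(template);
  return required.filter((need) => !patterns.some((p) => actionMatches(p, need)));
}
```

Run against the output of `cdk synth`, a non-empty result for `['ses:VerifyDomainIdentity']` means the deployment would fail with the authorization error shown in the error log.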
Top GitHub Comments
Escalating to p1 as this has been pending and blocking for too long.

I’m not sure if this is an issue people are still struggling with, but here’s a potential workaround I found (I did not write it) that works for me:
Create a policy with the action as it should be in IAM (ex: ‘ses:verifyEmailIdentity’), then attach that policy to your custom resource, instead of having it create the policy using fromSdkCalls.
I’m sorry if this was already common knowledge/unhelpful, but I hope it’s helpful to someone as a workaround in the meantime!