Issue with group filter when run as lambda

See original GitHub issue

This ticket is related to #2454.

When policy is run as a Lambda function, the following messages appear in the CloudWatch logs:

[ERROR]	2018-06-05T22:20:12.415Z	79a5d662-690e-11e8-bd2d-d557592c4236	Error while executing policy
Traceback (most recent call last):
File "/var/task/c7n/policy.py", line 229, in run
resources = self.policy.resource_manager.resources()
File "/var/task/c7n/query.py", line 421, in resources
return self.filter_resources(resources)
File "/var/task/c7n/manager.py", line 90, in filter_resources
resources = f.process(resources, event)
File "/var/task/c7n/resources/iam.py", line 960, in process
for p in r['c7n:Groups']:
KeyError: u'c7n:Groups'
u'c7n:Groups': KeyError
Traceback (most recent call last):
File "/var/task/custodian_policy.py", line 4, in run
return handler.dispatch_event(event, context)
File "/var/task/c7n/handler.py", line 89, in dispatch_event
p.push(event, context)
File "/var/task/c7n/policy.py", line 739, in push
return mode.run(event, lambda_ctx)
File "/var/task/c7n/policy.py", line 504, in run
return PullMode.run(self)
File "/var/task/c7n/policy.py", line 229, in run
resources = self.policy.resource_manager.resources()
File "/var/task/c7n/query.py", line 421, in resources
return self.filter_resources(resources)
File "/var/task/c7n/manager.py", line 90, in filter_resources
resources = f.process(resources, event)
File "/var/task/c7n/resources/iam.py", line 960, in process
for p in r['c7n:Groups']:
KeyError: u'c7n:Groups'

Policy

policies:
  - name: mfa-unused-audit
    description: |
      Cloud Custodian MFA Admin Audit
    comments: |
      Retrieve list of all IAM users in the group 'CloudCustodianAdmins'
      who have not enabled MFA and delete their ssh-keys and access-keys.
      Also, disable access to management console.
    resource: iam-user
    mode:
      type: periodic
      role: arn:aws:iam::1234567890:role/CloudCustodianRole
      schedule: "rate(1 minute)"
    filters:
      - type: credential
        key: mfa_active
        value: false
      - type: group
        key: GroupName
        value: CloudCustodianAdmins
    actions:
      - type: delete
        options:
          - access-keys
          - ssh-keys
          - console-access

The policy runs clean when run locally.
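As an added example (not Cloud Custodian's own code), the following Python models the annotate-then-match pattern behind a group filter like the one in the policy above: every user is first annotated with its groups by a per-user lookup, and the filter then matches the requested GroupName against that annotation. The IAM client, the users and the group membership are constructed stand-ins (the client only mimics boto3's list_groups_for_user, and the strict flag is an assumption of this model). It shows why a lookup that fails without being surfaced leaves the annotation unwritten, so the match loop fails with the same KeyError: 'c7n:Groups' seen in the traceback above, whereas checking each worker's result re-raises the real lookup error instead.

```python
"""Model of an annotate-then-match IAM group filter (illustrative, not
Cloud Custodian's implementation).  Demonstrates how a silently failed
per-user group lookup turns into KeyError: 'c7n:Groups' in the match loop,
and a stricter variant that surfaces the lookup failure instead."""
from concurrent.futures import ThreadPoolExecutor, as_completed

# Constructed sample data: users as a list_users() call would return them.
USERS = [
    {"UserName": "alice"},
    {"UserName": "bob"},
    {"UserName": "carol"},
]

# Constructed group membership that the fake client looks up.
MEMBERSHIP = {
    "alice": [{"GroupName": "CloudCustodianAdmins"}, {"GroupName": "Developers"}],
    "bob": [{"GroupName": "Developers"}],
    "carol": [{"GroupName": "Administrators"}],
}


class FakeIamClient:
    """Stand-in for a boto3 IAM client; only list_groups_for_user is modelled."""

    def __init__(self, membership, deny=False):
        self.membership = membership
        self.deny = deny

    def list_groups_for_user(self, UserName):
        if self.deny:
            # Mimics the AccessDenied error a caller whose role lacks
            # iam:ListGroupsForUser would receive from the real API.
            raise PermissionError("AccessDenied: iam:ListGroupsForUser")
        return {"Groups": list(self.membership.get(UserName, []))}


def annotate_groups(client, users, strict):
    """Write 'c7n:Groups' onto each user dict via a worker-thread lookup.

    strict=False never inspects the futures, so an exception raised inside a
    worker is swallowed and the user is left without the annotation.
    strict=True calls f.result() on every future, which re-raises it."""

    def fetch(user):
        user["c7n:Groups"] = client.list_groups_for_user(
            UserName=user["UserName"])["Groups"]

    with ThreadPoolExecutor(max_workers=2) as pool:
        futures = [pool.submit(fetch, u) for u in users if "c7n:Groups" not in u]
        for f in as_completed(futures):
            if strict:
                f.result()  # surfaces PermissionError from the worker
    return users


def match_group(users, group_name, strict):
    """Return the names of users whose annotated groups include group_name,
    mirroring a value filter with key=GroupName over the annotation."""
    matched = []
    for user in users:
        if strict:
            groups = user.get("c7n:Groups")
            if groups is None:
                raise RuntimeError("user %s was never annotated" % user["UserName"])
        else:
            groups = user["c7n:Groups"]  # KeyError when the lookup was lost
        if any(g.get("GroupName") == group_name for g in groups):
            matched.append(user["UserName"])
    return matched


def run_filter(client, users, group_name, strict=True):
    """Annotate then match, on copies so the sample data stays untouched."""
    fresh = [dict(u) for u in users]
    annotate_groups(client, fresh, strict)
    return match_group(fresh, group_name, strict)


if __name__ == "__main__":
    print(run_filter(FakeIamClient(MEMBERSHIP), USERS, "CloudCustodianAdmins"))
    try:
        run_filter(FakeIamClient(MEMBERSHIP, deny=True), USERS,
                   "CloudCustodianAdmins", strict=False)
    except KeyError as e:
        print("fragile path:", repr(e))
```

The fragile path reproduces the symptom without any hint of the underlying cause, which is the practical point: when a filter that depends on an annotation raises KeyError on that annotation, the first thing to check is whether the call that writes it (here the per-user group lookup, which in AWS needs iam:ListGroupsForUser on the executing role) actually succeeded in that environment.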

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

1 reaction
davidclin commented, Jun 6, 2018

I went ahead and changed the title to more accurately reflect the reported issue.

0 reactions
davidclin commented, Jun 12, 2018

While the errors are no longer appearing, my group filter is not matching against any users when run as a Lambda.

Also, when I run my policy locally the group filter only matches when the GroupName is ‘Administrators’.

If the GroupName is anything else, the group filter shows no matches.

Temporary workaround is to run policy locally as a cron job – but ideally, I would like to run it as a Lambda filtering against any custom GroupName given.
