
"region: us-gov-west-1" generates ARNs for standard region "arn:aws:..." not arn:aws-us-gov:...

This is a Bug Report

Description

We are deploying in GovCloud, so we specify that in the provider.region. However, the generated template creates a PolicyDocument referencing logs with non-GovCloud ARNs.

For bug reports:

  • What went wrong?

In serverless.yml:

provider:
  name: aws
  region: us-gov-west-1    # need ARNs arn:aws-us-gov:...
  deploymentBucket:
    name: eva-ocr-deployment-${self:custom.stage}

If I do an “sls package”, I see that the cloudformation-template-update-stack.json has references to standard region ARNs like “arn:aws:…”:

            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "logs:CreateLogStream"
                  ],
                  "Resource": [
                    {
                      "Fn::Sub": "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/eva-ocr-izdev-DocPdfSplit:*"
                    },

  • What did you expect should have happened?

The generated ARNs for GovCloud should start with “arn:aws-us-gov:…” like:

                      "Fn::Sub": "arn:aws-us-gov:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/eva-ocr-izdev-PagePdfOcr:*"

  • What was the config you used?

(I don’t understand the question)

  • What stacktrace or error message from your provider did you see?

When I try to deploy, I see it complain about using “aws” instead of “aws-us-gov”:

CREATE_FAILED 
AWS::IAM::Role
IamRoleLambdaExecution
Partition "aws" is not valid for resource "arn:aws:logs:us-gov-west-1:644832730935:log-group:/aws/lambda/eva-ocr-dev-DocPdfSplit:*".

For feature proposals:

  • What is the use case that should be solved. The more detail you describe this in the easier it is to understand for us.
  • If there is additional config how would it look

Similar or dependent issues:

Additional Data

  • Serverless Framework Version you’re using: 1.9.0 patched with fix for #4040 #4048 because I don’t yet have access to GC for SLS to access the bucket.
  • Operating System: OSX El Capitan
  • Stack Trace: none
  • Provider Error messages: Partition “aws” is not valid for resource “arn:aws:logs:us-gov-west-1:644832730935:log-group:/aws/lambda/eva-ocr-dev-DocPdfSplit:*”.

If the ARNs aren’t being tweaked for GC, then SLS may not be handling other non-standard regions; sorry, I don’t know the code well enough yet.

FYI AWS GC ARNs: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 8 (4 by maintainers)
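
A pre-deploy check for the failure reported above, as an added example (not code from the issue or from the Serverless Framework): it walks a packaged CloudFormation template and flags every ARN whose hard-coded partition does not match the target region. The function names, the region-to-partition mapping and the second sample resource, which uses CloudFormation's `${AWS::Partition}` pseudo parameter, are assumptions made for illustration.

```javascript
// Region prefix -> partition. Only the public, China and GovCloud partitions
// are mapped here (assumption: other partitions are out of scope).
function partitionForRegion(region) {
  if (region.startsWith('us-gov-')) return 'aws-us-gov';
  if (region.startsWith('cn-')) return 'aws-cn';
  return 'aws';
}

// Literal partition in an ARN string. "arn:${AWS::Partition}:..." does not
// match, because it has no hard-coded partition to get wrong.
const ARN_RE = /arn:(aws[a-z-]*):[a-z0-9-]+:/g;

// Walk every string in the template and report ARNs whose partition differs
// from the one the target region belongs to.
function findPartitionMismatches(template, region) {
  const expected = partitionForRegion(region);
  const findings = [];
  (function walk(node, path) {
    if (typeof node === 'string') {
      for (const m of node.matchAll(ARN_RE)) {
        if (m[1] !== expected) findings.push({ path, found: m[1], expected });
      }
    } else if (Array.isArray(node)) {
      node.forEach((child, i) => walk(child, `${path}[${i}]`));
    } else if (node && typeof node === 'object') {
      for (const [key, child] of Object.entries(node)) {
        walk(child, path ? `${path}.${key}` : key);
      }
    }
  })(template, '');
  return findings;
}

// Constructed sample, modelled on the fragment in the report.
const sampleTemplate = {
  Resources: { IamRoleLambdaExecution: { Type: 'AWS::IAM::Role', Properties: {
    Policies: [{ PolicyDocument: { Version: '2012-10-17', Statement: [{
      Effect: 'Allow',
      Action: ['logs:CreateLogStream'],
      Resource: [
        { 'Fn::Sub': 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/eva-ocr-izdev-DocPdfSplit:*' },
        { 'Fn::Sub': 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/eva-ocr-izdev-PagePdfOcr:*' },
      ],
    }] } }],
  } } },
};

console.log(findPartitionMismatches(sampleTemplate, 'us-gov-west-1'));
```

Run against the output of `sls package`, a non-empty result means the IAM role would be rejected at deploy time with the `Partition "aws" is not valid` error quoted in the report.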

Top GitHub Comments

1 reaction
earlrob commented, May 18, 2021

I am trying to deploy to AWS govcloud and I see this error. Using v2.41.2

PR 6615 should have fixed this issue. You may want to open a new issue and provide details of your setup and the arn output that is causing an error.

1 reaction
maplion commented, Aug 1, 2019

I’m with @digitalageexperts: this needs to be resolved or serverless is not usable in govcloud.

Here’s my error:

Expected ARN arn:aws-us-gov:apigateway:us-gov-east-1::/... for Stage <stage> on RestApi <api id>, not arn:aws:apigateway:us-gov-east-1::/...