ecr:SetRepositoryPolicy missing for account activate with minimum permissions
ArlindNocaj opened this issue · 1 comment
ArlindNocaj commented
Describe the Bug
agc account activate is not working due to missing permissions in the admin policy described in https://aws.github.io/amazon-genomics-cli/docs/best-practices/iampermissions/
Relevant Logs
Admin:~/environment $ agc account activate
2022-11-22T08:36:14Z Activating AGC with bucket '' and VPC ''
Bootstrapping CDK... [--o-] 57s 2022-11-22T08:37:10Z [WARNING] aws-cdk-lib.aws_ssm.StringParameterProps#type is deprecated.
2022-11-22T08:37:10Z - type will always be 'String'
2022-11-22T08:37:10Z This API will be removed in the next major release.
2022-11-22T08:37:10Z [WARNING] aws-cdk-lib.aws_ssm.ParameterType is deprecated.
2022-11-22T08:37:10Z these types are no longer used
2022-11-22T08:37:10Z This API will be removed in the next major release.
2022-11-22T08:37:10Z [WARNING] aws-cdk-lib.aws_ssm.ParameterType#STRING is deprecated.
2022-11-22T08:37:10Z
2022-11-22T08:37:10Z This API will be removed in the next major release.
2022-11-22T08:37:10Z current credentials could not be used to assume 'arn:aws:iam::287209812789:role/cdk-agc-lookup-role-287209812789-us-east-1', but are for the right account. Proceeding anyway.
2022-11-22T08:37:10Z [WARNING] aws-cdk-lib.aws_ssm.StringParameterProps#type is deprecated.
2022-11-22T08:37:10Z - type will always be 'String'
2022-11-22T08:37:10Z This API will be removed in the next major release.
2022-11-22T08:37:10Z [WARNING] aws-cdk-lib.aws_ssm.ParameterType is deprecated.
2022-11-22T08:37:10Z these types are no longer used
2022-11-22T08:37:10Z This API will be removed in the next major release.
2022-11-22T08:37:10Z [WARNING] aws-cdk-lib.aws_ssm.ParameterType#STRING is deprecated.
2022-11-22T08:37:10Z
2022-11-22T08:37:10Z This API will be removed in the next major release.
2022-11-22T08:37:10Z ⏳ Bootstrapping environment aws://287209812789/us-east-1...
2022-11-22T08:37:10Z Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
2022-11-22T08:37:10Z Agc-CDKToolkit: creating CloudFormation changeset...
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:36 AM | REVIEW_IN_PROGRESS | AWS::CloudFormation::Stack | Agc-CDKToolkit User Initiated
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:42 AM | CREATE_IN_PROGRESS | AWS::CloudFormation::Stack | Agc-CDKToolkit User Initiated
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:47 AM | CREATE_IN_PROGRESS | AWS::S3::Bucket | StagingBucket
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:47 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | FilePublishingRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:47 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | LookupRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:47 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | ImagePublishingRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:47 AM | CREATE_IN_PROGRESS | AWS::ECR::Repository | ContainerAssetsRepository
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:47 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | CloudFormationExecutionRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:47 AM | CREATE_IN_PROGRESS | AWS::SSM::Parameter | CdkBootstrapVersion
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:48 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | FilePublishingRole Resource creation Initiated
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:48 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | ImagePublishingRole Resource creation Initiated
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:48 AM | CREATE_IN_PROGRESS | AWS::S3::Bucket | StagingBucket Resource creation Initiated
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:48 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | CloudFormationExecutionRole Resource creation Initiated
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:48 AM | CREATE_IN_PROGRESS | AWS::IAM::Role | LookupRole Resource creation Initiated
2022-11-22T08:37:10Z Agc-CDKToolkit | 0/12 | 8:36:49 AM | CREATE_IN_PROGRESS | AWS::SSM::Parameter | CdkBootstrapVersion Resource creation Initiated
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:36:50 AM | CREATE_COMPLETE | AWS::SSM::Parameter | CdkBootstrapVersion
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:36:51 AM | CREATE_IN_PROGRESS | AWS::ECR::Repository | ContainerAssetsRepository Resource creation Initiated
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:36:51 AM | CREATE_FAILED | AWS::ECR::Repository | ContainerAssetsRepository Resource handler returned message: "User: arn:aws:sts::287209812789:assumed-role/agc-admin/MySessionName is not authorized to perform: ecr:SetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:287209812789:repository/cdk-agc-container-assets-287209812789-us-east-1 because no identity-based policy allows the ecr:SetRepositoryPolicy action (Service: Ecr, Status Code: 400, Request ID: 4750e529-31ca-487f-b3e3-f88dda553ff4, Extended Request ID: null)" (RequestToken: d7a04c03-36c1-2d51-82e5-b49b43c7a035, HandlerErrorCode: GeneralServiceException)
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:36:52 AM | CREATE_FAILED | AWS::S3::Bucket | StagingBucket Resource creation cancelled
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:36:52 AM | CREATE_FAILED | AWS::IAM::Role | ImagePublishingRole Resource creation cancelled
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:36:52 AM | CREATE_FAILED | AWS::IAM::Role | FilePublishingRole Resource creation cancelled
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:36:52 AM | CREATE_FAILED | AWS::IAM::Role | CloudFormationExecutionRole Resource creation cancelled
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:36:52 AM | CREATE_FAILED | AWS::IAM::Role | LookupRole Resource creation cancelled
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:36:53 AM | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack | Agc-CDKToolkit The following resource(s) failed to create: [ImagePublishingRole, FilePublishingRole, LookupRole, StagingBucket, CloudFormationExecutionRole, ContainerAssetsRepository]. Rollback requested by user.
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:37:03 AM | DELETE_IN_PROGRESS | AWS::IAM::Role | FilePublishingRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:37:03 AM | DELETE_IN_PROGRESS | AWS::IAM::Role | ImagePublishingRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:37:03 AM | DELETE_IN_PROGRESS | AWS::IAM::Role | LookupRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:37:03 AM | DELETE_IN_PROGRESS | AWS::ECR::Repository | ContainerAssetsRepository
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:37:03 AM | DELETE_IN_PROGRESS | AWS::IAM::Role | CloudFormationExecutionRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:37:03 AM | DELETE_IN_PROGRESS | AWS::SSM::Parameter | CdkBootstrapVersion
2022-11-22T08:37:10Z Agc-CDKToolkit | 1/12 | 8:37:03 AM | DELETE_SKIPPED | AWS::S3::Bucket | StagingBucket
2022-11-22T08:37:10Z Agc-CDKToolkit | 2/12 | 8:37:04 AM | DELETE_COMPLETE | AWS::IAM::Role | FilePublishingRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 3/12 | 8:37:04 AM | DELETE_COMPLETE | AWS::IAM::Role | ImagePublishingRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 4/12 | 8:37:05 AM | DELETE_COMPLETE | AWS::IAM::Role | CloudFormationExecutionRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 5/12 | 8:37:05 AM | DELETE_COMPLETE | AWS::ECR::Repository | ContainerAssetsRepository
2022-11-22T08:37:10Z Agc-CDKToolkit | 4/12 | 8:37:05 AM | DELETE_COMPLETE | AWS::SSM::Parameter | CdkBootstrapVersion
2022-11-22T08:37:10Z Agc-CDKToolkit | 5/12 | 8:37:06 AM | DELETE_COMPLETE | AWS::IAM::Role | LookupRole
2022-11-22T08:37:10Z Agc-CDKToolkit | 6/12 | 8:37:07 AM | ROLLBACK_COMPLETE | AWS::CloudFormation::Stack | Agc-CDKToolkit
2022-11-22T08:37:10Z
2022-11-22T08:37:10Z Failed resources:
2022-11-22T08:37:10Z Agc-CDKToolkit | 8:36:51 AM | CREATE_FAILED | AWS::ECR::Repository | ContainerAssetsRepository Resource handler returned message: "User: arn:aws:sts::287209812789:assumed-role/agc-admin/MySessionName is not authorized to perform: ecr:SetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:287209812789:repository/cdk-agc-container-assets-287209812789-us-east-1 because no identity-based policy allows the ecr:SetRepositoryPolicy action (Service: Ecr, Status Code: 400, Request ID: 4750e529-31ca-487f-b3e3-f88dda553ff4, Extended Request ID: null)" (RequestToken: d7a04c03-36c1-2d51-82e5-b49b43c7a035, HandlerErrorCode: GeneralServiceException)
2022-11-22T08:37:10Z ❌ Environment aws://287209812789/us-east-1 failed bootstrapping: Error: The stack named Agc-CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "User: arn:aws:sts::287209812789:assumed-role/agc-admin/MySessionName is not authorized to perform: ecr:SetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:287209812789:repository/cdk-agc-container-assets-287209812789-us-east-1 because no identity-based policy allows the ecr:SetRepositoryPolicy action (Service: Ecr, Status Code: 400, Request ID: 4750e529-31ca-487f-b3e3-f88dda553ff4, Extended Request ID: null)" (RequestToken: d7a04c03-36c1-2d51-82e5-b49b43c7a035, HandlerErrorCode: GeneralServiceException)
2022-11-22T08:37:10Z at FullCloudFormationDeployment.monitorDeployment (/home/ec2-user/.agc/cdk/node_modules/aws-cdk/lib/api/deploy-stack.ts:496:13)
2022-11-22T08:37:10Z at processTicksAndRejections (node:internal/process/task_queues:96:5)
2022-11-22T08:37:10Z at /home/ec2-user/.agc/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:626:24
2022-11-22T08:37:10Z at async Promise.all (index 0)
2022-11-22T08:37:10Z at CdkToolkit.bootstrap (/home/ec2-user/.agc/cdk/node_modules/aws-cdk/lib/cdk-toolkit.ts:623:5)
2022-11-22T08:37:10Z at initCommandLine (/home/ec2-user/.agc/cdk/node_modules/aws-cdk/lib/cli.ts:357:12)
2022-11-22T08:37:10Z
2022-11-22T08:37:10Z The stack named Agc-CDKToolkit failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "User: arn:aws:sts::287209812789:assumed-role/agc-admin/MySessionName is not authorized to perform: ecr:SetRepositoryPolicy on resource: arn:aws:ecr:us-east-1:287209812789:repository/cdk-agc-container-assets-287209812789-us-east-1 because no identity-based policy allows the ecr:SetRepositoryPolicy action (Service: Ecr, Status Code: 400, Request ID: 4750e529-31ca-487f-b3e3-f88dda553ff4, Extended Request ID: null)" (RequestToken: d7a04c03-36c1-2d51-82e5-b49b43c7a035, HandlerErrorCode: GeneralServiceException)
2022-11-22T08:37:10Z error="exit status 1"
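The failure in the log is an identity-policy implicit deny: no statement in the assumed role's policy allows ecr:SetRepositoryPolicy on the container-assets repository. The following is an added example, not AGC's own code or its documented admin policy: a small evaluator for the Allow/Deny part of IAM identity-policy logic, run over a constructed ECR statement that lacks the action and over the same policy with a least-privilege statement added. The account ID, both policy documents, and the helper names are assumptions.

```python
import fnmatch

ACCOUNT, REGION = "123456789012", "us-east-1"   # constructed placeholder account
# Repository ARN in the shape CDK bootstrap uses for the container-assets repo.
REPO_ARN = (f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/"
            f"cdk-agc-container-assets-{ACCOUNT}-{REGION}")

# Constructed "before" policy: an ECR statement that omits ecr:SetRepositoryPolicy.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ecr:CreateRepository", "ecr:DeleteRepository",
                "ecr:DescribeRepositories", "ecr:PutLifecyclePolicy"],
     "Resource": "*"}]}

# Fix: grant only the missing action, and only on repositories CDK/AGC creates.
FIX_STATEMENT = {"Effect": "Allow", "Action": "ecr:SetRepositoryPolicy",
                 "Resource": f"arn:aws:ecr:*:{ACCOUNT}:repository/cdk-agc-*"}
AFTER = {"Version": "2012-10-17",
         "Statement": BEFORE["Statement"] + [FIX_STATEMENT]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value, fold_case):
    # IAM wildcards: '*' is any run of characters, '?' a single character.
    if fold_case:                       # action names match case-insensitively
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Identity-policy subset: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt or "NotResource" in stmt or "Condition" in stmt:
            raise ValueError("NotAction/NotResource/Condition are not modelled")
        if not any(_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed                      # False here is the implicit deny

def missing_actions(policy, actions, resource):
    """Actions from `actions` that the policy does not allow on `resource`."""
    return [a for a in actions if not is_allowed(policy, a, resource)]

if __name__ == "__main__":
    need = ["ecr:CreateRepository", "ecr:SetRepositoryPolicy"]
    print("before:", missing_actions(BEFORE, need, REPO_ARN))  # ['ecr:SetRepositoryPolicy']
    print("after: ", missing_actions(AFTER, need, REPO_ARN))   # []
```

Running the same check against the policy actually attached to the admin role, with the repository ARN from the error message, tells you before the next `agc account activate` whether the bootstrap will get past ContainerAssetsRepository.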
vvalleru commented
Because the previous deployment/cleanup failed, you need to delete it manually first before attempting to deploy it again.