binxio/cfn-secret-provider

When trying to use the Python 3.9 runtime, a new corporate requirement due to 3.8 vulnerabilities, getting cffi errors.

Closed this issue · 6 comments

arkrud commented

While creating a private key in CloudFormation: Received response status [FAILED] from custom resource. Message returned: ModuleNotFoundError: No module named '_cffi_backend' (RequestId: 3860dfd8-3261-4bbc-a634-73a89c468287)

Hi @arkrud, thank you for opening an issue. Which version are you using? Versions >= 2.0.0 of the provider are built for the Python3.9 runtime.

Please reopen if the problem persists.

arkrud commented

I tried it with version 2.0.1 and Python3.9 and get the same error:
Received response status [FAILED] from custom resource. Message returned: ModuleNotFoundError: No module named '_cffi_backend' (RequestId: 3bda91a4-ffdd-418b-a2a4-8769a04c6fe3)

arkrud commented

Hi @arkrud,

Which region are you deploying from? I can reproduce this exact error only when I explicitly remove the file _cffi_backend.cpython-39-x86_64-linux-gnu.so from the zip file.

# Download and unpack the released Lambda zip
$ aws s3 cp s3://binxio-public-eu-west-1/lambdas/cfn-secret-provider-2.0.1.zip /tmp
$ mkdir /tmp/content && cd /tmp/content
$ unzip ../cfn-secret-provider-2.0.1.zip
# Append a main block to the provider module (the traceback below points at line 208 of this file)
$ cat >> cfn_rsakey_provider.py <<!
if __name__ == "__main__":
    key = rsa.generate_private_key(
        backend=crypto_default_backend(),
        public_exponent=65537,
        key_size=2048
    )
!
# With the shared object present, key generation runs without error
$ docker run -v $HOME/.aws:/root/.aws \
       -v $PWD:/task -w /task --platform linux/amd64 \
       --entrypoint python3 \
       python:3.9 cfn_rsakey_provider.py
# Rename the cffi shared object so it can no longer be imported, then run again
$ mv _cffi_backend.cpython-39-x86_64-linux-gnu.so{,-}
$ docker run -v $HOME/.aws:/root/.aws \
       -v $PWD:/task -w /task --platform linux/amd64 \
       --entrypoint python3 \
       python:3.9 cfn_rsakey_provider.py
Traceback (most recent call last):
  File "/task/cfn_rsakey_provider.py", line 208, in <module>
    backend=crypto_default_backend(),
  File "/task/cryptography/hazmat/backends/__init__.py", line 8, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/task/cryptography/hazmat/backends/openssl/__init__.py", line 6, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/task/cryptography/hazmat/backends/openssl/backend.py", line 63, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/task/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ModuleNotFoundError: No module named '_cffi_backend'
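
A packaging check for the failure reproduced above, as an added example that is not part of the thread or the project's own code: it inspects a Lambda zip for CPython extension modules whose ABI tag does not match the configured runtime and for a missing `_cffi_backend`. The function names, the `runtime`/`arch` parameters and the sample zip contents are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Matches CPython extension modules such as
# _cffi_backend.cpython-39-x86_64-linux-gnu.so (abi3 modules are skipped).
EXT_RE = re.compile(r"(?P<module>[^/]+?)\.cpython-(?P<tag>\d+)-(?P<platform>[^/]+)\.so$")


def check_lambda_zip(zip_file, runtime="python3.9", arch="x86_64"):
    """Return a list of problems found in a Lambda deployment zip."""
    major, minor = re.fullmatch(r"python(\d+)\.(\d+)", runtime).groups()
    want_tag = major + minor  # python3.9 -> "39"
    problems = []
    cffi_ok = False
    with zipfile.ZipFile(zip_file) as zf:
        for name in zf.namelist():
            m = EXT_RE.search(name)
            if not m:
                continue
            matches = m["tag"] == want_tag and m["platform"].startswith(arch + "-linux")
            if not matches:
                problems.append(f"{name}: built for cpython-{m['tag']} {m['platform']}")
            elif m["module"] == "_cffi_backend":
                cffi_ok = True
    if not cffi_ok:
        problems.append(f"no _cffi_backend extension for {runtime}/{arch}")
    return problems


def make_zip(names):
    """Build an in-memory zip with empty members (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples: one zip matching the runtime, one built for another CPython.
    ok = make_zip(["cfn_rsakey_provider.py", "_cffi_backend.cpython-39-x86_64-linux-gnu.so"])
    stale = make_zip(["cfn_rsakey_provider.py", "_cffi_backend.cpython-38-x86_64-linux-gnu.so"])
    for label, z in (("matching", ok), ("stale", stale)):
        print(label, check_lambda_zip(z) or "OK")
```

Running this against every zip a template references, before deployment, catches a code package that does not match the function's runtime.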

arkrud commented

Hi,

I see the error in us-east-1.

Ark

arkrud commented

I noticed that I changed the reference to zip release v2.0.1 in only one place in the CF template.
When I updated it in both locations, it started working.
So you can close the issue.

Thank You,

Arkadiy