Bugs: AccessDeniedException: Resource is not in the state functionActive

Question

Bugs: AccessDeniedException: Resource is not in the state functionActive

Opened this issue a year ago · 7 comments

Version: v1.0.9

When I deployed, I got the following error in CloudFormation Event message.

(This deployment has no changes in Lambda, IAM Role and IAM Policy, only Custom Resource has changes for update.)

ECSConstruct/EcrConstruct/ImageScannerWithDockle/Default/Default (ECSConstructEcrConstructImageScannerWithDockle0DCA0262) Received response status [FAILED] from custom resource. Message returned: AccessDeniedException: Resource is not in the state functionActive
    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:61:27)
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:61:8)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12) (RequestId: xxxxxxxxxxxxxxxxx)

Answer 1 · 2023-09-05T05:52:14.000Z

Custom Resource Provider Role Policy missing?

https://stackoverflow.com/questions/76819690/accessdeniedexception-resource-is-not-in-the-state-functionactivev2-at-object-e

Answer 2 · 2023-09-05T05:52:48.000Z

However, when I retried deployment (after complete updating rollback for UPDATE_ROLLBACK_FAILED), I succeeded...

Answer 3 · 2023-09-05T06:56:12.000Z

Tried it multiple times with different stacks, but all of them will be the error at first.

And in all, retries are successful.

Answer 4 · 2023-09-05T07:01:42.000Z

Provider has next policies. But no change after a successful retry.

AWSLambdaBasicExecutionRole

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Inline

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "lambda:InvokeFunction",
            "Resource": [
                "arn:aws:lambda:ap-northeast-1:123456789012:function:dev-main-BastionTunnel-CustomImageScannerWithDockl-hzy008aOF787",
                "arn:aws:lambda:ap-northeast-1:123456789012:function:dev-main-BastionTunnel-CustomImageScannerWithDockl-hzy008aOF787:*"
            ],
            "Effect": "Allow"
        }
    ]
}

Answer 5 · 2023-09-05T10:14:31.000Z

Retry succeeds, so I'll close it this time for now...

Answer 6 · 2024-03-20T10:46:59.000Z

What policy you have added to your role? I am also getting the same AccessDenied error.

Answer 7 · 2024-03-21T12:43:27.000Z

Users of this library do not need to specify explicit policies.
Apparently this is a bug on the aws-cdk side.

aws/aws-cdk#26838