(aws_ecs): CDK insists on Modifying the ECS Execution/Task Role with duplicate permissions, resulting policy Is too big to deploy #18926
Comments
Thanks for reporting this @mdesouky, We're aware of this issue, and haven't had the time to put in the fix for it since messing with policies is really tricky, but is a priority to get done this year. We're tracking the issue in a few places, as there are a couple different ways we can help to prevent this error. Here are a few places where we're tracking it: #16244 #14713 and a PR #16350 Please give thumbs up on these issues, that is the best way to help us prioritize them 🙂 Ping me if you have any other concerns
The additional policies are being added because when you call the code at `aws-cdk/packages/@aws-cdk/aws-ecs/lib/container-definition.ts` (lines 455 to 467 in 22b034f), the CDK will create a new policy as a child of the execution role you've created. You can access and override this policy with escape hatches:

```python
# The Policy construct CDK adds under the role is the L2; the CloudFormation
# resource to override is its default child (the CfnPolicy).
policy = ecs_execution_role.node.find_child("DefaultPolicy")
cfn_policy = policy.node.default_child
cfn_policy.add_property_override("PolicyDocument", policy_document)
```
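The escape hatch above replaces the whole `PolicyDocument`, so the caller has to supply a document that still fits IAM's quota. The following is an added example, not code from the aws-cdk project or from anyone in this thread: a plain-Python check that can be run over a synthesized policy document (a constructed sample is embedded) to merge statements that grant the same actions to overlapping resources and to measure the result against the 10,240-character limit IAM applies to a role's inline policies, counted without whitespace. The sample ARNs, account id and helper names are assumptions made for the example.

```python
import json

# IAM service quota: a role's inline policies may total at most 10,240
# characters, counted without whitespace (the limit the issue runs into).
ROLE_INLINE_POLICY_LIMIT = 10240

# Constructed sample document: the caller's own statements followed by the
# ones a construct re-adds for the same role (the duplicates are deliberate).
SAMPLE_POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111111111111:log-group:/ecs/sample:*"},
        {"Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue",
         "Resource": ["arn:aws:secretsmanager:us-east-1:111111111111:secret:db-a",
                      "arn:aws:secretsmanager:us-east-1:111111111111:secret:db-b"]},
        # Re-added by the construct: same grants, different ordering and shape.
        {"Effect": "Allow",
         "Action": ["logs:PutLogEvents", "logs:CreateLogStream"],
         "Resource": "arn:aws:logs:us-east-1:111111111111:log-group:/ecs/sample:*"},
        {"Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue"],
         "Resource": "arn:aws:secretsmanager:us-east-1:111111111111:secret:db-a"},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _compact(values):
    """IAM accepts a bare string for a single-element list; use the shorter form."""
    return values[0] if len(values) == 1 else values


def _merge_key(stmt):
    """Statements with the same Effect, Action set and Condition can be merged by
    unioning their Resources without changing what the policy grants."""
    return (
        stmt.get("Effect"),
        tuple(sorted(_as_list(stmt.get("Action", [])))),
        json.dumps(stmt.get("Condition", {}), sort_keys=True),
    )


def dedupe_statements(document):
    """Return a new document with duplicate or overlapping statements merged.
    Statements using NotAction, NotResource or a Principal are passed through
    untouched, because merging those is not a simple union."""
    merged, passthrough = {}, []
    for stmt in document["Statement"]:
        if any(k in stmt for k in ("NotAction", "NotResource", "Principal", "NotPrincipal")):
            passthrough.append(stmt)
            continue
        key = _merge_key(stmt)
        bucket = merged.setdefault(key, {"Effect": stmt.get("Effect"),
                                         "Action": sorted(_as_list(stmt.get("Action", []))),
                                         "Resource": set()})
        if "Condition" in stmt:
            bucket["Condition"] = stmt["Condition"]
        bucket["Resource"].update(_as_list(stmt.get("Resource", [])))

    statements = []
    for bucket in merged.values():
        out = {"Effect": bucket["Effect"]}
        if bucket["Action"]:
            out["Action"] = _compact(bucket["Action"])
        resources = sorted(bucket["Resource"])
        if resources:
            out["Resource"] = _compact(resources)
        if "Condition" in bucket:
            out["Condition"] = bucket["Condition"]
        statements.append(out)
    return {"Version": document["Version"], "Statement": statements + passthrough}


def policy_size(document):
    """Character count the way IAM measures it: JSON with whitespace stripped."""
    return len(json.dumps(document, separators=(",", ":")))


def check_policy(document, limit=ROLE_INLINE_POLICY_LIMIT):
    """Report statement counts and sizes before/after merging, and whether the
    merged document fits the role inline-policy quota."""
    deduped = dedupe_statements(document)
    return {
        "statements_before": len(document["Statement"]),
        "statements_after": len(deduped["Statement"]),
        "size_before": policy_size(document),
        "size_after": policy_size(deduped),
        "fits": policy_size(deduped) <= limit,
    }


if __name__ == "__main__":
    print(json.dumps(check_policy(SAMPLE_POLICY_DOCUMENT), indent=2))
```

Run against a document extracted from `cdk synth` output (the `PolicyDocument` property of the generated `AWS::IAM::Policy`), the merged document is what you would hand to `add_property_override`; the `fits` flag tells you before deploying whether CloudFormation will still reject it. The merge is only safe for plain Allow/Deny statements with `Action` and `Resource`, which is why anything else is passed through unchanged.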
I'm seeing a similar issue but with logging. How does this escape hatch mechanism work?
What is the problem?
Trying to create a scheduled fargate task, I created the necessary IAM role to use as both Execution Role and Task Role in the definition as follows:
IAM Role:
Passing it to the function creating the task:
The Code Creating the task:
The resulting CFN template has got extra permissions added to the role created by myself and not by the task definition construct. This wouldn't be such a big problem if it weren't for the huge number of secrets we're using, which made the policy too big to deploy.
Got the following error from CFN:
Here is the resulting CFN template:
Reproduction Steps
cdk synth
What did you expect to happen?
Only the permissions I added to the role would be there.
What actually happened?
CDK added duplicate permissions to a role that was not created by the task definition construct.
CDK CLI Version
2.12.0 (build c9786db)
Framework Version
No response
Node.js Version
v17.0.1
OS
macOS Monterey
Language
Python
Language Version
Python 3.8.8
Other information
Get the same results running in a Docker container based on python:3.8-slim