Setting existing:true on S3 bucket causes deployment to fail #6771
Comments
@Kasmilos thanks for the report. What exactly is the error reported in CloudFormation? (The above log just indicated that some error happened, but we don't know what failed exactly) |
Executing with SLS_DEBUG=* does not give any additional information during the deployment
It does not give any additional information about the failure reason that I can see. The execution terminates with:
The log mentioned at the start of the error report has already been deleted by the rollback before I can get to it. From digging around the template file, it is clear that the execution of the custom resource javascript fails during the CREATE event for S3uploadedCustomS31. The function CustomDashresourceDashexistingDashs3LambdaFunction is the one that is executed in this case and it has been created as is seen in the log. That function does two things in succession
One of these is causing the failure but I have no way of determining which, partly because the error message is vague and partly because the entire stack gets rolled back, deleting the logs.
Is there anything else I can do to get more info? |
try to check: |
We are facing same error with |
I get this when I set |
Are you running this with some limited rights on account, or maybe relying on It looks that custom resource was not able to apply needed configuration due to access issue. |
In my case I had to change
to
(notice the two extra spaces) It's weird how the error message is so cryptic though |
@tommedema it's a problem of lack of validation on the Framework side. We plan to solve it with: #6562 |
So I've checked the spacing on my
An error occurred: S3Bucket{name} already exists. |
@jdelaune please share full content of |
|
@jdelaune thanks, can you provide also full output of |
My apologies, figured out my issue was our CI server had an old version of serverless on it before the existing property was supported. It works as expected. |
I am getting an error when Did anyone find a solution? |
Updating to version 1.77.0 fixed it for me |
If anybody faces the issue below AND is using custom
Ensure your custom cfn role has the following actions allowed:
|
Yeah, this is also crazy, and still ongoing. They need to fix that delta in yaml config for s3. Totally maddening, imo |
@wkhatch Such configuration errors are now neatly reported by our config schema based validation. Ensure you use the latest version of the Framework |
Hi All, I have something like that error, my serverless configuration is the following:

```yaml
service: NAMESERVICE
provider:
  name: aws
  runtime: dotnetcore3.1
  timeout: 10
  autoPublishAlias: live
  region: us-east-2 # AWS region
  deploymentBucket:
    name: BUCKETDEPLOY
  iam:
    role: NAMEROLE
    deploymentRole: DEPLOYROLE
  vpc:
    securityGroupIds:
      - SECURITYGROUPID
    subnetIds:
      - SUBNETIDID
package:
  artifact: CACHEPACKAGE
functions:
  eventRequest:
    name: NAMELAMBDA
    handler: HANDLERAPI
    events:
      - s3:
          bucket: NAMES3
          event: s3:ObjectCreated:*
          rules:
            - prefix: waves/
            - suffix: .csv
          existing: true
```

But at the time of deploying it gave me the following error:

```
Serverless Error ----------------------------------------

  An error occurred: CustomDashresourceDashexistingDashs3LambdaFunction - Resource handler returned message: "The role defined for the function cannot be assumed by Lambda. (Service: Lambda, Status Code: 400, Request ID: f079df33-4ddf-4543-bb49-517b2fd43fc7, Extended Request ID: null)" (RequestToken: bff75f0e-1f65-795c-3b03-84f7192b2913, HandlerErrorCode: InvalidRequest).
```

Please, I need your help |
@d3m0n1n it appears that role you list at |
Hi @medikoo, But the truth is that the deploymentRole has the trust permissions. The problem is when I remove "existing: true" in serverless.yml, CloudFormation tries to create resource s3 that exists, right now and when I use "existing: true", CloudFormation fails giving the above mentioned error |
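Added example, not part of the thread or of Serverless Framework code: a check over a role's trust policy document showing which service principals may assume it, which is the condition the Lambda error quoted above refers to. The two policy documents are constructed samples, the function names are hypothetical, and `Condition` blocks are not evaluated.

```javascript
// Added example: which AWS service principals a role's trust policy lets assume it.
// Policy documents below are constructed samples; Condition blocks are not evaluated.
const asArray = (v) => (v === undefined || v === null ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may use * and ? wildcards.
function actionMatches(pattern, action) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$', 'i');
  return re.test(action);
}

// True when the statement names the service principal and covers sts:AssumeRole.
function statementCovers(stmt, service) {
  const services = asArray(stmt.Principal && stmt.Principal.Service);
  return services.includes(service) &&
    asArray(stmt.Action).some((p) => actionMatches(p, 'sts:AssumeRole'));
}

// An explicit Deny overrides any Allow.
function assumableByService(trustPolicy, service) {
  const stmts = asArray(trustPolicy.Statement);
  const allowed = stmts.some((s) => s.Effect === 'Allow' && statementCovers(s, service));
  const denied = stmts.some((s) => s.Effect === 'Deny' && statementCovers(s, service));
  return allowed && !denied;
}

// Constructed: a role trusted only by CloudFormation (usable as a deployment role).
const deployRoleTrust = {
  Version: '2012-10-17',
  Statement: { Effect: 'Allow', Principal: { Service: 'cloudformation.amazonaws.com' }, Action: 'sts:AssumeRole' },
};

// Constructed: a role trusted by Lambda (usable as a function execution role).
const lambdaRoleTrust = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Principal: { Service: ['lambda.amazonaws.com'] }, Action: ['sts:assumerole'] },
  ],
};

for (const [name, doc] of Object.entries({ deployRoleTrust, lambdaRoleTrust })) {
  console.log(name, {
    lambda: assumableByService(doc, 'lambda.amazonaws.com'),
    cloudformation: assumableByService(doc, 'cloudformation.amazonaws.com'),
  });
}
```

To run it against a real role, replace the sample objects with the role's trust policy document exported as JSON.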
I read in the documentation that Output:
Here's my config:
|
@jazwiecki - The error you're seeing is unrelated to S3 bucket - if you don't specify a role for Lambda functions to use, one will be created for you by Serverless Framework and used by your functions. You can avoid that by specifying an existing role. You can read more about it here: https://www.serverless.com/framework/docs/providers/aws/guide/iam#iam |
That did it! Thank you. |
Glad to hear that @jazwiecki 🙌 |
|
Did you manage to solve this? I still have this issue |
I have a very similar issue, the difference is that the deployment works but sls remove gives me this error: I am also using |
I also encountered this a while ago. It turns out that my bucket name is correct. The version that I'm using is:
TLDR; The fix is to update Serverless to the latest version and make sure that your S3 bucket name is correct. |
So would all 6 of these abilities need to be part of the role referenced in 'role: role-arn-here' or the 'deploymentRole: role-arn-here' ? |
We ran into this issue. Our deployment role does not have It looks like this role is created as the lambda execution role for a custom lambda that adds the event trigger to S3. It is always created if you're using an existing bucket. See here and here. There's an analogous feature in the console where it grants S3 the permissions to invoke the bucket. We solved this problem by manually adding the event triggers after deploying the lambda. If you are looking for future features it would be nice if there was a way to specify the execution role for the custom lambda. |
@sblack4 custom lambda covers deployment steps that cannot be done via CF, so technically it should work with the same deployment role used for CF deployments. Also, ideally, if there would be no custom resource involved, and in some cases, we managed to get rid of that requirement |
You're right on both points. Users could use the same role for the custom lambda as they do for the main lambda. Rather than give them a boolean to do just that I think it would be simpler to optionally specify the role by name/arn. Then if they want to create separate roles they can |
Hi @medikoo , I'm struggling with the same issue where the CF fails after some time with:
The thing is that I know the feature of linking events to an existing s3 works, as I've been doing it on another project. However this project is a bit different in setup on AWS level. I was able to get some logs from the custom resource errors. Hopefully this can shed some light for someone here and lead us in the right direction:
The serverless config is a bit hard to copy paste, but it is very basic approach:
If you need any other info let me know. Cheers |
@tonivdv This error signals that you've moved to the Node.js runtime which doesn't host If require of Side solution could be to add |
Hey @medikoo , Thanks for reacting so fast despite you're not part of Serverless Inc anymore. The runtime it is running in is fine: But I'm wondering ... the major difference with the other project is that this serverless project runs lambdas inside the vpc ... So could it be that this internal custom resource runs lambda's in the normal way and can't access the lambda inside the vpc to do the configuration? |
@tonivdv this runtime definitely doesn't host |
@medikoo but are we influencing anything on how we use serverless that can cause this? Because that custom resource stuff is internally generated by serverless framework right? |
Ok, so I think I understand ... the custom resource generated by Serverless framework is generating this with aws sdk 2 which is not available since node 18 ... and this is causing the issue ... If my understanding is correct, can I fix that easily or is there an internal fix needed inside serverless framework? |
I am getting this error while trying to deploy lambda using serverless. |
@tonivdv were you able to figure out how to package the aws-sdk dependency with the custom resource function? I'm not seeing a clear path here. @medikoo could you possibly expand on this:
Specifically, how would I add |
@cwinters8 unfortunately not :( |
@cwinters8 yes, that I think was a mistake on my side. I overlooked that the framework packages custom resource lambdas independently and what dependencies you define in the service is not relevant. I assume as long as the Framework is not upgraded the only solution is to hack it somehow (via plugin). I take it it'll be possible but will require some understanding of its internals. |
Bug Report
Setting existing:true on S3 bucket causes deployment to fail
Description
What did you do?
Added existing:true to S3 function. The deployment works correctly for a new bucket.
What happened?
The deployment fails with:
and then rolls back everything else.
The rollback for S3uploadedCustomS31 fails of course.
What should've happened?
Deployment should complete. The step that fails is the custom resource handler that attaches the necessary policies to the function handler and the existing bucket. It is not clear which step fails. I suspect it is attaching the permission to the lambda.
What's the content of your `serverless.yml` file?
Reduced file for clarity
`SLS_DEBUG=*` environment variable (e.g. `SLS_DEBUG=* serverless deploy`)
sls does not fail, but the AWS deployment does.
Similar or dependent issues:
`existing: true` on an s3 lambda event causes deployment to fail #6638
This gave a different error.
Because the whole stack rolls back due to the error, there are no AWS logs to track down the issue. Debugging CloudFormation custom resources is a bit of a dark art.