Sunday, August 7, 2022

CloudFormation Key Template Fails: ‘Status’ | by Teri Radichel | Bugs That Bite | Aug, 2022


Very odd results with different kinds of CLI profiles

Using an EC2 instance profile I was able to run the following command:

The command runs, but fails with the following error.

Resource handler returned message:

The new key policy will not allow you to update the key policy in the future. Service: Kms, Status Code: 400

The key policy uses a specific role for the administrative principal.

I created a user with an associated virtual MFA device.

I created a profile for the AWS CLI with role_arn set to the key administrator role.

I ran aws configure and set the credentials for the user.

When I run the command above using the role profile I get:

That’s not exactly helpful.

To verify that my profile works correctly I ran a command to check the identity.

aws sts get-caller-identity --profile kms

The results show an assumed role:

arn:aws:sts::xxxxxxxx:assumed-role/KmsKeyAdministrator/botocore-session-xxxxxxx

The assumed role matches the role in my KMS policy.

Initially I got an error about not having a source profile. I didn’t want to use the default source profile because that profile uses EC2 instance credentials, not my user’s credentials. So I set the source profile to the profile itself.

Obviously that doesn’t work. What if I create a separate profile for the user credentials and the role? I created two separate profiles.

My ~/.aws/config now looks like this:

[profile kmsuser]
region = us-west-2
output = json
mfa_serial=arn:aws:iam::xxxxxxxxxxxxx:mfa/KmsKeyAdmin
[profile kms]
role_arn=arn:aws:iam::xxxxxxxxxxx:role/KmsKeyAdministrator
source_profile = kmsuser

In my .aws/credentials file I changed the name of the profile holding the user credentials to kmsuser, to match the profile with the MFA serial number in the config file above.

Then I got this error instead:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::xxxxxxxxx:user/KmsKeyAdmin is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxx:role/KmsKeyAdministrator

That’s odd. I just checked the trust policy of my role, and this user has permission to assume this role in the trust policy when using MFA.

However… let’s check the user’s IAM permissions again.

I had set the user’s permissions to the same permissions as the KMS key admin but didn’t give the user sts:AssumeRole permission. That’s not right. I need to remove the KMS admin policy and give the user permission to assume the KMS Admin role.

Weird, even after adding an IAM policy with sts:AssumeRole for the specific role with MFA required, the user can’t assume the role.

I added the MFA serial number to the CLI profile with the role, in addition to the one with the user credentials, like this:

[profile kmsuser]
region = us-west-2
output = json
mfa_serial=arn:aws:iam::xxxxxxxxxxxxx:mfa/KmsKeyAdmin
[profile kms]
role_arn=arn:aws:iam::xxxxxxxxxxx:role/KmsKeyAdministrator
source_profile = kmsuser
mfa_serial=arn:aws:iam::xxxxxxxxxxxxx:mfa/KmsKeyAdmin
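The profile chain above is easy to get subtly wrong, and the CLI error for each mistake is different. As an added example (not code from the post), here is a small Python linter that reads ~/.aws/config and ~/.aws/credentials text and reports the three problems the post hit: a role profile with no source_profile (or credential_source), a source_profile that points at itself, and an mfa_serial that sits on the user profile but not on the role profile. The sample config and credentials strings, the account id 111111111111 and the access key values are constructed placeholders.

```python
"""Lint a role-profile chain in AWS CLI config files (added example).

This is not the post's own code. It encodes the three mistakes the post walks
through: a role profile with no source_profile, a source_profile that points
at itself, and an MFA-protected role whose mfa_serial sits only on the user
profile. Sections follow the real layout: "[profile name]" in ~/.aws/config
(the default profile has no prefix) and "[name]" in ~/.aws/credentials.
"""
import configparser
import re
from typing import Dict, List

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
MFA_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:mfa/[\w+=,.@/-]+$")


def _profiles(ini_text: str, config_style: bool) -> Dict[str, Dict[str, str]]:
    """Parse INI text into {profile_name: {key: value}}."""
    # Only "=" separates keys from values; ":" is legitimate inside ARNs.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(ini_text)
    out: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        name = section
        if config_style and section.startswith("profile "):
            name = section[len("profile "):].strip()
        out[name] = {k: v.strip() for k, v in cp[section].items()}
    return out


def lint_profiles(config_text: str, credentials_text: str) -> List[str]:
    """Return one finding per broken link in each role profile's chain."""
    cfg = _profiles(config_text, config_style=True)
    creds = _profiles(credentials_text, config_style=False)
    findings: List[str] = []

    for name, prof in cfg.items():
        role_arn = prof.get("role_arn")
        if role_arn is None:
            continue  # plain credential profile, nothing to chain
        if not ROLE_ARN_RE.match(role_arn):
            findings.append(f"{name}: role_arn '{role_arn}' is not an IAM role ARN")

        src = prof.get("source_profile")
        if src is None:
            # credential_source (e.g. Ec2InstanceMetadata) is the other valid way
            # to supply the credentials that call AssumeRole.
            if "credential_source" not in prof:
                findings.append(f"{name}: role_arn set but no source_profile or "
                                "credential_source to call AssumeRole with")
            continue
        if src == name:
            findings.append(f"{name}: source_profile points at itself")
            continue
        src_prof = cfg.get(src, {})
        src_creds = creds.get(src, {})
        if not src_prof and not src_creds:
            findings.append(f"{name}: source_profile '{src}' does not exist")
            continue
        if "aws_access_key_id" not in src_creds and "role_arn" not in src_prof:
            findings.append(f"{name}: source_profile '{src}' has no access keys "
                            "in the credentials file")

        # The CLI sends an MFA code with AssumeRole only when mfa_serial is on
        # the role profile itself; on the user profile alone it does nothing.
        if "mfa_serial" in src_prof and "mfa_serial" not in prof:
            findings.append(f"{name}: mfa_serial is on '{src}' but not on the role "
                            "profile, so AssumeRole is called without MFA")
        serial = prof.get("mfa_serial")
        if serial is not None and not MFA_ARN_RE.match(serial):
            findings.append(f"{name}: mfa_serial '{serial}' is not an MFA device ARN")
    return findings


# Constructed samples mirroring the post's first (self-referencing) and final
# (two-profile) configurations; account id, keys and serial are placeholders.
CREDENTIALS = """
[kmsuser]
aws_access_key_id = AKIAPLACEHOLDER00000
aws_secret_access_key = placeholder-not-a-real-secret
"""
BROKEN_CONFIG = """
[profile kms]
region = us-west-2
role_arn = arn:aws:iam::111111111111:role/KmsKeyAdministrator
source_profile = kms
"""
HALF_MFA_CONFIG = """
[profile kmsuser]
region = us-west-2
output = json
mfa_serial = arn:aws:iam::111111111111:mfa/KmsKeyAdmin
[profile kms]
role_arn = arn:aws:iam::111111111111:role/KmsKeyAdministrator
source_profile = kmsuser
"""
WORKING_CONFIG = HALF_MFA_CONFIG + "mfa_serial = arn:aws:iam::111111111111:mfa/KmsKeyAdmin\n"

if __name__ == "__main__":
    for label, text in [("broken", BROKEN_CONFIG), ("half-mfa", HALF_MFA_CONFIG),
                        ("working", WORKING_CONFIG)]:
        print(label, lint_profiles(text, CREDENTIALS) or "OK")
```

Run it against the real files with `lint_profiles(open(os.path.expanduser("~/.aws/config")).read(), open(os.path.expanduser("~/.aws/credentials")).read())`; an empty list means every role profile can reach long-term credentials and, where the source profile is MFA-protected, the role profile will actually prompt for a code.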

Now we’re getting somewhere. I got a different permission error and an indication that the user did actually assume the role successfully.

However, after I added the missing permission for TemplateGetSummary, I was back to the unhelpful ‘Status’ result.

What I noticed was that the CloudFormation template is actually deploying. The status is stuck at ‘Review in Progress’. Maybe my role is missing permissions to check the status of the deployment.

Let’s see what we can find in CloudTrail.

I don’t find any useful failed requests to help me resolve this.

What action might that be?

Once again I decide it’s easier to grant cloudformation:* because it’s too difficult to try to figure out which of the permissions my policy actually requires (for now).

After doing so I get an error for CreateKey even though my user clearly has permissions to create a key. However, since I’m using a role for this, perhaps the MFA condition is breaking the update now, even though MFA is applied to the CLI profile. Back to CloudTrail.

Sure enough, MFA is not in the CloudTrail record in the key specified in the condition:

Although someone tried to tell me MFA is present here, it’s not. Sure, I can backtrack to the user that originally assumed the role to see if they used MFA, but that doesn’t make my MFA-authenticated condition work, because my condition looks at that key to determine whether the request will be allowed or not.

Let’s validate this theory by removing the MFA condition from the admin role policy. Well, that must not be it. Getting the same error:

Resource handler returned message: “Access denied for operation ‘CreateKey’.”

Well, my administrator clearly has this permission in its IAM policy and the CloudTrail logs indicate that role is taking the required action.

So I add the admin policy like any good developer would do, and there we go. The user can now run the CreateKey action, but it fails again on the “you are creating a policy that won’t let you update this in the future” error, even though the KMS admin is the one making the request.

Oh. Wait a minute. Hold up.

I had the region for my user configured incorrectly, to a region other than the one I’m in in the console. But wait. How is it even possible that my stacks are showing up in the region I’m in when my user is configured to deploy things in a different region? Nothing is hard coded to an alternate region in my templates.

Well, I remove the admin policy and re-run the script and it doesn’t resolve the problem anyway.

Finally I look at the policy in the UI. I find a few warnings, so I check, and my policy is restricted to keys in the current account.

So I add aliases as well. But that still doesn’t fix the problem, because the error messages say “CreateKey” is not allowed.

So I start to think about these resources and how a CreateKey action can act on a key that doesn’t exist yet. So I add a new statement for any Create action (Create*) and remove the resources. And it works.

But I still get my error that says I can’t create the policy because I won’t be able to update it, even though the role I’m creating the key policy with is the role in the policy.

Back to MFA. I’m requiring MFA. I want to use KMS in my key policy and require MFA, but now I’ve made a role the KMS key administrator. Roles don’t pass MFA, but I have a user that assumed the role. Although I can get that to work in the CLI profile, it may be causing issues with my key policy. Let’s remove it.

YES. That was the other problem. Removing MFA allowed me to successfully deploy the key and policy.
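What the “will not allow you to update the key policy in the future” error is checking is the KMS policy lockout safety check: KMS evaluates the new key policy against the principal making the CreateKey or PutKeyPolicy call and rejects the policy if that principal would not itself be allowed kms:PutKeyPolicy under it (unless BypassPolicyLockoutSafetyCheck is set). As an added example, not the post’s code, the Python below models a reduced version of that evaluation (exact-ARN AWS principals, wildcard actions, Bool and StringEquals conditions, no account-root delegation, Resource ignored because a key policy’s Resource is always "*") so you can see why an aws:MultiFactorAuthPresent condition on the admin statement fails when the role session’s request context carries no such key, as the post observed in CloudTrail, and passes once the condition is dropped. The policy, role ARN and account id are constructed placeholders.

```python
"""Approximate the KMS key-policy lockout safety check (added example).

Not the post's code. KMS refuses a new key policy when the principal making
the CreateKey or PutKeyPolicy call would not itself be allowed kms:PutKeyPolicy
under it. This evaluator models only what that needs: Allow/Deny statements,
"AWS" principals given as exact ARNs (account-root delegation is not modelled),
wildcard Action matching, and Bool / StringEquals conditions. Any other
condition operator is treated as unmet, which errs toward reporting lockout.
Resource is ignored because a key policy's Resource is always "*".
"""
import fnmatch
from typing import Any, Dict, List, Tuple

Policy = Dict[str, Any]
Context = Dict[str, str]


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principal_matches(principal: Any, caller_arn: str) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _action_matches(actions: Any, action: str) -> bool:
    # IAM action names are case-insensitive and support "*" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), str(a).lower()) for a in _as_list(actions))


def _condition_met(condition: Dict[str, Dict[str, Any]], ctx: Context) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                # A key absent from the request context never satisfies Bool;
                # that is exactly what bites a role session with no MFA key.
                if actual is None or actual.lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual is None or actual not in [str(e) for e in _as_list(expected)]:
                    return False
            else:
                return False
    return True


def allows_put_key_policy(policy: Policy, caller_arn: str, ctx: Context) -> bool:
    """Explicit Deny wins; otherwise any matching Allow grants the action."""
    allowed = False
    for st in _as_list(policy.get("Statement", [])):
        if not _principal_matches(st.get("Principal", {}), caller_arn):
            continue
        if not _action_matches(st.get("Action", []), "kms:PutKeyPolicy"):
            continue
        if not _condition_met(st.get("Condition", {}), ctx):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def lockout_check(policy: Policy, caller_arn: str, ctx: Context) -> Tuple[bool, str]:
    """Return (locked_out, reason) the way the KMS safety check would see it."""
    if allows_put_key_policy(policy, caller_arn, ctx):
        return False, f"{caller_arn} keeps kms:PutKeyPolicy under the new policy"
    return True, (f"{caller_arn} would not be allowed kms:PutKeyPolicy; KMS rejects "
                  "the policy unless BypassPolicyLockoutSafetyCheck is set")


# Constructed policy in the shape the post describes: one admin statement for
# the key-administrator role. Account id and names are placeholders.
ROLE_ARN = "arn:aws:iam::111111111111:role/KmsKeyAdministrator"
POLICY_MFA: Policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowKeyAdministration",
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": ["kms:Create*", "kms:Describe*", "kms:Put*", "kms:Update*",
                   "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
        "Resource": "*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
# Same statement with the MFA condition removed, as the post ended up doing.
POLICY_NO_MFA: Policy = {
    "Version": "2012-10-17",
    "Statement": [{k: v for k, v in POLICY_MFA["Statement"][0].items() if k != "Condition"}],
}

if __name__ == "__main__":
    print(lockout_check(POLICY_MFA, ROLE_ARN, {}))   # role session without the MFA key: locked out
    print(lockout_check(POLICY_MFA, ROLE_ARN, {"aws:MultiFactorAuthPresent": "true"}))
    print(lockout_check(POLICY_NO_MFA, ROLE_ARN, {}))
```

Run this against a candidate key policy (json.load of the template’s KeyPolicy) with the ARN CloudFormation will actually call KMS as and with the request-context keys you see in the CloudTrail record; if it reports lockout, the template will fail the same way before anything is created. The safer fix the post reaches is to keep the MFA requirement on the role’s trust policy, where the AssumeRole call can satisfy it, rather than in the key policy.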

Now I just need to resolve an issue with the key alias I’m trying to assign.

Resource handler returned message: “Model validation failed (#/AliasName: failed validation constraint for keyword [pattern])” (InvalidRequest)

That really unclear message means I’m trying to assign a key alias that isn’t in the right format. Where can I find the correct format for a key alias, since the error message is not at all helpful and doesn’t tell me?

The documentation isn’t very helpful (am I just not seeing it? maybe it’s there somewhere) but I can see from the example code that lowercase and dashes work.

Nope. Same error.

Madness is setting in. I found this error message and a fix for a different service, an AWS canary. It says the name needs to be less than 21 characters, so I changed my alias to 20 characters.

Ah yes, the requirements would be in the CloudFormation documentation, obviously. The length is up to 256, so that wasn’t it:

Strange, I don’t see anything wrong with my alias…

Found this page that tells me to do what I just did. This error message really needs to be more precise, and it’s used all over the place.

Finally, I think I see it. I had scrolled past the big “Note” box, which is sort of a distraction, and missed the very first line. Adding alias/ now. Can you not just tell me that my alias needs to start with “alias” in the error message, and why, anyway? Just add it for me.
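For the alias, the documented constraints for the AWS::KMS::Alias AliasName (and the KMS CreateAlias API) are that the name begins with alias/, that the prefix counts toward the 1 to 256 character limit, that only the characters a-z A-Z 0-9 : / _ - are allowed, and that alias/aws/ is reserved for AWS managed keys. As an added example (not code from the post), this Python checker reports every rule a candidate name breaks, and a normalizer does what the post asks for: it adds the prefix and replaces disallowed characters. The sample names are constructed.

```python
"""Validate and normalise a KMS alias name (added example, not the post's code).

The rules are the documented CreateAlias / AWS::KMS::Alias constraints: the
name must begin with "alias/", the prefix counts toward the 1..256 length,
only [a-zA-Z0-9:/_-] are permitted, and "alias/aws/" is reserved for AWS
managed keys.
"""
import re
from typing import List

PREFIX = "alias/"
RESERVED = "alias/aws/"
ALLOWED = re.compile(r"[a-zA-Z0-9:/_-]")
MAX_LEN = 256


def check_alias_name(name: str) -> List[str]:
    """Return every rule the name breaks; an empty list means it is valid."""
    problems: List[str] = []
    if not name.startswith(PREFIX):
        problems.append("must start with 'alias/' (the prefix is part of the name)")
    if name.startswith(RESERVED):
        problems.append("'alias/aws/' is reserved for AWS managed keys")
    if not 1 <= len(name) <= MAX_LEN:
        problems.append(f"length {len(name)} is outside 1..{MAX_LEN} (prefix included)")
    bad = sorted(set(ch for ch in name if not ALLOWED.match(ch)))
    if bad:
        problems.append(f"contains characters outside [a-zA-Z0-9:/_-]: {bad}")
    return problems


def normalize_alias(name: str) -> str:
    """Do what the post wished the service would: add the prefix and fix the rest."""
    body = name[len(PREFIX):] if name.startswith(PREFIX) else name
    # Collapse each run of disallowed characters into a single dash.
    body = re.sub(r"[^a-zA-Z0-9:/_-]+", "-", body).strip("-") or "key"
    if body.startswith("aws/"):
        body = "custom-" + body  # keep clear of the reserved namespace
    return (PREFIX + body)[:MAX_LEN]


if __name__ == "__main__":
    for candidate in ["my-kms-key", "alias/my-kms-key", "alias/aws/mine", "my kms key!"]:
        print(f"{candidate!r}: {check_alias_name(candidate) or 'valid'}"
              f" -> {normalize_alias(candidate)}")
```

The check is worth running in a pre-deploy linter over every AWS::KMS::Alias in a template, because the CloudFormation-side message only says that a pattern constraint failed and never names the missing prefix.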

Finally. Sheesh.

I wish that the error messages were a lot better so I didn’t have to dig around in documentation so much. It would save the world a lot of time if you could just write simple error messages that explain to people exactly what the problem is, when possible.

This is what trial-and-error troubleshooting looks like when error messages aren’t clear or precise enough to resolve the problem that caused the error.

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts


