
hundreds-kite-52072

05/28/2021, 6:24 PM
I have a test project that is virtually identical to https://www.pulumi.com/docs/tutorials/aws/video-thumbnailer/ when the container runs I'm getting access denied errors for accessing the S3 buckets. The only key difference I have is that I'm referring to existing S3 buckets rather than creating them in the pulumi project. What do I have to do to give permissions for the container to access the buckets?

miniature-musician-31262

05/28/2021, 6:46 PM
It’s hard to say without seeing some code, but I can share that when I’ve done something similar, I’ve passed in these two managed policies to allow the container task to access the upload bucket:
myBucket.onObjectCreated("onUploadEvent", new aws.lambda.CallbackFunction<aws.s3.BucketEvent, void>("onUploadHandler", {
    policies: [
        aws.iam.ManagedPolicies.AWSLambdaFullAccess,
        aws.iam.ManagedPolicies.AmazonEC2ContainerServiceFullAccess,
    ],
    ..
Have you tried these and not had any luck?
It does require a handle to the bucket (above, `myBucket`), which you can get in your program using `aws.s3.Bucket.get()`: https://www.pulumi.com/docs/reference/pkg/aws/s3/bucket/#look-up

hundreds-kite-52072

05/28/2021, 10:12 PM
The two managed policies don't work. On trying pulumi up I get this error: Error attaching policy arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess to IAM Role onNewVideoCreated-d00e07e: NoSuchEntity: Policy arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess does not exist or is not attachable. status code: 404, request id: 8648df91-e856-4b6e-96d8-b44e22c92412. And AWSLambdaFullAccess is deprecated.
I'm using the bucket.get() function to get the handle and that is working fine. In the lambda function I can read from the bucket but the docker container can't.
Do I need an executionRole on the FargateTaskDefinition? If so, what?

miniature-musician-31262

05/28/2021, 10:24 PM
Ah, my code is quite old, which may explain why you’re seeing that error. Let me try updating it to the latest pulumi/aws, etc.

hundreds-kite-52072

05/28/2021, 10:24 PM
Thank you! Really appreciate your help!

miniature-musician-31262

05/28/2021, 10:37 PM
No problem — I’m definitely not expert-level AWS, but I can at least share what’s working for me. 🙂 Here’s what I’m attempting to upgrade to now —
{
    ...
    "dependencies": {
        "@pulumi/aws": "^4.6.0",
        "@pulumi/awsx": "^0.30.0",
        "@pulumi/pulumi": "^3.3.1",
        ...
    }
}
Will report back as soon as I’m able to validate.
Ok so that did work for me — I had to update a couple of references for those managed policies, but I just deployed and verified things all work as they should. Here’s the file I’m using to define the upload handler and task definition: https://gist.github.com/cnunciato/9409f84fbf965e6105a5365220a638ba
Lines 39 and 40 contain the managed-policy references.
(I’m pulling the container image from Docker, but I don’t believe that should matter here.)
And it looks like those two lines have applied these two policies on the role that was associated with the Lambda:
Hopefully that helps shed some light!

hundreds-kite-52072

06/01/2021, 10:24 AM
Really appreciate this. Just back from a long weekend off and will be looking at this today.