Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
h
hundreds-kite-52072
05/28/2021, 6:24 PMI have a test project that is virtually identical to https://www.pulumi.com/docs/tutorials/aws/video-thumbnailer/ when the container runs I'm getting access denied errors for accessing the S3 buckets. The only key difference I have is that I'm referring to existing S3 buckets rather than creating them in the pulumi project. What do I have to do to give permissions for the container to access the buckets?
m
miniature-musician-31262
05/28/2021, 6:46 PMIt’s hard to say without seeing some code, but I can share that when I’ve done something similar, I’ve passed in these two managed policies to allow the container task to access the upload bucket:
myBucket.onObjectCreated("onUploadEvent", new aws.lambda.CallbackFunction<aws.s3.BucketEvent, void>("onUploadHandler", {
policies: [
aws.iam.ManagedPolicies.AWSLambdaFullAccess,
aws.iam.ManagedPolicies.AmazonEC2ContainerServiceFullAccess,
],
..It does require a handle to the bucket (above,
myBucketh
hundreds-kite-52072
05/28/2021, 10:12 PMThe two managed policies don't work. On trying pulumi up I get this error : Error attaching policy arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess to IAM Role onNewVideoCreated-d00e07e: NoSuchEntity: Policy arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess does not exist or is not attachable.
status code: 404, request id: 8648df91-e856-4b6e-96d8-b44e22c92412
And AWSLambdaFullAccess is deprecated.
I'm using the bucket.get() function to get the handle and that is working fine. In the lambda function I can read from the bucket but the docker container can't.
Do I need an executionRole on the FargateTaskDefinition if so, what?
m
miniature-musician-31262
05/28/2021, 10:24 PMah, my code is quite old, which may explain why you’re seeing that error. let me try updating it to latest pulumi/aws, etc.
h
hundreds-kite-52072
05/28/2021, 10:24 PMThank you! Really appreciate your help!
m
miniature-musician-31262
05/28/2021, 10:37 PMNo problem — I’m definitely not expert-level AWS, but I can at least share what’s working for me. 🙂 Here’s what I’m attempting to upgrade to now —
{
...
"dependencies": {
"@pulumi/aws": "^4.6.0",
"@pulumi/awsx": "^0.30.0",
"@pulumi/pulumi": "^3.3.1",
...
}
}Will report back as soon I’m able to validate
Ok so that did work for me — I had to update a couple of references for those managed policies, but I just deployed and verified things all work as they should. Here’s the file I’m using to define the upload handler and task definition: https://gist.github.com/cnunciato/9409f84fbf965e6105a5365220a638ba
Lines 39 and 40 contain the managed-policy references.
(I’m pulling the container image from Docker, but I don’t believe shouldn’t matter here.)
And it looks like those two lines have applied these two policies on the role that was associated with the Lambda:
Hopefully that helps shed some light!
h
hundreds-kite-52072
06/01/2021, 10:24 AMReally appreciate this. Just back from a long weekend off an will be looking at this today.
👍 1