elbv2: Network Load Balancer - access logs permission issues #8113

Closed
DaWyz opened this issue May 21, 2020 · 0 comments · Fixed by #8114
Labels
@aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 bug This issue is a bug. in-progress This issue is being actively worked on. needs-triage This issue or PR still needs to be triaged. p2

Comments

@DaWyz
Contributor

DaWyz commented May 21, 2020

The NetworkLoadBalancer class inherits the logAccessLogs method from the BaseLoadBalancer to enable access logs.

When enabling it, the stack creation fails because of missing permissions on the S3 Bucket.

The required permissions are listed here.

Reproduction Steps

Create a new CDK app and install the following dependencies.

cdk init sample-app --language=typescript
npm install @aws-cdk/aws-elasticloadbalancingv2 @aws-cdk/aws-s3

Pass an AWS account and AWS region as Stack Props when instantiating the following stack.

import * as cdk from '@aws-cdk/core';
import { NetworkLoadBalancer } from '@aws-cdk/aws-elasticloadbalancingv2';
import { Vpc } from '@aws-cdk/aws-ec2';
import { Bucket } from '@aws-cdk/aws-s3';

export class NlbExampleStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    let bucket = new Bucket(this, 'bucket');

    let vpc = new Vpc(this, 'vpc', {
      cidr: '10.0.0.0/16',
    });

    let nlb = new NetworkLoadBalancer(this, 'nlb', {
      loadBalancerName: `my-nlb`,
      vpc: vpc,
      internetFacing: true,
    });

    nlb.logAccessLogs(bucket);
  }
}

Then, deploy the app.

cdk deploy

Error Log

37/38 | 7:48:56 PM | CREATE_FAILED        | AWS::ElasticLoadBalancingV2::LoadBalancer | nlb (nlbC39469D4) Access Denied for bucket: nlbexamplestack-bucket43879c71-17wi9vtrueh7w. Please check S3bucket permission (Service: AmazonElasticLoadBalancingV2; Status Code: 400; Error Code: ValidationError; Request ID: 96c228a0-fe63-4d71-8913-22c410c990b0)
	new BaseLoadBalancer (.../nlb-example/node_modules/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts:136:22)
	\_ new NetworkLoadBalancer (.../nlb-example/node_modules/@aws-cdk/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts:85:5)
	\_ new NlbExampleStack (.../nlb-example/lib/nlb-example-stack.ts:16:15)
	\_ Object.<anonymous> (.../nlb-example/bin/nlb-example.ts:20:1)
	\_ Module._compile (internal/modules/cjs/loader.js:1133:30)
	\_ Module.m._compile (.../nlb-example/node_modules/ts-node/src/index.ts:858:23)
	\_ Module._extensions..js (internal/modules/cjs/loader.js:1153:10)
	\_ Object.require.extensions.<computed> [as .ts] (.../nlb-example/node_modules/ts-node/src/index.ts:861:12)
	\_ Module.load (internal/modules/cjs/loader.js:977:32)
	\_ Function.Module._load (internal/modules/cjs/loader.js:877:14)
	\_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
	\_ main (.../nlb-example/node_modules/ts-node/src/bin.ts:227:14)
	\_ Object.<anonymous> (.../nlb-example/node_modules/ts-node/src/bin.ts:513:3)
	\_ Module._compile (internal/modules/cjs/loader.js:1133:30)
	\_ Object.Module._extensions..js (internal/modules/cjs/loader.js:1153:10)
	\_ Module.load (internal/modules/cjs/loader.js:977:32)
	\_ Function.Module._load (internal/modules/cjs/loader.js:877:14)
	\_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)

Environment

  • CLI Version : 1.40.0
  • Framework Version: 1.40.0
  • OS : Ubuntu 18.04
  • Language : TypeScript

Other


This is 🐛 Bug Report
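
The bucket-policy grants this issue is about, written as a stand-alone pre-deploy check (an added example, not code from the issue or from aws-cdk). It assumes the grants AWS documents for NLB access logs: the `delivery.logs.amazonaws.com` service principal needs `s3:GetBucketAcl` on the bucket and `s3:PutObject`, conditioned on the `bucket-owner-full-control` ACL, under `AWSLogs/<account-id>/`. The function name `auditNlbLogPolicy`, the bucket name and the account id are hypothetical.

```typescript
// Added example (not CDK code). Required grants are taken from AWS's NLB
// access-log documentation, which this page links to but does not reproduce.
type OneOrMany = string | string[];
interface Statement {
  Effect: string;
  Principal?: { Service?: OneOrMany }; // only service principals are considered
  Action: OneOrMany;
  Resource: OneOrMany;
  Condition?: { [op: string]: { [key: string]: OneOrMany } };
}
const LOG_DELIVERY = 'delivery.logs.amazonaws.com';
const list = (v?: OneOrMany): string[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Simplified IAM wildcard match: '*' matches any run of characters.
function matches(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`).test(value);
}
function allows(s: Statement, action: string, resource: string): boolean {
  return s.Effect === 'Allow'
    && list(s.Principal?.Service).indexOf(LOG_DELIVERY) >= 0
    && list(s.Action).some(a => matches(a, action))
    && list(s.Resource).some(r => matches(r, resource));
}
// Returns findings; an empty array means the policy matches the documented shape.
function auditNlbLogPolicy(statements: Statement[], bucket: string, account: string): string[] {
  const bucketArn = `arn:aws:s3:::${bucket}`;
  const objectArn = `${bucketArn}/AWSLogs/${account}/sample.log.gz`;
  const findings: string[] = [];
  if (!statements.some(s => allows(s, 's3:GetBucketAcl', bucketArn))) {
    findings.push('missing s3:GetBucketAcl on the bucket');
  }
  const puts = statements.filter(s => allows(s, 's3:PutObject', objectArn));
  const aclPinned = (s: Statement): boolean =>
    list(s.Condition?.StringEquals?.['s3:x-amz-acl']).indexOf('bucket-owner-full-control') >= 0;
  if (puts.length === 0) findings.push('missing s3:PutObject on AWSLogs/<account>/*');
  else if (!puts.every(aclPinned)) findings.push('s3:PutObject not pinned to bucket-owner-full-control');
  return findings;
}
// Constructed sample: bucket name and account id are placeholders.
const samplePolicy: Statement[] = [
  { Effect: 'Allow', Principal: { Service: LOG_DELIVERY }, Action: 's3:PutObject',
    Resource: 'arn:aws:s3:::example-log-bucket/AWSLogs/111122223333/*',
    Condition: { StringEquals: { 's3:x-amz-acl': 'bucket-owner-full-control' } } },
  { Effect: 'Allow', Principal: { Service: LOG_DELIVERY }, Action: 's3:GetBucketAcl',
    Resource: 'arn:aws:s3:::example-log-bucket' },
];
console.log(auditNlbLogPolicy(samplePolicy, 'example-log-bucket', '111122223333'));
console.log(auditNlbLogPolicy([], 'example-log-bucket', '111122223333'));
```

An empty policy, which is what the bucket in the reproduction stack has, yields both "missing" findings; run the same check against the `AWS::S3::BucketPolicy` statements in the synthesized template before deploying.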

@DaWyz DaWyz added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 21, 2020
DaWyz added a commit to DaWyz/aws-cdk that referenced this issue May 21, 2020
fixes aws#8113

Currently, it's not possible to enable access logs for a network load balancer
using the logAccessLogs method. CloudFormation will fail at deploy time because
the S3 Bucket doesn't have the right permissions.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@SomayaB SomayaB added the @aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 label May 26, 2020
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label May 26, 2020
@rix0rrr rix0rrr added the p2 label May 27, 2020
@mergify mergify bot closed this as completed in #8114 Jun 9, 2020
mergify bot pushed a commit that referenced this issue Jun 9, 2020
…8114)

fixes #8113

Currently, it's not possible to enable access logs for a network load balancer
using the logAccessLogs method. CloudFormation will fail at deploy time because
the S3 Bucket doesn't have the right permissions.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*