CreateScheduleCommand throws invalid ValidationException #6494

Open
3 of 4 tasks
defmtog opened this issue Sep 19, 2024 · 0 comments
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments


defmtog commented Sep 19, 2024

Checkboxes for prior research

Describe the bug

When I create a valid Policy, Role, AssumeRolePolicy and Group and send the command I get the following error:
ValidationException: The execution role you provide must allow AWS EventBridge Scheduler to assume the role.

If I add a bogus AssumeRole statement to the Permission Policy it succeeds. Seems the validation is looking for the AssumeRole statement in the PermissionPolicy rather than in the AssumeRolePolicy?

example code:


Regression Issue

  • Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/client-scheduler@3.651.1

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v20.17.0

Reproduction Steps

// Reporter's reproduction, restructured with async/await and explicit imports so it
// runs as one function. The free variables of the original (initial, config,
// lambdaLongName, lambdaArn, SCHEDULER_GROUP, TIMEZONE, scheduleExpression,
// description, params) are taken as parameters; their values are the caller's.
const {
  IAMClient,
  CreateRoleCommand,
  CreatePolicyCommand,
  AttachRolePolicyCommand,
} = require('@aws-sdk/client-iam')
const {
  SchedulerClient,
  CreateScheduleGroupCommand,
  CreateScheduleCommand,
  FlexibleTimeWindowMode,
} = require('@aws-sdk/client-scheduler')

async function createScheduleForLambda({
  initial, config, lambdaLongName, lambdaArn,
  SCHEDULER_GROUP, TIMEZONE, scheduleExpression, description, params,
}) {
  const iamClient = new IAMClient(initial)

  // Trust policy: lets EventBridge Scheduler assume the role, scoped to this account
  const assumePolicy = {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "scheduler.amazonaws.com"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "aws:SourceAccount": `${config.aws_account_id}`
          }
        }
      }
    ]
  }
  console.log(JSON.stringify(assumePolicy))

  // create role
  const inputR = { // CreateRoleRequest
    RoleName: `Amazon_EventBridge_Scheduler_${lambdaLongName}`,
    AssumeRolePolicyDocument: JSON.stringify(assumePolicy),
    Description: `Execution role for ${lambdaLongName}`
  }
  const { Role: role } = await iamClient.send(new CreateRoleCommand(inputR))
  console.log('role:', role)

  // create policy (permissions the role carries, i.e. invoking the Lambda)
  const policyStatement = {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "lambda:InvokeFunction"
        ],
        "Resource": [
          `${lambdaArn}:*`,
          `${lambdaArn}`
        ]
      },
      // add Bogus AssumeRole
      // {
      //   "Effect": "Allow",
      //   "Action": "sts:AssumeRole",
      //   "Condition": {
      //     "StringEquals": {
      //       "aws:SourceAccount": `${config.aws_account_id}`
      //     }
      //   },
      //   "Resource": [
      //     `${lambdaArn}:*`,
      //     `${lambdaArn}`
      //   ]
      // }
    ]
  }
  const inputP = { // CreatePolicyRequest
    PolicyName: `Amazon-EventBridge-Scheduler-Execution-Policy-${lambdaLongName}`,
    PolicyDocument: JSON.stringify(policyStatement),
    Description: `Scheduler Execution policy for ${lambdaLongName}`,
  }
  const { Policy: policy } = await iamClient.send(new CreatePolicyCommand(inputP))
  console.log('policy:', policy)

  // attach policy to role
  const inputA = { // AttachRolePolicyRequest
    RoleName: role.RoleName,
    PolicyArn: policy.Arn
  }
  const attach = await iamClient.send(new AttachRolePolicyCommand(inputA))
  console.log('attach:', attach)

  const schedulerClient = new SchedulerClient(initial)

  // create scheduler group (an error here means the group already exists)
  try {
    const input = { // CreateScheduleGroupInput
      Name: SCHEDULER_GROUP,
    }
    const group = await schedulerClient.send(new CreateScheduleGroupCommand(input))
    console.log('group:', group)
  } catch (err) {
    console.error('scheduler group exists')
  }

  // create schedule
  const inputS = { // CreateScheduleInput
    Name: `Schedule-${lambdaLongName}`,
    GroupName: SCHEDULER_GROUP,
    ScheduleExpression: scheduleExpression,
    Description: description,
    ScheduleExpressionTimezone: TIMEZONE,
    Target: { // Target
      Arn: lambdaArn,
      RoleArn: role.Arn,
      Input: JSON.stringify(params),
    },
    FlexibleTimeWindow: {
      Mode: FlexibleTimeWindowMode.OFF,
    },
  }
  console.log(JSON.stringify(inputS))
  // this is the call that rejects with the ValidationException reported below
  const schedule = await schedulerClient.send(new CreateScheduleCommand(inputS))
  console.log('schedule:', schedule)
  return schedule
}

Observed Behavior

ValidationException: The execution role you provide must allow AWS EventBridge Scheduler to assume the role.
    at de_ValidationExceptionRes (/home/dflesner/tune/code/git/codeadx/dan/podadx-aws/node_modules/@aws-sdk/client-scheduler/dist-cjs/index.js:837:21)
    at de_CommandError (/home/dflesner/tune/code/git/codeadx/dan/podadx-aws/node_modules/@aws-sdk/client-scheduler/dist-cjs/index.js:754:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /home/dflesner/tune/code/git/codeadx/dan/podadx-aws/node_modules/@aws-sdk/client-scheduler/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
    at async /home/dflesner/tune/code/git/codeadx/dan/podadx-aws/node_modules/@aws-sdk/client-scheduler/node_modules/@smithy/core/dist-cjs/index.js:165:18
    at async /home/dflesner/tune/code/git/codeadx/dan/podadx-aws/node_modules/@aws-sdk/client-scheduler/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
    at async /home/dflesner/tune/code/git/codeadx/dan/podadx-aws/node_modules/@aws-sdk/client-scheduler/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:34:22 {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 400,
    requestId: '40ae0f9d-b014-4448-9b87-ed00403e09c6',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  }
}

Expected Behavior

succeed

Possible Solution

Move the validation check to the correct Policy

Additional Information/Context

No response
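The service check behind this ValidationException is on the role's trust policy (the AssumeRolePolicyDocument), so two things are worth having in local tooling: a check that the trust policy actually grants sts:AssumeRole to scheduler.amazonaws.com with the confused-deputy conditions AWS recommends (aws:SourceAccount and aws:SourceArn), and a bounded retry, because a role created moments earlier is not immediately visible to other AWS services and CreateSchedule can return exactly this message until IAM propagation completes. The block below is an added example, not the reporter's code and not an @aws-sdk API; checkSchedulerTrustPolicy, isRolePropagationError, sendWithPropagationRetry and FakeSchedulerClient are names of this example, the account id and ARNs are constructed, and the fake client stands in for SchedulerClient so the block runs offline.

```javascript
// Added example: local trust-policy check plus a propagation-aware retry for
// CreateScheduleCommand. None of these names are AWS SDK APIs; the account id,
// ARNs and FakeSchedulerClient are constructed for the demonstration.

const SCHEDULER_PRINCIPAL = 'scheduler.amazonaws.com';

// IAM policy elements may be a single string or an array; normalise to an array.
function asArray(v) {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Inspect a trust policy (AssumeRolePolicyDocument, as object or JSON string).
// Reports whether Scheduler may assume the role and lists weaknesses found:
// a missing/mismatched aws:SourceAccount or a missing aws:SourceArn condition
// leaves the role open to the confused-deputy problem.
function checkSchedulerTrustPolicy(doc, expectedAccountId) {
  const policy = typeof doc === 'string' ? JSON.parse(doc) : doc;
  const findings = [];
  let allows = false;
  for (const st of asArray(policy.Statement)) {
    if (st.Effect !== 'Allow') continue;
    const services = asArray((st.Principal || {}).Service);
    if (!services.includes(SCHEDULER_PRINCIPAL)) continue;
    if (!asArray(st.Action).includes('sts:AssumeRole')) continue;
    allows = true;
    const cond = st.Condition || {};
    const eq = cond.StringEquals || {};
    if (eq['aws:SourceAccount'] === undefined) {
      findings.push('missing aws:SourceAccount condition (confused-deputy risk)');
    } else if (expectedAccountId && eq['aws:SourceAccount'] !== expectedAccountId) {
      findings.push(`aws:SourceAccount is ${eq['aws:SourceAccount']}, expected ${expectedAccountId}`);
    }
    if (eq['aws:SourceArn'] === undefined && !(cond.ArnLike || {})['aws:SourceArn']) {
      findings.push('no aws:SourceArn condition: any schedule in the account may assume this role');
    }
  }
  if (!allows) findings.push(`no Allow statement grants sts:AssumeRole to ${SCHEDULER_PRINCIPAL}`);
  return { allowsScheduler: allows, findings };
}

// The exact message reported in this issue; it is the only error we retry on.
const TRUST_ERROR = /must allow AWS EventBridge Scheduler to assume the role/;

function isRolePropagationError(err) {
  return Boolean(err) && err.name === 'ValidationException' && TRUST_ERROR.test(err.message || '');
}

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// client.send(command) with exponential backoff, retried only while the failure
// is the trust-policy ValidationException; any other error propagates at once.
async function sendWithPropagationRetry(client, command, opts = {}) {
  const { maxAttempts = 6, baseDelayMs = 2000, sleep = defaultSleep } = opts;
  for (let attempt = 1; ; attempt += 1) {
    try {
      return await client.send(command);
    } catch (err) {
      if (!isRolePropagationError(err) || attempt >= maxAttempts) throw err;
      await sleep(baseDelayMs * 2 ** (attempt - 1));
    }
  }
}

// Constructed stand-in for SchedulerClient: rejects `failures` times with the
// issue's error, then resolves, mimicking a new role becoming visible to Scheduler.
class FakeSchedulerClient {
  constructor(failures) { this.failures = failures; this.calls = 0; }
  async send(command) {
    this.calls += 1;
    if (this.calls <= this.failures) {
      const e = new Error('The execution role you provide must allow AWS EventBridge Scheduler to assume the role.');
      e.name = 'ValidationException';
      throw e;
    }
    return { ScheduleArn: `arn:aws:scheduler:us-east-1:123456789012:schedule/default/${command.Name}` };
  }
}

// Same shape as the reporter's assumePolicy, with a constructed account id.
const exampleTrustPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { Service: 'scheduler.amazonaws.com' },
    Action: 'sts:AssumeRole',
    Condition: { StringEquals: { 'aws:SourceAccount': '123456789012' } },
  }],
};

// Runs the check, then a CreateSchedule that succeeds on the third attempt.
async function demo() {
  const report = checkSchedulerTrustPolicy(exampleTrustPolicy, '123456789012');
  const client = new FakeSchedulerClient(2);
  const res = await sendWithPropagationRetry(client, { Name: 'Schedule-demo' },
    { baseDelayMs: 1, sleep: () => Promise.resolve() });
  return { report, attempts: client.calls, scheduleArn: res.ScheduleArn };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Against the reporter's trust policy the check reports the role as assumable by Scheduler and flags only the absent aws:SourceArn condition; against a permissions policy (lambda:InvokeFunction, no Principal) it reports that nothing grants sts:AssumeRole, which is the distinction the issue is about. With a real SchedulerClient the retry's default of six attempts from a 2 s base covers a little over a minute of propagation delay without masking any other ValidationException.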

@defmtog defmtog added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 19, 2024
@zshzbh zshzbh self-assigned this Sep 19, 2024