aws - detail spec calls catch access denied due to rbp #9458

Open. Wants to merge 3 commits into base: main.

c7n/query.py (9 additions & 1 deletion)

@@ -738,6 +738,7 @@
def _scalar_augment(manager, model, detail_spec, client, resource_set):
detail_op, param_name, param_key, detail_path = detail_spec
op = getattr(client, detail_op)
ecodes_acc_denied = ('AuthorizationError', 'AccessDeniedException', 'AuthorizationError',)
if manager.retry:
args = (op,)
op = manager.retry
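Review bot: ecodes_acc_denied lists 'AuthorizationError' twice (first and third entries); drop the duplicate, and confirm the tuple covers the error code each service actually returns for a denied detail call, because a code that is missing here is not matched by the except in the next hunk. ClientError is referenced in that hunk but no import of it appears in this diff; verify it is already imported in c7n/query.py. Building the tuple on every call of _scalar_augment is harmless, but a module-level constant would read better.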
@@ -746,7 +747,14 @@
results = []
for r in resource_set:
kw = {param_name: param_key and r[param_key] or r}
response = op(*args, **kw)
try:
response = op(*args, **kw)
except ClientError as e:
if (e.response['Error']['Code'] in ecodes_acc_denied and
e.response['ResponseMetadata']['HTTPStatusCode'] == 403 and
'resource-based policy' in e.response['Error']['Message']):
manager.log.exception(e)
continue
Collaborator Author
Would it make sense to raise for all other errors? My assumption is that if we leave it as is, the boto3 errors will bubble up automatically

if detail_path:
response = response[detail_path]
else:
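Review bot: the except branch does not re-raise when its condition is false, so every ClientError is swallowed, not only the resource-based-policy denial: a non-matching error skips `response = op(*args, **kw)` and execution falls through to `if detail_path:` with `response` either unbound (first iteration) or stale from the previous resource, which would attach one resource's detail to another. Add an `else: raise` after the `continue` (or a bare `raise` at the end of the except block) so other errors still bubble up; that also answers the question raised in the thread, since the current code does not let them through. Two smaller points: matching the substring 'resource-based policy' in e.response['Error']['Message'] is brittle because error messages are not a stable interface, so a comment naming the service and call this was observed on would help the next maintainer; and manager.log.exception(e) emits a full traceback at ERROR for a condition the code now treats as expected, while the resource is silently dropped from results. A warning that names the skipped resource (for example r[param_key]) would make the incomplete output visible to operators without the traceback noise.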