Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
First reported here, I've reproduced it but using terraform: when you try to attach the following policy you get an internal server error:
InternalError
exception while calling iam.AttachRolePolicy: Traceback (most recent call last):
File "/opt/code/localstack/localstack/aws/chain.py", line 90, in handle
handler(self, self.context, response)
File "/opt/code/localstack/localstack/aws/handlers/service.py", line 122, in __call__
handler(chain, context, response)
File "/opt/code/localstack/localstack/aws/handlers/service.py", line 92, in __call__
skeleton_response = self.skeleton.invoke(context)
File "/opt/code/localstack/localstack/aws/skeleton.py", line 153, in invoke
return self.dispatch_request(context, instance)
File "/opt/code/localstack/localstack/aws/skeleton.py", line 165, in dispatch_request
result = handler(context, instance) or {}
File "/opt/code/localstack/localstack/aws/forwarder.py", line 67, in _call
return fallthrough_handler(context, req)
File "/opt/code/localstack/localstack/services/moto.py", line 83, in _proxy_moto
return call_moto(context)
File "/opt/code/localstack/localstack/services/moto.py", line 46, in call_moto
return dispatch_to_backend(context, dispatch_to_moto, include_response_metadata)
File "/opt/code/localstack/localstack/aws/forwarder.py", line 120, in dispatch_to_backend
http_response = http_request_dispatcher(context)
File "/opt/code/localstack/localstack/services/moto.py", line 111, in dispatch_to_moto
response = dispatch(request, request.url, request.headers)
File "/opt/code/localstack/.venv/lib/python3.10/site-packages/moto/core/responses.py", line 225, in dispatch
return cls()._dispatch(*args, **kwargs)
File "/opt/code/localstack/.venv/lib/python3.10/site-packages/moto/core/responses.py", line 366, in _dispatch
return self.call_action()
File "/opt/code/localstack/.venv/lib/python3.10/site-packages/moto/core/responses.py", line 455, in call_action
response = method()
File "/opt/code/localstack/.venv/lib/python3.10/site-packages/moto/iam/responses.py", line 17, in attach_role_policy
self.backend.attach_role_policy(policy_arn, role_name)
File "/opt/code/localstack/.venv/lib/python3.10/site-packages/moto/iam/models.py", line 1702, in attach_role_policy
policy = arns[policy_arn]
KeyError: 'local-bucket-access-policy'
DQJQDJKNC93JXLHUJ4T593IIKH8KS0OR7FJGL3J7EWIZKPAHGTRU" http.response.header.access_control_allow_headers=authorization,cache-control,content-length,content-md5,content-type,etag,location,x-amz-acl,x-amz-content-sha256,x-amz-date,x-amz-request-id,x-amz-security-token,x-amz-tagging,x-amz-target,x-amz-user-agent,x-amz-version-id,x-amzn-requestid,x-localstack-target,amz-sdk-invocation-id,amz-sdk-request http.response.header.access_control_allow_methods=HEAD,GET,PUT,POST,DELETE,OPTIONS,PATCH http.response.header.date="Wed, 22 Mar 2023 22:42:30 GMT" http.response.header.server=hypercorn-h11 http.response_content_length=2481 tf_req_id=74a915fe-1b32-ebcf-e1a6-88a84e30c539 @caller=github.com/hashicorp/aws-sdk-go-base/v2/awsv1shim/v2@v2.0.0-beta.25/logger.go:138 @module=aws http.duration=9 http.response.header.access_control_allow_origin= http.response.header.access_control_expose_headers=etag,x-amz-version-id tf_provider_addr=registry.terraform.io/hashicorp/aws tf_resource_type=aws_iam_role_policy_attachment tf_rpc=ApplyResourceChange timestamp=2023-03-22T22:42:30.954Z
terraform (tflocal):
resource "aws_s3_bucket" "bucket" {
  bucket = "mybucket"
}

# this works
resource "aws_iam_role" "lambda_role" {
  name               = "lambda_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_policy" "s3_access" {
  name   = "local-bucket-access-policy"
  policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "",
        "Effect" : "Allow",
        "Action" : ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "Resource" : "${aws_s3_bucket.bucket.arn}"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "exe" {
  role       = aws_iam_role.lambda_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_iam_role_policy_attachment" "s3_access" {
  role = aws_iam_role.lambda_role.name
  # this causes the error, should use "arn" not "name"
  policy_arn = aws_iam_policy.s3_access.name
}
Expected Behavior
Should attach the policy or give a reason why not due to the key error. The above error was only visible in debug logs.
How are you starting LocalStack?
With a docker-compose file
Steps To Reproduce
How are you starting localstack (e.g., `bin/localstack` command, arguments, or `docker-compose.yml`)
docker-compose up
Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)
tflocal apply
Compose file
version: "3.8"
services:
  localstack:
    container_name: localstack-main
    image: "localstack/localstack:${LOCALSTACK_VERSION}"
    environment:
      - SERVICES=s3,lambda,logs,iam
      - PROVIDER_OVERRIDE_LAMBDA=asf
      - DOCKER_HOST=unix:///var/run/docker.sock
      - DEBUG=1
      - EDGE_PORT=4566
      - AWS_ACCESS_KEY_ID=local
      - AWS_SECRET_ACCESS_KEY=local
      - DEFAULT_REGION=us-west-1
    ports:
      - "127.0.0.1:4566:4566"
      - "127.0.0.1:4510-4559:4510-4559"
    volumes:
      - "${LOCALSTACK_VOLUME_DIR:-./volume}:/var/lib/localstack"
      - "/var/run/docker.sock:/var/run/docker.sock"
Environment
- OS: `Linux 07109cc2728b 5.15.0-67-generic #74-Ubuntu SMP Wed Feb 22 14:14:39 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux`
- LocalStack: `1.4.0-arm64`
Anything else?
No response
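
The expected behavior from this report, as an added sketch that is not part of the original issue and is not LocalStack's or moto's code: validate `policy_arn` before the lookup so that a bare policy name produces a client error the caller can read instead of an unhandled `KeyError`. `ToyIamBackend`, `IamClientError` and `try_attach` are hypothetical names; `InvalidInput` and `NoSuchEntity` are error codes AWS IAM documents for AttachRolePolicy, while the messages, status mapping and ARN pattern are constructed for illustration.

```python
import re

# Constructed shape check for IAM policy ARNs (a simplification, not AWS's full grammar).
POLICY_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}|aws):policy/[\w+=,.@/-]+$"
)


class IamClientError(Exception):
    """Client-side (4xx) error carrying a code the caller can act on."""

    def __init__(self, code, message):
        super().__init__(message)
        self.code = code
        self.status = 400 if code == "InvalidInput" else 404


class ToyIamBackend:
    """Hypothetical in-memory stand-in for a policy store keyed by ARN."""

    def __init__(self):
        self.policies = {}     # policy ARN -> policy document
        self.attachments = {}  # role name -> set of attached policy ARNs

    def create_policy(self, account_id, name, document):
        arn = f"arn:aws:iam::{account_id}:policy/{name}"
        self.policies[arn] = document
        return arn

    def attach_role_policy(self, policy_arn, role_name):
        # Reject malformed input before touching the store, so a bare name such
        # as "local-bucket-access-policy" never reaches a raw dict lookup.
        if not POLICY_ARN_RE.match(policy_arn or ""):
            raise IamClientError("InvalidInput", f"ARN {policy_arn} is not valid.")
        # A well-formed ARN that is unknown is a different, also explicit, error.
        if policy_arn not in self.policies:
            raise IamClientError("NoSuchEntity", f"Policy {policy_arn} does not exist.")
        self.attachments.setdefault(role_name, set()).add(policy_arn)


def try_attach(backend, policy_arn, role_name):
    """Return (status, code) the way an API layer would map the outcome."""
    try:
        backend.attach_role_policy(policy_arn, role_name)
        return 200, "OK"
    except IamClientError as err:
        return err.status, err.code
```
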