aws-cdk: Obscure error message 'Bucket named 'bucket-name' exists, but not in account [object Object]. Wrong account?'

When running cdk deploy to push assets into pre-existing CDK buckets (created by the bootstrap process) without the necessary s3:getBucketLocation permission, the deployment fails with a message like 'Bucket named 'bucket-name' exists, but not in account [object Object]. Wrong account?'. Notice that the bucket does exist in the account; it's just a permission issue.

Reproduction Steps

Theoretical yet, but it should happen when trying to make a deploy to an account which already contains the assets being deployed in S3 from a previous bootstrap (at least there’s where we saw it happening).

It's very likely that this can be reproduced by doing the same as in https://github.com/aws/aws-cdk/issues/4039, but only removing the s3:getBucketLocation permission.

Error Log

'Bucket named 'bucket-name' exists, but not in account [object Object]. Wrong account?'

Environment

  • CLI Version:
  • Framework Version: 1.1.0
  • OS: Linux x64
  • Language: English

Other

Checking the code in https://github.com/aws/aws-cdk/blob/a75f711aea3dac83c6feec885b7df9b14a39486e/packages/cdk-assets/lib/private/handlers/files.ts you can see that when there is a permissions error, this message will be shown. Also, account is passed as an object, so it stringifies into [object Object].


This is a 🐛 Bug Report

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 33
  • Comments: 20 (7 by maintainers)

Most upvoted comments

I can confirm the error is related to a lack of permissions as @pmarrone mentioned. I had a task definition complaining about the same problem. The policy below worked for my situation.

taskDefinition.addToTaskRolePolicy(
  new iam.PolicyStatement({
    resources: ["arn:aws:s3:::cdktoolkit-stagingbucket-*"],
    actions: ["s3:*Object", "s3:ListBucket", "s3:getBucketLocation"],
  })
);

Any update on this? I am still getting the same error, I even updated the bucket policy as below:

{
  "Version": "2012-10-17",
  "Id": "AccessControl",
  "Statement": [
    {
      "Sid": "UpdateBucketPolicy",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::{…acount id…}:root" },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::bucketnamefordemo",
        "arn:aws:s3:::bucketnamefordemo/*"
      ]
    }
  ]
}

Hi @iliapolo. I'm trying to find how to reproduce this. Our problem was the following: We deploy a CodePipeline using the cdk with a role with admin privileges. One of the CodePipeline steps invokes the cdk itself to redeploy changed assets. Before, this step was run with admin rights (:). While tightening the permissions for this step, the s3 privileges were reduced to the following

new iam.PolicyStatement({
  resources: ['arn:aws:s3:::cdktoolkit-stagingbucket-*'],
  actions: ['s3:*Object', 's3:ListBucket'],
})

This was not enough as it triggers the described error. It appears that this error response happens when the role has these permissions but lacks the s3:getBucketLocation permission.

This seems to be caused by the call to

async function bucketOwnership(s3: AWS.S3, bucket: string): Promise<BucketOwnership> {
  try {
    await s3.getBucketLocation({ Bucket: bucket }).promise();
    return BucketOwnership.MINE;
  } catch (e) {
    if (e.code === 'NoSuchBucket') { return BucketOwnership.DOES_NOT_EXIST; }
    if (['AccessDenied', 'AllAccessDisabled'].includes(e.code)) { return BucketOwnership.SOMEONE_ELSES_OR_NO_ACCESS; }
    throw e;
  }
}

in https://github.com/aws/aws-cdk/blob/a75f711aea3dac83c6feec885b7df9b14a39486e/packages/cdk-assets/lib/private/handlers/files.ts. Trying to check the bucket access with those permissions fails with the SOMEONE_ELSES_OR_NO_ACCESS value returned, which is then handled with the error message described above.

      case BucketOwnership.SOMEONE_ELSES_OR_NO_ACCESS:
        throw new Error(`Bucket named '${destination.bucketName}' exists, but not in account ${account}. Wrong account?`);
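The classification in the quoted bucketOwnership() cannot tell "bucket in another account" from "role lacks s3:GetBucketLocation", and the handler interpolates an account object. The following is an added example (not cdk-assets code): the same classification as a pure function, plus a message that pulls the account id out of an assumed Account shape and names the permission. The Account interface, the message wording and the sample values are assumptions.

```typescript
type BucketOwnership = 'MINE' | 'DOES_NOT_EXIST' | 'SOMEONE_ELSES_OR_NO_ACCESS';

// Only the field of an AWS SDK v2 error that the quoted bucketOwnership() looks at.
interface SdkError { code: string }

// Classification of the GetBucketLocation outcome, mirroring the quoted function:
// `undefined` means the call succeeded, anything else is the rejection reason.
function classifyOutcome(err: SdkError | undefined): BucketOwnership {
  if (err === undefined) return 'MINE';
  if (err.code === 'NoSuchBucket') return 'DOES_NOT_EXIST';
  if (['AccessDenied', 'AllAccessDisabled'].indexOf(err.code) !== -1) return 'SOMEONE_ELSES_OR_NO_ACCESS';
  throw err; // anything else (throttling, network) is not an ownership answer
}

// Assumed shape of the `account` value the quoted handler interpolates directly,
// which is why the message ends up reading "[object Object]".
interface Account { accountId: string; partition: string }

// Builds the message for a failed check; returns undefined when the bucket is usable.
// AccessDenied cannot tell "wrong account" from "missing permission", so the text names both.
function describeBucketCheck(bucket: string, ownership: BucketOwnership, account: Account): string | undefined {
  switch (ownership) {
    case 'MINE':
      return undefined;
    case 'DOES_NOT_EXIST':
      return `Bucket named '${bucket}' does not exist in account ${account.accountId}. Has 'cdk bootstrap' been run?`;
    case 'SOMEONE_ELSES_OR_NO_ACCESS':
      return `Bucket named '${bucket}' exists, but is not accessible from account ${account.accountId}: ` +
        `either it belongs to a different account, or the deploying role lacks s3:GetBucketLocation on it.`;
  }
}

// Constructed: the situation from this thread, an AccessDenied on a bucket that is in fact ours.
function exampleMessage(): string | undefined {
  const account: Account = { accountId: '111111111111', partition: 'aws' };
  const ownership = classifyOutcome({ code: 'AccessDenied' });
  return describeBucketCheck('cdk-qualifier-assets-111111111111-us-east-1', ownership, account);
}
```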

Stumbled upon the same error message today, but not on arn:aws:s3:::cdktoolkit-stagingbucket-* as usually seen in tutorials.

  1. cdk deployment failed with an error today without any change in the codebase: Bucket named 'cdk-xxxxxxx-assets-*****-*****' exists, but not in account *****. Wrong account?.
  2. Permissions s3:GetObject, s3:PutObject, s3:ListBucket, s3:GetBucketLocation were already given to arn:aws:s3:::cdktoolkit-stagingbucket-* in the IAM role.
  3. I added the same permissions to the cdk-*-assets-*-* bucket regex following the error message.
  4. And it deployed again! 🎉

I can only explain it as a breaking change, since my deployments worked fine yesterday and stopped working today without changes, neither in the cdk deployment stack code nor in the AWS management console for that account.

aws-cdk version used: 1.136.0 (Scala).

cdk code to add, if interested (Scala):

// imports added for completeness (JavaConverters provides .asJava)
import scala.collection.JavaConverters._
import software.amazon.awscdk.services.iam.{Effect, PolicyStatement}

PolicyStatement.Builder
  .create()
  .effect(Effect.ALLOW)
  .actions(
    Seq(
      "s3:GetObject",
      "s3:PutObject",
      "s3:ListBucket",
      "s3:GetBucketLocation"
    ).asJava
  )
  .resources(
    Seq(
      "arn:aws:s3:::cdk-*-assets-*"
    ).asJava
  )
  .build()

Thank you @oscarnevarezleal, I was missing the s3:getBucketLocation action in my case

Hi I am not sure I understand the fix to this problem. I am going through the AWS CDK Workshop. I am trying to do the deploy after creating the lambda and I am now seeing the same error. I deleted and re-added the bucket but still getting the wrong account error.

Where do I fix the permissions? In the IAM role or in the CDK code?

Thanks

@fabiopaiva thanks for your reply. After searching for many hours I found out I had the same problem as you: after cdk bootstrap my IAM role only had permissions to access cdktoolkit-stagingbucket-* and was unable to access the new bucket cdk-${Qualifier}-assets-${AWS::AccountId}-${AWS::Region}

I had to go to the IAM console to manually modify the existing policy and add a new Resource for the permission:

"Resource": [
  "arn:aws:s3:::cdk-${Qualifier}-assets-${AWS::AccountId}-${AWS::Region}",
  "arn:aws:s3:::cdk-${Qualifier}-assets-${AWS::AccountId}-${AWS::Region}/*"
]

I had this error after upgrading to CDK 2: it was trying to access a bucket with a name like "cdk-hash-assets-account-region" and my role only had permissions to access cdktoolkit-stagingbucket-*
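Several comments above (the reduced policy that dropped s3:getBucketLocation, and the roles that only covered cdktoolkit-stagingbucket-* after the move to cdk-*-assets-* buckets) describe the same failure: the deploying role's policy does not cover the actions cdk-assets needs on the bucket it is actually using. The following is an added example (not aws-cdk code) that evaluates a policy document against a bucket ARN and reports which of those actions are not granted, applying IAM's case-insensitive action matching and '*'/'?' wildcards. The policies, bucket names and the sample object key are constructed.

```typescript
interface Statement { Effect: 'Allow' | 'Deny'; Action: string | string[]; Resource: string | string[] }
interface PolicyDocument { Version: string; Statement: Statement[] }

function asList(v: string | string[]): string[] { return Array.isArray(v) ? v : [v]; }

// IAM wildcard matching: '*' is any run of characters, '?' a single one. Action names
// compare case-insensitively (so 's3:getBucketLocation' still works); ARNs do not.
function iamMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + re + '$', ignoreCase ? 'i' : '').test(value);
}

// Bucket-level actions are checked against the bucket ARN, object-level ones against a key.
function resourceFor(action: string, bucketArn: string): string {
  return action === 's3:ListBucket' || action === 's3:GetBucketLocation' ? bucketArn : bucketArn + '/assets/example.zip';
}

// Returns the required actions that no Allow statement covers, or that an explicit Deny blocks.
function missingActions(doc: PolicyDocument, bucketArn: string, required: string[]): string[] {
  const covers = (s: Statement, action: string, resource: string): boolean =>
    asList(s.Action).some(a => iamMatch(a, action, true)) &&
    asList(s.Resource).some(r => iamMatch(r, resource, false));
  return required.filter(action => {
    const resource = resourceFor(action, bucketArn);
    const denied = doc.Statement.some(s => s.Effect === 'Deny' && covers(s, action, resource));
    const allowed = doc.Statement.some(s => s.Effect === 'Allow' && covers(s, action, resource));
    return denied || !allowed;
  });
}

// What cdk-assets needs on the staging bucket, per the comments in this thread.
const CDK_ASSET_ACTIONS = ['s3:GetObject', 's3:PutObject', 's3:ListBucket', 's3:GetBucketLocation'];

// Constructed: the reduced policy from the thread (v1 bucket name only, no GetBucketLocation).
const reducedPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: ['s3:*Object', 's3:ListBucket'], Resource: 'arn:aws:s3:::cdktoolkit-stagingbucket-*' }],
};

// Constructed: the corrected policy covering both the v1 and the v2 bucket name patterns.
const correctedPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Action: CDK_ASSET_ACTIONS,
    Resource: ['arn:aws:s3:::cdktoolkit-stagingbucket-*', 'arn:aws:s3:::cdk-*-assets-*', 'arn:aws:s3:::cdk-*-assets-*/*'],
  }],
};
```

Running missingActions(reducedPolicy, bucketArn, CDK_ASSET_ACTIONS) against a v1 bucket ARN reports only s3:GetBucketLocation, and against a v2 cdk-*-assets-* ARN reports all four actions, which matches the two situations described in the thread.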

Hi @pmarrone - scratch my previous message, I understand what’s happening. Indeed, the message is not clear enough.

Thanks for reporting this!