(custom-resources): Cannot delete AwsCustomResource when using assumedRoleArn #34011

@msessa

Description

Describe the bug

When an AwsCustomResource that uses assumedRoleArn for the onDelete operation is deleted, an error may occur if the physicalResourceId contains characters not allowed in an STS session name.

This appears to be caused by this line:

RoleSessionName: `${timestamp}-${physicalResourceId}`.substring(0, 64),

where the resource physical ID is used to construct the session name for the AssumeRole operation.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Role is assumed correctly and operation is invoked using the role

Current Behavior

An error is returned in cloudformation:

Received response status [FAILED] from custom resource. Message returned: 1 validation error detected: Value '1743579449324-arn:aws:sns:ap-southeast-2:<redacted>:TestCaseTo' at 'roleSessionName' failed to satisfy constraint: Member must satisfy regular expression pattern: [\w+=,.@-]* (RequestId: 5b8c8276-00d0-4c83-82f0-d1e00d91b90b)

Reproduction Steps

Deploy and then attempt to delete the following stack:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class TestCaseBugStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: cdk.StackProps) {
    super(scope, id, props);

    const assumedRole = new cdk.aws_iam.Role(this, 'AssumedRole', {
      assumedBy: new cdk.aws_iam.AccountRootPrincipal(),
      inlinePolicies: {
        ManageTopic: new cdk.aws_iam.PolicyDocument({
          statements: [new cdk.aws_iam.PolicyStatement({
            actions: ['sns:CreateTopic', 'sns:DeleteTopic'],
            resources: ['*'],
          })],
        }),
      },
    });

    new cdk.custom_resources.AwsCustomResource(this, 'TestCase', {
      installLatestAwsSdk: false,
      onCreate: {
        assumedRoleArn: assumedRole.roleArn,
        service: 'sns',
        action: 'CreateTopic',
        parameters: {
          Name: 'TestCaseTopic',
        },
        physicalResourceId: cdk.custom_resources.PhysicalResourceId.fromResponse('TopicArn'),
      },
      onDelete: {
        assumedRoleArn: assumedRole.roleArn,
        service: 'sns',
        action: 'DeleteTopic',
        parameters: {
          TopicArn: new cdk.custom_resources.PhysicalResourceIdReference(),
        },
      },
      policy: cdk.custom_resources.AwsCustomResourcePolicy.fromSdkCalls({ resources: [] }),
    });
  }
}

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.1006.0 (build a3b9762)

Framework Version

v2.187.0

Node.js Version

20.13.1

OS

MacOS 14.3 (23D56)

Language

TypeScript

Language Version

No response

Other information

No response
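As an added illustration (not part of this issue or of aws-cdk-lib), the snippet below reproduces the current session-name construction, checks it against the constraint quoted in the error message, and shows a hypothetical sanitizing variant that replaces the ARN separators. The account ID in the sample ARN is a constructed placeholder.

```typescript
// Added example, not from the issue or from aws-cdk-lib.
// STS RoleSessionName must be 2..64 characters matching [\w+=,.@-]*
// (the pattern quoted in the CloudFormation error above).
const ROLE_SESSION_NAME_PATTERN = /^[\w+=,.@-]*$/;
const ROLE_SESSION_NAME_MIN = 2;
const ROLE_SESSION_NAME_MAX = 64;

// Constructed sample: an SNS topic ARN as returned by CreateTopic.
// The account ID is a placeholder, not a real account.
const SAMPLE_TIMESTAMP = 1743579449324;
const SAMPLE_TOPIC_ARN = 'arn:aws:sns:ap-southeast-2:123456789012:TestCaseTopic';

// Mirrors the line quoted in the issue: timestamp + physicalResourceId, cut to 64 chars.
function currentSessionName(timestamp: number, physicalResourceId: string): string {
  return `${timestamp}-${physicalResourceId}`.substring(0, ROLE_SESSION_NAME_MAX);
}

// Validates a candidate name against the STS length and character constraints.
function isValidRoleSessionName(name: string): boolean {
  return (
    name.length >= ROLE_SESSION_NAME_MIN &&
    name.length <= ROLE_SESSION_NAME_MAX &&
    ROLE_SESSION_NAME_PATTERN.test(name)
  );
}

// Hypothetical hardened variant: every character outside the allowed set
// (':' and '/' in an ARN, for instance) is replaced with '-', then truncated.
// The name stays recognisable for CloudTrail while satisfying the constraint.
function sanitizedSessionName(timestamp: number, physicalResourceId: string): string {
  const sanitized = physicalResourceId.replace(/[^\w+=,.@-]/g, '-');
  return `${timestamp}-${sanitized}`.substring(0, ROLE_SESSION_NAME_MAX);
}

// Shows the failing name next to its sanitized counterpart.
function compareNames(): { current: string; sanitized: string } {
  return {
    current: currentSessionName(SAMPLE_TIMESTAMP, SAMPLE_TOPIC_ARN),
    sanitized: sanitizedSessionName(SAMPLE_TIMESTAMP, SAMPLE_TOPIC_ARN),
  };
}

const names = compareNames();
console.log(`current   (valid=${isValidRoleSessionName(names.current)}): ${names.current}`);
console.log(`sanitized (valid=${isValidRoleSessionName(names.sanitized)}): ${names.sanitized}`);
```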