phuwin

Reputation: 3270

Why does CDK fail to deploy with a "Syntax errors in policy" error?

We currently want to run some code to build a tarball, then deploy the tarball using curl. Not sure if my approach is correct; however, I got this error and am stuck with it:

Resource handler returned message: "Syntax errors in policy. (Service: Iam, Status Code: 400, Request ID: 2c0ead32-b1d6-42b7-ba8b-e252bcce3657)" (RequestToken: 25adc60c-1869-6e03-44db-ddb04decf3e6, HandlerErrorCode: InvalidRequest)


My code:

import * as cdk from 'aws-cdk-lib';
import { Bucket } from 'aws-cdk-lib/aws-s3';
import { BuildEnvironmentVariableType } from 'aws-cdk-lib/aws-codebuild';
import { CodePipeline, CodeBuildStep } from 'aws-cdk-lib/pipelines';

const pipeline = new CodePipeline(this, 'Pipeline', {
  ... // this went fine
});

// bucket that hands the tarball from the build step to the deploy step
const tarballBucket = new Bucket(this, 'TarballBucket', {
  removalPolicy: cdk.RemovalPolicy.DESTROY,
});

const buildStep = new CodeBuildStep('Build', {
  input,
  // exposed to the build container as a plain environment variable
  env: {
    TARBALL_BUCKET_NAME: tarballBucket.bucketName
  },
  commands: [
    ...// some shell codes here
    'tar --exclude=".git" --exclude="node_modules" -zcvf tarball.tgz ../view-resources/*',
    'echo "uploading tarball to s3..."',
    'aws s3 cp tarball.tgz s3://$TARBALL_BUCKET_NAME/tarball.tgz'
  ],
});

// add build step to pipeline
pipeline.addStage(buildStage, {
  post: [buildStep],
});

const deployStep = new CodeBuildStep('Deploy', {
  buildEnvironment: {
    environmentVariables: {
      // JWT is read from Secrets Manager at build time, never stored in the template
      JWT: {
        type: BuildEnvironmentVariableType.SECRETS_MANAGER,
        value: jwtValue,
      }
    }
  },
  commands: [
    // bucket name is a CDK token resolved at synth time
    `aws s3 cp s3://${tarballBucket.bucketName}/tarball.tgz tarball.tgz`,
    'echo "Deploying to CMS"',
    // print the tarball size in bytes
    'du -b tarball.tgz',
  ],
});

// without this buildPipeline, cdk synth complains
pipeline.buildPipeline();
tarballBucket.grantReadWrite(buildStep);
tarballBucket.grantRead(deployStep);

I also tried to create a role that has access to the bucket and pass the role to the CodeBuild steps, but the same error occurs.

Update: the problem is somehow with the deployStep. I commented out the deploy step and it works; the tarball is created correctly.

The buildStep works with this code:

import { Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';

// explicit project role for CodeBuild, granted bucket access up front
const tarballBucketRole = new Role(this, 'TarballBucketRole', {
  assumedBy: new ServicePrincipal('codebuild.amazonaws.com'),
});

tarballBucket.grantReadWrite(tarballBucketRole);
const buildStep = new CodeBuildStep('Build', {
  input,
  role: tarballBucketRole,
  env: {
    TARBALL_BUCKET_NAME: tarballBucket.bucketName
  },
  commands: [
    ...// some shell codes here
    'tar --exclude=".git" --exclude="node_modules" -zcvf tarball.tgz ../view-resources/*',
    'echo "uploading tarball to s3..."',
    'aws s3 cp tarball.tgz s3://$TARBALL_BUCKET_NAME/tarball.tgz'
  ],
});

I deployed a solution using the role as an input to the CodeBuildStep and it throws the "Syntax errors in policy" error again. The same errors were also thrown when using CodePipelineSource.s3 as the input for the CodeBuildStep:

import { CodePipelineSource } from 'aws-cdk-lib/pipelines';

// pull the tarball from the bucket as the step's source artifact
const tarballBucketInput = CodePipelineSource.s3(tarballBucket, 'tarball.tgz');
const deployStep = new CodeBuildStep('Deploy', {
  input: tarballBucketInput,
  commands: [
    'echo "Deploying to CMS"',
    // print the tarball size in bytes
    'du -b tarball.tgz',
  ],
});

Upvotes: 0

Views: 446

Answers (1)

Tsal Troser

Reputation: 814

My guess is that your buildStep is not an IGrantable object since CodeBuildStep is an L3 Construct.

The grant* methods require an identity of type IGrantable.

IGrantable: Any object that has an associated principal that a permission can be granted to. https://docs.aws.amazon.com/cdk/v2/guide/permissions.html#permissions_grants

CodeBuildStep already creates a default IAM role. If you want to use the s3.Bucket.grant* methods, you can use either of these two:

// actionRole: Custom IAM role created by CodeBuildStep
tarballBucket.grantReadWrite(buildStep.actionRole);
tarballBucket.grantRead(deployStep.actionRole);

// grantPrincipal: The CodeBuild Project's principal.
tarballBucket.grantReadWrite(buildStep.grantPrincipal);
tarballBucket.grantRead(deployStep.grantPrincipal);

Upvotes: -1
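Neither the question nor the answer shows which grant produced the statement IAM rejected. One way to find it before running cdk deploy is to lint the IAM policy documents in the template that cdk synth writes to cdk.out. The following is an added example, not code from the question, the answer or the CDK project; the template type, the "<ref>" placeholder and the sample template are assumptions constructed for it.

```typescript
// Added example, not code from the question or the answer: lint the IAM policy
// documents in a `cdk synth` template so a statement IAM would reject with
// "Syntax errors in policy" is found before `cdk deploy`. Assumes the template is
// the CloudFormation JSON cdk synth writes to cdk.out; the sample is constructed.
type Template = { Resources: Record<string, { Type: string; Properties?: any }> };
// Flatten one Resource entry: literals stay, Fn::Join of literals is joined, and any
// other intrinsic (Ref, Fn::GetAtt) becomes "<ref>", since CloudFormation resolves
// those later and only the surrounding ARN shape can be checked offline.
function flatten(r: any): string {
  if (typeof r === 'string') return r;
  const join = r?.['Fn::Join'] as [string, any[]] | undefined;
  return join ? join[1].map(flatten).join(join[0]) : '<ref>';
}
// One finding per problem, keyed "<logicalId>#<statement index>".
function lintIamPolicies(template: Template): string[] {
  const findings: string[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    const docs: any[] = res.Type === 'AWS::IAM::Policy' ? [res.Properties?.PolicyDocument]
      : res.Type === 'AWS::IAM::Role' ? (res.Properties?.Policies ?? []).map((p: any) => p.PolicyDocument) : [];
    for (const doc of docs) {
      ([] as any[]).concat(doc?.Statement ?? []).forEach((s: any, i: number) => {
        const where = `${id}#${i}`;
        if (!s.Effect || !s.Action) findings.push(`${where}: missing Effect or Action`);
        const resources: string[] = ([] as any[]).concat(s.Resource ?? []).map(flatten);
        if (resources.length === 0) findings.push(`${where}: no Resource`);
        for (const r of resources) {
          // Braces mean an unresolved CDK token or a typo; an ARN needs at least six colon-separated fields.
          if (/[{}]/.test(r)) findings.push(`${where}: brace in Resource "${r}"`);
          else if (r.startsWith('arn:') ? r.split(':').length < 6 : r !== '*' && !r.startsWith('<ref>'))
            findings.push(`${where}: malformed Resource "${r}"`);
        }
      });
    }
  }
  return findings;
}

// Constructed sample: statement 0 is shaped like bucket.grantRead() output, statement 1 has a hand-typed secret ARN with stray braces, statement 2 has no Resource.
const sampleTemplate: Template = { Resources: { DeployRolePolicy: {
  Type: 'AWS::IAM::Policy',
  Properties: { PolicyDocument: { Statement: [
    { Effect: 'Allow', Action: ['s3:GetObject*', 's3:GetBucket*', 's3:List*'],
      Resource: [{ 'Fn::GetAtt': ['TarballBucket', 'Arn'] },
                 { 'Fn::Join': ['', [{ 'Fn::GetAtt': ['TarballBucket', 'Arn'] }, '/*']] }] },
    { Effect: 'Allow', Action: 'secretsmanager:GetSecretValue',
      Resource: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:jwt}}' },
    { Effect: 'Allow', Action: 'logs:CreateLogStream' },
  ] } },
} } };
```

Run it over every stack template in cdk.out after cdk synth; each finding names the logical ID of the policy and the statement index, which maps back to the grant or environment variable that emitted it.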
