Permission_relationships sync crashing when EC2Instance related permission relationship mapping added. #1792

@Daksh1603

Description:

What issue is being seen?

- target_label: EC2Instance
  permissions:
    - ssm:StartSession
    - ssm:DescribeSessions
    - ssm:GetConnectionStatus
  relationship_name: SSM_FULL_ACCESS

Adding the above relationship mapping causes the permission_relationships sync to crash.

To Reproduce:

Steps to reproduce the behavior. Provide all data and inputs required to reproduce the issue.

Add the above policy to relationship_mappings.yaml and run the AWS sync with the permission-relationships-file flag set.

Logs:

If applicable, copy and paste your console log with the failing stack trace.

  Traceback (most recent call last):
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/sync.py", line 144, in run
    stage_func(neo4j_session, config)
    ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/util.py", line 204, in timed
    return method(*args, **kwargs)
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/intel/aws/__init__.py", line 362, in start_aws_ingestion
    sync_successful = _sync_multiple_accounts(
        neo4j_session,
    ...<5 lines>...
        regions=regions,
    )
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/intel/aws/__init__.py", line 212, in _sync_multiple_accounts
    _sync_one_account(
    ~~~~~~~~~~~~~~~~~^
        neo4j_session,
        ^^^^^^^^^^^^^^
    ...<5 lines>...
        aws_requested_syncs=aws_requested_syncs,  # Could be replaced later with per-account requested syncs
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    )
    ^
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/intel/aws/__init__.py", line 89, in _sync_one_account
    RESOURCE_FUNCTIONS["permission_relationships"](**sync_args)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/util.py", line 204, in timed
    return method(*args, **kwargs)
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/intel/aws/permission_relationships.py", line 455, in sync
    allowed_mappings = calculate_permission_relationships(
        principals,
        resource_arns,
        permissions,
    )
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/intel/aws/permission_relationships.py", line 206, in calculate_permission_relationships
    if principal_allowed_on_resource(policies, resource_arn, permissions):
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/intel/aws/permission_relationships.py", line 166, in principal_allowed_on_resource
    allowed, explicit_deny = evaluate_policy_for_permissions(
                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        statements,
        ^^^^^^^^^^^
        permissions,
        ^^^^^^^^^^^^
        resource_arn,
        ^^^^^^^^^^^^^
    )
    ^
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/intel/aws/permission_relationships.py", line 135, in evaluate_policy_for_permissions
    if evaluate_statements_for_permission(
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^
        allow_statements,
        ^^^^^^^^^^^^^^^^^
        permission,
        ^^^^^^^^^^^
        resource_arn,
        ^^^^^^^^^^^^^
    ):
    ^
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/intel/aws/permission_relationships.py", line 96, in evaluate_statements_for_permission
    if evaluate_resource_for_permission(statement, resource_arn):
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/intel/aws/permission_relationships.py", line 62, in evaluate_resource_for_permission
    if evaluate_clause(clause, resource_arn):
       ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
  File "/home/Flarebound/CNCF/cartography-personal/cartography/cartography/intel/aws/permission_relationships.py", line 33, in evaluate_clause
    result = compile_regex(clause).fullmatch(match)
TypeError: expected string or bytes-like object, got 'NoneType'

Please complete the following information:

  • Cartography release version or commit hash [e.g. 0.12.0 or 95e8e11]

6b4ab69

Additional context:

Add any other context about the problem here.

This is happening because the arn property of resources is used for matching relationships between principals and resources, and some resources don't have this property yet (reference: #1147, #1024).
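The failure mode in the traceback, reproduced as an added example (not cartography's code and not part of the original issue): a resource whose arn is None reaches `fullmatch`, which raises `TypeError`, while a guarded variant treats it as a non-match and counts it so the coverage gap stays visible. The function bodies, the wildcard translation and the sample ARN are assumptions constructed for illustration; only the names `compile_regex` and `evaluate_clause` come from the traceback.

```python
import re
from functools import lru_cache

# Constructed stand-ins for functions named in the traceback; these bodies are
# assumptions for illustration, not cartography's implementation.


@lru_cache(maxsize=1000)
def compile_regex(clause: str) -> re.Pattern:
    # Translate an IAM-style wildcard clause ("*" and "?") into a regex.
    escaped = re.escape(clause).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, flags=re.IGNORECASE)


def evaluate_clause_unguarded(clause, match):
    # Same call shape as the failing line: fullmatch(None) raises TypeError.
    return compile_regex(clause).fullmatch(match) is not None


def evaluate_clause_guarded(clause, match):
    # A resource node with no arn cannot match any Resource clause.
    if not isinstance(match, str):
        return False
    return compile_regex(clause).fullmatch(match) is not None


def resources_allowed(clauses, resource_arns, evaluate):
    """Return (matched ARNs, count of resources that had no arn)."""
    matched, missing_arn = [], 0
    for arn in resource_arns:
        if arn is None:
            missing_arn += 1  # surfaced so missing graph edges are noticeable
        if any(evaluate(clause, arn) for clause in clauses):
            matched.append(arn)
    return matched, missing_arn


# Constructed sample data: one EC2Instance with an arn, one without.
SAMPLE_CLAUSES = ["arn:aws:ec2:*:*:instance/*"]
SAMPLE_ARNS = [
    "arn:aws:ec2:us-east-1:000000000000:instance/i-0123456789abcdef0",
    None,
]
```
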

Labels: module:AWS (Related to cartography's AWS module)
