freezing-greece-82130
04/14/2023, 3:56 AMError: invocation of aws:organizations/getOrganization:getOrganization returned an error: invoking aws:organizations/getOrganization:getOrganization: 1 error occurred:
* error listing AWS Organization (o-mbtpj7k2e5) accounts: AccessDeniedException: You don't have permissions to access this resource.
This happens even though I have `PowerUserAccess` and `AdministratorAccess`. Organization is enabled in my region (us-east-1) and `aws organizations describe-organization` runs fine. Has anyone else run into this?
The source is just this one-liner:
// The call that produced the AccessDeniedException quoted above: the provider
// lists the organization's accounts as part of this lookup, so the caller needs
// the corresponding organizations:* read permissions, not just describe-organization.
const organization = aws.organizations.getOrganization({});
brainy-church-78120
04/14/2023, 4:07 AMfreezing-greece-82130
04/14/2023, 11:44 AMPowerUserAccess
brainy-church-78120
04/17/2023, 1:14 AMfreezing-greece-82130
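// IAM role assumed by the GitLab infra CI pipeline through OIDC web-identity federation.
// `name`, `getAccountId`, `gitlabShortUri`, `conditionKey` and `gitlabInfraProjectPath`
// are defined elsewhere in the program.
const gitlabInfraCiRole = new aws.iam.Role(`${name}-gitlab-oidc-infra-role`, {
  assumeRolePolicy: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Principal: {
          // Trust the GitLab OIDC identity provider registered in this account.
          Federated: pulumi.interpolate`arn:aws:iam::${getAccountId()}:oidc-provider/${gitlabShortUri}`,
        },
        Action: 'sts:AssumeRoleWithWebIdentity',
        Condition: {
          // Only tokens issued for this GitLab project may assume the role.
          // NOTE(review): StringLike treats `*` and `?` in the value as wildcards;
          // if gitlabInfraProjectPath never contains them, StringEquals is the
          // tighter operator — confirm before switching.
          StringLike: {
            [conditionKey]: `project_path:${gitlabInfraProjectPath}`,
          },
        },
      },
    ],
  },
  // Deduplicated: AWSLambda_FullAccess was listed twice in the original, which
  // yields a duplicate attachment in the desired state.
  managedPolicyArns: [
    'arn:aws:iam::aws:policy/AmazonECS_FullAccess',
    'arn:aws:iam::aws:policy/AWSLambda_FullAccess',
    'arn:aws:iam::aws:policy/AWSOrganizationsFullAccess',
  ],
  description: 'GitLab infra repo role',
});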
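// Inline policy attached to the GitLab infra CI role. `name` and `repo` are
// defined elsewhere in the program.
const gitlabInfraCiPolicy = new aws.iam.RolePolicy(
  `${name}-gitlab-oidc-infra-policy`,
  {
    role: gitlabInfraCiRole,
    policy: {
      Version: '2012-10-17',
      Statement: [
        {
          // Read access scoped to the single ECR repository.
          Effect: 'Allow',
          Action: ['ecr:DescribeImages'],
          Resource: repo.arn,
        },
        {
          // Lets the pipeline hop into the member account via its access role.
          Sid: 'AssumeNewAccountRole',
          Effect: 'Allow',
          Action: ['sts:AssumeRole'],
          Resource: [
            'arn:aws:iam::290241234068:role/OrganizationalAccountAccessRole',
          ],
        },
        {
          // NOTE(review): every action below is already granted by the
          // `organizations:*` entry in the next statement (and by the
          // AWSOrganizationsFullAccess managed policy on the role), so this
          // scoped list only constrains anything once those wildcards go away.
          Sid: 'OrganizationWritePolicies',
          Effect: 'Allow',
          Action: [
            'organizations:CreateOrganizationalUnit',
            'organizations:DeleteOrganizationalUnit',
            'organizations:UpdateOrganizationalUnit',
            'organizations:MoveAccount',
            'organizations:CreatePolicy',
            'organizations:AttachPolicy',
            'organizations:CreateAccount',
            'organizations:DeletePolicy',
            'organizations:DeleteResourcePolicy',
            'organizations:DetachPolicy',
            'organizations:UpdatePolicy',
            'organizations:CloseAccount',
            'organizations:DisablePolicyType',
            'organizations:EnablePolicyType',
          ],
          Resource: '*',
        },
        {
          Effect: 'Allow',
          Action: [
            'secretsmanager:GetSecretValue',
            // TODO: consider lowering the permission scope
            'ec2:*',
            'ecs:*',
            // TODO: expect some missing permissions when updating/deleting resources, e.g.:
            'iam:UpdateAssumeRolePolicy',
            'iam:DetachRolePolicy',
            'acm:RequestCertificate',
            'acm:DescribeCertificate',
            'acm:ListTagsForCertificate',
            'elasticloadbalancing:ModifyListener',
            'logs:PutRetentionPolicy',
            'logs:ListTagsLogGroup',
            'elasticloadbalancing:DescribeTags',
            'elasticloadbalancing:DescribeLoadBalancerAttributes',
            'elasticloadbalancing:ModifyLoadBalancerAttributes',
            'rds:DeleteDBSubnetGroup',
            'rds:ModifyDBInstance',
            'rds:DescribeDBInstances',
            'rds:ListTagsForResource',
            'backup:*',
            'backup-storage:*',
            // Subsumes the whole OrganizationWritePolicies statement above.
            'organizations:*',
            // Deduplicated: account:GetAlternateContact and
            // account:GetContactInformation were each listed twice in the original.
            'account:GetAlternateContact',
            'account:GetContactInformation',
            'account:PutContactInformation',
            'account:ListAccounts',
            'account:ListRegions',
            'account:EnableRegion',
            'account:DisableRegion',
          ],
          Resource: '*',
        },
      ],
    },
  }
);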