freezing-greece-82130

04/14/2023, 3:56 AM
somewhat basic question, I’m having some issues with AWS Organization module. when I try to retrieve info I get
Error: invocation of aws:organizations/getOrganization:getOrganization returned an error: invoking aws:organizations/getOrganization:getOrganization: 1 error occurred:
    * error listing AWS Organization (o-mbtpj7k2e5) accounts: AccessDeniedException: You don't have permissions to access this resource.
this happens even though I have PowerUserAccess and AdministratorAccess. Organization is enabled in my region (us-east-1) and `aws organizations describe-organization` runs fine. has anyone else run into this? src is just this one-liner
const organization = aws.organizations.getOrganization({});
brainy-church-78120

04/14/2023, 4:07 AM
does it work for other aws resources?
freezing-greece-82130

04/14/2023, 11:44 AM
yup
resolved btw! seems that I didn't have enough perms with just PowerUserAccess
it would be nice if operations could list the perms needed in documentation or stack trace 😄
brainy-church-78120

04/17/2023, 1:14 AM
Lee Briggs opened this issue to allow us to expose more information on these types of errors, you can vote on it by emoji reacting on the issue over in github https://github.com/pulumi/pulumi-aws/issues/2467
freezing-greece-82130

04/17/2023, 2:06 PM
cool ty!
// Pulumi (TypeScript). `name`, `getAccountId`, `gitlabShortUri`, `conditionKey`,
// `gitlabInfraProjectPath` and `repo` are defined elsewhere in the program.
import * as aws from '@pulumi/aws';
import * as pulumi from '@pulumi/pulumi';

// Role assumed by GitLab CI through the GitLab OIDC provider; the trust policy
// only admits web-identity tokens whose claim matches the infra project path.
const gitlabInfraCiRole = new aws.iam.Role(`${name}-gitlab-oidc-infra-role`, {
  assumeRolePolicy: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Principal: {
          Federated: pulumi.interpolate`arn:aws:iam::${getAccountId()}:oidc-provider/${gitlabShortUri}`,
        },
        Action: 'sts:AssumeRoleWithWebIdentity',
        Condition: {
          StringLike: {
            [conditionKey]: `project_path:${gitlabInfraProjectPath}`,
          },
        },
      },
    ],
  },
  managedPolicyArns: [
    'arn:aws:iam::aws:policy/AmazonECS_FullAccess',
    'arn:aws:iam::aws:policy/AWSLambda_FullAccess',
    'arn:aws:iam::aws:policy/AWSOrganizationsFullAccess',
  ],
  description: 'GitLab infra repo role',
});

// Inline policy attached to the role above.
const gitlabInfraCiPolicy = new aws.iam.RolePolicy(
  `${name}-gitlab-oidc-infra-policy`,
  {
    role: gitlabInfraCiRole,
    policy: {
      Version: '2012-10-17',
      Statement: [
        {
          Effect: 'Allow',
          Action: ['ecr:DescribeImages'],
          Resource: repo.arn,
        },
        {
          Sid: 'AssumeNewAccountRole',
          Effect: 'Allow',
          Action: ['sts:AssumeRole'],
          Resource: [
            'arn:aws:iam::290241234068:role/OrganizationalAccountAccessRole',
          ],
        },
        {
          // Note: the 'organizations:*' grant in the last statement already
          // covers every action listed here.
          Sid: 'OrganizationWritePolicies',
          Effect: 'Allow',
          Action: [
            'organizations:CreateOrganizationalUnit',
            'organizations:DeleteOrganizationalUnit',
            'organizations:UpdateOrganizationalUnit',
            'organizations:MoveAccount',
            'organizations:CreatePolicy',
            'organizations:AttachPolicy',
            'organizations:CreateAccount',
            'organizations:DeletePolicy',
            'organizations:DeleteResourcePolicy',
            'organizations:DetachPolicy',
            'organizations:UpdatePolicy',
            'organizations:CloseAccount',
            'organizations:DisablePolicyType',
            'organizations:EnablePolicyType',
          ],
          Resource: '*',
        },
        {
          Effect: 'Allow',
          Action: [
            'secretsmanager:GetSecretValue',
            // TODO: consider lowering the permission scope
            'ec2:*',
            'ecs:*',
            // TODO: expect some missing permissions when updating/deleting resources, e.g.:
            'iam:UpdateAssumeRolePolicy',
            'iam:DetachRolePolicy',
            'acm:RequestCertificate',
            'acm:DescribeCertificate',
            'acm:ListTagsForCertificate',
            'elasticloadbalancing:ModifyListener',
            'logs:PutRetentionPolicy',
            'logs:ListTagsLogGroup',
            'elasticloadbalancing:DescribeTags',
            'elasticloadbalancing:DescribeLoadBalancerAttributes',
            'elasticloadbalancing:ModifyLoadBalancerAttributes',
            'rds:DeleteDBSubnetGroup',
            'rds:ModifyDBInstance',
            'rds:DescribeDBInstances',
            'rds:ListTagsForResource',
            'backup:*',
            'backup-storage:*',
            'organizations:*',
            'account:GetAlternateContact',
            'account:GetContactInformation',
            'account:PutContactInformation',
            'account:ListAccounts',
            'account:ListRegions',
            'account:EnableRegion',
            'account:DisableRegion',
          ],
          Resource: '*',
        },
      ],
    },
  },
);
brainy-church-78120

04/21/2023, 12:13 AM
not immediately but can take a closer look tomorrow
freezing-greece-82130

04/21/2023, 9:01 AM
thanks!! it’s been driving me a lil nuts haha