# general
f
somewhat basic question, I’m having some issues with AWS Organization module. when I try to retrieve info I get
```
Error: invocation of aws:organizations/getOrganization:getOrganization returned an error: invoking aws:organizations/getOrganization:getOrganization: 1 error occurred:
    	* error listing AWS Organization (o-mbtpj7k2e5) accounts: AccessDeniedException: You don't have permissions to access this resource.
```
this happens even though I have `PowerUserAccess` and `AdministratorAccess`. Organization is enabled in my region (us-east-1) and `aws organizations describe-organization` runs fine. has anyone else run into this? src is just this one-liner
```
const organization = aws.organizations.getOrganization({});
```
b
does it work for other aws resources?
f
yup
resolved btw! seems that I didn’t have enough perms with just `PowerUserAccess`. it would be nice if operations could list the perms needed in documentation or stack trace 😄
b
Lee Briggs opened this issue to allow us to expose more information on these types of errors. You can vote on it by emoji-reacting on the issue over in GitHub: https://github.com/pulumi/pulumi-aws/issues/2467
f
cool ty!
```
const gitlabInfraCiRole = new aws.iam.Role(`${name}-gitlab-oidc-infra-role`, {
  assumeRolePolicy: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Principal: {
          Federated: pulumi.interpolate`arn:aws:iam::${getAccountId()}:oidc-provider/${gitlabShortUri}`,
        },
        Action: 'sts:AssumeRoleWithWebIdentity',
        Condition: {
          StringLike: {
            [conditionKey]: `project_path:${gitlabInfraProjectPath}`,
          },
        },
      },
    ],
  },
  managedPolicyArns: [
    'arn:aws:iam::aws:policy/AmazonECS_FullAccess',
    'arn:aws:iam::aws:policy/AWSLambda_FullAccess',
    'arn:aws:iam::aws:policy/AWSOrganizationsFullAccess',
  ],
  description: 'GitLab infra repo role',
});

const gitlabInfraCiPolicy = new aws.iam.RolePolicy(
  `${name}-gitlab-oidc-infra-policy`,
  {
    role: gitlabInfraCiRole,
    policy: {
      Version: '2012-10-17',
      Statement: [
        {
          Effect: 'Allow',
          Action: ['ecr:DescribeImages'],
          Resource: repo.arn,
        },
        {
          Sid: 'AssumeNewAccountRole',
          Effect: 'Allow',
          Action: [
            'sts:AssumeRole'
          ],
          Resource: [
            'arn:aws:iam::290241234068:role/OrganizationalAccountAccessRole'
          ]
        },
        {
          // Note: every action here is already covered by 'organizations:*' in the
          // statement below (and by the AWSOrganizationsFullAccess managed policy on the role).
          Sid: 'OrganizationWritePolicies',
          Effect: 'Allow',
          Action: [
            'organizations:CreateOrganizationalUnit',
            'organizations:DeleteOrganizationalUnit',
            'organizations:UpdateOrganizationalUnit',
            'organizations:MoveAccount',
            'organizations:CreatePolicy',
            'organizations:AttachPolicy',
            'organizations:CreateAccount',
            'organizations:DeletePolicy',
            'organizations:DeleteResourcePolicy',
            'organizations:DetachPolicy',
            'organizations:UpdatePolicy',
            'organizations:CloseAccount',
            'organizations:DisablePolicyType',
            'organizations:EnablePolicyType'
          ],
          Resource: "*"
        },
        {
          Effect: 'Allow',
          Action: [
            'secretsmanager:GetSecretValue',
            // TODO: consider lowering the permission scope
            'ec2:*',
            'ecs:*',
            // TODO: expect some missing permissions when updating/deleting resources, e.g.:
            'iam:UpdateAssumeRolePolicy',
            'iam:DetachRolePolicy',
            'acm:RequestCertificate',
            'acm:DescribeCertificate',
            'acm:ListTagsForCertificate',
            'elasticloadbalancing:ModifyListener',
            'logs:PutRetentionPolicy',
            'logs:ListTagsLogGroup',
            'elasticloadbalancing:DescribeTags',
            'elasticloadbalancing:DescribeLoadBalancerAttributes',
            'elasticloadbalancing:ModifyLoadBalancerAttributes',
            'rds:DeleteDBSubnetGroup',
            'rds:ModifyDBInstance',
            'rds:DescribeDBInstances',
            'rds:ListTagsForResource',
            'backup:*',
            'backup-storage:*',
            'organizations:*',
            'account:GetAlternateContact',
            'account:GetContactInformation',
            'account:PutContactInformation',
            'account:ListAccounts',
            'account:ListRegions',
            'account:EnableRegion',
            'account:DisableRegion',
          ],
          Resource: '*',
        },
      ],
    },
  }
);
```
b
not immediately but can take a closer look tomorrow
f
thanks!! it’s been driving me a lil nuts haha