somewhat basic question I m having some issues with AWS Orga

Question

somewhat basic question I m having some issues with AWS Organization module when I try to retrieve info I get ``` Error invocation of aws organizations getOrganization getOrganization returned an error invoking aws organizations getOrganization getOrganization 1 error occurred error listing AWS Organization o mbtpj7k2e5 accounts AccessDeniedException You don t have permissions to access this resource ``` this happens even though I have `PowerUserAccess` and `AdministratorAccess` Organization is enabled in my region us east 1 and ```aws organizations describe organization``` runs fine has anyone else run into this src is just this one liner ```const organization = aws organizations getOrganization ```

brainy-church-78120 · Answer

does it work for other aws resources

freezing-greece-82130 · Answer

yup

freezing-greece-82130 · Answer

resolved btw seems that I didn t have enough perms with just `PowerUserAccess`

freezing-greece-82130 · Answer

it would be nice if operations could list the perms needed in documentation or stack trace smile

brainy-church-78120 · Answer

Lee Briggs opened this issue to allow us to expose more information on these types of errors you can vote on it by emoji reacting on the issue over in github <https github com pulumi pulumi aws issues 2467|https github com pulumi pulumi aws issues 2467>

freezing-greece-82130 · Answer

cool ty

freezing-greece-82130 · Answer

```const gitlabInfraCiRole = new aws iam Role `$ name gitlab oidc infra role` assumeRolePolicy Version 2012 10 17 Statement Effect Allow Principal Federated pulumi interpolate`arn aws iam $ getAccountId oidc provider $ gitlabShortUri ` Action sts AssumeRoleWithWebIdentity Condition StringLike conditionKey `project path $ gitlabInfraProjectPath ` managedPolicyArns arn aws iam aws policy AmazonECS FullAccess arn aws iam aws policy AWSLambda FullAccess arn aws iam aws policy AWSLambda FullAccess arn aws iam aws policy AWSOrganizationsFullAccess description GitLab infra repo role const gitlabInfraCiPolicy = new aws iam RolePolicy `$ name gitlab oidc infra policy` role gitlabInfraCiRole policy Version 2012 10 17 Statement Effect Allow Action ecr DescribeImages Resource repo arn Sid AssumeNewAccountRole Effect Allow Action sts AssumeRole Resource arn aws iam 290241234068 role OrganizationalAccountAccessRole Sid OrganizationWritePolicies Effect Allow Action organizations CreateOrganizationalUnit organizations DeleteOrganizationalUnit organizations UpdateOrganizationalUnit organizations MoveAccount organizations CreatePolicy organizations AttachPolicy organizations CreateAccount organizations DeletePolicy organizations DeleteResourcePolicy organizations DetachPolicy organizations UpdatePolicy organizations CloseAccount organizations DisablePolicyType organizations EnablePolicyType Resource Effect Allow Action secretsmanager GetSecretValue TODO consider lowering the permision scope ec2 ecs TODO Expect some missing policies when updateing deleting resources eg iam UpdateAssumeRolePolicy iam DetachRolePolicy acm RequestCertificate acm DescribeCertificate acm ListTagsForCertificate elasticloadbalancing ModifyListener logs PutRetentionPolicy logs ListTagsLogGroup elasticloadbalancing DescribeTags elasticloadbalancing DescribeLoadBalancerAttributes elasticloadbalancing ModifyLoadBalancerAttributes rds DeleteDBSubnetGroup rds ModifyDBInstance rds DescribeDBInstances rds ListTagsForResource backup backup storage organizations account GetAlternateContact account GetContactInformation account GetAlternateContact account GetContactInformation account PutContactInformation account ListAccounts account ListRegions account EnableRegion account DisableRegion Resource ```

brainy-church-78120 · Answer

not immediately but can take a closer look tomorrow

freezing-greece-82130 · Answer

thanks it s been driving me a lil nuts haha