gifted-vase-28337
11/09/2020, 8:21 AM
assume_role policy attached to the role:
```python
import pulumi_aws as aws

# Trust policy for the role: allow the AWS SSO SAML provider to assume it,
# restricted to SAML assertions whose audience is the AWS sign-in endpoint.
assume_role_policy_document = aws.iam.get_policy_document(
    statements=[
        aws.iam.GetPolicyDocumentStatementArgs(
            actions=["sts:AssumeRoleWithSAML", "sts:AssumeRole"],
            effect="Allow",
            principals=[
                aws.iam.GetPolicyDocumentStatementPrincipalArgs(
                    identifiers=[
                        "arn:aws:iam::{account id}:saml-provider/AWSSSO_d3b6798fb784ed5e_DO_NOT_DELETE"
                    ],
                    type="Federated",
                ),
            ],
            conditions=[
                aws.iam.GetPolicyDocumentStatementConditionArgs(
                    test="StringEquals",
                    values=["https://signin.aws.amazon.com/saml"],
                    variable="SAML:aud",
                ),
            ],
        )
    ]
)
```
which comports with https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html#idp_saml_Prerequisites

```
error: 1 error occurred:
    * error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::{account id}:role/debug) cannot be assumed.

    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid

    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        For verbose messaging see aws.Config.CredentialsChainVerboseErrors
```
~/.aws/config contains the following (it's using aws2-wrap):

```ini
[default]
region = us-west-2
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}
credential_process = aws2-wrap --process --profile default

[profile chaueter-sandbox]
region = us-west-2
role_arn = arn:aws:iam::{account id}:role/aws-reserved/sso.amazonaws.com/us-west-2/AWSReservedSSO_AWSAdministratorAccess_dbc09583d3a27737
source_profile = default
sso_account_id = {account id}
sso_region = us-west-2
sso_role_name = AWSAdministratorAccess
sso_start_url = {redacted}
```
chaueter-sandbox profile and CRUD resources. However, it cannot assume the role set by assume_role in an aws.Provider:
```python
import os

import pulumi
import pulumi_aws as aws

# Explicit provider: authenticate with the profile from AWS_PROFILE, then
# assume the target role for a 2-hour session.
provider = aws.Provider(
    resource_name="provider",
    assume_role=aws.ProviderAssumeRoleArgs(
        duration_seconds=2 * 60 * 60,
        role_arn="{the role arn}",
        session_name="session",
    ),
    max_retries=1,
    profile=os.environ["AWS_PROFILE"],
    region=pulumi.Config("aws").require("region"),
)
```
assume_role policy:

```python
test="StringEquals",
values=["chaueter@valohealth.com"],
variable="SAML:mail",
```

and got the same error message.