# aws
m
👋🏻 hey folks! I am on my learning journey of using Pulumi with AWS. At the moment am trying to automate a multi-account set-up. One of the things I am having troubles with is trying to lookup and use an existing organization using `aws.organizations.getOrganization`. The problem I am facing is that it seems to be ignoring the AWS Provider I am giving it and trying to perform a lookup with my current credentials, instead of assuming the ones provided in the provider. The rough set-up is:
```typescript
// Explicit provider that assumes a role in the management account
const managementAccountProvider = new aws.Provider('management-account-provider', {
  assumeRole: { roleArn: managementAccountProviderRoleArn },
  region: aws.Region.APSoutheast2,
});

// Look up the existing organization through that provider
const organization = aws.organizations.getOrganizationOutput({ provider: managementAccountProvider });
```
and I am getting the

```
* reading Organizations Organization: operation error Organizations: DescribeOrganization, https response error StatusCode: 400, RequestID: be2ef75b-81af-401a-bd98-f6db6e446222, AccessDeniedException: You don't have permissions to access this resource.
```
which is correct if using my current role, but if it would use the role assumed in the `managementAccountProvider`, it will be fine, because that user has all the perms needed. Any ideas what am I doing wrong?
l
Doesn't assumeRole require sourceProfile? I don't think it'll work without a base profile to use to assume the new role from.
Ah no, I'm getting mixed up with the credentials file.
Though being explicit with `sourceIdentity` isn't a bad idea. It might help you track the problem down.
m
Thanks Paul. I have just discovered the problem. It was a misspelling of the policy action on the user. Instead of `organizations:DescribeOrganization` I had `organization:DescribeOrganization` 😐 I really wish we had constants for this and also that AWS actually validated things instead of blindly accepting them...