
fresh-minister-66960

11/29/2022, 9:00 PM
Hello, I need some help here. I have started using Deployments REST API but I am getting an error when trying to provision a lambda function in a subaccount. I get this error:
aws:lambda:Function (XXXXX):
     error: 1 error occurred:
         * error creating Lambda Function (1): AccessDeniedException:
         status code: 403, request id: 2224b871-f8fc-43f9-baf5-c62809b1779d
I am creating a new account in my organization using IAM credentials of an admin user in my main account. Will post the code in a comment here.
from pulumi import FileArchive, ResourceOptions
from pulumi_aws import Provider, iam, lambda_, organizations, s3

# client_name, email, role_name, lambda_name, lambda_runtime and the
# get_latest_layers() helper are defined elsewhere in this program.

# Create new subaccount in the organization
new_account = organizations.Account(
    client_name,
    email=email,
    close_on_deletion=True,
    role_name=role_name,
    name=client_name,
    iam_user_access_to_billing="ALLOW",
)

# Poll the organization's account list until the new account shows up,
# then record its ID (this is how we get the ID of 'new_account')
account_id = ""
while not account_id:
    organization = organizations.get_organization()
    for account in organization.accounts:
        if account.name == client_name:
            account_id = str(account.id)

# Intermediate provider that will assume the admin role (role_name) in the
# newly created account; credentials for the "mf" profile come from the
# main account
iam_role_provider = Provider(
    resource_name="admin-provider",
    profile="mf",
    assume_role={"role_arn": f"arn:aws:iam::{account_id}:role/{role_name}"},
    skip_metadata_api_check=False,
    skip_credentials_validation=True,
)

# Create new S3 bucket in the subaccount through the assumed-role provider
bucket = s3.Bucket(
    client_name,
    acl="private",
    versioning=s3.BucketVersioningArgs(
        enabled=True,
    ),
    bucket=client_name,
    opts=ResourceOptions(provider=iam_role_provider),
)

# Execution role for the Lambda function, also created in the subaccount
iam_for_lambda = iam.Role(
    "iamForLambda",
    assume_role_policy="""{
"Version": "2012-10-17",
"Statement": [
    {
    "Action": "sts:AssumeRole",
    "Principal": {
        "Service": "lambda.amazonaws.com"
    },
    "Effect": "Allow",
    "Sid": ""
    }
]
}
""",
    opts=ResourceOptions(provider=iam_role_provider),
)

# This is the lambda function we will deploy (same assumed-role provider);
# this is the resource that fails with AccessDeniedException
lambda_function = lambda_.Function(
    resource_name=lambda_name,
    name=lambda_name,
    code=FileArchive("package/"),
    handler="XXXX",
    runtime=lambda_runtime,
    layers=get_latest_layers(
        [
            "XXXX",
        ]
    ),
    role=iam_for_lambda.arn,
    opts=ResourceOptions(provider=iam_role_provider),
)
What is weird is that the named provider can assume the admin role in the new subaccount and create a bucket but then fails to create a lambda.

red-match-15116

11/29/2022, 9:23 PM
Hmm... it doesn't look like the assumed role in the new account is defined in this code so I can't tell, but does it have permissions to create a lambda?

fresh-minister-66960

11/29/2022, 9:39 PM
@red-match-15116 as far as I understand, the field role_name, when creating a new account, will make that role an admin of the new account, which is the one the Provider is assuming. At least that is how I understood it works.

red-match-15116

11/29/2022, 9:51 PM
Ah yep, I see that now. I'm honestly not sure, but it seems related to AWS permissions rather than Pulumi Deployments specifically. You might have more luck in #aws? I would probably try to investigate the rolename role in the new account and make sure it has the right permissions using the permissions simulator.