Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
f
fresh-minister-66960
11/29/2022, 9:56 PMHello, I need some help here. I have started using Deployments REST API but I am getting an error when trying to provision a lambda function in a subaccount.
I get this error:
aws:lambda:Function (XXXXX):
44
error: 1 error occurred:
45
* error creating Lambda Function (1): AccessDeniedException:
46
status code: 403, request id: 2224b871-f8fc-43f9-baf5-c62809b1779d# Create new subaccount
new_account = organizations.Account(
client_name,
email=email,
close_on_deletion=True,
role_name=role_name,
name=client_name,
iam_user_access_to_billing="ALLOW",
)
account_id = ""
while not account_id:
# This is how we get the ID of 'new_account'
organization = organizations.get_organization()
for account in organization.accounts:
if account.name == client_name:
account_id = str(account.id)
# Intermediate provider that will assume admin role on the newly created account
iam_role_provider = Provider(
resource_name="admin-provider",
profile="mf",
assume_role={"role_arn": f"arn:aws:iam::{account_id}:role/{role_name}"},
skip_metadata_api_check=False,
skip_credentials_validation=True,
)
# Create new S3 bucket
bucket = s3.Bucket(
client_name,
acl="private",
versioning=s3.BucketVersioningArgs(
enabled=True,
),
bucket=client_name,
opts=ResourceOptions(provider=iam_role_provider),
)
iam_for_lambda = iam.Role(
"iamForLambda",
assume_role_policy="""{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "<http://lambda.amazonaws.com|lambda.amazonaws.com>"
},
"Effect": "Allow",
"Sid": ""
}
]
}
""",
opts=ResourceOptions(provider=iam_role_provider),
)
# This is the lambda function we will deploy
lambda_function = lambda_.Function(
resource_name=lambda_name,
name=lambda_name,
code=FileArchive("package/"),
handler="XXXX",
runtime=lambda_runtime,
layers=get_latest_layers(
[
"XXXX",
]
),
role=iam_for_lambda.arn,
opts=ResourceOptions(provider=iam_role_provider),
)Just to add some more context here. The provider I created, is able to create s3 buckets and other resources, but it only fails when trying to create a lambda.
I tried assuming a role and using the AWS keys with aws CLI and there I was also able to create a lambda!! The issue is only happening when using pulumi and when running it via Pulumi Deployment API
Sending this to the channel too in case anyone has gone through this. Basically I was able to solve the issue, and was nothing related to Pulumi but with a lambda layer version lacking permissions to be accessed from other accounts in the organization.
I was able to see the error message by creating a Cloudtrail instance and see the logs of the API calls. From Pulumi I was just getting an AccessDeniedException, would be nice to get better error messages from AWS CLI so it can be added to Pulumi as well.