Open jsheflin opened 4 years ago
@jsheflin is the custom role you need for creating the resources? it sounds like you might need something like this:
```hcl
provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}
```
if so, you'd have to edit the main.tf with your values
thank you so much for the quick response.
Yes, to create resources.
I changed role in main.tf and lambda_iam.tf, but still seeing the same access denied, can't create s3bucket, even after I already created the bucket and put it in terraform.tfvars.
I am brand new to terraform, so perhaps I am doing something ditzy.
On Tue, Aug 4, 2020 at 8:05 PM ryandeivert notifications@github.com wrote:
> @jsheflin is the custom role you need for creating the resources? it sounds like you might need something like [this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role). if so, you'd have to edit the [main.tf](https://github.com/airbnb/binaryalert/blob/master/terraform/main.tf) with your values
@jsheflin please follow the above advice and do not change the `lambda_iam.tf` file itself. if you're getting access denied with the role you're supplying in the `provider` block (using `role_arn`) then you should check to make sure that role has the permissions you need
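Added example, not part of the thread or the BinaryAlert project: with an `assume_role` provider block, an access denied during deploy can come from the `sts:AssumeRole` call itself or from a later call made as the assumed role, and the two need different fixes. This Python script sorts captured error lines by that stage; the function names, the sample ARNs and the wrapper text around the AWS message are assumptions.

```python
import re

# Shape of the detail AWS puts in most authorization failures.
DENIED = re.compile(
    r"User: (?P<caller>arn:aws:(?:iam|sts)::\d{12}:\S+) is not authorized to "
    r"perform: (?P<action>[\w-]+:\w+)"
)

def triage(line):
    """Classify one line of deploy output; None when it holds no denial."""
    m = DENIED.search(line)
    if not m:
        if "AccessDenied" in line or "Access Denied" in line:
            # Some services return a bare denial with no caller or action.
            return {"stage": "opaque", "caller": None, "action": None,
                    "hint": "confirm which identity made the call, then its policies"}
        return None
    caller, action = m["caller"], m["action"]
    if action == "sts:AssumeRole":
        stage = "assume"
        hint = ("check the caller's sts:AssumeRole permission and the role's "
                "trust policy, including external_id if it requires one")
    elif ":assumed-role/" in caller:
        stage = "role-permissions"
        hint = f"the assumed role lacks {action}; fix the role's policies"
    else:
        stage = "caller-permissions"
        hint = f"no role was assumed; {action} was denied to the base identity"
    return {"stage": stage, "caller": caller, "action": action, "hint": hint}

def triage_all(text):
    """Triage every line of captured output, skipping lines without a denial."""
    return [r for r in map(triage, text.splitlines()) if r]

# Constructed sample output; account ID, user, queue and wrapper text are made up.
SAMPLE = """\
Error: AccessDenied: User: arn:aws:iam::111111111111:user/deployer is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/ROLE_NAME
Error: AccessDenied: User: arn:aws:sts::111111111111:assumed-role/ROLE_NAME/SESSION_NAME is not authorized to perform: sqs:CreateQueue on resource: arn:aws:sqs:us-east-1:111111111111:example-queue
Error: error creating S3 bucket: AccessDenied: Access Denied
Plan: 3 to add, 0 to change, 0 to destroy.
"""

if __name__ == "__main__":
    for r in triage_all(SAMPLE):
        print(f"{r['stage']:18} {r['action'] or '-':16} -> {r['hint']}")
```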
will do, thanks
On Tue, Aug 4, 2020 at 8:38 PM ryandeivert notifications@github.com wrote:
> @jsheflin please follow the above advice and do not change the `lambda_iam.tf` file itself. if you're getting access denied with the role you're supplying in the provider block (using `role_arn`) then you should check to make sure that role has the permissions you need
So I can't assume the roles I need to run the deploy. I guess my only route is to request more permissions from the owner? Or is there any route around? I can create the buckets, logs, policies, SQS, SNS, via aws console.
I know this is not a binaryalert issue, so thanks for the help already.
Thanks for sharing this, BTW, it will be wonderful when I get it working.
Need to deploy with an existing role due to permission issues.
I replaced the role in lambda_iam.tf (2 times), but I am still getting the "Access Denied" while deploying.
Where else should I add my custom role?
thanks