aws-samples / aws-cudos-framework-deployment

Command Line Interface tool for Cloud Intelligence Dashboards deployment
https://catalog.workshops.aws/awscid
MIT No Attribution

Error when deploying using Cloudformation templates #852

Closed kp2401075 closed 1 week ago

kp2401075 commented 1 week ago

We have a pipeline that deploys all dashboards through CloudFormation.

We're getting this error in CloudFormation:

    Received response status [FAILED] from custom resource. Message returned: Error: An error occurred (AccessDeniedException) when calling the DescribeTemplate operation: User: arn:aws:sts::<Account-Number>:assumed-role/CidExecRole/CidCustomResourceDashboard is not authorized to perform: quicksight:DescribeTemplate on resource: arn:aws:quicksight:us-east-1:223485597511:template/ta-organizational-view with an explicit deny in a service control policy - Cannot find ta-organizational-view in account 223485597511. See more: https://ap-southeast-2.console.aws.amazon.com/cloudwatch/home?region=ap-southeast-2#logEvent:group=/aws/lambda/CidCustomResourceDashboard;stream=2024/06/21/[$LATEST]2b6acd66594a403a91078ec60d74bcaf (RequestId: 045b07fb-c81c-427c-b23c-5c0eff7f0341)

The CloudWatch link has the log from the Lambda function, which also has the same error:

    94d00ba5-dd81-42bd-aca0-5e55c2b6fb39    An error occurred (AccessDeniedException) when calling the DescribeTemplate operation: User: arn:aws:sts::<Account-Number>:assumed-role/CidExecRole/CidCustomResourceDashboard is not authorized to perform: quicksight:DescribeTemplate on resource: arn:aws:quicksight:us-east-1:223485597511:template/compute_optimizer with an explicit deny in a service control policy
    Traceback (most recent call last):
      File "/opt/python/cid/helpers/quicksight/__init__.py", line 1039, in describe_template
        result = client.describe_template(**parameters)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/opt/python/botocore/client.py", line 565, in _api_call
        return self._make_api_call(operation_name, kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/opt/python/botocore/client.py", line 1021, in _make_api_call
        raise error_class(parsed_response, operation_name)
    botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the DescribeTemplate operation: User: arn:aws:sts::<Account-Number>:assumed-role/CidExecRole/CidCustomResourceDashboard is not authorized to perform: quicksight:DescribeTemplate on resource: arn:aws:quicksight:us-east-1:223485597511:template/compute_optimizer with an explicit deny in a service control policy

Account 223485597511 doesn't belong to our org.

Deployment command:

    aws cloudformation deploy --stack-name Cloud-Intelligence-Dashboards \
        --template-file aws-cudos-framework-deployment/cfn-templates/cid-cfn.yml \
        --s3-bucket some-bucket-<Account-Number> \
        --s3-prefix cloudformation/packages/cid-data-collection \
        --parameter-overrides CURBucketPath="s3://cid-<<Account-Number>>-shared/cur/" \
        DeployTAODashboard=yes \
        DeployComputeOptimizerDashboard=yes \
        DeployCostIntelligenceDashboard=yes \
        DeployCUDOSDashboard=no \
        DeployCUDOSv5=yes \
        DeployKPIDashboard=yes \
        LakeFormationEnabled=no \
        GlueDataCatalog=AwsDataCatalog \
        LambdaLayerBucketPrefix=aws-managed-cost-intelligence-dashboards \
        OptimizationDataCollectionBucketPath=s3://cf-cid-data<Account-Number>/ \
        PrerequisitesQuickSight=yes \
        PrerequisitesQuickSightPermissions=yes \
        PrimaryTagName=owner \
        QuickSightDataSourceRoleName=CidQuickSightDataSourceRole \
        QuickSightUser=OrganizationAccountAccessRole/<someuser> \
        RolePath=/ \
        SecondaryTagName=environment \
        --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND
iakov-aws commented 1 week ago

Please check that this action is not prohibited by an SCP in your org.

I confirm CID needs access to QuickSight templates in this account and the us-east-1 region to deploy foundational dashboards. This is a documented requirement.

kp2401075 commented 1 week ago

Thanks a lot for the quick response @iakov-aws.

Does it only require quicksight:DescribeTemplate in the us-east-1 region, or does it require quicksight:*?

iakov-aws commented 1 week ago

Just DescribeTemplate
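The maintainer's two answers above amount to a concrete pre-flight check: before deploying, confirm that no explicit Deny in your organization's SCPs covers `quicksight:DescribeTemplate` on the CID template ARN in us-east-1 (the one quoted in the error). The script below is an added example for this thread, not code from aws-cudos-framework-deployment. It evaluates the Deny statements of an SCP document offline against that one call. The two SCPs in it are constructed samples, not the reporter's real policies: the "before" one is a common region guard (everything outside ap-southeast-2 denied), which blocks the us-east-1 template read exactly as in the issue; the "after" one exempts only `DescribeTemplate`, the single action the maintainer said is needed. Only `StringEquals`/`StringNotEquals` conditions are evaluated; any other operator is treated as matching so the check over-reports rather than under-reports denies.

```python
"""Offline pre-flight: which explicit Deny statements in an SCP would block the
QuickSight template read that the CID custom resource performs?

Added example for this issue; not part of aws-cudos-framework-deployment.
SCP_BEFORE / SCP_AFTER are constructed samples, not real organisation policies.
"""
import fnmatch

# The call that failed in the issue: DescribeTemplate against a template owned by
# the AWS-managed CID account in us-east-1 (ARN copied from the error message).
CID_TEMPLATE_ARN = "arn:aws:quicksight:us-east-1:223485597511:template/ta-organizational-view"
ACTION = "quicksight:DescribeTemplate"
# Request context for that call; the region follows from the template ARN.
CONTEXT = {"aws:RequestedRegion": "us-east-1"}

# Constructed SCP that breaks the deployment: a region guard pinning all API calls
# to ap-southeast-2. The template lives in us-east-1, so the read is explicitly denied.
SCP_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideHomeRegion",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-southeast-2"]}},
        }
    ],
}

# Constructed fix: exempt only the read-only action CID needs (per the maintainer's
# answer) and keep the region guard for everything else.
SCP_AFTER = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideHomeRegion",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "quicksight:DescribeTemplate"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-southeast-2"]}},
        }
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    """IAM-style glob match ('*' and '?'). Actions are case-insensitive, ARNs are not."""
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context.
    Other operators are assumed to match so a possible deny is never hidden."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
    return True


def denying_statements(policy, action, resource, context):
    """Return the Sids of explicit Deny statements that apply to this call."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            action_hit = _matches(_as_list(stmt["Action"]), action, True)
        else:  # NotAction: the deny covers every action except the listed ones
            action_hit = not _matches(_as_list(stmt.get("NotAction")), action, True)
        if "Resource" in stmt:
            resource_hit = _matches(_as_list(stmt["Resource"]), resource, False)
        else:  # NotResource: the deny covers every resource except the listed ones
            resource_hit = not _matches(_as_list(stmt.get("NotResource")), resource, False)
        if action_hit and resource_hit and _condition_holds(stmt.get("Condition"), context):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def scp_allows_cid_template_read(policy):
    """True when no explicit Deny in `policy` blocks DescribeTemplate on the CID template."""
    return not denying_statements(policy, ACTION, CID_TEMPLATE_ARN, CONTEXT)


if __name__ == "__main__":
    for name, scp in (("before", SCP_BEFORE), ("after", SCP_AFTER)):
        print(name, "denied by:", denying_statements(scp, ACTION, CID_TEMPLATE_ARN, CONTEXT))
```

To run it against your own organisation, load the JSON returned by `aws organizations describe-policy --policy-id <id>` for each SCP attached to the target account (and its parent OUs) into `denying_statements`. The check only covers explicit denies, which is what the error message reports; if your SCPs also remove `FullAWSAccess`, an SCP must additionally allow `quicksight:DescribeTemplate`. Repeat the check with the other template names that appear in the logs (for example `compute_optimizer`), since the Deny may be scoped by resource rather than by region.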

kp2401075 commented 1 week ago

Thanks a lot @iakov-aws