aws-samples / aws-iam-identity-center-extensions

This solution is intended for enterprises that need a streamlined way of managing user access to their AWS accounts. Using this solution, your identity and access management teams can extend AWS SSO functionality by automating common access management and governance use cases.
MIT License

"User is missing the following permissions" error when trying to region switch #117

Open Almenon opened 1 year ago

Almenon commented 1 year ago

When following https://github.com/aws-samples/aws-iam-identity-center-extensions/blob/main/docs/documentation/Region-Switch.md I ran into the following error when deploying the discovery stack:

11:55:33 AM | CREATE_FAILED        | Custom::DynamoDBReplica             | awsssoextensionsre...icauseast1D10E0F6F
Received response status [FAILED] from custom resource. Message returned: Failed to describe limits in region: ?US_EAST_1?. User is missing the following permissions: ?dynamodb:DescribeLimits?.

I checked the lambda's execution role and it did have dynamodb:DescribeLimits permissions, so maybe it's a timing issue where the policy wasn't attached when the lambda ran.


Logs: https://pastebin.com/gnSW6wXb

Almenon commented 1 year ago

One weird thing I noticed is the lambda is trying to describe us-east limits. Not sure why it tried to do that; the lambda was in us-west-2. But the resource was *, so it should be able to describe a different region without error.

Also here are the contents of my config/region-switch.yaml:

---
BootstrapQualifier: "ssoutility"
SSOServiceAccountId: "459446695407"
SSOServiceAccountRegion: "us-west-2"
SSOServiceTargetAccountRegion: "us-east-1"
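The timing theory in the report above (the execution role carries the permission, yet the first call from the custom resource still comes back access-denied) is the familiar IAM eventual-consistency race, and the usual mitigation is to retry access-denied errors with backoff instead of failing the stack on the first attempt. Here is that pattern as an added example, not code from the project or the issue author; FakeClientError and FakeDynamoDB are constructed stand-ins for botocore's ClientError and a DynamoDB client, and the set of retryable error codes is an assumption.

```python
import time
from typing import Callable

# Error codes seen while a freshly attached IAM policy is still propagating (assumed set).
RETRYABLE_CODES = {"AccessDeniedException", "AccessDenied", "UnauthorizedOperation"}

def error_code(exc: Exception) -> str:
    """Return the AWS error code from a botocore-style ClientError, else ''."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code", "")

def call_with_iam_retry(fn: Callable, attempts: int = 5, base_delay: float = 1.0,
                        sleep: Callable[[float], None] = time.sleep):
    """Invoke fn(), retrying with exponential backoff on access-denied errors.

    IAM is eventually consistent: a policy attached moments ago can still be
    rejected by a regional endpoint. Other errors propagate immediately; the
    final access-denied error is re-raised once the attempts are exhausted.
    """
    for attempt in range(attempts):
        try:
            return fn()
        except Exception as exc:
            if error_code(exc) not in RETRYABLE_CODES or attempt == attempts - 1:
                raise
            sleep(base_delay * 2 ** attempt)  # 1s, 2s, 4s, ... between tries
    raise ValueError("attempts must be at least 1")

# Constructed stand-ins (same .response shape as botocore.exceptions.ClientError,
# same method name as a real DynamoDB client) so the example runs offline.
class FakeClientError(Exception):
    def __init__(self, code: str, message: str) -> None:
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}

class FakeDynamoDB:
    """Denies the first `denials` DescribeLimits calls, then succeeds."""

    def __init__(self, denials: int) -> None:
        self.denials, self.calls = denials, 0

    def describe_limits(self) -> dict:
        self.calls += 1
        if self.calls <= self.denials:
            raise FakeClientError("AccessDeniedException",
                                  "User is missing the following permissions: dynamodb:DescribeLimits")
        return {"AccountMaxReadCapacityUnits": 80000, "AccountMaxWriteCapacityUnits": 80000}
```

Pass a real client's `describe_limits` in place of the fake to use it against AWS; the `sleep` parameter exists so tests can record the backoff schedule without waiting.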