aws-samples / aws-service-catalog-terraform-reference-architecture

Apply Terraform configurations using CloudFormation through a proxy lambda
Apache License 2.0

Default IAM Roles have insufficient permissions #9

Open smithhannahm opened 5 years ago

smithhannahm commented 5 years ago

The TerraformResourceCreationRole created by the Terraform Spoke Principals stack is missing at least one permission to create the sample S3 Website stack.

Encountered error during fulfillment script execution - ClientError: An error occurred (AccessDeniedException) when calling the CreateGroup operation: User: arn:aws:sts::xxxx:assumed-role/TerraformResourceCreationRole/TerraformAssumeRoleSession-52905d76-bacb-430a-88e8-c5ab453cb834 is not authorized to perform: resource-groups:Tag on resource: arn:aws:resource-groups:us-east-2:xxxx:group/SC-275098837840-pp-lyk6a4tkd67no-MyTerraformStack-970a9f351a871af3fc62f31dd71dcd98875e5056416ef3ab78818ba78188b26c

I added the "resource-groups:Tag" permission manually, and was able to get it to get further along.

I was working off the master branch at commit fa01af1f0684681bb1d7f1559b0d374afdb03faf
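An added example, not part of the original issue or the project's code: it parses the AccessDeniedException text quoted above and derives an Allow statement for only the denied action on the role named in the error. The helper names (`parse_denial`, `role_of`, `statement_for`) and the choice to wildcard only the group name are assumptions made for this sketch.

```python
import json
import re

# Error text copied from the issue above (the account id appears as "xxxx" there).
ISSUE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the CreateGroup operation: "
    "User: arn:aws:sts::xxxx:assumed-role/TerraformResourceCreationRole/"
    "TerraformAssumeRoleSession-52905d76-bacb-430a-88e8-c5ab453cb834 "
    "is not authorized to perform: resource-groups:Tag on resource: "
    "arn:aws:resource-groups:us-east-2:xxxx:group/SC-275098837840-pp-lyk6a4tkd67no-"
    "MyTerraformStack-970a9f351a871af3fc62f31dd71dcd98875e5056416ef3ab78818ba78188b26c"
)

# Shape of an authorization denial as it appears in a botocore ClientError message.
DENIAL = re.compile(
    r"\((?P<code>\w+)\) when calling the (?P<operation>\w+) operation: "
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
)

def parse_denial(message):
    """Return code, operation, principal, action and resource, or None."""
    match = DENIAL.search(message)
    return match.groupdict() if match else None

def role_of(principal):
    """Role name from an assumed-role session ARN, or None for other principals."""
    parts = principal.split("/")
    if parts[0].endswith(":assumed-role") and len(parts) >= 2:
        return parts[1]
    return None

def statement_for(denial, widen_name=True):
    """Allow statement that grants only the denied action.

    widen_name=True replaces the resource name with '*' while keeping the
    service, region, account and resource type fixed (a choice for this example,
    since each provisioned product gets a differently named group).
    """
    resource = denial["resource"]
    if widen_name and "/" in resource:
        resource = resource.split("/", 1)[0] + "/*"
    return {"Effect": "Allow", "Action": [denial["action"]], "Resource": [resource]}

if __name__ == "__main__":
    denial = parse_denial(ISSUE_ERROR)
    print(role_of(denial["principal"]), "is missing:")
    print(json.dumps({"Version": "2012-10-17",
                      "Statement": [statement_for(denial)]}, indent=2))
```

Reviewing the generated statement before attaching it to the role keeps the fix scoped to the one missing action instead of a broad `resource-groups:*` grant.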

kattavenkata commented 5 years ago

Just comment out the group creating code, then it will be fine.