Closed. JimToupet closed this issue 3 months ago.
You can check if you have a customDeploymentRole specified in the global-config.yaml file. In the sample configuration it uses AWSAccelerator-PipelineRole, and the SCPs allow this role with the ${ACCELERATOR_PREFIX}* condition.
Good catch, the line was commented out. I uncommented it and it ran smoothly. I'll be attentive for the next deployment, but I'm pretty sure you pointed it out right.
Merci Olivier!
We deployed the CCCS Medium LZA, and when we run the pipeline for a modification (e.g. adding a workload account) the deployment fails with an access denied from the SCP, with the following error:
Resource handler returned message: "User: arn:aws:sts::XXXXXXXX:assumed-role/AWSControlTowerExecution/cdk-assume-role-plugin is not authorized to perform: lambda:CreateFunction on resource: arn:aws:lambda:ca-central-1:XXXXXXXX:function:AWSAccelerator-LoggingSta-CustomS3PutPublicAccessB-qVf24HMYcEfF with an explicit deny in a service control policy (Service: Lambda, Status Code: 403, Request ID: 880204be-292a-4fe7-9c7c-a3ddb64b63e5)" (RequestToken: 49174451-b352-2886-479f-788ca3e0d7f7, HandlerErrorCode: AccessDenied)
As stated, the AWSControlTowerExecution role is denied from creating the Lambda function.

The SCP file is LZA-Guardrails-Part1.json, and we can see that the ControlTowerExecution role is not in the exclusion for the deny:

```json
"Resource": ["arn:${PARTITION}:lambda:*:*:function:${ACCELERATOR_PREFIX}*"], "Condition": { "ArnNotLike": { "aws:PrincipalARN": ["arn:${PARTITION}:iam::*:role/${ACCELERATOR_PREFIX}*"] } } }
```
We had the same kind of problem with KMS::PutKey and SNS:CreateTopic from LZA-Guardrails-Part0-CoreOUs.json when we first deployed the LZA. We were finally able to deploy it by detaching the SCP. The AWSControlTowerExecution role seems to be missing from some exclusions. Could it be a configuration problem somewhere?

Any clue?

LZA version used: 1.6.2
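As an added illustration (not code from this issue or from the LZA project), the snippet below evaluates the deny statement quoted in the issue against the two roles the thread discusses: the Control Tower execution role that hit the deny, and the AWSAccelerator-PipelineRole that the customDeploymentRole setting from the answer selects. The statement object and the account id are constructed from the quoted fragment, and aws:PrincipalARN is taken as the role ARN, which is what that condition key carries for an assumed role.

```python
import re

# Constructed from the fragment quoted in the issue; not the full guardrail file.
ACCELERATOR_PREFIX = "AWSAccelerator"
PARTITION = "aws"
ACCOUNT = "111111111111"  # constructed sample account id

DENY_LAMBDA_STATEMENT = {
    "Effect": "Deny",
    "Action": ["lambda:CreateFunction"],
    "Resource": [f"arn:{PARTITION}:lambda:*:*:function:{ACCELERATOR_PREFIX}*"],
    "Condition": {
        "ArnNotLike": {
            "aws:PrincipalARN": [f"arn:{PARTITION}:iam::*:role/{ACCELERATOR_PREFIX}*"]
        }
    },
}


def arn_like(pattern: str, arn: str) -> bool:
    """ArnLike semantics: each of the six colon-delimited ARN components is
    matched on its own; '*' matches any run of characters, '?' exactly one."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, a) is None:
            return False
    return True


def denied_by_statement(stmt: dict, principal_arn: str, action: str, resource_arn: str) -> bool:
    """True when this explicit Deny applies to the request. The ArnNotLike
    condition means the deny holds only if the principal matches NONE of the
    excluded patterns, which is why AWSAccelerator-* roles pass and others do not."""
    if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
        return False
    if not any(arn_like(r, resource_arn) for r in stmt["Resource"]):
        return False
    excluded = stmt["Condition"]["ArnNotLike"]["aws:PrincipalARN"]
    return not any(arn_like(p, principal_arn) for p in excluded)


def role_arn(name: str) -> str:
    return f"arn:{PARTITION}:iam::{ACCOUNT}:role/{name}"


# Function name taken from the error message in the issue.
LOGGING_FN = (f"arn:{PARTITION}:lambda:ca-central-1:{ACCOUNT}:function:"
              "AWSAccelerator-LoggingSta-CustomS3PutPublicAccessB-qVf24HMYcEfF")
```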