aws-samples / service-catalog-engine-for-terraform-os

Apache License 2.0

Permission Error when Launching EXTERNAL type of terraform products from Parser Role to Launch Role #67

Open tanyuzhuo opened 8 months ago

tanyuzhuo commented 8 months ago

Problem: when following the public doc and the GitHub README on launching the new EXTERNAL .zip type of Terraform products, it will give an IAM assume role permission error when provisioning a product. The error seems to come from the hub spoke parser lambda assuming launch roles in the spoke accounts upon accessing S3 artifacts.

Solution: changing the launch role stack trust policy to include the new parser role ARN will solve the problem. The documentation on the public doc and the TRE GitHub example launch role stackset/README need to be updated accordingly.

Error details: Error occurred during parameter parsing: Access denied while downloading artifact from s3://sc-7eb1d19038****/out/****: AccessDenied: User: arn:aws:sts::***:assumed-role/ServiceCatalogExternalParameterParserRole-eu-west-1/ServiceCatalogExternalParameterParser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::***:role/SCLaunch-vpc-endpoint-dev-role status code: 403, request id: ****
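An added example, not code from the issue or the project, showing the trust-policy check the report describes: it maps the STS assumed-role ARN quoted in the AccessDenied error to the IAM role ARN that the launch role's trust policy must name, and evaluates a constructed before/after trust policy. The account id and both policies are placeholders; the issue masks the real values.

```python
import json
import re

# Constructed placeholder: the issue masks the real hub account id.
HUB_ACCOUNT = "111111111111"

# STS ARN quoted in the error message, with the placeholder account id filled in.
ASSUMED_ROLE_ARN = (f"arn:aws:sts::{HUB_ACCOUNT}:assumed-role/"
                    "ServiceCatalogExternalParameterParserRole-eu-west-1/"
                    "ServiceCatalogExternalParameterParser")


def assumed_role_to_iam_role(sts_arn: str) -> str:
    """Turn the STS assumed-role ARN from an AccessDenied error into the IAM role ARN
    that a trust policy must name. An STS ARN carries no IAM path, so this assumes
    the default path '/'."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", sts_arn)
    if not m:
        raise ValueError(f"not an assumed-role ARN: {sts_arn}")
    account, role = m.groups()
    return f"arn:aws:iam::{account}:role/{role}"


PARSER_ROLE_ARN = assumed_role_to_iam_role(ASSUMED_ROLE_ARN)


def trusts_principal(trust_policy: dict, principal_arn: str) -> bool:
    """True if an Allow statement for sts:AssumeRole lists principal_arn under Principal.AWS."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if principal_arn in aws:
            return True
    return False


# Constructed launch-role trust policy that trusts only the Service Catalog service principal.
ORIGINAL_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "servicecatalog.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

# Same policy with a second statement naming the parser role, as the issue proposes.
FIXED_TRUST_POLICY = json.loads(json.dumps(ORIGINAL_TRUST_POLICY))
FIXED_TRUST_POLICY["Statement"].append(
    {"Effect": "Allow", "Principal": {"AWS": PARSER_ROLE_ARN}, "Action": "sts:AssumeRole"})
```

Running `trusts_principal` against the two policies reproduces the denial on the original and confirms the fixed policy admits the parser role; a real launch role would keep whatever other principals the stackset already trusts.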