aws-samples / service-catalog-engine-for-terraform-os

Apache License 2.0

Products aren't being launched in the right AWS Account #82

Open JhonathanOrtiz opened 7 months ago

JhonathanOrtiz commented 7 months ago

Hi team,

I've been carefully following the guide to deploy external products from AWS:

https://docs.aws.amazon.com/servicecatalog/latest/adminguide/getstarted-Terraform.html

Issue description

I'm trying to deploy cross-account and I followed these steps.

The launching process is running as expected, but the product is being deployed in the administrator account and I'd expect the product to be in the end user account.

Launch Role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "s3:ExistingObjectTag/servicecatalog:provisioning": "true"
                }
            }
        },
        {
            "Action": [
                "s3:CreateBucket*",
                "s3:DeleteBucket*",
                "s3:Get*",
                "s3:List*",
                "s3:PutBucketTagging"
            ],
            "Resource": "arn:aws:s3:::*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "resource-groups:CreateGroup",
                "resource-groups:ListGroupResources",
                "resource-groups:DeleteGroup",
                "resource-groups:Tag"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "tag:GetResources",
                "tag:GetTagKeys",
                "tag:GetTagValues",
                "tag:TagResources",
                "tag:UntagResources"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GivePermissionsToServiceCatalog",
            "Effect": "Allow",
            "Principal": {
                "Service": "servicecatalog.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account_id:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::account_id:role/TerraformEngine/TerraformExecutionRole*",
                        "arn:aws:iam::account_id:role/TerraformEngine/ServiceCatalogExternalParameterParserRole*",
                        "arn:aws:iam::account_id:role/TerraformEngine/ServiceCatalogTerraformOSParameterParserRole*"
                    ]
                }
            }
        }
    ]
}
variable "bucket_name" {
  type = string
}
provider "aws" {
}
resource "aws_s3_bucket" "bucket" {
  bucket = var.bucket_name
}
output "regional_domain_name" {
  value = aws_s3_bucket.bucket.bucket_regional_domain_name
}

smaly-amazon commented 7 months ago

In general (not specific to external products), you can check a couple things.

  1. Is the launch role constraint using LocalRoleName? This is needed for provisioning in share-recipient accounts. If you use RoleArn, then the arn is fixed to the product owning account regardless of which share-recipient account is calling ProvisionProduct, so you don't want RoleArn unless you are provisioning to the account for that arn.
  2. Are you calling ProvisionProduct from the share-recipient account where you expect the resources to be provisioned? That's pretty obvious, but I thought I would check because we all make little mistakes sometimes.
JhonathanOrtiz commented 7 months ago

@smaly-amazon Thanks a lot for your answer.

For #1 I'm using the option Select IAM role, as shown in the image

Screenshot 2024-03-22 at 12 36 14

For #2 I'm running Launch Product in the target account.

According to your answer I think I should select the Role Name option, right?

jyjohnson commented 6 months ago

Using the 'enter role name' (aka local role name) worked for me. Also make sure the trust policy in the SCLaunch- role(s) uses the management acct ID.
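An offline check for the two points raised in the thread (a LAUNCH constraint using RoleArn instead of LocalRoleName, and a launch-role trust policy that does not reference the engine account), as an added example that is not part of this thread or of the aws-samples project. The account ids, role names and sample policy documents are constructed; the unreplaced `account_id` placeholder mirrors the trust policy posted in the issue.

```python
"""Offline checks for a Service Catalog LAUNCH constraint and a launch-role
trust policy.  Added example, not code from the aws-samples project; the
account ids, role names and sample documents below are constructed.
"""
import json
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")

HUB_ACCOUNT = "111111111111"    # constructed: account running the Terraform engine
SPOKE_ACCOUNT = "222222222222"  # constructed: share-recipient account calling ProvisionProduct


def _load(doc):
    """Accept a JSON string or an already-parsed dict."""
    return json.loads(doc) if isinstance(doc, str) else doc


def check_launch_constraint(parameters, caller_account):
    """Return findings for a LAUNCH constraint Parameters document.

    RoleArn pins the launch role to one account, so a spoke calling
    ProvisionProduct still provisions there; LocalRoleName is resolved as
    arn:aws:iam::<caller_account>:role/<LocalRoleName>.
    """
    params = _load(parameters)
    if "LocalRoleName" in params:
        return []
    arn = params.get("RoleArn")
    if not arn:
        return ["constraint has neither RoleArn nor LocalRoleName"]
    m = ROLE_ARN_RE.match(arn)
    if m is None:
        return [f"RoleArn is not an IAM role ARN: {arn}"]
    if m.group(1) != caller_account:
        return [f"RoleArn targets account {m.group(1)} but ProvisionProduct is called "
                f"from {caller_account}; resources will be created in {m.group(1)}. "
                "Use LocalRoleName for share-recipient accounts."]
    return []


def check_trust_policy(trust_policy, engine_account):
    """Return findings for a launch role's trust policy.

    servicecatalog.amazonaws.com must be allowed to assume the role, and every
    AWS principal or aws:PrincipalArn pattern must be a real ARN in the engine
    account; unreplaced placeholders such as account_id are flagged.
    """
    findings = []
    service_trusted = False
    for stmt in _load(trust_policy).get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principal = stmt.get("Principal", {})
        if principal.get("Service") == "servicecatalog.amazonaws.com":
            service_trusted = True
        aws_principals = principal.get("AWS", [])
        for p in ([aws_principals] if isinstance(aws_principals, str) else aws_principals):
            m = ROOT_ARN_RE.match(p)
            if m is None:
                findings.append(f"AWS principal is not an account root ARN: {p}")
            elif m.group(1) != engine_account:
                findings.append(f"AWS principal trusts account {m.group(1)}, expected {engine_account}")
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn", [])
        for pattern in ([patterns] if isinstance(patterns, str) else patterns):
            m = ROLE_ARN_RE.match(pattern)
            if m is None:
                findings.append(f"aws:PrincipalArn pattern is not a role ARN: {pattern}")
            elif m.group(1) != engine_account:
                findings.append(f"aws:PrincipalArn pattern trusts account {m.group(1)}, expected {engine_account}")
    if not service_trusted:
        findings.append("servicecatalog.amazonaws.com is not trusted to assume the launch role")
    return findings


# Constructed trust policy with the account placeholder left unreplaced.
PLACEHOLDER_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "servicecatalog.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::account_id:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringLike": {"aws:PrincipalArn": [
             "arn:aws:iam::account_id:role/TerraformEngine/TerraformExecutionRole*"]}}},
    ],
})
# Same policy with the engine account filled in.
FIXED_TRUST_POLICY = PLACEHOLDER_TRUST_POLICY.replace("account_id", HUB_ACCOUNT)

if __name__ == "__main__":
    hub_pinned = {"RoleArn": f"arn:aws:iam::{HUB_ACCOUNT}:role/SCLaunch-Terraform"}
    for f in check_launch_constraint(hub_pinned, SPOKE_ACCOUNT):
        print("constraint:", f)
    for f in check_trust_policy(PLACEHOLDER_TRUST_POLICY, HUB_ACCOUNT):
        print("trust policy:", f)
```

Run from the spoke account's point of view: a constraint pinned to the hub's role ARN produces a finding, a LocalRoleName constraint does not, and a trust policy that still carries the `account_id` placeholder is reported before it reaches an account.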