aws / aws-parallelcluster-ui

Apache License 2.0

Issue listing cost allocation tags on a member account of AWS Organization #242

Closed ivosth closed 9 months ago

ivosth commented 1 year ago

Description

When a cluster is selected, notifications with the following message start to appear:

Error: Something went wrong while invoking other AWS services.

Looking at the network requests that are occurring, I have detected that the GET request to the cost-monitoring endpoint returns a 400. Looking at the logs provided by the execution of the lambda functions, I was able to get more information about this error:

An error occurred (AccessDeniedException) when calling the ListCostAllocationTags operation: Failed to list Cost Allocation Tags: Linked account doesn't have access to cost allocation tags.

This is the same error I get through the AWS CLI running the following command, even though my user has administrator permissions:

aws ce list-cost-allocation-tags

On further investigation of the code (costs.py line 21), I have seen that the CostExplorerClient class is initialized with the attribute COST_ALLOCATION_TAGS = ['parallelcluster:cluster-name']. Later, the function get_cost_monitoring_tags in the file costexplorer_client.py is called, which lists the cost allocation tags of the AWS account. Researching, I have detected that the problem comes from the fact that I am deploying the ParallelCluster UI stack in an AWS account belonging to an OU, where the cost allocation tags cannot be listed; additionally, these must be activated from the main account.

Steps to reproduce the issue

Expected behaviour

No errors would occur and requests could be made to cost explorer with this cost allocation tag even if it had to be previously activated from the main account.

Actual behaviour

Clicking on the cluster information displays the following errors: (image: Screenshot 2023-07-06 125438)

Required info

In order to help us determine the root cause of the issue, please provide the following information:

BarcoMasile commented 1 year ago

Hi @ivosth, thank you for reaching out about this issue. We are currently aware of this problem and are looking to address it in a new release. I'm not able to provide you with an ETA for this, but at this point, the only known workaround is to actually enrich the PCUI lambda role with a policy to allow the PCUI backend to list the allocation tags. You can see here the policy needed to make it work.

- Action:
  - ce:ListCostAllocationTags
  - ce:UpdateCostAllocationTagsStatus
  - ce:GetCostAndUsage
  Resource:
    - !Sub 'arn:aws:ce:us-east-1:${AWS::AccountId}:/*'
  Effect: Allow
  Sid: CostMonitoringPolicy

We will update this GitHub issue as soon as we provide a solution in a release.
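
Added example (not part of the thread and not PCUI code): one way a backend could handle the AccessDeniedException from the report, so a member account sees cost data as unavailable instead of a generic 400 on every cluster selection. list_cost_allocation_tags is the real boto3 Cost Explorer call; cost_monitoring_status and the two Fake* classes are hypothetical, constructed so the block runs offline.

```python
# Added example, not PCUI code. The wrapper and the fakes are hypothetical.
TAG_KEY = "parallelcluster:cluster-name"  # tag key quoted in the issue
DENIED_MSG = ("Failed to list Cost Allocation Tags: Linked account doesn't "
              "have access to cost allocation tags.")  # message from the issue


class FakeClientError(Exception):
    """Constructed stand-in with the .response shape of botocore's ClientError."""

    def __init__(self, code, message):
        super().__init__(message)
        self.response = {"Error": {"Code": code, "Message": message}}


class FakeCostExplorer:
    """Constructed stub: returns canned tags, or raises the given error."""

    def __init__(self, tags=(), error=None):
        self.tags, self.error = list(tags), error

    def list_cost_allocation_tags(self, TagKeys):
        if self.error:
            raise self.error
        return {"CostAllocationTags": [t for t in self.tags if t["TagKey"] in TagKeys]}


def cost_monitoring_status(ce_client, tag_key=TAG_KEY):
    """Return (state, detail); state is active, inactive, missing or unavailable."""
    try:
        resp = ce_client.list_cost_allocation_tags(TagKeys=[tag_key])
    except Exception as exc:
        body = getattr(exc, "response", None)
        error = body.get("Error", {}) if isinstance(body, dict) else {}
        if error.get("Code") == "AccessDeniedException":
            # Missing IAM permission or a linked account: keep the message
            # so operators can tell which one from the logs.
            return "unavailable", error.get("Message", "")
        raise  # throttling, validation errors etc. are not masked
    for tag in resp.get("CostAllocationTags", []):
        if tag.get("TagKey") == tag_key:
            return ("active" if tag.get("Status") == "Active" else "inactive"), ""
    return "missing", ""


if __name__ == "__main__":
    denied = FakeCostExplorer(error=FakeClientError("AccessDeniedException", DENIED_MSG))
    print(cost_monitoring_status(denied))
```
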

mrobbert commented 9 months ago

I want to note that we are also hitting this bug and would like to know when it might get fixed. We are unwilling to use the product with our end users if they are going to be seeing these errors all the time. Thanks!

gmarciani commented 9 months ago

This issue will be fixed in the next upcoming release 2023.10.0

gmarciani commented 9 months ago

Released https://github.com/aws/aws-parallelcluster-ui/releases/tag/2023.10.0