cloudposse / terraform-aws-vpc-peering-multi-account

Terraform module to provision a VPC peering across multiple VPCs in different accounts by using multiple providers
https://cloudposse.com/accelerate
Apache License 2.0

Not assuming roles #6

Closed stex79 closed 4 months ago

stex79 commented 5 years ago

Hi,

I am having problems with the module to assume the roles:

Error: Error refreshing state: 2 error(s) occurred:

* module.vpc_peering_cross_account.provider.aws.accepter: The role "arn:aws:iam::YYYYYYYYYYYYY:role/cross_account_role" cannot be assumed.

  There are a number of possible causes of this - the most common are:
    * The credentials used in order to assume the role are invalid
    * The credentials do not have appropriate permission to assume the role
    * The role ARN is not valid
* module.vpc_peering_cross_account.provider.aws.requester: The role "arn:aws:iam::XXXXXXXXXXX:role/cross_account_role" cannot be assumed.

  There are a number of possible causes of this - the most common are:
    * The credentials used in order to assume the role are invalid
    * The credentials do not have appropriate permission to assume the role
    * The role ARN is not valid

Using the same credentials and roles I can assume the roles using aws cli.

Any idea what can cause it?

Thanks

aknysh commented 5 years ago

@stex79 did you go through the example in https://github.com/cloudposse/terraform-aws-vpc-peering-multi-account/blob/master/README.yaml? Take a look at how to setup the role, policy and permissions.

Also, these errors:

* module.vpc_peering_cross_account.provider.aws.accepter: The role "arn:aws:iam::YYYYYYYYYYYYY:role/cross_account_role" cannot be assumed.

* module.vpc_peering_cross_account.provider.aws.requester: The role "arn:aws:iam::XXXXXXXXXXX:role/cross_account_role" cannot be assumed.

Did you update XXXXXXXXXXX and YYYYYYYYYYYYY to the real account IDs (accepter and requester)? Is cross_account_role the correct role name?

stex79 commented 5 years ago

I have double-checked the roles and policies by successfully being able to assume the roles using the aws cli. So this should prove that the roles and policies are correct.

Regarding the account id, I have obfuscated them.

I have more info now, because I tried a different approach and I cannot assume the roles either, so it is not a problem with the module, but with terraform itself.

I am running the latest version and I have upgraded the aws provider, but still nothing.

Thank you for your answer, but now I think the problem is not with the module, but with my terraform setup.

aknysh commented 5 years ago

@stex79 please check the Trust Policies for both roles. Both Trust Policies should allow assuming the roles from the account you are using to provision the module (it could be a different (third) account, or one of the accepter or requester accounts).
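A local sanity check for the trust-policy point above, as an added example that is not part of this thread or of the module: it parses a role's trust policy document and reports which account ids it lets call sts:AssumeRole, so you can confirm the provisioning account is among them before suspecting the provider. The sample policy, shaped like the one later posted in the thread, and the account id 111111111111 are constructed; Condition blocks are ignored.

```python
import json

# Constructed sample trust policy (111111111111 is a made-up account id).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
})


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Account ids named by a statement's Principal ('*' means anyone)."""
    if principal == "*":
        return {"*"}
    accounts = set()
    arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    for arn in arns:
        if arn == "*":
            accounts.add("*")
        elif arn.startswith("arn:aws:iam::"):
            accounts.add(arn.split(":")[4])  # account id is the 5th ARN field
        elif arn.isdigit():
            accounts.add(arn)  # IAM also accepts a bare account id
    return accounts


def trusted_accounts(trust_policy_json):
    """Accounts allowed to assume the role by Allow statements, minus explicit Denies.

    Condition keys are not evaluated here, so this is an upper bound on who
    can assume the role; a Deny on '*' wins over every Allow.
    """
    doc = json.loads(trust_policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target |= _principal_accounts(stmt.get("Principal", {}))
    return set() if "*" in denied else allowed - denied


def can_assume_from(trust_policy_json, caller_account):
    """True if principals in caller_account are trusted by the role's policy."""
    trusted = trusted_accounts(trust_policy_json)
    return "*" in trusted or caller_account in trusted
```

A trust on `arn:aws:iam::<account>:root` only delegates to that account; the calling user or role still needs an identity policy granting sts:AssumeRole on the target role, which this check does not inspect.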

stex79 commented 5 years ago

@aknysh this is my Trust policy in both account A, requester (the same where the user belongs) and in Account B the accepter:

 {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountA>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

this is my Policy in account A, requester:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateRoute",
        "ec2:DeleteRoute"
      ],
      "Resource": "arn:aws:ec2:*:<AccountA>:route-table/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeVpcs",
        "ec2:ModifyVpcPeeringConnectionOptions",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AcceptVpcPeeringConnection",
        "ec2:DeleteVpcPeeringConnection",
        "ec2:CreateVpcPeeringConnection",
        "ec2:RejectVpcPeeringConnection"
      ],
      "Resource": [
        "arn:aws:ec2:*:<AccountA>:vpc-peering-connection/*",
        "arn:aws:ec2:*:<AccountA>:vpc/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteTags",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:*:<AccountA>:vpc-peering-connection/*"
    }
  ]
}

and this is the policy in the account B accepter:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateRoute",
        "ec2:DeleteRoute"
      ],
      "Resource": "arn:aws:ec2:*:<AccountB>:route-table/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcPeeringConnections",
        "ec2:DescribeVpcs",
        "ec2:ModifyVpcPeeringConnectionOptions",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AcceptVpcPeeringConnection",
        "ec2:DeleteVpcPeeringConnection",
        "ec2:CreateVpcPeeringConnection",
        "ec2:RejectVpcPeeringConnection"
      ],
      "Resource": [
        "arn:aws:ec2:*:<AccountB>:vpc-peering-connection/*",
        "arn:aws:ec2:*:<AccountB>:vpc/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteTags",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:*:<AccountB>:vpc-peering-connection/*"
    }
  ]
}

The user is in the admin group in Account A, and I have also specifically assigned the permission to assume roles with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}

Do you see errors?

stex79 commented 5 years ago

@aknysh Things are getting even more interesting... I have investigated in CloudTrail what was happening to my AssumeRole event, and I discovered that it doesn't exist! I mean that the request to assume the role is never sent to AWS, and for some reason terraform is not allowing me to assume the role, without even trying to reach the AWS API!

This is also confirmed by the fact that I can assume role using AWS-CLI and the AssumeRole event is properly recorded in CloudTrail.

I think I am facing some terraform bug, maybe something like this: https://github.com/terraform-providers/terraform-provider-aws/issues/6566

nitrocode commented 2 years ago

@stex79 is this still an issue? Please respond and we can reopen this if you're still having issues.

napestershine commented 2 years ago

@nitrocode I am having exactly the same error. How can I solve it? Thanks

nitrocode commented 1 year ago

@napestershine please give some more information regarding your error, inputs, version, etc.

benjefferies commented 12 months ago

I had this issue when I had already assumed this role in my pipeline through a GitHub IDP integration. To get around this I just set

requester_aws_assume_role_arn = ""
accepter_aws_assume_role_arn = ""

ShankyJS commented 4 months ago

This is a 100% misconfiguration on the AWS policies/roles side. I think we should close this issue @nitrocode