Avoid using IAM resource objects that require iam:Get* on .load()
If the role policy compositor encounters an IAM permission denied error, fall back to passing the instance profile ARN in the blind
Traceback (most recent call last):
  File "/usr/local/bin/aegea", line 23, in <module>
    aegea.main()
  File "/Users/andrey.kislyuk/projects/aegea/aegea/__init__.py", line 86, in main
    result = parsed_args.entry_point(parsed_args)
  File "/Users/andrey.kislyuk/projects/aegea/aegea/launch.py", line 190, in launch
    umbrella_policy = compose_managed_policies(args.iam_policies)
  File "/Users/andrey.kislyuk/projects/aegea/aegea/util/aws/iam.py", line 147, in compose_managed_policies
    doc = resources.iam.Policy(arn="arn:aws:iam::aws:policy/" + policy_name).default_version.document
  File "/usr/local/lib/python3.9/site-packages/boto3/resources/factory.py", line 431, in get_reference
    self.load()
  File "/usr/local/lib/python3.9/site-packages/boto3/resources/factory.py", line 505, in do_action
    response = action(self, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/boto3/resources/action.py", line 83, in __call__
    response = getattr(parent.meta.client, operation_name)(*args, **params)
  File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the GetPolicy operation: User: arn:aws:sts::1234567890123:assumed-role/ROLE is not authorized to perform: iam:GetPolicy on resource: policy arn:aws:iam::aws:policy/IAMReadOnlyAccess
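
One way the requested fallback could look, as an added sketch that is not aegea's code: try the IAM read, and only when the error code is `AccessDenied` build the instance profile ARN without verifying it. The names `error_code`, `resolve_instance_profile_arn`, `FakeClientError` and `FakeIAM` are hypothetical; the stub client is constructed so the block runs without AWS credentials, and the exception is matched by its `response` dict, the shape `botocore.exceptions.ClientError` carries.

```python
import logging

logger = logging.getLogger(__name__)
ACCESS_DENIED_CODES = {"AccessDenied"}  # error code shown in the traceback above


def error_code(exc):
    """Return the AWS error code from a ClientError-shaped exception, else None."""
    response = getattr(exc, "response", None)
    if not isinstance(response, dict):
        return None
    return response.get("Error", {}).get("Code")


def resolve_instance_profile_arn(iam_client, account_id, profile_name, partition="aws"):
    """Return (arn, verified). verified is False when the ARN was built blind."""
    try:
        profile = iam_client.get_instance_profile(InstanceProfileName=profile_name)
        return profile["InstanceProfile"]["Arn"], True
    except Exception as exc:
        if error_code(exc) not in ACCESS_DENIED_CODES:
            raise  # NoSuchEntity, throttling, etc. are real failures, not a cue to guess
        logger.warning("iam:GetInstanceProfile denied; passing ARN for %s unverified", profile_name)
        # Assumption: the profile uses the default path "/". Nothing here confirms it exists.
        return f"arn:{partition}:iam::{account_id}:instance-profile/{profile_name}", False


class FakeClientError(Exception):
    """Constructed stand-in with the same .response layout as botocore's ClientError."""
    def __init__(self, code, operation):
        super().__init__(f"An error occurred ({code}) when calling the {operation} operation")
        self.response = {"Error": {"Code": code, "Message": "constructed sample"}}


class FakeIAM:
    """Constructed stub of the one IAM client call used above."""
    def __init__(self, fail_code=None):
        self.fail_code = fail_code

    def get_instance_profile(self, InstanceProfileName):
        if self.fail_code:
            raise FakeClientError(self.fail_code, "GetInstanceProfile")
        arn = f"arn:aws:iam::123456789012:instance-profile/{InstanceProfileName}"
        return {"InstanceProfile": {"Arn": arn}}
```

Callers can use the returned `verified` flag to log or surface that the ARN was never checked, so a mistyped profile name is not mistaken for a permissions problem later.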