[Bug] Operation error Organizations: ListAccounts

[haooliveira84]

Kubecost Version

2.3.3

Kubernetes Version

1.28

Kubernetes Platform

EKS

Description

Running the installation steps for AWS Organization, I see the error: 2024-07-24T19:39:56.902905256Z WRN could not get account tags for provider [12345678910/s3://XXX-kubecost-reports/athena]: operation error Organizations: ListAccounts, https response error StatusCode: 400, RequestID: aa414828-889a-46e1-8d25-b6e62eb229cb, AccessDeniedException: You don't have permissions to access this resource. The IAM Policy for masterPayerARN is correct.

Steps to reproduce

1. Following steps for to https://docs.kubecost.com/install-and-configure/install/cloud-integration/aws-cloud-integrations/aws-cloud-integration-using-irsa

Expected behavior

Getting data from athena from AWS Master Account

Impact

No response

Screenshots

No response

Logs

No response

Slack discussion

No response

Troubleshooting

• [X] I have read and followed the issue guidelines and this is a bug impacting only the Kubecost application.
• [X] I have searched other issues in this repository and mine is not recorded.

[haooliveira84]

IDK if is related, but I see this in the logs. 2024-07-26T16:12:39.761115956Z WRN Failed to load cloud-integration config: failed to locate cloud-integration config file: cloud-integration/cloud-integration.json

[thomasvn]

@haooliveira84 This error comes from a feature which attempts to get the tags associated with each account ID and report them in the Assets page. I'd say not mission critical for the AWS cloud integration and can be safe to ignore if you wish! If you'd like to fix this, I believe your IAM policy will need to allow Kubecost perform the ListAccounts API.

[haooliveira84]

Many tks @thomasvn! I'm calm now :)