org-formation / org-formation-cli

Better than landingzones!
MIT License

Org-formation init-pipeline build-account-id AccessDenied #548

Closed costal closed 2 months ago

costal commented 7 months ago

Subject of the issue

Org-formation init-pipeline action results in an access denied error when using a build-account id. This error stems from s3 interaction.

Your environment

Steps to reproduce

I have a console created organization, with console created accounts.

I make initial tests with org-formation init organization.yml and org-formation init-pipeline organization.yml with no issues at all. However, attempting to use org-formation init-pipeline [organization.yml] [--region us-east-1] build-account-id XXXXXX results in what appears to be a permission error.

Expected behaviour

INFO: uploading initial commit to s3 organization-formation-XXXXX/initial-commit.zip...
INFO: creating code commit / codebuild and codepipeline resources using CloudFormation...
INFO: Your pipeline and initial commit have been created in AWS.
INFO: Hope this will get you started!
INFO:
INFO: Take your time and browse through the source, there is some additional guidance as comments.
INFO:
INFO: Have fun!
INFO:
INFO: --OC

Actual behaviour

INFO: uploading initial commit to s3 organization-formation-XXXXX/initial-commit.zip...
ERROR: unexpected error occurred...
Access Denied
AccessDenied: Access Denied
    at throwDefaultError (/home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@smithy/smithy-client/dist-cjs/index.js:838:20)
    at /home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@smithy/smithy-client/dist-cjs/index.js:847:5
    at de_PutObjectCommandError (/home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@aws-sdk/client-s3/dist-cjs/index.js:5741:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@smithy/middleware-serde/dist-cjs/index.js:35:20
    at async /home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@aws-sdk/client-s3/node_modules/@aws-sdk/middleware-signing/dist-cjs/index.js:184:18
    at async /home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38
    at async /home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@aws-sdk/middleware-flexible-checksums/dist-cjs/index.js:173:18
    at async /home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@aws-sdk/client-s3/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:97:20
    at async /home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@aws-sdk/client-s3/node_modules/@aws-sdk/middleware-sdk-s3/dist-cjs/index.js:120:14
    at async /home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:33:22
    at async Promise.all (index 0)
    at async _Upload.__uploadUsingPut (/home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@aws-sdk/lib-storage/dist-cjs/index.js:217:22)
    at async _Upload.__doConcurrentUpload (/home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@aws-sdk/lib-storage/dist-cjs/index.js:280:18)
    at async Promise.all (index 0)
    at async _Upload.__doMultipartUpload (/home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@aws-sdk/lib-storage/dist-cjs/index.js:366:5)
    at async _Upload.done (/home/leo/.nvm/versions/node/v20.11.0/lib/node_modules/aws-organization-formation/node_modules/@aws-sdk/lib-storage/dist-cjs/index.js:190:12)

In all cases an organization-formation-XXXXX bucket is created in the management account. My impression is that the build account would carry the build files.
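As an added defender-side pre-flight check (not code from org-formation or from the issue author), the following Python verifies, before anything is uploaded, which account the running credentials resolve to and whether the state bucket is actually owned by the account passed as the build account id, using S3's ExpectedBucketOwner parameter (S3 answers 403 when it does not match). The FakeSts/FakeS3 classes, the account ids and the error shape are constructed stand-ins; with real boto3 clients the same check_state_bucket function applies unchanged.

```python
"""Pre-flight check: is the org-formation state bucket really in the build account?"""
from dataclasses import dataclass

class FakeClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError, with the same .response shape."""
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}

class FakeSts:
    """Constructed stand-in for boto3's STS client."""
    def __init__(self, account):
        self.account = account
    def get_caller_identity(self):
        return {"Account": self.account}

class FakeS3:
    """Constructed stand-in for boto3's S3 client; `owner` is the bucket's owning account."""
    def __init__(self, owner):
        self.owner = owner
    def head_bucket(self, Bucket, ExpectedBucketOwner=None):
        # Real S3 answers HTTP 403 when ExpectedBucketOwner is not the bucket owner.
        if ExpectedBucketOwner is not None and ExpectedBucketOwner != self.owner:
            raise FakeClientError("403")
        return {}

@dataclass
class BucketCheck:
    caller_account: str
    owner_ok: bool
    detail: str

def check_state_bucket(sts, s3, bucket, build_account_id):
    """Report the calling account and whether `bucket` is owned by `build_account_id`.
    Works with real boto3 clients or any object exposing the same two calls."""
    caller = sts.get_caller_identity()["Account"]
    try:
        s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=build_account_id)
    except Exception as exc:  # botocore.exceptions.ClientError with real clients
        code = getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)
        return BucketCheck(caller, False,
                           f"{bucket}: not owned by {build_account_id} (S3 returned {code}); caller is {caller}")
    return BucketCheck(caller, True, f"{bucket}: owned by {build_account_id}; caller is {caller}")

if __name__ == "__main__":
    # Constructed scenario from the issue: the bucket landed in the management account
    # (111...) while init-pipeline was told the build account is 222...
    print(check_state_bucket(FakeSts("111111111111"), FakeS3("111111111111"),
                             "organization-formation-XXXXX", "222222222222").detail)
```

Running it with the real clients from the same profile that init-pipeline uses shows immediately whether the failing PutObject is a cross-account ownership problem rather than a missing IAM permission.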

tegamckinney commented 2 months ago

@costal Did you ever figure out the issue here? I have run into the same issue and have begun to look into it. As you indicated, I'm thinking the permissions issue arises from the state bucket being created in the wrong account.