org-formation / org-formation-reference

A reference architecture which aims to provide some best practices for any AWS Organization starting out using org-formation.

Initialize org-formation with root user #43

Open NickDarvey opened 3 years ago

NickDarvey commented 3 years ago

Step 5 of the README says that:

In this step, you run OrgFormation locally using the credentials of the root user of the management account

however running the update command gives me this result:

> org-formation update ./src/organization.yml --verbose "--profile" "dangerous"

WARN: Hi there!
WARN: You just ran into an error when assuming the role OrganizationFormationBuildAccessRole in account x.
WARN: Possibly, this is due a breaking change in org-formation v0.9.15.
WARN: From v0.9.15 onwards the org-formation cli will assume a role in every account it deploys tasks to.
WARN: This will make permission management and SCPs to deny / allow org-formation tasks easier.
WARN: More information: https://github.com/org-formation/org-formation-cli/tree/master/docs/0.9.15-permission-change.md
WARN: Thanks!
WARN: ======================================
ERROR: error: AccessDenied, aws-request-id: x
ERROR: Roles may not be assumed by root accounts.

(I think the warning is irrelevant in this case.)

I believe I could workaround this by creating an IAM account and specifying it as one of the assumeRolePrincipals for the next step:

aws cloudformation create-stack --stack-name org-formation-role --template-body file://src/templates/000-org-build/role.yml

Is this what I should be doing? Or have I likely got something else wrong?

BJClark commented 2 years ago

@NickDarvey did you ever figure out a work around? I'm having the same issue

OlafConijn commented 2 years ago

Hi! I completely missed this before. The error is: ERROR: Roles may not be assumed by root accounts. I kinda wonder what the intention was behind running these commands as root, but this step will need to be run as an IAM user.

You might already have an IAM user provisioned in the target account (or otherwise temporarily create one) that you can use, by running aws configure or setting up your credentials in ~/.aws/credentials.

stefan-karlsson commented 3 months ago

I managed to run the script after the following changes:

  1. Created an IAM account in my MasterAccount
  2. Assigned the predefined AdministratorAccess Permissions policy to the user created in 1.
  3. Added a custom inline policy to allow assuming a role:

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "AssumeRole",
                 "Effect": "Allow",
                 "Action": "sts:AssumeRole",
                 "Resource": "*"
             }
         ]
     }

  4. Generated access keys for the IAM user created in step 1
  5. Configured my AWS CLI to use the access key generated in step 4
  6. Executed the following command to create the OrganizationFormationBuildAccessRole role:

     aws cloudformation create-stack --stack-name org-formation-role --template-body file://src/templates/000-org-build/role.yml --region eu-north-1 --capabilities CAPABILITY_NAMED_IAM

  7. Made sure to update line 74 and line 77 with the correct email domain and address.
  8. Finally executed npx org-formation update ./src/organization.yml --verbose to build.

This seems to be the expected procedure! If so, updating the documentation or creating a bootstrap script for this would be beneficial. I am happy to help out!
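The steps above, collected into a bootstrap script as an added example; this is not code from org-formation-reference or from anyone in the thread. It does two things a practitioner would want before running the steps by hand: it refuses to continue when the caller identity is the account root (the exact condition behind "Roles may not be assumed by root accounts"), and it scopes the inline sts:AssumeRole policy to the OrganizationFormationBuildAccessRole ARN in the management account instead of Resource "*". The user name org-formation-bootstrap and the inline policy name AssumeOrgFormationRole are assumed; the region, template path and stack name are the ones from the thread. No AWS call is made unless ORGFORMATION_BOOTSTRAP_APPLY=1 is set, so the file can be sourced just to use the helpers.

```shell
#!/usr/bin/env bash
# Added example (not part of org-formation-reference): bootstrap the IAM user that
# the thread's steps 1-6 describe, with a preflight check that stops you from
# running the role-assuming steps as the account root.
# Assumed names (not from the repo): USER_NAME and the inline policy name.
set -eu

ROLE_NAME="OrganizationFormationBuildAccessRole"          # role from the error message
USER_NAME="${ORGFORMATION_USER:-org-formation-bootstrap}"  # assumed user name
REGION="${AWS_REGION:-eu-north-1}"                         # region used in the thread
TEMPLATE="file://src/templates/000-org-build/role.yml"     # template path from the thread

# Returns 0 when the ARN is the account root principal (arn:aws:iam::<12 digits>:root).
# STS rejects sts:AssumeRole for this identity, so org-formation cannot run as it.
is_root_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:root$'
}

# The 12-digit account id is the fifth colon-separated field of an IAM or STS ARN.
account_from_arn() {
  printf '%s\n' "$1" | cut -d: -f5
}

# Inline policy for the bootstrap user: allow AssumeRole only on the build role in
# this account, rather than on every role (Resource "*") as in the thread.
assume_role_policy() {
  account_id="$1"
  printf '{"Version":"2012-10-17","Statement":[{"Sid":"AssumeRole","Effect":"Allow","Action":"sts:AssumeRole","Resource":"arn:aws:iam::%s:role/%s"}]}\n' \
    "$account_id" "$ROLE_NAME"
}

# Fail fast if the current credentials are the root user; returns the account id otherwise.
require_iam_principal() {
  caller_arn="$(aws sts get-caller-identity --query Arn --output text)"
  if is_root_arn "$caller_arn"; then
    echo "Refusing to continue: $caller_arn is the account root and cannot assume $ROLE_NAME." >&2
    return 1
  fi
  account_from_arn "$caller_arn"
}

# Steps 1-4: create the user, attach AdministratorAccess, add the scoped AssumeRole
# policy, and issue an access key. This part may be run as root or as any admin.
create_bootstrap_user() {
  account_id="$(aws sts get-caller-identity --query Account --output text)"
  aws iam create-user --user-name "$USER_NAME"
  aws iam attach-user-policy --user-name "$USER_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  aws iam put-user-policy --user-name "$USER_NAME" \
    --policy-name AssumeOrgFormationRole \
    --policy-document "$(assume_role_policy "$account_id")"
  # Put the returned key into a named profile (aws configure --profile ...) before step 6.
  aws iam create-access-key --user-name "$USER_NAME"
}

# Steps 6 and 8, run with the new user's profile: deploy the build role, then run org-formation.
deploy_build_role_and_update() {
  require_iam_principal >/dev/null
  aws cloudformation create-stack --stack-name org-formation-role \
    --template-body "$TEMPLATE" --region "$REGION" --capabilities CAPABILITY_NAMED_IAM
  aws cloudformation wait stack-create-complete --stack-name org-formation-role --region "$REGION"
  npx org-formation update ./src/organization.yml --verbose
}

# Only touch AWS when explicitly asked; sourcing the file just defines the helpers.
if [ "${ORGFORMATION_BOOTSTRAP_APPLY:-0}" = "1" ]; then
  case "${1:-}" in
    user) create_bootstrap_user ;;
    deploy) deploy_build_role_and_update ;;
    *) echo "usage: ORGFORMATION_BOOTSTRAP_APPLY=1 $0 {user|deploy}" >&2; exit 2 ;;
  esac
fi
```

Run the `user` subcommand once with whatever admin credentials you have, switch your profile to the new user's access key, then run `deploy`; the preflight in `deploy` is what turns the thread's root-user error into an immediate, explicit refusal instead of a failed org-formation run.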