org-formation / org-formation-reference

A reference architecture which aims to provide some best practices for any AWS Organization starting out using org-formation.

Unable to init from cli #45

Closed kaihendry closed 2 years ago

kaihendry commented 2 years ago

I've followed the instructions until https://github.com/org-formation/org-formation-reference#5-initialize-org-formation and first it ran into an Error: Profile default not found error. I assumed I needed to put the root credentials in, but that doesn't work:

(ins)hendry-tw-mbp~/orgtest/org-formation-reference$ npx org-formation update ./src/organization.yml --verbose
WARN: ======================================
WARN: Hi there!
WARN: You just ran into an error when assuming the role OrganizationFormationBuildAccessRole in account 381831929214.
WARN: Possibly, this is due a breaking change in org-formation v0.9.15.
WARN: From v0.9.15 onwards the org-formation cli will assume a role in every account it deploys tasks to.
WARN: This will make permission management and SCPs to deny / allow org-formation tasks easier.
WARN: More information: https://github.com/org-formation/org-formation-cli/tree/master/docs/0.9.15-permission-change.md
WARN: Thanks!
WARN: ======================================
ERROR: error: AccessDenied, aws-request-id: 018ac5f7-258a-4f88-aa23-76145560f36b
ERROR: Roles may not be assumed by root accounts.

And then I created a user with Administrator access rights and that also did not work:

(ins)hendry-tw-mbp~/orgtest/org-formation-reference$ vim .env 
(ins)hendry-tw-mbp~/orgtest/org-formation-reference$ source .env 
(ins)hendry-tw-mbp~/orgtest/org-formation-reference$ npx org-formation update ./src/organization.yml --verbose
WARN: ======================================
WARN: Hi there!
WARN: You just ran into an error when assuming the role OrganizationFormationBuildAccessRole in account 381831929214.
WARN: Possibly, this is due a breaking change in org-formation v0.9.15.
WARN: From v0.9.15 onwards the org-formation cli will assume a role in every account it deploys tasks to.
WARN: This will make permission management and SCPs to deny / allow org-formation tasks easier.
WARN: More information: https://github.com/org-formation/org-formation-cli/tree/master/docs/0.9.15-permission-change.md
WARN: Thanks!
WARN: ======================================
ERROR: error: AccessDenied, aws-request-id: 90d5db12-a048-4ffe-a999-73ad3c398472
ERROR: User: arn:aws:iam::381831929214:user/admintest is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::381831929214:role/OrganizationFormationBuildAccessRole
(ins)hendry-tw-mbp~/orgtest/org-formation-reference$ 

What am I missing please?

kaihendry commented 2 years ago

It's not in the instructions, but I logged in as the SSO user, in which I clumsily added AdministratorAccess, but now it complains of OrganizationFormationBuildAccessRole... where does that come from?


(ins)hendry-tw-mbp~/orgtest/org-formation-reference$ npx org-formation update ./src/organization.yml --profile AdministratorAccess-381831929214 --verbose
WARN: ======================================
WARN: Hi there!
WARN: You just ran into an error when assuming the role OrganizationFormationBuildAccessRole in account 381831929214.
WARN: Possibly, this is due a breaking change in org-formation v0.9.15.
WARN: From v0.9.15 onwards the org-formation cli will assume a role in every account it deploys tasks to.
WARN: This will make permission management and SCPs to deny / allow org-formation tasks easier.
WARN: More information: https://github.com/org-formation/org-formation-cli/tree/master/docs/0.9.15-permission-change.md
WARN: Thanks!
WARN: ======================================
ERROR: error: AccessDenied, aws-request-id: 7835fcc5-0fa4-4e54-afc3-3734ae8f77c8
ERROR: User: arn:aws:sts::381831929214:assumed-role/AWSReservedSSO_AdministratorAccess_a6e0c532b831eac0/hendry is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::381831929214:role/OrganizationFormationBuildAccessRole

OlafConijn commented 2 years ago

Hi, the first error was indeed because being logged in as the root user doesn't allow you to assume roles.

The second and the third error seem very similar: both are users that exist in the account "381831929214" that try to assume a role on that same account.

The error reads "is not authorized to perform", which to me would suggest that the user doesn't have the right permissions, though Administrator should (obviously) be more than enough.

Would you be able to check: 1) whether the role OrganizationFormationBuildAccessRole exists, 2) what the assume role policy is on this role, 3) whether there are SCPs that would prevent you from assuming this role?

Thanks in advance.
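The three checks above can be reasoned through offline. The following is an added example (not code from org-formation or from this issue) that replays them against constructed IAM data: the caller ARNs are the ones printed in the error output above, the trust policy on the role is a constructed one that trusts every IAM principal in account 381831929214, and `ROLES_MISSING` stands for the thread's situation where the role from step 5.3 has not been created yet. Path handling in `canonical_principal` is a simplification of real IAM matching, and SCP evaluation is out of scope.

```python
"""Offline diagnosis of a failed sts:AssumeRole on an org-formation build role.

Added example, not org-formation's code. It replays the checks suggested in the
thread (is the caller the root user, does the role exist, does its trust policy
cover the caller) against constructed IAM data instead of live API calls.
"""

ACCOUNT = "381831929214"
ROLE_NAME = "OrganizationFormationBuildAccessRole"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/{ROLE_NAME}"

# Caller ARNs as they appear in the thread's error output.
ROOT_CALLER = f"arn:aws:iam::{ACCOUNT}:root"
USER_CALLER = f"arn:aws:iam::{ACCOUNT}:user/admintest"
SSO_CALLER = (f"arn:aws:sts::{ACCOUNT}:assumed-role/"
              "AWSReservedSSO_AdministratorAccess_a6e0c532b831eac0/hendry")

# Constructed trust policy: trusts every IAM principal in the account.
# "arn:aws:iam::ACCT:root" as a Principal means the *account*, not the root
# user; the root user itself can never call sts:AssumeRole.
TRUST_ACCOUNT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "sts:AssumeRole"}]}

# Stand-in for iam:GetRole results: role ARN -> trust policy document.
ROLES_PRESENT = {ROLE_ARN: TRUST_ACCOUNT}
ROLES_MISSING = {}  # the thread's situation: step 5.3 not yet run


def parse_arn(arn):
    """Split arn:partition:service:region:account:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return {"service": parts[2], "account": parts[4], "resource": parts[5]}


def canonical_principal(arn):
    """Normalise a caller ARN to the form a trust policy would name.

    An STS session ARN arn:aws:sts::ACCT:assumed-role/Name/session matches the
    role arn:aws:iam::ACCT:role/Name. Paths (e.g. the SSO reserved path) are
    dropped here, which simplifies real IAM matching.
    """
    a = parse_arn(arn)
    res = a["resource"]
    if a["service"] == "sts" and res.startswith("assumed-role/"):
        return f"arn:aws:iam::{a['account']}:role/{res.split('/')[1]}"
    if "/" in res:
        kind, name = res.split("/", 1)
        return f"arn:aws:iam::{a['account']}:{kind}/{name.rsplit('/', 1)[-1]}"
    return arn


def principal_matches(policy_principal, caller_arn):
    """True when one Principal entry of a trust policy covers the caller."""
    if policy_principal == "*":
        return True
    caller = parse_arn(caller_arn)
    if policy_principal.isdigit():            # bare account id
        return caller["account"] == policy_principal
    p = parse_arn(policy_principal)
    if p["resource"] == "root":               # whole account
        return caller["account"] == p["account"]
    return canonical_principal(policy_principal) == canonical_principal(caller_arn)


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def diagnose(caller_arn, roles, role_arn=ROLE_ARN):
    """Return a reason string for the AssumeRole outcome."""
    if parse_arn(caller_arn)["resource"] == "root":
        return "ROOT_CALLER"      # "Roles may not be assumed by root accounts."
    policy = roles.get(role_arn)
    if policy is None:
        return "ROLE_MISSING"     # STS still answers AccessDenied, not NoSuchEntity
    allowed = denied = False
    for stmt in policy["Statement"]:
        if not any(a in ("sts:AssumeRole", "sts:*", "*")
                   for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if any(principal_matches(p, caller_arn) for p in principals):
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    if allowed and not denied:
        # Account-level trust also requires sts:AssumeRole in the caller's own
        # identity policy; AdministratorAccess grants that.
        return "TRUSTED"
    return "TRUST_POLICY_DENIES"


if __name__ == "__main__":
    for who in (ROOT_CALLER, USER_CALLER, SSO_CALLER):
        print(f"{who}\n  with role:    {diagnose(who, ROLES_PRESENT)}"
              f"\n  without role: {diagnose(who, ROLES_MISSING)}")
```

The point worth taking from running it: the second and third errors in the thread are indistinguishable from a trust-policy denial, because STS reports a missing role as AccessDenied rather than NoSuchEntity, so "does the role exist" has to be checked with IAM directly (for example `aws iam get-role --role-name OrganizationFormationBuildAccessRole`) before reading anything into the "not authorized" wording.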

kaihendry commented 2 years ago

That role doesn't exist; this is a fresh AWS account btw 😅

OlafConijn commented 2 years ago

Just rereading the steps:

It seems that you are missing the role that is created in step 5.3? Maybe these steps should be inverted?

kaihendry commented 2 years ago

To move forward, my colleague and I basically ignored this repo and went to https://github.com/org-formation/org-formation-cli#getting-started

We init and init-bootstrap using root credentials, and that's how we managed to get org-formation going.