Issue: Getting
AccessDenied: User: arn:aws:sts::XXXXXXXXXXXXXX:assumed-role/XXXXXXXX is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::XXXXXXXXXX:role/<RANDOM_NAME>
while deploying a ui, api and db as some where down the chain the framework is trying to create roles and it is failing.
I think it is ideal to provide an ability for specifying a role name that already exists in the account or provide an ability to create role and use that for deployment.
In certain organizations the role creation might have restriction.
Ex: Allow creation of new roles only if a standard permission boundary is attached to it. or other scenarios wrt to roles...
In those lines custom role creation will always run into issues.. So if an IAM role is provided, on the fly role creation should be skipped and provided role should be attached to the resources.
Issue: Getting
AccessDenied: User: arn:aws:sts::XXXXXXXXXXXXXX:assumed-role/XXXXXXXX is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::XXXXXXXXXX:role/<RANDOM_NAME>while deploying a ui, api and db as some where down the chain the framework is trying to create roles and it is failing.I think it is ideal to provide an ability for specifying a role name that already exists in the account or provide an ability to create role and use that for deployment.
In certain organizations the role creation might have restriction.
Ex: Allow creation of new roles only if a standard permission boundary is attached to it. or other scenarios wrt to roles...In those lines custom role creation will always run into issues.. So if an IAM role is provided, on the fly role creation should be skipped and provided role should be attached to the resources.
@eahefnawy @pmuens @medikoo Thoughts ?