
IAM Identity Center (ICC) (LZA v1.7.0+) fails to successfully create Management Account assignments - Failure message mentions missing iam:CreateSAMLProvider permission on the IIC Assignment Lambda IAM Role about landing-zone-accelerator-on-aws

CirrusHQ-Pipeline-User commented on August 13, 2024
IAM Identity Center (ICC) (LZA v1.7.0+) fails to successfully create Management Account assignments - Failure message mentions missing iam:CreateSAMLProvider permission on the IIC Assignment Lambda IAM Role

from landing-zone-accelerator-on-aws.

Comments (5)

erwaxler commented on August 13, 2024

Hi @CirrusHQ-Pipeline-User , thanks for creating this issue. I've created an item in the team's backlog to track this work, I will update this ticket accordingly. Thank you for your support of the Landing Zone Accelerator!


hemanth-m19 commented on August 13, 2024

Hello! @CirrusHQ-Pipeline-User and @erwaxler, I wanted to share some insights on our configuration that might help in diagnosing this issue effectively.

We've recently updated our LZA version to the latest (v1.7.1). Additionally, we have our IAM Identity Centre configured with an external identity provider (Okta) as well. This version update has successfully resolved previous issues, and as of now, we haven't encountered the problem you mentioned here.

Below is the sample config I tested just then to double check:

identityCenter:
  name: IdentityCenter
  delegatedAdminAccount: Audit
  identityCenterPermissionSets:
    - name: OrgViewOnlyAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
      sessionDuration: 60
    
    - name: OrgReadOnlyAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/ReadOnlyAccess
        inlinePolicy: iam-policies/OrgReadOnlyAccess-inline-policy.json
      sessionDuration: 60

  identityCenterAssignments:
  - name: Assignment1
    permissionSetName: OrgViewOnlyAccess
    principals:
      - type: GROUP
        name: OrgAWSViewers
    deploymentTargets:
      organizationalUnits:
        - Root # Successfully assigned to all accounts

  - name: Assignment2
    permissionSetName: OrgReadOnlyAccess
    principals:
      - type: GROUP
        name: OrgAWSReaders
    deploymentTargets:
      accounts:
        - Management # Successfully assigned to Management account


CirrusHQ-Pipeline-User commented on August 13, 2024

Hi @hemanth-m19 (CC: @erwaxler),

Thank you for the additional context and sample Config.

What's weird is that I seem to have a similar Config to how you've set it up, and I wouldn't have suspected it to be a Config issue anyway since validation tests passed and the Pipeline successfully completed.

I will paste my Config below:

providers: []
policySets: []
roleSets: []
groupSets: []
userSets: []

identityCenter:
  name: identityCenter
  delegatedAdminAccount: SharedServices
  identityCenterPermissionSets:
    - name: ReadOnlyAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
      sessionDuration: 480

    - name: AdministratorAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/AdministratorAccess
      sessionDuration: 480

    - name: FinanceAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/AWSSupportAccess
          - arn:aws:iam::aws:policy/job-function/Billing
      sessionDuration: 480

    - name: DeveloperAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/PowerUserAccess
      sessionDuration: 480

    - name: Monitoring
      policies:
        inlinePolicy: iam-policies/monitoring-policy.json
      sessionDuration: 480

  identityCenterAssignments:
  #adjust the below so that they are assigned to the correct OU/Account
    - name: AdministratorAccess
      permissionSetName: AdministratorAccess
      principals:
        - type: GROUP
          name: AWS-AdministratorAccess
      deploymentTargets:
        organizationalUnits:
          - Workload
          - Infrastructure
          - Security
          - Quarantine
        accounts:
          - Management # did not get assigned as received the IAM Error: User: arn:aws:sts::xxx:assumed-role/xxxx-IdentityCenterStac-CustomIdentityCenterAssig-xxx/xxx-IdentityCenterStac-CustomIdentityCenterAssi-xxx is not authorized to perform: iam:CreateSAMLProvider on resource

    - name: Read-Only
      permissionSetName: ReadOnlyAccess
      principals:
        - type: GROUP
          name: AWS-ReadOnlyAccess
      deploymentTargets:
        organizationalUnits:
          - Workload
          - Infrastructure
          - Security
          - Quarantine
        accounts:
          - Management # did not get assigned as received the IAM Error: User: arn:aws:sts::xxx:assumed-role/xxxx-IdentityCenterStac-CustomIdentityCenterAssig-xxx/xxx-IdentityCenterStac-CustomIdentityCenterAssi-xxx is not authorized to perform: iam:CreateSAMLProvider on resource

    - name: Finance
      permissionSetName: FinanceAccess
      principals:
        - type: GROUP
          name: AWS-BillingAccess
      deploymentTargets:
        organizationalUnits:
          - Workload
        accounts:
          - Management # did not get assigned as received the IAM Error: User: arn:aws:sts::xxx:assumed-role/xxxx-IdentityCenterStac-CustomIdentityCenterAssig-xxx/xxx-IdentityCenterStac-CustomIdentityCenterAssi-xxx is not authorized to perform: iam:CreateSAMLProvider on resource
          
    - name: Developer
      permissionSetName: DeveloperAccess
      principals:
        - type: GROUP
          name: AWS-DeveloperAccess
      deploymentTargets:
        organizationalUnits:
          - Workload
        accounts:
          - Management # did not get assigned as received the IAM Error: User: arn:aws:sts::xxx:assumed-role/xxxx-IdentityCenterStac-CustomIdentityCenterAssig-xxx/xxx-IdentityCenterStac-CustomIdentityCenterAssi-xxx is not authorized to perform: iam:CreateSAMLProvider on resource

    - name: Monitoring
      permissionSetName: Monitoring
      principals:
        - type: GROUP
          name: AWS-MonitoringAccess
      deploymentTargets:
        organizationalUnits:
          - Workload
        accounts:
          - Management # did not get assigned as received the IAM Error: User: arn:aws:sts::xxx:assumed-role/xxxx-IdentityCenterStac-CustomIdentityCenterAssig-xxx/xxx-IdentityCenterStac-CustomIdentityCenterAssi-xxx is not authorized to perform: iam:CreateSAMLProvider on resource

Again, all that was done were the steps I have listed under "recreate"; the only difference between our setup and yours, from what you mention, is that we use Azure AD instead of Okta (but that should be no issue). With that in mind, I believe this must still be a bug or a managed LZA permissions issue, as there is no other pain point we can think of that would be causing this.

Interested to hear your thoughts.

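The configs in this thread reach the Management account in two ways: by naming it under accounts, or implicitly through organizationalUnits: Root. The Python below is an added example, not code from landing-zone-accelerator-on-aws; it expands deploymentTargets blocks into concrete account sets so you can list in advance which assignments will be attempted against Management (and therefore which ones to expect in the FAILED state while this bug is present). The organisation layout and the assignment list are constructed for illustration, and excludedAccounts is assumed to behave as in the LZA deploymentTargets schema, since the thread itself never uses it.

```python
"""Which LZA identityCenterAssignments land on a given account?

Added example for this thread; not code from landing-zone-accelerator-on-aws.
It models only the deploymentTargets keys seen in the configs above
(`organizationalUnits`, `accounts`) plus `excludedAccounts`, which is assumed
to follow the LZA deploymentTargets schema. The organisation layout and the
assignments are constructed for illustration.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed organisation: OU name -> (child OUs, accounts directly in the OU).
# The management account sits directly under Root, which is why an assignment
# targeting Root reaches Management even when `accounts` never names it.
ORG: Dict[str, Tuple[List[str], List[str]]] = {
    "Root": (["Security", "Infrastructure", "Workload"], ["Management"]),
    "Security": ([], ["Audit", "LogArchive"]),
    "Infrastructure": ([], ["SharedServices", "Network"]),
    "Workload": (["Quarantine"], ["Dev", "Prod"]),
    "Quarantine": ([], []),
}


def accounts_under(ou: str, org: Dict[str, Tuple[List[str], List[str]]] = ORG) -> Set[str]:
    """Every account in `ou` and in all OUs nested beneath it."""
    children, accounts = org[ou]
    found = set(accounts)
    for child in children:
        found |= accounts_under(child, org)
    return found


def resolve_targets(deployment_targets: dict, org=ORG) -> Set[str]:
    """Expand a deploymentTargets block into the concrete set of account names."""
    result: Set[str] = set()
    for ou in deployment_targets.get("organizationalUnits", []):
        result |= accounts_under(ou, org)
    result |= set(deployment_targets.get("accounts", []))
    # Assumed LZA semantics: excludedAccounts removes accounts after OU expansion.
    result -= set(deployment_targets.get("excludedAccounts", []))
    return result


def assignments_targeting(assignments: Iterable[dict], account: str, org=ORG) -> List[str]:
    """Names of the assignments whose expanded targets include `account`."""
    return [
        a["name"]
        for a in assignments
        if account in resolve_targets(a.get("deploymentTargets", {}), org)
    ]


# Constructed assignments mirroring the shapes used in the thread: an org-wide
# Root assignment, an OU-scoped one, an explicit Management one, and a Root
# assignment that opts Management out.
ASSIGNMENTS = [
    {"name": "AdminEverything", "permissionSetName": "AdministratorAccess",
     "principals": [{"type": "GROUP", "name": "AWS-AdminAccessEverything"}],
     "deploymentTargets": {"organizationalUnits": ["Root"]}},
    {"name": "DevWorkloads", "permissionSetName": "DeveloperAccess",
     "principals": [{"type": "GROUP", "name": "AWS-DeveloperAccess"}],
     "deploymentTargets": {"organizationalUnits": ["Workload"]}},
    {"name": "AdminManagementOnly", "permissionSetName": "AdministratorAccess",
     "principals": [{"type": "GROUP", "name": "AWS-AdminManagement"}],
     "deploymentTargets": {"accounts": ["Management"]}},
    {"name": "ReadOnlyExceptManagement", "permissionSetName": "ReadOnlyAccess",
     "principals": [{"type": "GROUP", "name": "AWS-ReadOnlyAccessEverything"}],
     "deploymentTargets": {"organizationalUnits": ["Root"],
                           "excludedAccounts": ["Management"]}},
]


if __name__ == "__main__":
    print("Assignments that will be attempted on the Management account:")
    for name in assignments_targeting(ASSIGNMENTS, "Management"):
        print(f"  - {name}")
```

Run against a real iam-config.yml (load it with a YAML parser and pass identityCenter.identityCenterAssignments plus your own OU map), the output is the list of assignments whose Management-account leg will fail with the error in this thread; it also shows that a Root-scoped assignment cannot keep Management out of scope without an explicit exclusion.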

hemanth-m19 commented on August 13, 2024

@CirrusHQ-Pipeline-User

It's interesting that an error is arising stating the IAM role isn't authorized to perform the action iam:CreateSAMLProvider.

From my understanding, when adding assignments to a Management account configured with an external provider, the IAM role only needs the iam:GetSAMLProvider permission (although there might be variations; adding only this permission to the IAM role has been functional in another internal assignments pipeline of mine).

Additionally, this permission is already in place for the Custom::IdentityCenterAssignments Lambda function. You can refer to this link for more details.


CirrusHQ-Pipeline-User commented on August 13, 2024

@hemanth-m19 & @erwaxler - PLEASE READ THE FULL RESPONSE BELOW, I THINK I'VE FOUND THE PROBLEM AND POTENTIAL FIX AROUND THIS.

Thanks for your response and clarification. I followed a similar process with another separate AWS Organization and encountered the same issue. Here are the steps I followed:

  • Enable IAM Identity Centre in the Management Account (to create the Org IIC Instance)
  • Deploy LZA iam-config.yml with NO assignments and NO permission sets, just to set the delegated admin to the SharedServices Account
  • I then entered the SharedServices Account to set up Azure AD as an Identity Provider, which thus allowed my Azure AD Team to send over Groups and Users into IIC
  • I then deployed iam-config.yml through LZA with assignments and permission sets

The outcome of this was the same as the previous Org, ALL assignments worked EXCEPT for the Management Account ones. For this new Org we also upgraded version v1.6.3 to v1.7.1 and are getting the exact same error (when running aws sso-admin describe-account-assignment-creation-status) which I will paste below.

Please note, again, ALL assignments worked except for the one to the Management Account, despite including the Management Account via deploymentTargets > organizationalUnits > Root in one assignment and trying via deploymentTargets > accounts > Management in another.

{
    "AccountAssignmentCreationStatus": {
        "CreatedDate": "2024-07-03T10:12:39.038000+00:00",
        "FailureReason": "Received a 403 status error: Access denied by IAM. Please check your policy, or wait for role propagation to complete. IAM Error: User: arn:aws:sts::xxxx:assumed-role/xxxx-IdentityCenterSta-CustomIdentityCenterAssg-xxxx/xxxx-IdentityCenterSta-CustomIdentityCenterAssi-xxxx is not authorized to perform: iam:CreateSAMLProvider on resource: arn:aws:iam::xxxx:saml-provider/AWSSSO_xxxx_DO_NOT_DELETE because no identity-based plicy allows the iam:CreateSAMLProvider action (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: xxxx; Proxy: null)",
        "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-xxxx/xxxx",
        "PrincipalId": "xxxx",
        "PrincipalType": "GROUP",
        "RequestId": "xxxx",
        "Status": "FAILED",
        "TargetId": "xxxx",
        "TargetType": "AWS_ACCOUNT"
    }
}

Here is the iam-config.yml which was used:

providers: []
policySets: []
roleSets: []
groupSets: []
userSets: []

identityCenter:
  name: identityCenter
  delegatedAdminAccount: SharedServices
  identityCenterPermissionSets: 

    - name: ReadOnlyAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/ReadOnlyAccess
      sessionDuration: 480

    - name: AdministratorAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/AdministratorAccess
      sessionDuration: 480

    - name: FinanceAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/job-function/Billing
      sessionDuration: 480

    - name: DeveloperAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/job-function/SystemAdministrator
      sessionDuration: 480

  identityCenterAssignments: 
#adjust the below so that they are assigned to the correct OU/Account
    - name: AWS-AdminAccessEverything
      permissionSetName: AdministratorAccess
      principals:
        - type: GROUP
          name: AWS-AdminAccessEverything
      deploymentTargets:
        organizationalUnits:
          - Root

    - name: AWS-ReadOnlyAccessEverything
      permissionSetName: ReadOnlyAccess
      principals:
        - type: GROUP
          name: AWS-ReadOnlyAccessEverything
      deploymentTargets:
        organizationalUnits:
          - Root

    - name: AWS-ReadOnlySecurity
      permissionSetName: ReadOnlyAccess
      principals:
        - type: GROUP
          name: AWS-ReadOnlySecurity
      deploymentTargets:
        organizationalUnits:
          - Security

    - name: AWS-ReadOnlyIAM
      permissionSetName: ReadOnlyAccess
      principals:
        - type: GROUP
          name: AWS-ReadOnlyIAM
      deploymentTargets:
        organizationalUnits:
          - Infrastructure

    - name: AWS-AdminManagementOnly
      permissionSetName: AdministratorAccess
      principals:
        - type: GROUP
          name: AWS-AdminManagement
      deploymentTargets:
        accounts:
          - Management

All assignments worked except for the one to the Management Account, despite including the Management Account via deploymentTargets > organizationalUnits > Root in one assignment and trying via deploymentTargets > accounts > Management in another.

After investigating, I found that when creating an external Identity Provider in IAM Identity Center, it also creates an Identity Provider within the IAM Console. It appears SSO tries to create an Identity Provider from the Management Account when creating Management Account Assignments. Since it is not available (as the external Identity Provider integration was created from my SharedServices Account, the delegated Admin of IIC as per best practices), the process fails unless the Custom IIC Assignments resource in the Management Account has the correct permissions, and currently it does not, so the above workflow is not supported.

The new update (v1.7.0) deploys IIC-related resources in the Management Account (as noted in the v1.7.0 release notes), and it needs to use the SAML Provider, which is not available within the Management Account if the external Identity Provider is first created from the IIC Delegated Admin Account.

Here are screenshots from the IAM Console in the Identity Providers section:

SharedServices Account:
[screenshot: IdP-Shared-Services]

Management Account:
[screenshot: IdP-Management]

To fix this, it appears the Management Account also needs a SAML Identity Provider to create assignments. I recommend the LZA Team test this process and include the necessary permissions in a future release, as once the permission for iam:CreateSAMLProvider is added, more may still be needed so a full replication/investigation is required from the LZA Team.

Additionally, clarifying the process of using Delegated Admins vs. Management Account for IIC could prevent future customers from encountering this issue.

Thanks and I look forward to your feedback.

Best,

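Reading the FailureReason by eye is error-prone when several assignments fail at once, and the thread's own conclusion is that the first denied action may not be the last. The Python below is an added example, not part of LZA or of any AWS tool: given the JSON shape that aws sso-admin describe-account-assignment-creation-status prints (the sample is constructed to match the output quoted above, with xxxx placeholders), it extracts the denied action, the resource ARN and the assuming role from the IAM AccessDenied message and emits the single resource-scoped Allow statement that denial asks for, so any widening of the assignment Lambda's role can be reviewed one action at a time instead of being granted on "*".

```python
"""Triage a FAILED IAM Identity Center account-assignment status.

Added example for this thread; not code from landing-zone-accelerator-on-aws
or from AWS. Input is the JSON printed by
`aws sso-admin describe-account-assignment-creation-status`; the sample below
is constructed to match the shape quoted in the thread (xxxx placeholders).
Nothing here talks to AWS.
"""
import json
import re
from typing import Optional

# Constructed sample in the shape of describe-account-assignment-creation-status.
SAMPLE_STATUS = {
    "AccountAssignmentCreationStatus": {
        "CreatedDate": "2024-07-03T10:12:39.038000+00:00",
        "FailureReason": (
            "Received a 403 status error: Access denied by IAM. Please check your "
            "policy, or wait for role propagation to complete. IAM Error: User: "
            "arn:aws:sts::xxxx:assumed-role/xxxx-IdentityCenterSta-CustomIdentityCenterAssg-xxxx/"
            "xxxx-IdentityCenterSta-CustomIdentityCenterAssi-xxxx is not authorized "
            "to perform: iam:CreateSAMLProvider on resource: "
            "arn:aws:iam::xxxx:saml-provider/AWSSSO_xxxx_DO_NOT_DELETE because no "
            "identity-based policy allows the iam:CreateSAMLProvider action "
            "(Service: AmazonIdentityManagement; Status Code: 403; "
            "Error Code: AccessDenied; Request ID: xxxx; Proxy: null)"
        ),
        "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-xxxx/xxxx",
        "PrincipalId": "xxxx",
        "PrincipalType": "GROUP",
        "RequestId": "xxxx",
        "Status": "FAILED",
        "TargetId": "xxxx",
        "TargetType": "AWS_ACCOUNT",
    }
}

# The AccessDenied sentence AWS embeds: "User: <sts arn> is not authorized to
# perform: <service>:<Action> on resource: <arn> ...".
DENIAL_RE = re.compile(
    r"User: (?P<principal>arn:aws(?:-[a-z]+)?:sts::[^ ]+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+) on resource: (?P<resource>arn:[^ ]+)"
)


def role_name_from_sts_arn(arn: str) -> Optional[str]:
    """arn:aws:sts::acct:assumed-role/<RoleName>/<Session> -> RoleName."""
    marker = ":assumed-role/"
    if marker not in arn:
        return None
    return arn.split(marker, 1)[1].split("/", 1)[0]


def parse_access_denied(reason: str) -> Optional[dict]:
    """Extract principal, action and resource from an IAM AccessDenied message."""
    m = DENIAL_RE.search(reason)
    if not m:
        return None
    denial = m.groupdict()
    denial["role_name"] = role_name_from_sts_arn(denial["principal"])
    return denial


def minimal_statement(denial: dict) -> dict:
    """The one Allow statement that satisfies exactly this denial.

    Scoped to the reported resource rather than "*": the resource here is
    Identity Center's own saml-provider, so there is no reason to grant the
    action more widely. If a later run reports another denial, triage that
    one separately instead of widening this statement.
    """
    return {"Effect": "Allow", "Action": [denial["action"]], "Resource": [denial["resource"]]}


def triage(status_json: dict) -> Optional[dict]:
    """Summarise a creation-status document; None when there is nothing to fix."""
    status = status_json.get("AccountAssignmentCreationStatus", {})
    if status.get("Status") != "FAILED":
        return None
    denial = parse_access_denied(status.get("FailureReason", ""))
    return {
        "request_id": status.get("RequestId"),
        "target_id": status.get("TargetId"),
        "permission_set": status.get("PermissionSetArn"),
        "denial": denial,  # None when the failure is not an IAM AccessDenied
        "suggested_statement": minimal_statement(denial) if denial else None,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_STATUS), indent=2))
```

Pipe the CLI output into this for each RequestId that describe-account-assignment-creation-status reports as FAILED; a denial whose role_name is the Custom::IdentityCenterAssignments Lambda role and whose resource is the AWSSSO_*_DO_NOT_DELETE saml-provider is the signature described in this thread.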
