Comments (5)
Hi @CirrusHQ-Pipeline-User, thanks for creating this issue. I've created an item in the team's backlog to track this work, and I will update this ticket accordingly. Thank you for your support of the Landing Zone Accelerator!
from landing-zone-accelerator-on-aws.
Hello! @CirrusHQ-Pipeline-User and @erwaxler, I wanted to share some insights on our configuration that might help in diagnosing this issue effectively.
We've recently updated our LZA version to the latest (v1.7.1). Additionally, we have our IAM Identity Centre configured with an external identity provider (Okta) as well. This version update has successfully resolved previous issues, and as of now, we haven't encountered the problem you mentioned here.
Below is the sample config I tested just then to double check:
```yaml
identityCenter:
  name: IdentityCenter
  delegatedAdminAccount: Audit
  identityCenterPermissionSets:
    - name: OrgViewOnlyAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
      sessionDuration: 60
    - name: OrgReadOnlyAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/ReadOnlyAccess
        inlinePolicy: iam-policies/OrgReadOnlyAccess-inline-policy.json
      sessionDuration: 60
  identityCenterAssignments:
    - name: Assignment1
      permissionSetName: OrgViewOnlyAccess
      principals:
        - type: GROUP
          name: OrgAWSViewers
      deploymentTargets:
        organizationalUnits:
          - Root # Successfully assigned to all accounts
    - name: Assignment2
      permissionSetName: OrgReadOnlyAccess
      principals:
        - type: GROUP
          name: OrgAWSReaders
      deploymentTargets:
        accounts:
          - Management # Successfully assigned to Management account
```
Hi @hemanth-m19 (CC: @erwaxler),
Thank you for the additional context and sample Config.
What's weird is that I seem to have a similar Config to how you've set it up, and I wouldn't have suspected it to be a Config issue anyway since validation tests passed and the Pipeline successfully completed.
I will paste my Config below:
```yaml
providers: []
policySets: []
roleSets: []
groupSets: []
userSets: []
identityCenter:
  name: identityCenter
  delegatedAdminAccount: SharedServices
  identityCenterPermissionSets:
    - name: ReadOnlyAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
      sessionDuration: 480
    - name: AdministratorAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/AdministratorAccess
      sessionDuration: 480
    - name: FinanceAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/AWSSupportAccess
          - arn:aws:iam::aws:policy/job-function/Billing
      sessionDuration: 480
    - name: DeveloperAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/PowerUserAccess
      sessionDuration: 480
    - name: Monitoring
      policies:
        inlinePolicy: iam-policies/monitoring-policy.json
      sessionDuration: 480
  identityCenterAssignments:
    # adjust the below so that they are assigned to the correct OU/Account
    - name: AdministratorAccess
      permissionSetName: AdministratorAccess
      principals:
        - type: GROUP
          name: AWS-AdministratorAccess
      deploymentTargets:
        organizationalUnits:
          - Workload
          - Infrastructure
          - Security
          - Quarantine
        accounts:
          - Management # did not get assigned as I received the IAM Error: User: arn:aws:sts::xxx:assumed-role/xxxx-IdentityCenterStac-CustomIdentityCenterAssig-xxx/xxx-IdentityCenterStac-CustomIdentityCenterAssi-xxx is not authorized to perform: iam:CreateSAMLProvider on resource
    - name: Read-Only
      permissionSetName: ReadOnlyAccess
      principals:
        - type: GROUP
          name: AWS-ReadOnlyAccess
      deploymentTargets:
        organizationalUnits:
          - Workload
          - Infrastructure
          - Security
          - Quarantine
        accounts:
          - Management # did not get assigned as I received the IAM Error: User: arn:aws:sts::xxx:assumed-role/xxxx-IdentityCenterStac-CustomIdentityCenterAssig-xxx/xxx-IdentityCenterStac-CustomIdentityCenterAssi-xxx is not authorized to perform: iam:CreateSAMLProvider on resource
    - name: Finance
      permissionSetName: FinanceAccess
      principals:
        - type: GROUP
          name: AWS-BillingAccess
      deploymentTargets:
        organizationalUnits:
          - Workload
        accounts:
          - Management # did not get assigned as I received the IAM Error: User: arn:aws:sts::xxx:assumed-role/xxxx-IdentityCenterStac-CustomIdentityCenterAssig-xxx/xxx-IdentityCenterStac-CustomIdentityCenterAssi-xxx is not authorized to perform: iam:CreateSAMLProvider on resource
    - name: Developer
      permissionSetName: DeveloperAccess
      principals:
        - type: GROUP
          name: AWS-DeveloperAccess
      deploymentTargets:
        organizationalUnits:
          - Workload
        accounts:
          - Management # did not get assigned as I received the IAM Error: User: arn:aws:sts::xxx:assumed-role/xxxx-IdentityCenterStac-CustomIdentityCenterAssig-xxx/xxx-IdentityCenterStac-CustomIdentityCenterAssi-xxx is not authorized to perform: iam:CreateSAMLProvider on resource
    - name: Monitoring
      permissionSetName: Monitoring
      principals:
        - type: GROUP
          name: AWS-MonitoringAccess
      deploymentTargets:
        organizationalUnits:
          - Workload
        accounts:
          - Management # did not get assigned as I received the IAM Error: User: arn:aws:sts::xxx:assumed-role/xxxx-IdentityCenterStac-CustomIdentityCenterAssig-xxx/xxx-IdentityCenterStac-CustomIdentityCenterAssi-xxx is not authorized to perform: iam:CreateSAMLProvider on resource
```
Again, all that was done was the steps I have listed in recreate; the only difference between our setup and yours, from what you mention, is that we use AzureAD instead of Okta (but that should be no issue). With that in mind I believe this still must be a bug or managed LZA permissions issue, as there is no other pain point we can think of which would be causing this.
Interested to hear your thoughts.
It's interesting that an error is arising stating the IAM role isn't authorized to perform the action iam:CreateSAMLProvider.
From my understanding, when adding assignments to a Management account configured with an external provider, the IAM role only needs the iam:GetSAMLProvider permission (although there might be variations; adding only this permission to the IAM role has been functional in another internal assignments pipeline of mine).
Additionally, this permission is already in place for the Custom::IdentityCenterAssignments Lambda function. You can refer to this link for more details.
@hemanth-m19 & @erwaxler - PLEASE READ THE FULL RESPONSE BELOW, I THINK I'VE FOUND THE PROBLEM AND POTENTIAL FIX AROUND THIS.
Thanks for your response and clarification. I followed a similar process with another separate AWS Organization and encountered the same issue. Here are the steps I followed:
- Enable IAM Identity Centre in the Management Account (to create the Org IIC Instance)
- Deploy LZA iam-config.yml with NO assignments and NO permission sets, just to set the delegated admin to the SharedServices Account. I then entered the SharedServices Account to set up Azure AD as an Identity Provider, which thus allowed my Azure AD Team to send over Groups and Users into IIC
- I then deployed iam-config.yml through LZA with assignments and permission sets
The outcome of this was the same as the previous Org: ALL assignments worked EXCEPT for the Management Account ones. For this new Org we also upgraded version v1.6.3 to v1.7.1 and are getting the exact same error (when running aws sso-admin describe-account-assignment-creation-status), which I will paste below.
Please note, again, ALL assignments worked except for the one to the Management Account, despite including the Management Account via deploymentTargets > organizationalUnits > Root in one assignment and trying via deploymentTargets > accounts > Management in another.
```json
{
  "AccountAssignmentCreationStatus": {
    "CreatedDate": "2024-07-03T10:12:39.038000+00:00",
    "FailureReason": "Received a 403 status error: Access denied by IAM. Please check your policy, or wait for role propagation to complete. IAM Error: User: arn:aws:sts::xxxx:assumed-role/xxxx-IdentityCenterSta-CustomIdentityCenterAssg-xxxx/xxxx-IdentityCenterSta-CustomIdentityCenterAssi-xxxx is not authorized to perform: iam:CreateSAMLProvider on resource: arn:aws:iam::xxxx:saml-provider/AWSSSO_xxxx_DO_NOT_DELETE because no identity-based plicy allows the iam:CreateSAMLProvider action (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: xxxx; Proxy: null)",
    "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-xxxx/xxxx",
    "PrincipalId": "xxxx",
    "PrincipalType": "GROUP",
    "RequestId": "xxxx",
    "Status": "FAILED",
    "TargetId": "xxxx",
    "TargetType": "AWS_ACCOUNT"
  }
}
```
Here is the iam-config.yml which was used:
```yaml
providers: []
policySets: []
roleSets: []
groupSets: []
userSets: []
identityCenter:
  name: identityCenter
  delegatedAdminAccount: SharedServices
  identityCenterPermissionSets:
    - name: ReadOnlyAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/ReadOnlyAccess
      sessionDuration: 480
    - name: AdministratorAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/AdministratorAccess
      sessionDuration: 480
    - name: FinanceAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/job-function/Billing
      sessionDuration: 480
    - name: DeveloperAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/job-function/SystemAdministrator
      sessionDuration: 480
  identityCenterAssignments:
    # adjust the below so that they are assigned to the correct OU/Account
    - name: AWS-AdminAccessEverything
      permissionSetName: AdministratorAccess
      principals:
        - type: GROUP
          name: AWS-AdminAccessEverything
      deploymentTargets:
        organizationalUnits:
          - Root
    - name: AWS-ReadOnlyAccessEverything
      permissionSetName: ReadOnlyAccess
      principals:
        - type: GROUP
          name: AWS-ReadOnlyAccessEverything
      deploymentTargets:
        organizationalUnits:
          - Root
    - name: AWS-ReadOnlySecurity
      permissionSetName: ReadOnlyAccess
      principals:
        - type: GROUP
          name: AWS-ReadOnlySecurity
      deploymentTargets:
        organizationalUnits:
          - Security
    - name: AWS-ReadOnlyIAM
      permissionSetName: ReadOnlyAccess
      principals:
        - type: GROUP
          name: AWS-ReadOnlyIAM
      deploymentTargets:
        organizationalUnits:
          - Infrastructure
    - name: AWS-AdminManagementOnly
      permissionSetName: AdministratorAccess
      principals:
        - type: GROUP
          name: AWS-AdminManagement
      deploymentTargets:
        accounts:
          - Management
```
All assignments worked except for the one to the Management Account, despite including the Management Account via deploymentTargets > organizationalUnits > Root in one assignment and trying via deploymentTargets > accounts > Management in another.
After investigating, I found that when creating an external Identity Provider in IAM Identity Center, it also creates an Identity Provider within the IAM Console. It appears SSO tries to create an Identity Provider from the Management Account when creating Management Account Assignments. Since it is not available (as the external Identity Provider integration was created from my SharedServices Account, the delegated Admin of IIC as per best practices), the process fails unless the Custom IIC Assignments resource in the Management Account has the correct permissions, and currently it does not support the above workflow.
The new update (v1.7.0) deploys IIC-related resources in the Management Account (as noted in the v1.7.0 release notes), and it needs to use the SAML Provider, which is not available within the Management Account if the external Identity Provider is first created from the IIC Delegated Admin Account.
Here are screenshots from the IAM Console in the Identity Providers section:
To fix this, it appears the Management Account also needs a SAML Identity Provider to create assignments. I recommend the LZA Team test this process and include the necessary permissions in a future release, as once the permission for iam:CreateSAMLProvider is added, more may still be needed so a full replication/investigation is required from the LZA Team.
Additionally, clarifying the process of using Delegated Admins vs. Management Account for IIC could prevent future customers from encountering this issue.
Thanks and I look forward to your feedback.
Best,
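Two checks that follow from the thread above, written as an added example (not LZA's own code): a pre-flight that lists which identityCenterAssignments will reach the Management account, whether named under accounts or pulled in through the Root OU, and a parser for the FailureReason returned by describe-account-assignment-creation-status that flags the iam:CreateSAMLProvider denial. The OU-to-account map and the assignments list are constructed stand-ins for the parsed accounts-config.yml and iam-config.yml.

```python
import re

# Constructed OU -> accounts map (stands in for accounts-config.yml); Root
# implicitly contains Management, which is the case the thread describes.
OU_ACCOUNTS = {
    "Root": ["Management", "LogArchive", "Audit", "SharedServices"],
    "Security": ["LogArchive", "Audit"],
    "Infrastructure": ["SharedServices"],
}
# Constructed: a parsed subset of the thread's identityCenterAssignments.
ASSIGNMENTS = [
    {"name": "AWS-AdminAccessEverything",
     "deploymentTargets": {"organizationalUnits": ["Root"]}},
    {"name": "AWS-ReadOnlySecurity",
     "deploymentTargets": {"organizationalUnits": ["Security"]}},
    {"name": "AWS-AdminManagementOnly",
     "deploymentTargets": {"accounts": ["Management"]}},
]

def resolve_accounts(targets, ou_accounts):
    """Expand deploymentTargets (OUs plus explicit accounts) to account names."""
    accounts = set(targets.get("accounts", []))
    for ou in targets.get("organizationalUnits", []):
        accounts.update(ou_accounts.get(ou, []))
    return accounts

def management_targeting(assignments, ou_accounts, mgmt="Management"):
    """Assignments that will create a Management account assignment, whether
    named explicitly under accounts or pulled in through an OU such as Root."""
    return [a["name"] for a in assignments
            if mgmt in resolve_accounts(a["deploymentTargets"], ou_accounts)]

# Matches the IAM AccessDenied wording quoted in the thread's FailureReason.
DENIED = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                    r"(?P<action>[\w:-]+) on resource: (?P<resource>\S+)")

def parse_failure(status):
    """principal/action/resource from a FAILED AccountAssignmentCreationStatus
    (describe-account-assignment-creation-status output); None if not an IAM denial."""
    body = status.get("AccountAssignmentCreationStatus", {})
    m = DENIED.search(body.get("FailureReason", ""))
    return m.groupdict() if m else None

def is_saml_provider_denial(status):
    """True for the thread's symptom: iam:CreateSAMLProvider denied on a
    saml-provider ARN while assigning into the Management account."""
    d = parse_failure(status)
    return bool(d and d["action"] == "iam:CreateSAMLProvider"
                and ":saml-provider/" in d["resource"])
```

Running management_targeting against the thread's config shows that both the Root-OU assignment and the explicit Management one will hit the same code path, which matches the two failure modes reported above.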