Comments (5)
It's not in the instructions, but I logged in as the SSO user, in which I clumsily added AdministratorAccess, but now it complains of OrganizationFormationBuildAccessRole... where does that come from?
(ins)hendry-tw-mbp~/orgtest/org-formation-reference$ npx org-formation update ./src/organization.yml --profile AdministratorAccess-381831929214 --verbose
WARN: ======================================
WARN: Hi there!
WARN: You just ran into an error when assuming the role OrganizationFormationBuildAccessRole in account 381831929214.
WARN: Possibly, this is due a breaking change in org-formation v0.9.15.
WARN: From v0.9.15 onwards the org-formation cli will assume a role in every account it deploys tasks to.
WARN: This will make permission management and SCPs to deny / allow org-formation tasks easier.
WARN: More information: https://github.com/org-formation/org-formation-cli/tree/master/docs/0.9.15-permission-change.md
WARN: Thanks!
WARN: ======================================
ERROR: error: AccessDenied, aws-request-id: 7835fcc5-0fa4-4e54-afc3-3734ae8f77c8
ERROR: User: arn:aws:sts::381831929214:assumed-role/AWSReservedSSO_AdministratorAccess_a6e0c532b831eac0/hendry is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::381831929214:role/OrganizationFormationBuildAccessRole
from org-formation-reference.
Hi, the first error was indeed because being logged in as the root user doesn't allow you to assume roles.
The second and the third error seem very similar: both are users that exist in the account "381831929214" that try to assume a role on that same account.
The error reads "is not authorized to perform", which to me would suggest that the user doesn't have the right permissions, though Administrator should (obviously) be more than enough.
Would you be able to check:
- whether the role OrganizationFormationBuildAccessRole exists
- what the assume role policy is on this role
- whether there are SCPs that would prevent you from assuming this role?
Thanks in advance
from org-formation-reference.
That role doesn't exist, this is a fresh AWS account btw 😅
from org-formation-reference.
Just rereading the steps:
- you have gone through all steps up to "5-initialize-org-formation"
- you got the error above on step 5.2 running
https://github.com/org-formation/org-formation-reference#5-initialize-org-formation
It seems that you are missing the role that is created in step 5.3? Maybe these steps should be inverted?
from org-formation-reference.
To move forward, my colleague and I basically ignored this repo and went to https://github.com/org-formation/org-formation-cli#getting-started
We init and init-bootstrap using root credentials, and that's how we managed to get org-formation going.
from org-formation-reference.
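The three checks requested earlier in the thread, as an added Python example (not part of the original comments or of the org-formation project): it parses the `sts:AssumeRole` AccessDenied line and tells apart a missing role, a trust policy that does not name the caller, and the remaining case where identity policies or SCPs need review. The sample trust policy, the function names and the result labels are assumptions; Condition blocks and Deny statements are not evaluated.

```python
import re

# The AccessDenied line from the thread above.
DENIED = (
    "User: arn:aws:sts::381831929214:assumed-role/"
    "AWSReservedSSO_AdministratorAccess_a6e0c532b831eac0/hendry is not authorized to "
    "perform: sts:AssumeRole on resource: "
    "arn:aws:iam::381831929214:role/OrganizationFormationBuildAccessRole")
# Constructed trust policy for illustration (an assumption, not org-formation's template).
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::381831929214:root"}}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def parse_denied(message):
    """Extract caller account, caller role name and target role ARN from the error."""
    m = re.search(
        r"User: arn:aws:sts::(\d{12}):assumed-role/([^/]+)/\S+ is not authorized to "
        r"perform: sts:AssumeRole on resource: (arn:aws:iam::\d{12}:role/\S+)", message)
    if not m:
        raise ValueError("not an sts:AssumeRole AccessDenied message")
    return {"account": m.group(1), "role_name": m.group(2), "target": m.group(3)}

def trusts(policy, caller):
    """True if an Allow statement names the caller's account or role for sts:AssumeRole.
    The session ARN omits the IAM path, so role principals are matched by role name."""
    acct, name = caller["account"], caller["role_name"]
    account_forms = {acct, f"arn:aws:iam::{acct}:root"}
    role_re = re.compile(rf"arn:aws:iam::{acct}:role/(.+/)?{re.escape(name)}$")
    for st in as_list(policy.get("Statement", [])):
        actions = set(as_list(st.get("Action", [])))
        if st.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & actions:
            continue
        principal = st.get("Principal", {})
        names = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if any(p == "*" or p in account_forms or role_re.match(p) for p in names):
            return True
    return False

def triage(message, trust_policy):
    """trust_policy is None when the role lookup reported that the role does not exist."""
    caller = parse_denied(message)
    if trust_policy is None:
        return "role-missing"
    if not trusts(trust_policy, caller):
        return "trust-policy"
    return "identity-policy-or-scp"
```

Pass `None` as the trust policy when `aws iam get-role --role-name OrganizationFormationBuildAccessRole` reports NoSuchEntity, which is the case this thread ended on.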