
IAM Role (arn:aws:iam::<REDACTED>:role/Admin) cannot be assumed #1

Open
lesinigo opened this issue May 15, 2021 · 5 comments
Comments

@lesinigo

I'm trying your examples (thanks for the nice post and the repo!) and I keep getting these errors as soon as I try to do anything with the aliased providers that are using assume_role.

I'm suspecting that it could be due to me using a pristine root AWS account, as said in Switching to an IAM role (AWS CLI):

You cannot assume a role when you are signed in as the AWS account root user.

So I guess your code cannot be run from the root user and I should instead prepare some IAM identity from the root user and then use that to manage organizations and accounts with code like yours? If that's the case I would propose to make it clear in README.md and maybe in your blog post?

@stephenlacy

@tbekas Also getting this error; it caused the tf apply to break and now I have half-created AWS resources.

@lesinigo
Author

lesinigo commented Jul 8, 2021

I have concluded it definitely is a change on AWS side. The root AWS account cannot, in any way, impersonate other IAM roles like it used to do. So you cannot use assume_role in an aws provider that is using root credentials.

My solution was:

  • pass root credentials to TF for its aws provider (unaliased)
  • use that provider to set up the aws organization and IAM users (not roles) in that organization
  • use another aws provider to log in with one of those IAM users and then that one can do assume_role to other IAM roles
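The first two bullets above (root-authenticated provider, organization plus IAM user) as one Terraform configuration. This is an added example written for this thread, not code from the repository or the blog post. It assumes that the root access key is supplied only through the environment of whoever runs `terraform apply`, a region of us-east-1, a member account named "dev" with a placeholder e-mail, an IAM user named "terraform-bootstrap" and the default OrganizationAccountAccessRole; all of these names are placeholders. The third bullet needs that user's credentials, which only exist after this configuration is applied, so it belongs in a separate configuration.

```hcl
# Added example for the first two bullets; not the repository's own code.
# Placeholders: region us-east-1, member account "dev" / aws-dev@example.com,
# IAM user "terraform-bootstrap". Root credentials come from
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the caller's environment and
# are never written into this configuration.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

# Unaliased provider: authenticates with the root credentials. No assume_role
# block here, because STS rejects AssumeRole calls made by the account root user.
provider "aws" {
  region = "us-east-1"
}

# The organization and one member account. Creating the account through
# Organizations also creates OrganizationAccountAccessRole inside it, trusting
# the management account.
resource "aws_organizations_organization" "org" {
  feature_set = "ALL"
}

resource "aws_organizations_account" "dev" {
  name      = "dev"
  email     = "aws-dev@example.com" # placeholder
  role_name = "OrganizationAccountAccessRole"

  depends_on = [aws_organizations_organization.org]
}

# An IAM user, not a role. Only an IAM principal can call sts:AssumeRole, so
# this is the identity the second, aliased provider will log in as.
resource "aws_iam_user" "bootstrap" {
  name = "terraform-bootstrap"
}

# Least privilege for that user: in the management account it can do nothing
# except assume the access role in the member account.
resource "aws_iam_user_policy" "bootstrap_assume" {
  name = "assume-organization-access-role"
  user = aws_iam_user.bootstrap.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = "arn:aws:iam::${aws_organizations_account.dev.id}:role/OrganizationAccountAccessRole"
    }]
  })
}

output "dev_account_id" {
  value = aws_organizations_account.dev.id
}
```

The access key for `terraform-bootstrap` is deliberately not created with `aws_iam_access_key`: that resource stores the secret in Terraform state, so in this example the key is issued out of band (console or `aws iam create-access-key`) and handed to whoever runs the second configuration. Anything the IAM user must manage directly in the management account, rather than through an assumed role, needs an additional policy statement beyond the `sts:AssumeRole` grant shown here.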

@stephenlacy

Do you happen to have that config handy for reference?
I ended up manually importing the accounts and using a tf_user in the root account for the remaining resources.

@mattgodbolt

Just hit this too during experimentation -- an "idiot's guide" to doing this?

@lesinigo
Author

I ended up using separate terraform repositories.

The first authenticates the AWS provider with root credentials, sets up an IAM user (not a role!) in the root account, and sets up sub-accounts in the organization. Usage of this repository is considered very restricted: we don't run it in CI, you have to clone it locally, and credentials are not saved anywhere and must be manually provided.

The second repository authenticates the AWS provider with the IAM user of the root account that was set up by the first repository. Being an IAM user and not the root user, it can assume_role in other accounts.
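The second repository described in the comment above, and the third bullet of the earlier solution, as a Terraform configuration. This is an added example for this thread, not the repository's or the blog post's code. It assumes us-east-1, that the IAM user's access key arrives through the environment or a named profile, that the member account ID is passed in as a variable, and that the member account still has the default OrganizationAccountAccessRole; the role name "ci-deploy" and the session name "terraform" are placeholders.

```hcl
# Added example for the second repository; not the repository's own code.
# Placeholders: region us-east-1, variable dev_account_id, role "ci-deploy".
# Credentials for the default provider are the IAM user's access key, read
# from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY or AWS_PROFILE. The root
# user's keys must never be used with this configuration.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

variable "dev_account_id" {
  type        = string
  description = "Account ID of the member account created by the bootstrap repository"
}

# Default provider: the IAM user in the management account. No assume_role.
provider "aws" {
  region = "us-east-1"
}

# Aliased provider: same IAM user credentials, then sts:AssumeRole into the
# member account. This succeeds because the caller is an IAM user, not root.
provider "aws" {
  alias  = "dev"
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::${var.dev_account_id}:role/OrganizationAccountAccessRole"
    session_name = "terraform"
  }
}

# Sanity check on both identities. Data sources are read during plan, so a
# wrong credential (for example the root key) fails before anything is created.
data "aws_caller_identity" "management" {}

data "aws_caller_identity" "dev" {
  provider = aws.dev
}

# A resource created in the member account through the assumed role: a role
# that only the management-account IAM user may assume later.
resource "aws_iam_role" "dev_ci" {
  provider = aws.dev
  name     = "ci-deploy"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = data.aws_caller_identity.management.arn }
    }]
  })
}

output "management_caller" {
  # Should end in :user/<name>; an ARN ending in :root means the wrong credentials are loaded.
  value = data.aws_caller_identity.management.arn
}

output "dev_caller" {
  # Should be an assumed-role ARN for OrganizationAccountAccessRole in the member account.
  value = data.aws_caller_identity.dev.arn
}
```

Running `terraform plan` on this configuration with the root user's access key reproduces the error in the issue title at the `aws.dev` provider; the `management_caller` output ending in `:root` is the quickest way to tell which credentials Terraform actually picked up.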
