IAM Role (arn:aws:iam::<REDACTED>:role/Admin) cannot be assumed #1
Comments
@tbekas Also getting this error, it caused the tf apply to break and now I have half-created AWS resources.
I have concluded it definitely is a change on AWS side. The root AWS account cannot, in any way, impersonate other IAM roles like it used to do. So you cannot use My solution was:
Do you happen to have that config handy for reference?
Just hit this too during experimentation -- an "idiot's guide" to doing this?
I ended up using separate Terraform repositories. The first authenticates the AWS provider with root credentials, sets up an IAM user (not a role!) in the root account, and sets up sub-accounts in the organization. Usage of this repository is considered very restricted: we don't run it in CI, you have to clone it locally, and credentials are not saved anywhere and must be manually provided. The second repository authenticates the AWS provider with the IAM user of the root account that was set by the first repository. Being an IAM user and not the root user it can
I'm trying your examples (thanks for the nice post and the repo!) and I keep getting these errors as soon as I try to do anything with the aliased providers that are using assume_role.
I'm suspecting that it could be due to me using a pristine root AWS account, as said in Switching to an IAM role (AWS CLI):
So I guess your code cannot be run from the root user and I should instead prepare some IAM identity from the root user and then use that to manage organizations and accounts with code like yours? If that's the case I would propose to make it clear in README.md and maybe in your blog post?
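A sketch of the two-repository layout described in the comments, added here as an example and not taken from the commenter's or the project's configuration. The directory names, region, account name and e-mail, user name and policy name are assumptions; only the Admin role name comes from the issue title.

```hcl
# ---- bootstrap/main.tf: applied locally with root credentials, never in CI ----
provider "aws" {
  region = "us-east-1" # assumed region
}

resource "aws_organizations_account" "dev" {
  name      = "dev"                 # hypothetical sub-account
  email     = "aws-dev@example.com" # placeholder address
  role_name = "Admin"               # role created in the sub-account, trusts the root account
}

locals {
  dev_admin_role_arn = "arn:aws:iam::${aws_organizations_account.dev.id}:role/Admin"
}

# An IAM user (not a role) in the root account: unlike the root user,
# it is allowed to call sts:AssumeRole.
resource "aws_iam_user" "terraform" {
  name = "terraform" # hypothetical user name
}

# Least privilege: the user may only assume the Admin role of this sub-account.
resource "aws_iam_user_policy" "assume_admin" {
  name = "assume-sub-account-admin"
  user = aws_iam_user.terraform.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "sts:AssumeRole"
      Resource = local.dev_admin_role_arn
    }]
  })
}

output "dev_admin_role_arn" {
  value = local.dev_admin_role_arn
}

# ---- accounts/main.tf: applied with the IAM user's credentials ----
# Access keys for the user are assumed to be issued outside Terraform,
# so the secret never lands in state.
variable "dev_admin_role_arn" {
  type = string
}

provider "aws" {
  alias  = "dev"
  region = "us-east-1"
  assume_role {
    role_arn = var.dev_admin_role_arn
  }
}

# Fails at plan time if the role cannot be assumed, before any resource is touched.
data "aws_caller_identity" "dev" {
  provider = aws.dev
}
```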