make deploy-infra: not authorized to perform acm:RequestCertificate #1720

Closed
brainstorm opened this issue Nov 15, 2018 · 3 comments

@brainstorm
Contributor

Software version (git hash, date, branch)

81547e1
2018-11-14
master

Expected behavior

After make deploy-infra creates the buckets on AWS and GCP, it moves on to domain creation. I would have expected that the certificate requesting process has enough permissions to carry on the AWS side, but that's not documented.

Actual behavior

aws_route53_zone.selected: Creation complete after 36s (ID: AZONEID)

Error: Error applying plan:

1 error(s) occurred:

* aws_acm_certificate.cert: 1 error(s) occurred:

* aws_acm_certificate.cert: Error requesting certificate: AccessDeniedException: User: arn:aws:sts::ACCOUNT_ID:assumed-role/AN_UNDER_DOCUMENTED_HCA_ROLE/i-0fff715198f95c782 is not authorized to perform: acm:RequestCertificate
        status code: 400, request id: d62bd656-e88d-11e8-8558-7b99a1b44e3e

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


make[2]: *** [Makefile:37: apply] Error 1
make[2]: Leaving directory '/home/ubuntu/data-store/infra'
make[1]: *** [Makefile:17: apply-all] Error 1
make[1]: Leaving directory '/home/ubuntu/data-store/infra'
make: *** [Makefile:80: deploy-infra] Error 2

Steps to reproduce the behavior

make deploy-infra

@brainstorm changed the title from "README.md: make deploy-infra: not authorized to perform acm:RequestCertificate" to "make deploy-infra: not authorized to perform acm:RequestCertificate" on Nov 15, 2018
@melainalegaspi

Outdated bug

@brainstorm
Contributor Author

"Outdated bug" means that you actually took steps to reproduce and fix it so that it's not a problem anymore?

Just closing bug reports because they are "outdated" does not necessarily fix them :-S

@amarjandu
Contributor

I've not seen this bug show its face; terraform has its own method(s) of getting credentials to use for the make deploy-infra command.

https://www.terraform.io/docs/providers/aws/index.html we use the "Shared Credentials file".

The infra/build_deploy_config.py does not make modifications to what AWS IAM role is being used to set up the domain; however, if the role that you are using does not have sufficient privileges to create a domain, you would get an error like this.

To resolve this one would need to attach sufficient policies to the role that is making the request to AWS for a new certificate.

There is a small section about certificates in the readme;
https://github.com/HumanCellAtlas/data-store#certificates
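
An added example, not part of the thread or the project's code: a Python script that pulls the denied principal and action out of Terraform output like the log in this report, maps the STS assumed-role session ARN to the IAM role ARN that policies attach to, and builds a policy holding only the denied actions. The function names and the `"Resource": "*"` scope are assumptions of this example.

```python
import json
import re

# Constructed sample: the AccessDeniedException lines from the report above,
# with the placeholders (ACCOUNT_ID, role name) left as posted.
SAMPLE_LOG = """\
* aws_acm_certificate.cert: Error requesting certificate: AccessDeniedException: User: arn:aws:sts::ACCOUNT_ID:assumed-role/AN_UNDER_DOCUMENTED_HCA_ROLE/i-0fff715198f95c782 is not authorized to perform: acm:RequestCertificate
        status code: 400, request id: d62bd656-e88d-11e8-8558-7b99a1b44e3e
"""

DENIED = re.compile(
    r"User: (?P<arn>arn:[\w-]+:(?:sts|iam)::(?P<account>[^:\s]*):"
    r"(?P<kind>[\w-]+)/(?P<rest>\S+))"
    r" is not authorized to perform: (?P<action>[\w-]+:\w+)"
)


def parse_denials(log_text):
    """Return one dict per denial: caller ARN, role ARN to fix, and action."""
    findings = []
    for m in DENIED.finditer(log_text):
        role_arn, session = None, None
        if m["kind"] == "assumed-role":
            # STS session ARNs read assumed-role/<role-name>/<session-name>;
            # policies attach to the underlying IAM role, not to the session.
            role_name, _, session = m["rest"].partition("/")
            partition = m["arn"].split(":")[1]
            role_arn = f"arn:{partition}:iam::{m['account']}:role/{role_name}"
        findings.append({
            "caller": m["arn"], "role_arn": role_arn, "session": session,
            # Instance-profile sessions are named after the EC2 instance ID,
            # so this flags credentials that likely came from the instance.
            "session_looks_like_instance_id":
                bool(session and re.fullmatch(r"i-[0-9a-f]+", session)),
            "action": m["action"],
        })
    return findings


def policy_for(findings):
    """Build a policy holding only the actions that were actually denied."""
    actions = sorted({f["action"] for f in findings})
    # Resource "*" is an assumption of this example; scope it down wherever
    # the action supports resource-level permissions.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    print(json.dumps({"findings": found, "policy": policy_for(found)}, indent=2))
```

Comparing the reported caller with the role the deployment is expected to use shows whether the missing permission or the choice of credentials is the actual problem.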
