Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make deploy-infra: not authorized to perform acm:RequestCertificate #1720

Closed
brainstorm opened this issue Nov 15, 2018 · 3 comments
Closed

make deploy-infra: not authorized to perform acm:RequestCertificate #1720

brainstorm opened this issue Nov 15, 2018 · 3 comments

Comments

@brainstorm
Copy link
Contributor

Software version (git hash, date, branch)

81547e1
2018-11-14
master

Expected behavior

After make deploy-infra creates the buckets on AWS and GCP, it moves on to domain creation. I would have expected that the certificate requesting process has enough permissions to carry on the AWS side, but that's not documented.

Actual behavior

aws_route53_zone.selected: Creation complete after 36s (ID: AZONEID)

Error: Error applying plan:

1 error(s) occurred:

* aws_acm_certificate.cert: 1 error(s) occurred:

* aws_acm_certificate.cert: Error requesting certificate: AccessDeniedException: User: arn:aws:sts::ACCOUNT_ID:assumed-role/AN_UNDER_DOCUMENTED_HCA_ROLE/i-0fff715198f95c782 is not authorized to perform: acm:RequestCertificate
        status code: 400, request id: d62bd656-e88d-11e8-8558-7b99a1b44e3e

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


make[2]: *** [Makefile:37: apply] Error 1
make[2]: Leaving directory '/home/ubuntu/data-store/infra'
make[1]: *** [Makefile:17: apply-all] Error 1
make[1]: Leaving directory '/home/ubuntu/data-store/infra'
make: *** [Makefile:80: deploy-infra] Error 2

Steps to reproduce the behavior

make deploy-infra
@brainstorm brainstorm changed the title README.md: make deploy-infra: not authorized to perform acm:RequestCertificate make deploy-infra: not authorized to perform acm:RequestCertificate Nov 15, 2018
@melainalegaspi
Copy link

Outdated bug

@brainstorm
Copy link
Contributor Author

"Outdated bug" means that you actually took steps to reproduce and fix it so that it's not a problem anymore?

Just closing bug reports because they are "outdated" does not necessarily fix them :-S

@amarjandu
Copy link
Contributor

I've not seen this bug show its face; terraform has its own method(s) of getting credentials to use for the make deploy-infra command.

https://www.terraform.io/docs/providers/aws/index.html we use the "Shared Credentials file".

The infra/build_deploy_config.py does not make modification to what AWS iam role is being used to setup the domain, however if the role that you are using does not have sufficient privileges to create an domain you would get an error like this this.

To resolve this one would need to attach the sufficient policies to the role that is making the request to AWS for a new certificate.

There is a small section about certificates in the readme;
https://github.com/HumanCellAtlas/data-store#certificates

@amarjandu amarjandu mentioned this issue Dec 2, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@brainstorm @amarjandu @melainalegaspi