
account assignment throwing errors in master account only where we have configured SSO service #15

Open
pavankumarshambhu opened this issue Feb 22, 2023 · 5 comments
Comments

@pavankumarshambhu

pavankumarshambhu commented Feb 22, 2023

```hcl
module "sso" {
  source = "../terraform-modules/sso"

  permission_sets = {
    master-rtc-finance = {
      description      = "Finance Team Of RTC Access To AWS Master Account"
      session_duration = "PT8H"
      relay_state      = "https://s3.console.aws.amazon.com/s3/buckets/rtc-monthly-invoices?region=eu-central-1&tab=objects"
      inline_policy    = file("policies/finance_rtc_policy.json")
    },
  }

  account_assignments = [
    {
      principal_name = "app_sso_aws_sinch_rtc_finance"
      principal_type = "GROUP"
      permission_set = "master-rtc-finance"
      account_ids    = ["797180668684"]
    },
  ]
}
```

==============

No issues when I use the module and it is creating the permission set at first. The issue only appears when I am trying to do the account assignment. This happens only when trying to create the resources in the master account, where I have configured the SSO service.

================

TERRAFORM PLAN OUTPUT

```text
Terraform will perform the following actions:

module.sso.aws_ssoadmin_account_assignment.this["app_sso_aws_sinch_rtc_finance.master-rtc-finance.797180668684"] will be created
  + resource "aws_ssoadmin_account_assignment" "this" {
      + id                 = (known after apply)
      + instance_arn       = "arn:aws:sso:::instance/ssoins-6987325f4070a778"
      + permission_set_arn = (known after apply)
      + principal_id       = "9967182253-cbe1a0b4-a479-43f6-9a0e-a8da3523e720"
      + principal_type     = "GROUP"
      + target_id          = "797180668684"
      + target_type        = "AWS_ACCOUNT"
    }

module.sso.aws_ssoadmin_permission_set.this["master-rtc-finance"] will be created

module.sso.aws_ssoadmin_permission_set_inline_policy.this["master-rtc-finance"] will be created
  + resource "aws_ssoadmin_permission_set_inline_policy" "this" {
      + id                 = (known after apply)
      + inline_policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:ListBucket",
                          + "s3:GetObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::rtc-monthly-invoices",
                          + "arn:aws:s3:::rtc-monthly-invoices/",
                        ]
                    },
                  + {
                      + Action   = "s3:HeadBucket"
                      + Effect   = "Allow"
                      + Resource = "
"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + instance_arn       = "arn:aws:sso:::instance/ssoins-6987325f4070a778"
      + permission_set_arn = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.
module.sso.aws_ssoadmin_permission_set.this["master-rtc-finance"]: Creating...
module.sso.aws_ssoadmin_permission_set.this["master-rtc-finance"]: Creation complete after 1s [id=arn:aws:sso:::permissionSet/ssoins-6987325f4070a778/ps-d3d988f762fbd9d1,arn:aws:sso:::instance/ssoins-6987325f4070a778]
module.sso.aws_ssoadmin_permission_set_inline_policy.this["master-rtc-finance"]: Creating...
module.sso.aws_ssoadmin_account_assignment.this["app_sso_aws_sinch_rtc_finance.master-rtc-finance.797180668684"]: Creating...
module.sso.aws_ssoadmin_permission_set_inline_policy.this["master-rtc-finance"]: Creation complete after 6s [id=arn:aws:sso:::permissionSet/ssoins-6987325f4070a778/ps-d3d988f762fbd9d1,arn:aws:sso:::instance/ssoins-6987325f4070a778]

│ Error: waiting for SSO Account Assignment for GROUP (9967182253-cbe1a0b4-a479-43f6-9a0e-a8da3523e720) to be created: unexpected state 'FAILED', wanted target 'SUCCEEDED'. last error: %!s()
│
│   with module.sso.aws_ssoadmin_account_assignment.this["app_sso_aws_sinch_rtc_finance.master-rtc-finance.797180668684"],
│   on ../terraform-modules/sso/main.tf line 95, in resource "aws_ssoadmin_account_assignment" "this":
│   95: resource "aws_ssoadmin_account_assignment" "this" {
```

@aurimasmick
Contributor

Hi @pavankumarshambhu,
This looks like the issue described here:
hashicorp/terraform-provider-aws#22952
Can you check if you are not hitting any SSO limits?
https://docs.aws.amazon.com/singlesignon/latest/userguide/limits.html

@aurimasmick aurimasmick self-assigned this Feb 26, 2023
@noce2

noce2 commented Apr 6, 2023

Getting this issue also. @pavankumarshambhu / @aurimasmick, any fixes? I checked in my case and I was not running into any limits.

@maxvandermeij

Got similar issues to those described above. Found out using the AWS CLI that it was due to permission errors. It seems the management account does not use the service principal and thus uses the role/user you are assigned with to create/list/update SAML identity providers required for the account assignment.

I've solved it by adding the following permissions to the role running terraform:

```json
"iam:GetSAMLProvider",
"iam:ListSAMLProviderTags",
"iam:ListSAMLProviders",
"iam:TagSAMLProvider",
"iam:UntagSAMLProvider",
"iam:UpdateSAMLProvider",
```

You can see the actual error with the following commands:

```shell
# $id is the Identity Center instance id; $request_id comes from the first command's output
aws sso-admin list-account-assignment-creation-status --instance-arn arn:aws:sso:::instance/$id
aws sso-admin describe-account-assignment-creation-status --instance-arn arn:aws:sso:::instance/$id --account-assignment-creation-request-id $request_id
```

@pavankumarshambhu
Author

@maxvandermeij thanks a lot.
Those two commands you shared really helped in checking which permissions were missing in the role being used by Terraform.

```json
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:AttachRolePolicy",
```

It was missing the above permissions in my case.
Now I'm able to deploy resources through Terraform in the master account.

Command output which helped in determining it for one of the failed request IDs:

```shell
aws sso-admin describe-account-assignment-creation-status --instance-arn arn:aws:sso:::instance/$id --account-assignment-creation-request-id $request_id
```

```json
{
  "AccountAssignmentCreationStatus": {
    "Status": "FAILED",
    "RequestId": "3d6f474f-2267-451d-9d8c-40352a683aaa",
    "FailureReason": "Received a 403 status error: Access denied by IAM. Please check your policy, or wait for role propagation to complete. IAM Error: User: arn:aws:sts:::assumed-role/SSO-Terraform-Role/terraform-aws-sso is not authorized to perform: iam:AttachRolePolicy on resource: role AWSReservedSSO_Master-Billing-Cost_2257a6c066c3e619 because no identity-based policy allows the iam:AttachRolePolicy action (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: 16181209-4cbe-4617-b3c6-094f96e7c31b; Proxy: null)",
    "TargetId": "",
    "TargetType": "AWS_ACCOUNT",
    "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-6987325f4070a778/ps-80768d1c308e5daf",
    "PrincipalType": "GROUP",
    "PrincipalId": "9967182253-70973ba0-162e-4d9b-a35f-1e2f2486be35",
    "CreatedDate": "2023-05-23T16:10:00.135000+05:30"
  }
}
```
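An added example (not from this thread or the module) that automates the two `aws sso-admin` commands shared above, pulls the denied IAM action out of `FailureReason`, and builds the narrowest policy statement to add to the Terraform role. The sample statuses are constructed from the output quoted in this comment (abridged); the Identity Center role path in `policy_statement` and the `boto3` calls in `fetch_failed_statuses` are assumptions to verify against your account.

```python
import re
from typing import Optional

# Matches the AccessDenied text in describe-account-assignment-creation-status output.
_DENIED = re.compile(r"not authorized to perform: (?P<action>[\w-]+:[\w*]+)"
                     r" on resource: (?P<resource>.+?)(?: because|$)")

# Constructed sample: the FAILED record copies RequestId/FailureReason (abridged)
# from the output quoted in this issue; the SUCCEEDED record is made up.
SAMPLE_STATUSES = [
    {"RequestId": "3d6f474f-2267-451d-9d8c-40352a683aaa", "Status": "FAILED",
     "FailureReason": "Received a 403 status error: Access denied by IAM. IAM Error: "
                      "User: arn:aws:sts:::assumed-role/SSO-Terraform-Role/terraform-aws-sso "
                      "is not authorized to perform: iam:AttachRolePolicy on resource: role "
                      "AWSReservedSSO_Master-Billing-Cost_2257a6c066c3e619 because no "
                      "identity-based policy allows the iam:AttachRolePolicy action"},
    {"RequestId": "11111111-2222-3333-4444-555555555555", "Status": "SUCCEEDED"},
]

def missing_permission(failure_reason: str) -> Optional[dict]:
    """Return {'action', 'resource'} from an IAM AccessDenied message, else None."""
    m = _DENIED.search(failure_reason or "")
    return m.groupdict() if m else None

def summarize_failures(statuses: list) -> dict:
    """Map each denied IAM action to the set of request IDs that hit it."""
    by_action = {}
    for s in statuses:
        if s.get("Status") != "FAILED":
            continue
        found = missing_permission(s.get("FailureReason", ""))
        by_action.setdefault(found["action"] if found else "unknown", set()).add(s["RequestId"])
    return by_action

def policy_statement(actions: list) -> dict:
    """Least-privilege fix for the Terraform role: only the denied actions, only on the
    roles Identity Center provisions (assumed path: /aws-reserved/sso.amazonaws.com/)."""
    return {"Effect": "Allow", "Action": sorted(set(actions)),
            "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"}

def fetch_failed_statuses(instance_arn: str) -> list:
    """Live path (needs boto3 and credentials): same data as the two CLI commands."""
    import boto3
    client = boto3.client("sso-admin")
    pages = client.get_paginator("list_account_assignment_creation_status").paginate(
        InstanceArn=instance_arn, Filter={"Status": "FAILED"})
    return [client.describe_account_assignment_creation_status(
                InstanceArn=instance_arn, AccountAssignmentCreationRequestId=i["RequestId"]
            )["AccountAssignmentCreationStatus"]
            for page in pages for i in page["AccountAssignmentsCreationStatus"]]
```

Run `summarize_failures(fetch_failed_statuses(instance_arn))` against a real instance, then feed the resulting action names to `policy_statement` instead of granting broad `iam:*` to the role.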

@aurimasmick
Contributor

Also worth mentioning that adding account assignments in the management account requires MFA. So when using the AWS CLI, in the profile config (in ~/.aws/config) make sure that you have the below:

```ini
mfa_serial = arn:aws:iam::1234567890:mfa/MFA_NAME
```
