Applies to anyone that initialized an org-formation project using version 0.9.14 using a delegated build account e.g:
npx org-formation init-pipeline --region us-east-1 --build-account-id 112233445566
Background and motivation
Delegated build accounts are introduced in version 0.9.14 to make permissions management easier as there is no need to deploy/run any resources from within the organization management account. The delegated build account uses an IAM Role called OrganizationFormationBuildAccessRole to access other accounts.
In v0.9.14 the OrganizationFormationBuildAccessRole IAM role was only assumed for cross account access and not local account access (if a resource is deployed to the build account itself). In order to make permissions management easier from v0.9.15 onwards all access will use the OrganizationFormationBuildAccessRole Role. This allows organization wide SCPs and other access controls to uniquely identify org-formation access by role name.
Identifying compatibility issues
You are likely have ran into this issue if your org-formation build has failed with the following message:
WARN: ======================================'
WARN: Hi there!
WARN: You just ran into an error when assuming the role OrganizationFormationBuildAccessRole in account 112233445566. (112233445566 = BuildAccountName)
WARN: Possibly, this is due a breaking change in org-formation v0.9.15.
WARN: From v0.9.15 onwards the org-formation cli will assume a role in every account it deploys tasks to.
WARN: This will make permission management and SCPs to deny / allow org-formation tasks easier.
WARN: Thanks!
WARN: More information: https://github.com/org-formation/org-formation-cli/tree/master/docs/0.9.15-permission-change.md
WARN: ======================================'
ERROR: Workload MyTaskName in 112233445566/reguin updated failed. reason: User: arn:aws:sts::112233445566:assumed-role/organization-formation-build-service-role/AWSCodeBuild-aabbddeeff-aaaa-bbbbb-ccccc-aabbddeeff is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::112233445566:role/OrganizationFormationBuildAccessRole (112233445566 = BuildAccountName)
User: arn:aws:sts::112233445566:assumed-role/organization-formation-build-service-role/AWSCodeBuild-aabbddeeff-aaaa-bbbbb-ccccc-aabbddeeff is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::112233445566:role/OrganizationFormationBuildAccessRole (use option --print-stack to print stack)
Resolving issues
- In your org-formation project source, search for the task
OrganizationFormationRole. The default location for this task is in the file000-organization-buildorganization-tasks.yml, line 39. - Remove the line
ExcludeAccount: !Ref <BuildAccountName>from the tasks DefaultOrganizationBinding. BuildAccountName will likely have a different name within your organization. - Retry running the build.
Note: Make sure your DependsOn between tasks is correct. if not you might need to run the build multiple times as any task that deploys to the build account will be dependant on this change.
an example of what this task looks like:
OrganizationFormationRole:
Type: update-stacks
DependsOn: MasterOrganizationFormationRole
Template: ./org-formation-role.yml
StackName: !Sub "${resourcePrefix}-role"
StackDescription: Organization Formation Build Infrastructure (IAM Role for cross account access by build process)
TerminationProtection: true
DefaultOrganizationBindingRegion: !Ref primaryRegion
DefaultOrganizationBinding:
IncludeMasterAccount: false
Account: "*"
ExcludeAccount: !Ref <BuildAccountName> # !!! <-- remove this entire line
MaxConcurrentStacks: 10
Parameters:
assumeRolePrincipal: !Ref <BuildAccountName> # you could tighten this up with: !CopyValue [!Sub "${resourcePrefix}-build-role-id", !Ref <BuildAccountName>, !Ref primaryRegion]
TaskRoleName: !GetAtt CurrentAccount.OrganizationAccessRoleName
TaskViaRoleArn: !Sub "arn:aws:iam::${MasterAccount}:role/OrganizationFormationBuildAccessRole"