From d49c103e422cfc077ae638efa52d2f8a95badbb0 Mon Sep 17 00:00:00 2001
From: Martin
Date: Fri, 17 Aug 2018 17:16:54 +1000
Subject: [PATCH] fix tag enabled groups in multi account setup (#136)
---
 iam_crossaccount_policy.json | 4 ++++
 import_users.sh | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/iam_crossaccount_policy.json b/iam_crossaccount_policy.json
index bf51b7a..c03f714 100644
--- a/iam_crossaccount_policy.json
+++ b/iam_crossaccount_policy.json
@@ -6,5 +6,9 @@
 "Resource": [
 "arn:aws:iam:::role/"
 ]
+ },{
+ "Effect": "Allow",
+ "Action": "ec2:DescribeTags",
+ "Resource": "*"
 }]
 }
diff --git a/import_users.sh b/import_users.sh
index 07cdcf8..933df65 100755
--- a/import_users.sh
+++ b/import_users.sh
@@ -234,9 +234,6 @@ function sync_accounts() {
 # Check if local marker group exists, if not, create it
 /usr/bin/getent group "${LOCAL_MARKER_GROUP}" >/dev/null 2>&1 || /usr/sbin/groupadd "${LOCAL_MARKER_GROUP}"
 
- # setup the aws credentials if needed
- setup_aws_credentials
-
 # declare and set some variables
 local iam_users
 local sudo_users
@@ -249,6 +249,9 @@ function sync_accounts() {
 get_iam_groups_from_tag
 get_sudoers_groups_from_tag
 
+ # setup the aws credentials if needed
+ setup_aws_credentials
+
 iam_users=$(get_clean_iam_users | sort | uniq)
 if [[ -z "${iam_users}" ]]
 then
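Review bot: The new statement's `"Resource": "*"` is the only valid scope for `ec2:DescribeTags` (EC2 Describe* actions do not support resource-level permissions), but nothing in the policy records that, so a later least-privilege pass is likely to try to narrow it and break the tag lookup. Since a policy document cannot carry comments, give the statement a `Sid` that states the intent, e.g. `"Sid": "ReadOwnInstanceTagsForGroupLookup",`, and mention in the README that the wildcard is required by the action rather than chosen. The existing statement looks like an assume-role grant on a role ARN placeholder, which suggests this policy is attached to the instance's own role; if so, this grant is what lets the tag helpers run before the cross-account credentials are set up — worth confirming that is the intended account for the grant.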
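Review bot: The moved `setup_aws_credentials` call now has an ordering dependency that the copied comment `# setup the aws credentials if needed` does not capture: it must stay after `get_iam_groups_from_tag` and `get_sudoers_groups_from_tag`, presumably because those read the instance's own tags with the instance's own credentials while setup_aws_credentials may replace them with the cross-account role's. Replace the comment with something like `# Must run AFTER the tag lookups above: they need the instance's own credentials, and setup_aws_credentials may swap in the cross-account role's credentials` so the next refactor does not reintroduce the bug this commit fixes. Separately, the call's exit status is not checked; if setup_aws_credentials can fail without exiting, the following `get_clean_iam_users` would silently run with whatever credentials are left and could sync users from the wrong account — `setup_aws_credentials || return 1` (or an explicit abort) would be safer, but that depends on the helper's contract, which is outside the hunk. sync_accounts begins and ends outside the hunk.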