
Initialize org-formation with root user #43

Open
NickDarvey opened this issue Aug 25, 2021 · 3 comments

Comments

@NickDarvey

Step 5 of the README says that:

In this step, you run OrgFormation locally using the credentials of the root user of the management account

however running the update command gives me this result:

> org-formation update ./src/organization.yml --verbose "--profile" "dangerous"

WARN: Hi there!
WARN: You just ran into an error when assuming the role OrganizationFormationBuildAccessRole in account x.
WARN: Possibly, this is due a breaking change in org-formation v0.9.15.
WARN: From v0.9.15 onwards the org-formation cli will assume a role in every account it deploys tasks to.
WARN: This will make permission management and SCPs to deny / allow org-formation tasks easier.
WARN: More information: https://github.com/org-formation/org-formation-cli/tree/master/docs/0.9.15-permission-change.md
WARN: Thanks!
WARN: ======================================
ERROR: error: AccessDenied, aws-request-id: x
ERROR: Roles may not be assumed by root accounts.

(I think the warning is irrelevant in this case.)

I believe I could work around this by creating an IAM account and specifying it as one of the assumeRolePrincipals for the next step:

aws cloudformation create-stack --stack-name org-formation-role --template-body file://src/templates/000-org-build/role.yml

Is this what I should be doing? Or have I likely got something else wrong?

@BJClark

BJClark commented Oct 12, 2021

@NickDarvey did you ever figure out a work around? I'm having the same issue

@OlafConijn
Member

hi!
completely missed this before.
The error is: ERROR: Roles may not be assumed by root accounts.
I kinda wonder what the intention was behind running these commands as root, but this step will need to be run as an IAM user.

You might already have an IAM user provisioned in the target account (or otherwise temporarily create one) you can use by running aws configure or setting up your credentials in ~/.aws/credentials.

@stefan-karlsson
Contributor

I managed to run the script after the following changes:

  1. Created an IAM account in my MasterAccount
  2. Assigned the predefined AdministratorAccess Permissions policy to the user created in 1.
  3. Added a custom inline policy to allow assuming a role:
    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Sid": "AssumeRole",
    			"Effect": "Allow",
    			"Action": "sts:AssumeRole",
    			"Resource": "*"
    		}
    	]
    }
  4. Generated access keys for the IAM user created in step 1
  5. Configured my AWS CLI to use the access key generated in step 4
  6. Executed the following command to create the OrganizationFormationBuildAccessRole role:
    aws cloudformation create-stack --stack-name org-formation-role --template-body file://src/templates/000-org-build/role.yml --region eu-north-1 --capabilities CAPABILITY_NAMED_IAM
  7. Made sure to update line 74 and line 77 with the correct email domain and address.
  8. Finally executed npx org-formation update ./src/organization.yml --verbose to build.

This seems to be the expected procedure! If so, updating the documentation or creating a bootstrap script for this would be beneficial. I am happy to help out!
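Two points from this thread are worth checking before running the bootstrap: STS refuses AssumeRole for root credentials (the error NickDarvey hit and OlafConijn explains), and the inline policy in the steps above grants sts:AssumeRole on every resource, which is broader than the one role org-formation needs. The following is an added example, not code from org-formation or from anyone in this thread. It takes the caller ARN that `aws sts get-caller-identity` reports and a policy document, flags a root principal and a wildcard AssumeRole statement, and builds a replacement policy scoped to OrganizationFormationBuildAccessRole in a given list of account IDs. The account IDs, user name and helper names are constructed for the example.

```python
"""Preflight checks for bootstrapping org-formation with an IAM user.

Added example, not org-formation's own code. Sample ARNs, account IDs and the
user name below are constructed for illustration.
"""
import json
import re
from typing import Dict, List

# Role name as it appears in the issue's error output.
ROLE_NAME = "OrganizationFormationBuildAccessRole"

# IAM principal ARNs: root, IAM user (optionally with a path), or assumed-role session.
_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|user/[^:]+|assumed-role/[^:]+)$")


def classify_principal(arn: str) -> str:
    """Return 'root', 'user', 'assumed-role' or 'unknown' for an IAM principal ARN."""
    m = _ARN_RE.match(arn)
    if not m:
        return "unknown"
    return m.group(2).split("/", 1)[0]


def can_call_assume_role(arn: str) -> bool:
    """STS rejects AssumeRole from root credentials with
    'Roles may not be assumed by root accounts', so only IAM users and
    existing role sessions can bootstrap the build role."""
    return classify_principal(arn) in ("user", "assumed-role")


def find_wildcard_assume_role(policy: Dict) -> List[str]:
    """Return the Sid (or index) of each Allow statement that grants
    sts:AssumeRole (directly or via sts:* / *) on Resource '*'."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        broad_action = any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in actions)
        if broad_action and "*" in resources:
            findings.append(stmt.get("Sid", "Statement[%d]" % i))
    return findings


def scoped_assume_role_policy(account_ids: List[str], role_name: str = ROLE_NAME) -> Dict:
    """Least-privilege replacement: allow assuming only role_name in the listed accounts."""
    arns = ["arn:aws:iam::%s:role/%s" % (acct, role_name) for acct in sorted(set(account_ids))]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssumeOrgFormationBuildRole",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": arns,
            }
        ],
    }


# Constructed sample inputs (not real accounts).
ROOT_ARN = "arn:aws:iam::111111111111:root"
USER_ARN = "arn:aws:iam::111111111111:user/org-formation-bootstrap"
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AssumeRole", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}
    ],
}
MEMBER_ACCOUNTS = ["222222222222", "333333333333", "111111111111"]


def preflight(arn: str, policy: Dict, account_ids: List[str]) -> Dict:
    """Summarise both checks and propose the scoped policy."""
    return {
        "principal": classify_principal(arn),
        "assume_role_possible": can_call_assume_role(arn),
        "wildcard_assume_role": find_wildcard_assume_role(policy),
        "scoped_policy": scoped_assume_role_policy(account_ids),
    }


if __name__ == "__main__":
    for arn in (ROOT_ARN, USER_ARN):
        print(json.dumps(preflight(arn, BROAD_POLICY, MEMBER_ACCOUNTS), indent=2))
```

Run it with the ARN printed by `aws sts get-caller-identity` and the policy you intend to attach; a root principal means the update will fail regardless of policy, and a wildcard finding means the user can assume any role in any account whose trust policy admits it, rather than only the build role. Note also that the AdministratorAccess managed policy already allows every action on every resource, so an additional wildcard AssumeRole inline policy adds nothing; if the bootstrap user is meant to be least-privilege, the scoped statement is the one to keep.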
