AssumeRole not working with Multi-Accounts and S3 Backend #3826

alexedwardjones opened this issue Feb 14, 2025 · 0 comments
Labels
bug Something isn't working new Un-triaged issue

Comments


alexedwardjones commented Feb 14, 2025

Expected Behavior

I have three accounts that I'm trying to set up with the necessary roles and permissions for people to assume roles across accounts.

Accounts:

  • Root
  • Identity (IAM Users, Groups)
  • Production (Workload)

I've created an IdentityStack using cdktf that has created the roles and permissions. Initially I was using a LocalBackend and everything was working fine.

I've since migrated my state to an S3Backend and I expected things to continue working as long as I set the correct assumeRole on the S3Backend.

Actual Behavior

Instead I'm now getting the following error.

infrastructure-identity-stack  Initializing the backend...
infrastructure-identity-stack  Error refreshing state: AccessDenied: Access Denied

Unless I'm misunderstanding something, my guess is that it doesn't seem to be correctly assuming the role needed to access the configured S3Backend.

I've run the equivalent command using the AWS CLI and my credentials have the necessary permissions to assume the role without any issue.

aws sts assume-role --role-arn "arn:aws:iam::123456789098:role/OrganizationAccountAccessRole" --role-session-name foo

N.B.
I'm only using OrganizationAccountAccessRole because my next step was going to be to create a dedicated role for terraform. Up until this point OrganizationAccountAccessRole had been working fine for bootstrapping the accounts.

Steps to Reproduce

Here's an example of my stack. The credentials I'm using are from the Root account and have permissions to assume the OrganizationAccountAccessRole in Identity and Production.

import { Construct } from "constructs";
import { TerraformStack, S3Backend } from "cdktf";
import { provider as awsProvider } from "@cdktf/provider-aws";
import { IamGroup } from "@cdktf/provider-aws/lib/iam-group";
// Account, REMOTE_STATE_BUCKET_NAME_IDENTITY and REMOTE_STATE_LOCK_TABLE_NAME
// are project constants defined elsewhere in the stack's source.

export default class IdentityStack extends TerraformStack {
  private groups: Record<string, IamGroup> = {};

  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Default provider for identity account resources (users, groups)
    new awsProvider.AwsProvider(this, "aws", {
      region: "eu-west-1",
      assumeRole: [{
        roleArn: `arn:aws:iam::${Account.IDENTITY}:role/OrganizationAccountAccessRole`,
      }],
    });

    // Identity stack remote state lives in the identity account;
    // the backend gets its own assumeRole, separate from the providers'
    new S3Backend(this, {
      bucket: REMOTE_STATE_BUCKET_NAME_IDENTITY,
      key: `${id}/terraform.tfstate`,
      region: "eu-west-1",
      dynamodbTable: REMOTE_STATE_LOCK_TABLE_NAME,
      assumeRole: {
        roleArn: `arn:aws:iam::${Account.IDENTITY}:role/OrganizationAccountAccessRole`,
      },
    });

    // Create account providers (aliased, one per account)
    const accountProviders = {
      [Account.PRODUCTION]: new awsProvider.AwsProvider(this, "aws-production", {
        alias: "production",
        region: "eu-west-1",
        assumeRole: [{
          roleArn: `arn:aws:iam::${Account.PRODUCTION}:role/OrganizationAccountAccessRole`,
        }],
      }),
      [Account.ROOT]: new awsProvider.AwsProvider(this, "aws-root", {
        alias: "root",
        region: "eu-west-1",
      }),
      [Account.IDENTITY]: new awsProvider.AwsProvider(this, "aws-identity", {
        alias: "identity",
        region: "eu-west-1",
        assumeRole: [{
          roleArn: `arn:aws:iam::${Account.IDENTITY}:role/OrganizationAccountAccessRole`,
        }],
      }),
    };
    ...
  }
}

Versions

cdktf debug gives me...

External Error: Could not determine cdktf version. Please make sure you are in a directory containing a cdktf project and have all dependencies installed.

I'm using these versions...
Node: v22.11.0

  "cdktf": "^0.20.11",
  "cdktf-cli": "^0.20.11",
  "constructs": "^10.4.2",

Providers

cdktf provider list gives me...

External Error: Could not determine cdktf version. Please make sure you are in a directory containing a cdktf project and have all dependencies installed.

I'm using these versions...

  "@cdktf/provider-aws": "^19.48.1",
  "@cdktf/provider-random": "^11.0.3",

Gist

No response

Possible Solutions

No response

Workarounds

No response

Anything Else?

No response

References

No response

Help Wanted

  • I'm interested in contributing a fix myself

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
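As an added diagnostic (not code from this issue, from cdktf or from Terraform), the script below assumes the same role the S3Backend names and then makes the calls Terraform's S3 backend makes when it refreshes state and takes a lock, reporting each separately so an "Access Denied" can be pinned to a missing s3/dynamodb action rather than to the assume-role step. The role ARN, bucket, state key and lock-table name are command-line placeholders, and boto3 is assumed for a live run.

```python
import sys

def error_code(exc):
    """AWS error code from a botocore ClientError-like exception, else the type name."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)

def probe_state_access(s3, ddb, bucket, key, table):
    """Run the S3 backend's state-refresh calls with the given boto3 clients.
    Returns {action: "ok" | error code}; Terraform keys its lock item "<bucket>/<key>"."""
    checks = {
        "s3:ListBucket": lambda: s3.list_objects_v2(Bucket=bucket, Prefix=key, MaxKeys=1),
        "s3:GetObject": lambda: s3.head_object(Bucket=bucket, Key=key),
        "dynamodb:GetItem": lambda: ddb.get_item(
            TableName=table, Key={"LockID": {"S": f"{bucket}/{key}"}}),
    }
    results = {}
    for action, call in checks.items():
        try:
            call()
            results[action] = "ok"
        except Exception as exc:  # botocore ClientError carries .response
            results[action] = error_code(exc)
    return results

def diagnose(results):
    """Tell 'role lacks permissions' apart from 'backend is not using this role'.
    A 404 from HeadObject only means no state object exists yet."""
    denied = sorted(a for a, r in results.items() if r == "AccessDenied")
    if denied:
        return "role lacks: " + ", ".join(denied)
    other = {a: r for a, r in results.items() if r not in ("ok", "404", "NotFound")}
    if other:
        return "unexpected errors: " + str(other)
    return "role can read state and lock; the backend is probably running as another principal"

def main(role_arn, bucket, key, table):
    import boto3  # only needed for a live run against AWS
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName="state-probe")["Credentials"]
    session = boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])
    results = probe_state_access(session.client("s3"), session.client("dynamodb"),
                                 bucket, key, table)
    print(results, diagnose(results), sep="\n")

if __name__ == "__main__":
    main(*sys.argv[1:5])  # usage: probe.py ROLE_ARN BUCKET STATE_KEY LOCK_TABLE
```

If every call succeeds under the assumed role, compare the principal in the backend's CloudTrail AccessDenied event with the role ARN: the backend block then needs to be checked for whether its assume_role actually reached the synthesized configuration.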