aws-solutions/instance-scheduler-on-aws

Error in Assume role

Closed this issue · 2 comments

Hello,

After deployment I had this issue:

(An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::XXXXX:assumed-role/test_scheduler-SchedulingRequestHandler-Role/main-test-scheduler-insta-schedulingRequestHandler-jjzoPiu7Imc5 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::YYYYY:role/test_scheduler-Scheduler-Role)

To deploy the remote stack I use:

# Remote (spoke) stack
resource "aws_cloudformation_stack" "terra-stack-remote" {
  #checkov:skip=CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
  name = "sched-remote-stack"
  parameters = {
    InstanceSchedulerAccount = "XXXXX"
    Namespace                = "test_scheduler"
  }

  template_body = file("./resources/instance-scheduler-on-aws-remote.template")
  capabilities  = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"]
}

And for the main stack I use:

# Main (hub) stack
resource "aws_cloudformation_stack" "main_sched_instances" {
  #checkov:skip=CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
  name     = "main-test-scheduler-instances"
  provider = aws.infra_01_sandbox
  parameters = {
    Regions         = "eu-west-1,ap-southeast-1"
    DefaultTimezone = "Europe/Paris"
    Trace           = "Yes"
    TagName         = "schedule_ccoe"
    MemorySize      = "1024"
    StartedTags     = ""
    Namespace       = "test_scheduler"
    StoppedTags     = ""
    #ScheduledServices = "Both"
    Principals      = "YYYYYY"
  }
  template_url = "https://awsschedsource.s3.eu-west-1.amazonaws.com/instance-scheduler-on-aws/v3.0.1.cpl/instance-scheduler-on-aws.template"
  capabilities = ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"]
}

Can you please help me to resolve this issue?

Regards,
Mohamed BENCHEIKH

When updating instance scheduler, the spoke stacks must be updated after the hub stack to ensure that the correct permissions are set up. If the spokes are updated first, it's possible that the trust relationship on the scheduler roles may be broken during the update of the hub stack.

It's OK for me, thank you 🙏
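A way to check the trust relationship the answer above refers to, as an added example that is not part of the thread or of the Instance Scheduler code: it extracts the calling role and the target role from the AccessDenied message, then tests a trust policy document (for instance the output of `aws iam get-role`) against that caller. The account IDs, the sample policy and the `AROA...` value are constructed; the stale-ID case reflects general IAM behaviour (a trusted role that is deleted and recreated is left in the policy as its old unique ID) and is an assumption about how the trust can break, not something the thread states.

```python
import re

# Constructed sample modelled on the error in the issue; account IDs are placeholders.
SAMPLE_ERROR = (
    "(An error occurred (AccessDenied) when calling the AssumeRole operation: User: "
    "arn:aws:sts::111111111111:assumed-role/test_scheduler-SchedulingRequestHandler-Role/"
    "main-test-scheduler-fn is not authorized to perform: sts:AssumeRole on resource: "
    "arn:aws:iam::222222222222:role/test_scheduler-Scheduler-Role)"
)
# Constructed trust policy: the trusted role was deleted and recreated, so IAM now
# shows the old role's unique ID (AROA...) where its ARN used to be.
SAMPLE_STALE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "AROAEXAMPLEID00000001"}}]}

ERROR_RE = re.compile(
    r"User: arn:aws:sts::(?P<acct>\d+):assumed-role/(?P<role>[^/\s]+)/\S+ is not "
    r"authorized to perform: sts:AssumeRole on resource: (?P<target>arn:aws:iam::\d+:role/[^\s)]+)")

def parse_error(message):
    """Return (caller_role_arn, target_role_arn) from an AssumeRole AccessDenied message."""
    m = ERROR_RE.search(message)
    if not m:
        raise ValueError("not an AssumeRole AccessDenied message")
    # The session ARN omits any IAM path, so this assumes the role has the default path "/".
    return f"arn:aws:iam::{m['acct']}:role/{m['role']}", m["target"]

def _as_list(value):
    """Policy fields may hold one item or a list; always return a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def trust_check(trust_policy, caller_role_arn):
    """Return 'trusted', 'stale-principal-id' or 'not-trusted' (Condition blocks are ignored)."""
    account_id = caller_role_arn.split(":")[4]
    accepted = {caller_role_arn, account_id, f"arn:aws:iam::{account_id}:root"}
    stale = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _as_list(principal.get("AWS"))
        if accepted & set(principals):
            return "trusted"
        stale = stale or any(p.startswith("AROA") for p in principals)
    return "stale-principal-id" if stale else "not-trusted"

if __name__ == "__main__":
    caller, target = parse_error(SAMPLE_ERROR)
    print(target, "->", trust_check(SAMPLE_STALE_TRUST, caller))
```

A `trusted` result only covers the trust policy on the target role; the calling role also needs an identity policy that allows `sts:AssumeRole` on that target.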