aws-solutions/network-orchestration-for-aws-transit-gateway

AccessDenied error preventing STNO actions


This is an account whose aws-transit-network-orchestrator-hub stack was deleted. I removed the old resources (the TGW with all of its attachments) and recreated the stack.

Now I'm getting the following error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789012:assumed-role/TransitNetworkOrchestratorSMLambdaRole-eu-west-1/TransitNetworkOrchestratorSMLambda is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/TransitNetworkExecutionRole-eu-west-1

The TransitNetworkOrchestratorSMLambda inline policy on arn:aws:iam::123456789012:role/TransitNetworkOrchestratorSMLambdaRole-eu-west-1 is unchanged, see below. It explicitly allows the sts:AssumeRole action on the TransitNetworkExecutionRole-eu-west-1 resource that the error names. Note, however, that an sts:AssumeRole call is authorized by two policies, not one: the caller's identity policy (shown below) AND the trust policy on the target role (TransitNetworkExecutionRole-eu-west-1) must both allow it. Because the hub stack was deleted and recreated, the Lambda role is a new principal with a new unique ID; if the execution role's trust policy referenced the old role, that reference would no longer resolve and AssumeRole would be denied even though the identity policy is correct. (Separately: the iam:GetRole statement's resource "arn:aws:iam::eu-west-1:role/*" puts a region in the account-ID field — IAM ARNs have no region — so that statement probably matches nothing; unrelated to this denial, but worth fixing.)
Any ideas on how to fix a broken STNO?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:eu-west-1:123456789012:log-group:/aws/lambda/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "iam:GetRole"
            ],
            "Resource": "arn:aws:iam::eu-west-1:role/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:PutParameter",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:DeleteParameter",
                "ssm:GetParametersByPath"
            ],
            "Resource": "arn:aws:ssm:eu-west-1:123456789012:parameter/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssm:DescribeParameters"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:CreateTransitGatewayRoute",
                "ec2:DeleteTransitGatewayRoute",
                "ec2:ModifyTransitGatewayVpcAttachment",
                "ec2:CreateTransitGatewayVpcAttachment",
                "ec2:DeleteTransitGatewayVpcAttachment",
                "ec2:AssociateTransitGatewayRouteTable",
                "ec2:DisableTransitGatewayRouteTablePropagation",
                "ec2:DisassociateTransitGatewayRouteTable",
                "ec2:EnableTransitGatewayRouteTablePropagation"
            ],
            "Resource": [
                "arn:aws:ec2:eu-west-1:*:transit-gateway-route-table/*",
                "arn:aws:ec2:eu-west-1:123456789012:transit-gateway/*",
                "arn:aws:ec2:eu-west-1:*:transit-gateway-attachment/*",
                "arn:aws:ec2:eu-west-1:*:vpc/*",
                "arn:aws:ec2:eu-west-1:*:subnet/*",
                "arn:aws:ec2:eu-west-1:*:route-table/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:GetTransitGatewayAttachmentPropagations",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ec2:SearchTransitGatewayRoutes"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::*:role/TransitNetworkExecutionRole-eu-west-1",
            "Effect": "Allow"
        },
        {
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": [
                "arn:aws:lambda:eu-west-1:123456789012:function:TransitNetworkOrchestratorSMLambda"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "dynamodb:PutItem"
            ],
            "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/StackSet-CustomControlTower-stno-hub-development-6aab4035-584b-4b00-93ae-7f6ea75a7706-DynamoDbTable-R9U8XGY0HRNO",
            "Effect": "Allow"
        },
        {
            "Action": [
                "sns:Publish"
            ],
            "Resource": "arn:aws:sns:eu-west-1:123456789012:AWS-Transit-Network-Approval-Notifications",
            "Effect": "Allow"
        }
    ]
}

This fixed itself after a few days. Probably some caching issue in one of the Lambdas? (IAM changes are eventually consistent, but propagation normally takes seconds to minutes rather than days, so a multi-day gap is more likely explained by something else changing — e.g. the target role's trust policy being updated or the spoke stacks being redeployed — than by caching. The CloudTrail AssumeRole events for TransitNetworkOrchestratorSMLambdaRole-eu-west-1 over that window would show the denials and what changed when they stopped.)