Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Why does my call to aws servicecatalog update-provisioned-product fail when assuming a role?

0

This works:

aws servicecatalog update-provisioned-product \
  --product-name my-product-name \
  --provisioned-product-id pp-123 \
  --provisioning-artifact-name latest \
  --profile mypro

This fails:

aws servicecatalog update-provisioned-product \
  --product-name my-product-name \
  --provisioned-product-id pp-123 \
  --provisioning-artifact-name latest \
  --profile mypro-github-cdk

An error occurred (ResourceNotFoundException) when calling the UpdateProvisionedProduct operation: Product with name my-product-name not found

The only difference is the profile - mypro-github-cdk assumes the role arn:aws:iam::1234:role/GitHub-CDK-Deploy:

[profile mypro]
region = us-east-1
credential_process = /usr/local/bin/aws_creds aws/mypro

[profile mypro-github-cdk]
region = us-east-1
role_arn = arn:aws:iam::1234:role/GitHub-CDK-Deploy
source_profile = mypro

The arn:aws:iam::1234:role/GitHub-CDK-Deploy role has the following inline policy, which should allow anything[1]:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Grateful for any pointers, I'm lost.

[1] Yes, I'll drop it down to much more limited permissions once it's working!

Argomenti
Gestione e amministrazioneSicurezza, identità e conformità
Tag
Interfaccia a riga di comando AWSAWS CloudFormationCatalogo dei servizi AWSPolitiche IAM
Lingua
English
Rob Elliot
posta un anno fa515 visualizzazioni
2 Risposte
0
Risposta accettata

The problem was that I had not associated the role with the Service Catalog Portfolio.

In the UI, navigate to Service Catalog > Portfolios > my-portfolio.

Go into the Access tab.

Click Grant Access, choose Roles, select GitHub-CDK-Deploy and add it.

Rob Elliot
con risposta un anno fa
0

It is likely that the role you are assuming does not have the necessary permissions to perform the update-provisioned-product operation. You should check the IAM policy attached to the role and make sure it has the required permissions.

profile picture
Divyam Chauhan
con risposta un anno fa
  • Rob Elliot
    un anno fa

    I posted the IAM policy attached to the role in the question. It's all permissions on all resources.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente