Why does my call to aws servicecatalog update-provisioned-product fail when assuming a role?

Question

This works:
```bash
aws servicecatalog update-provisioned-product \
  --product-name my-product-name \
  --provisioned-product-id pp-123 \
  --provisioning-artifact-name latest \
  --profile mypro
```

This fails:
```bash
aws servicecatalog update-provisioned-product \
  --product-name my-product-name \
  --provisioned-product-id pp-123 \
  --provisioning-artifact-name latest \
  --profile mypro-github-cdk

An error occurred (ResourceNotFoundException) when calling the UpdateProvisionedProduct operation: Product with name my-product-name not found
```

The only difference is the profile - `mypro-github-cdk` assumes the role `arn:aws:iam::1234:role/GitHub-CDK-Deploy`:
```
[profile mypro]
region = us-east-1
credential_process = /usr/local/bin/aws_creds aws/mypro

[profile mypro-github-cdk]
region = us-east-1
role_arn = arn:aws:iam::1234:role/GitHub-CDK-Deploy
source_profile = mypro
```

The `arn:aws:iam::1234:role/GitHub-CDK-Deploy` role has the following inline policy, which should allow anything[1]:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
```

Grateful for any pointers, I'm lost.

[1] Yes, I'll drop it down to much more limited permissions once it's working!

Accepted Answer

The problem was that I had not associated the role with the Service Catalog Portfolio.

In the UI, navigate to `Service Catalog > Portfolios > my-portfolio`.

Go into the `Access` tab.

Click `Grant Access`, choose `Roles`, select `GitHub-CDK-Deploy` and add it.

Answer

It is likely that the role you are assuming does not have the necessary permissions to perform the update-provisioned-product operation. You should check the IAM policy attached to the role and make sure it has the required permissions.

Why does my call to aws servicecatalog update-provisioned-product fail when assuming a role?

相关内容