This works:
aws servicecatalog update-provisioned-product \
--product-name my-product-name \
--provisioned-product-id pp-123 \
--provisioning-artifact-name latest \
--profile mypro
This fails:
aws servicecatalog update-provisioned-product \
--product-name my-product-name \
--provisioned-product-id pp-123 \
--provisioning-artifact-name latest \
--profile mypro-github-cdk
An error occurred (ResourceNotFoundException) when calling the UpdateProvisionedProduct operation: Product with name my-product-name not found
The only difference is the profile - mypro-github-cdk
assumes the role arn:aws:iam::1234:role/GitHub-CDK-Deploy
:
[profile mypro]
region = us-east-1
credential_process = /usr/local/bin/aws_creds aws/mypro
[profile mypro-github-cdk]
region = us-east-1
role_arn = arn:aws:iam::1234:role/GitHub-CDK-Deploy
source_profile = mypro
The arn:aws:iam::1234:role/GitHub-CDK-Deploy
role has the following inline policy, which should allow anything[1]:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Grateful for any pointers, I'm lost.
[1] Yes, I'll drop it down to much more limited permissions once it's working!
I posted the IAM policy attached to the role in the question. It's all permissions on all resources.