Cross Account rule deployment does not work with Custom Lambda code deployed in central account due to (AccessDenied) when calling the AssumeRole operation
#338
Closed
cool-raj opened this issue
Mar 30, 2022
· 2 comments
Here is the problem:
Log in to the central sec account.
Step 1. rdk init --config-bucket-exists-in-another-account
Step 2. rdk create Rulename --runtime python3.9 --resource-types AWS::IAM::User (change the parameter ASSUME_ROLE_MODE = True)
Step 3. rdk deploy -f sampleRulename (deploys the lambda in the central sec account)
Step 4. rdk create-rule-template -o remote-rule-template-ruleonly.json --rulename sampleRulename (deploys the rule only, with a reference to the custom lambda function deployed in the central account)
Error during execution of the rule:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts:::assumed-role/RDK-Config-Rule-Functions-rdkLambdaRole-/RDK-Rule-Function-sampleRulename is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::******:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig.
We have our Config enabled via the Organisation account through a CloudFormation stack set. Hence our Config has the AWSServiceRoleForConfig role, and this role does not have a trust permission for the lambda.
Any suggestion?
For the lambda function of a custom rule, it needs to assume a role with AWS Config access in order to execute the rule and upload the result to Config. By default, it is using the service role created when you initiate your AWS Config setup. You can easily change the role in the console.
Another option is to add the following in your rule's parameter.json. This will provide you the ability to specify the role you are going to assume for a specific rule.

```json
{
  ...
  "Parameters": {
    ...
    "InputParameters": "{\"ExecutionRoleName\": \"my-role-path-if-any/my-execution-role-name\"}",
    ...
  }
  ...
}
```
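The mechanism the comment describes, as an added illustration that is not RDK's own code: how the `ExecutionRoleName` input parameter turns into a role ARN next to the default Config service role, why `InputParameters` must be an escaped JSON string, and a check that the target role's trust policy actually names the central-account Lambda role (the missing piece behind the `AccessDenied` in this issue). Account IDs, role names and the sample event are constructed placeholders.

```python
"""Illustrative helpers for the cross-account RDK setup discussed above (not RDK code)."""
import json

# Constructed placeholders, not values from any real account.
CENTRAL_LAMBDA_ROLE_ARN = "arn:aws:iam::111111111111:role/RDK-Config-Rule-Functions-rdkLambdaRole"
DEFAULT_CONFIG_ROLE_ARN = (
    "arn:aws:iam::222222222222:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
)


def input_parameters_for_role(role_name: str) -> str:
    """Build the InputParameters value for parameters.json.
    Config hands rule parameters to the Lambda as a JSON *string*, so the
    inner object is serialised here; json.dumps produces the escaped quotes."""
    return json.dumps({"ExecutionRoleName": role_name})


def resolve_execution_role_arn(event: dict) -> str:
    """Choose the role the rule Lambda should assume for a given Config event.
    If ruleParameters names an ExecutionRoleName, the role is looked up in the
    same account as executionRoleArn (the target account); otherwise the
    default Config service role in executionRoleArn is used."""
    default_arn = event["executionRoleArn"]
    params = json.loads(event.get("ruleParameters") or "{}")
    role_name = params.get("ExecutionRoleName")
    if not role_name:
        return default_arn
    account_prefix = default_arn.split("/")[0]  # "arn:aws:iam::<account>:role"
    return f"{account_prefix}/{role_name}"


def trust_policy_allows(trust_policy: dict, principal_arn: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole to principal_arn.
    Exact-match only: account-root or wildcard principals are not expanded,
    which keeps the check conservative for a pre-deployment review."""
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        aws_principals = stmt.get("Principal", {}).get("AWS", [])
        aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
        if principal_arn in aws_principals:
            return True
    return False
```

The trust policy of a service-linked role such as AWSServiceRoleForConfig trusts only `config.amazonaws.com`, so `trust_policy_allows` returns False for it; a dedicated execution role in the target account whose trust policy lists the central Lambda role under `Principal.AWS` passes.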