
Cross-account rule deployment does not work with custom Lambda code deployed in the central account due to (AccessDenied) when calling the AssumeRole operation #338

Closed
cool-raj opened this issue Mar 30, 2022 · 2 comments

Comments

@cool-raj

Here is the problem:
Log in to the central sec account.
Step 1. rdk init --config-bucket-exists-in-another-account
Step 2. rdk create Rulename --runtime python3.9 --resource-types AWS::IAM::User (change the parameter ASSUME_ROLE_MODE = True)
Step 3. rdk deploy -f sampleRulename (deploys the Lambda in the central sec account)
Step 4. rdk create-rule-template -o remote-rule-template-ruleonly.json --rulename sampleRulename (deploys the rule only, with a reference to the custom Lambda function deployed in the central account)

Error while executing the rule:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts:::assumed-role/RDK-Config-Rule-Functions-rdkLambdaRole-/RDK-Rule-Function-sampleRulename is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::******:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig.

We have our Config enabled via the Organisation account through a CloudFormation StackSet. Hence our Config has the AWSServiceRoleForConfig role, and this role does not have a trust permission for the Lambda.

Any suggestion?

@rickychau2780 (Contributor)

For the Lambda function of a custom rule, it needs to assume a role with AWS Config access in order to execute the rule and upload results to Config. By default, it is using the service role created when you initiate your AWS Config setup. You can easily change the role in the console.

Another option is to add the following in your rule's parameters.json. This will give you the ability to specify the role you are going to assume for a specific rule.
{
  ...
  "Parameters": {
    ...
    "InputParameters": "{\"ExecutionRoleName\": \"my-role-path-if-any/my-execution-role-name\"}",
    ...
  }
  ...
}
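
The pattern the comment describes, written out as an added example (this is not RDK's own code and not from the thread): the rule Lambda assumes the Config role passed in the invocation event unless the rule's InputParameters name an ExecutionRoleName, and a trust-policy pre-check shows why the service-linked role in the issue rejects the Lambda while a dedicated execution role that names the central Lambda role accepts it. All account ids, role names, the event and the policy documents are constructed samples, and the function names are hypothetical.

```python
"""Role resolution and trust-policy pre-check for an AWS Config custom rule
running in ASSUME_ROLE_MODE (added example; not RDK's code; samples constructed)."""
import json


def resolve_execution_role_arn(event):
    """Return the role ARN the rule Lambda should assume for this invocation.

    AWS Config passes the evaluated account's Config role in the event as
    `executionRoleArn`. When the rule parameters carry an ExecutionRoleName,
    that role (optionally with a path) is used instead, in the same account
    and partition, so the override never points at a foreign account.
    """
    default_arn = event["executionRoleArn"]
    params = json.loads(event.get("ruleParameters") or "{}")
    role_name = params.get("ExecutionRoleName")
    if not role_name:
        return default_arn
    account_prefix = default_arn.split(":role/", 1)[0]  # "arn:aws:iam::<account>"
    return f"{account_prefix}:role/{role_name.strip('/')}"


def role_arn_from_caller(caller_arn):
    """Map an STS assumed-role ARN (the form shown in AccessDenied messages) to the
    IAM role ARN a trust policy must name. Assumed-role ARNs drop the role path,
    so this assumes the Lambda role has no path."""
    if ":assumed-role/" not in caller_arn:
        return caller_arn
    head, tail = caller_arn.split(":assumed-role/", 1)
    partition = head.split(":")[1]
    account_id = head.rsplit(":", 1)[1]
    role_name = tail.split("/", 1)[0]
    return f"arn:{partition}:iam::{account_id}:role/{role_name}"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_allows(trust_policy, caller_arn):
    """True if an Allow statement grants sts:AssumeRole to the caller's role, its
    account (root ARN or bare id), or everyone. Statements with a Condition are
    skipped (conservative: they cannot be evaluated offline), and Action
    wildcards other than sts:* are not expanded."""
    role_arn = role_arn_from_caller(caller_arn)
    parts = role_arn.split(":")
    partition, account_id = parts[1], parts[4]
    acceptable = {role_arn, f"arn:{partition}:iam::{account_id}:root", account_id, "*"}
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and set(_as_list(principal.get("AWS"))) & acceptable:
            return True
    return False


def input_parameters_field(role_name):
    """Value of the "InputParameters" key in parameters.json: Config expects a JSON
    document encoded as a string, so the inner quotes end up escaped when the
    whole file is serialised with json.dumps."""
    return json.dumps({"ExecutionRoleName": role_name})


# --- constructed sample data (not taken from the issue) ---
CENTRAL_ACCOUNT, TARGET_ACCOUNT = "111111111111", "222222222222"
LAMBDA_CALLER_ARN = (f"arn:aws:sts::{CENTRAL_ACCOUNT}:assumed-role/"
                     "RDK-Config-Rule-Functions-rdkLambdaRole-EXAMPLE/RDK-Rule-Function-sampleRulename")
SERVICE_ROLE_ARN = (f"arn:aws:iam::{TARGET_ACCOUNT}:role/aws-service-role/"
                    "config.amazonaws.com/AWSServiceRoleForConfig")
# Service-linked role: only the Config service principal may assume it, never a Lambda role.
SERVICE_LINKED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "config.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
# Dedicated execution role in the target account whose trust policy names the central Lambda role.
EXECUTION_ROLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{CENTRAL_ACCOUNT}:role/RDK-Config-Rule-Functions-rdkLambdaRole-EXAMPLE"},
     "Action": "sts:AssumeRole"}]}


def event_for(role_name=None):
    """Constructed custom-rule invocation event (only the fields used here)."""
    params = {"ExecutionRoleName": role_name} if role_name else {}
    return {"executionRoleArn": SERVICE_ROLE_ARN, "ruleParameters": json.dumps(params),
            "accountId": TARGET_ACCOUNT}


if __name__ == "__main__":
    for name, trust in ((None, SERVICE_LINKED_TRUST), ("rdk/ConfigRuleExecutionRole", EXECUTION_ROLE_TRUST)):
        arn = resolve_execution_role_arn(event_for(name))
        print(f"{arn}\n  assumable by the rule Lambda: {trust_policy_allows(trust, LAMBDA_CALLER_ARN)}")
```

Running the block prints the default service-linked role as not assumable (the situation in the issue) and the ExecutionRoleName override as assumable. The override stays inside the evaluated account because only the role path and name are swapped into the ARN Config supplied; the account id is never taken from rule parameters.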

@cool-raj (Author) commented Apr 4, 2022

Hi @rickychau2780, thank you very much for the help. It worked as expected.
