Hello folks,

I have been using terragrunt (plus atlantis) for some time now. Initially we include a file with the `iam_role` configuration (role_configuration.hcl, included from service1/terragrunt.hcl) and it works flawlessly.

But, if I put the externalID condition on the cross-account role trust policy, we just receive a plain 403 (which is expected). Something like:

```
ERRO[0000] AccessDenied: User: arn:aws:sts::xxxxxxxx:assumed-role/atlantis-role/session is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxx:role/some-role
	status code: 403, request id: <some uuid here>
ERRO[0000] Unable to determine underlying exit code, so Terragrunt will exit with error code 1
```

After that, I removed the role_configuration include from the service1/terragrunt.hcl file and tried to circumvent the error by templating the provider using the following declarations (provider.tpl):
```hcl
provider "aws" {
  region = "${region}"
  # Only these AWS Account IDs may be operated on by this template
  allowed_account_ids = ["${account_id}"]
  # Make it faster by skipping something
  skip_get_ec2_platforms      = true
  skip_metadata_api_check     = true
  skip_region_validation      = true
  skip_credentials_validation = true
%{ if assume_role_arn != "" }
  assume_role {
    role_arn    = "${assume_role_arn}"
    external_id = "${external_id}"
  }
%{ endif }
}
```
That time, terragrunt didn't recognize that it should use a cross-account role to access the s3 backend and asked about the bucket creation:

```
DEBU[0000] Initializing remote state for the s3 backend
remote state S3 bucket terraform-state-iac-xxxxxxxxx does not exist or you don't have permissions to access it. Would you like Terragrunt to create it? (y/n)
```
With that in mind, I ask: is there a way to set an `external_id` for the `iam_role` configuration? If not, do you think that a parameter called `iam_role_external_id` (and the corresponding environment variables) to support this case can be a good contribution? I'm willing to contribute if necessary.

Thanks in advance!
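The 403 in the log above is the trust policy's `sts:ExternalId` condition doing what it is for: it is the standard confused-deputy mitigation for cross-account roles, and any `sts:AssumeRole` call that does not carry the agreed external ID is denied, regardless of who the caller is. The following added example (written for this page, not code from Terragrunt or the issue author) is a small model of that evaluation, so the difference between the `iam_role` path (no external ID sent) and a provider `assume_role` block with `external_id` can be seen without calling AWS. The role ARNs, account IDs and the external ID value are constructed, and the evaluator is an assumption-level simplification of IAM semantics (explicit Deny wins, any matching Allow allows, otherwise implicit deny; only `StringEquals`/`StringNotEquals` conditions), not a full policy engine.

```python
"""Minimal model of how a cross-account role's trust policy is evaluated for
sts:AssumeRole, including the sts:ExternalId condition.

Constructed example: it follows IAM's documented semantics for this narrow
case (explicit Deny wins, otherwise any matching Allow allows, otherwise
implicit deny) and is not a complete IAM policy engine.
"""
import json

# Constructed trust policy for the target role. The Condition block is what
# turns a plain AssumeRole (no ExternalId in the request) into a 403.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:role/atlantis-role"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})

# Constructed caller: the session ARN reported in the AccessDenied message.
CALLER = "arn:aws:sts::111111111111:assumed-role/atlantis-role/session"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """Match the caller against Principal. An assumed-role session ARN
    (arn:aws:sts::acct:assumed-role/name/session) is treated as the role it
    came from, which is what trust policies are written against."""
    allowed = _as_list(principal.get("AWS", []))
    if "*" in allowed:
        return True
    if ":assumed-role/" in caller_arn:
        acct = caller_arn.split(":")[4]
        role = caller_arn.split(":assumed-role/")[1].split("/")[0]
        caller_arn = f"arn:aws:iam::{acct}:role/{role}"
    return caller_arn in allowed


def _condition_matches(condition, context):
    """Only StringEquals / StringNotEquals over request-context keys are
    modelled. A key absent from the request never satisfies StringEquals,
    which is exactly why a request without an ExternalId is denied."""
    for op, kv in condition.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {op}")
        for key, expected in kv.items():
            actual = context.get(key)
            if op == "StringEquals" and actual not in _as_list(expected):
                return False
            if op == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate_assume_role(policy_json, caller_arn, external_id=None):
    """Return 'Allow' or 'Deny' for caller_arn calling sts:AssumeRole.
    external_id, when given, populates the sts:ExternalId context key."""
    context = {}
    if external_id is not None:
        context["sts:ExternalId"] = external_id
    decision = "Deny"  # implicit deny unless an Allow statement matches
    for stmt in json.loads(policy_json)["Statement"]:
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


if __name__ == "__main__":
    # No external ID (what a bare iam_role-style AssumeRole sends): Deny.
    print(evaluate_assume_role(TRUST_POLICY, CALLER))
    # Matching external ID (provider assume_role with external_id): Allow.
    print(evaluate_assume_role(TRUST_POLICY, CALLER, "example-external-id"))
    # Wrong external ID: Deny.
    print(evaluate_assume_role(TRUST_POLICY, CALLER, "wrong-id"))
```

The practical consequence for the issue: whichever component performs the `sts:AssumeRole` (Terragrunt for the S3 backend, or the generated provider for the resources) has to send the external ID, so templating only the provider leaves the backend access on the denied path shown in the second log.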