aws-iam-identity-center-extensions

"User is missing the following permissions" error when trying to region switch

Open Almenon opened this issue 2 years ago • 1 comments

When following https://github.com/aws-samples/aws-iam-identity-center-extensions/blob/main/docs/documentation/Region-Switch.md I ran into the following error when deploying the discovery stack:

11:55:33 AM | CREATE_FAILED        | Custom::DynamoDBReplica             | awsssoextensionsre...icauseast1D10E0F6F
Received response status [FAILED] from custom resource. Message returned: Failed to describe limits in region: ?US_EAST_1?. User is missing the following permissions: ?dynamodb:DescribeLimits?.

I checked the lambda's execution role and it did have dynamodb describelimits permissions, so maybe it's a timing issue where the policy wasn't attached when the lambda ran.


Logs: https://pastebin.com/gnSW6wXb

Almenon, Apr 26 '23 20:04

One weird thing I noticed is the lambda is trying to describe us east limits. Not sure why it tried to do that; the lambda was in us-west-2. But the resource was * so it should be able to describe a different region without error.

Also, here are the contents of my config/region-switch.yaml:

---
BootstrapQualifier: "ssoutility"
SSOServiceAccountId: "459446695407"
SSOServiceAccountRegion: "us-west-2"
SSOServiceTargetAccountRegion: "us-east-1"

Almenon, Apr 26 '23 23:04