
Copilot does not work with root account. It needs to be an IAM user account to build and deploy from local.

Open · gopalc-cap opened this issue 5 years ago • 6 comments

Copilot does not work with root account. It needs to be an IAM user account to build and deploy from local.

gopalc-cap avatar Nov 17 '20 19:11 gopalc-cap

I could reproduce the issue on my end. Example error:

$ copilot env show
Which environment of sampleapp would you like to show? test
✘ describe environment test: list deployed services in env test: get resources by Copilot tags: get resource: AccessDenied: Roles may not be assumed by root accounts.
        status code: 403, request id: xxxxx

Some commands need to retrieve metadata from SSM parameter store. Copilot uses credentials of EnvManagerRole to do that. However, root user cannot call AssumeRole API. https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html

You cannot use AWS account root user credentials to call AssumeRole. You must use credentials for an IAM user or an IAM role to call AssumeRole.

I think it is kind for users to describe it in Copilot's document explicitly.

tam0ri avatar Mar 28 '21 16:03 tam0ri

Workaround:

  1. Create a different account using IAM Service.
  2. Login using a special url for created account/company.
  3. Use the command line and type aws configure and provide access key based on instruction https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
  4. Repeat the command of copilot

kubek93 avatar Aug 30 '22 19:08 kubek93

I think it is kind for users to describe it in Copilot's document explicitly.

Also the Copilot CLI should detect this automatically, instead of failing after 5 minutes when it has already created half of the resources!

heidemn avatar Dec 04 '23 09:12 heidemn

It gets even funnier - it can't even clean up its own mess, same error:

$ copilot app delete
Sure? Yes

✘ execute svc delete: delete service: get template body of stack "example-cp-dev-front-end":
   get template example-cp-dev-front-end: AccessDenied: Roles may not be assumed by root accounts.
        status code: 403, request id: ecd53503-3a94-4001-8b52-561675558e2d

heidemn avatar Dec 04 '23 09:12 heidemn

@heidemn sorry for the trouble - agree that ideally copilot should try to detect whether the credential being used is a root account, and error out if it is.

To get you out of the state you are in right now, can you try the following:

  1. Create an IAM user, make sure it has the sts:AssumeRole permission. If you want, it can be an admin-level user that can assume any role in the account. Make sure to delete this role after you are done though, if you don't need it.
  2. Run aws configure to configure the credentials being used to that user.
  3. Try running copilot app delete.

Lou1415926 avatar Dec 06 '23 00:12 Lou1415926
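The root-credential preflight check that heidemn asks for above and that Lou1415926 agrees Copilot should perform, written here as an added example; it is not part of the Copilot CLI and not code from anyone in this thread. It assumes the AWS CLI is installed and configured, resolves the caller through the real `aws sts get-caller-identity` command, and classifies the returned ARN by its shape: the account root user always has an ARN of the form `arn:<partition>:iam::<account-id>:root`. The account id and ARNs in the comments are constructed samples.

```shell
#!/bin/sh
# Preflight guard for Copilot deployments (added example, not Copilot's own code).
# STS AssumeRole rejects account root credentials, so Copilot commands that
# assume EnvManagerRole fail part-way through with
# "AccessDenied: Roles may not be assumed by root accounts." This check
# refuses to start when the caller identity is the root user.

# caller_kind ARN -> prints one of: root, user, assumed-role, federated-user, other
# Root ARNs look like arn:aws:iam::123456789012:root (constructed account id);
# the partition may also be aws-cn or aws-us-gov, hence the "aws*" pattern.
caller_kind() {
    case "$1" in
        arn:aws*:iam::*:root)             echo root ;;
        arn:aws*:iam::*:user/*)           echo user ;;
        arn:aws*:sts::*:assumed-role/*)   echo assumed-role ;;
        arn:aws*:sts::*:federated-user/*) echo federated-user ;;
        *)                                echo other ;;
    esac
}

# is_root_arn ARN -> exit status 0 only for the account root user.
# An IAM user literally named "root" (.../user/root) is not the root account.
is_root_arn() {
    [ "$(caller_kind "$1")" = root ]
}

# preflight_copilot: resolve the current credentials with the AWS CLI and
# return 0 when they belong to an IAM principal that can call sts:AssumeRole.
# Returns 1 for root credentials and 2 when the identity cannot be resolved.
preflight_copilot() {
    arn=$(aws sts get-caller-identity --query Arn --output text 2>/dev/null) || {
        echo "preflight: could not resolve caller identity; is the AWS CLI configured?" >&2
        return 2
    }
    if is_root_arn "$arn"; then
        echo "preflight: $arn is the account root user." >&2
        echo "preflight: Copilot must call sts:AssumeRole, which root credentials cannot do." >&2
        echo "preflight: run 'aws configure' with an IAM user's access key and retry." >&2
        return 1
    fi
    echo "preflight: running as $(caller_kind "$arn") ($arn)" >&2
    return 0
}

# Usage (after sourcing this file):  preflight_copilot && copilot app delete
```

Running the guard before `copilot init`, `copilot deploy` or `copilot app delete` fails fast instead of leaving half-created stacks behind; the classification is done on the ARN string alone, so it costs one STS call and needs no extra IAM permissions beyond `sts:GetCallerIdentity`, which every principal can call.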

Hi @Lou1415926 thanks :-) I had figured it out, but still it was not such a good experience.

heidemn avatar Dec 09 '23 21:12 heidemn