aws-deployment-framework icon indicating copy to clipboard operation
aws-deployment-framework copied to clipboard

Published 20 hours ago verified publisher icon awslabs

[Bug]: Management account cannot be managed by ADF's account management

Open sbkok opened this issue 2 years ago • 0 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Describe the bug

The AccountManagementStateMachine is responsible for creating and updating accounts that are configured in the adf-accounts folder of the aws-deployment-framework-bootstrap repository.

If that contains a file that instructs ADF to configure the management account, this will fail in the ConfigureAccountAlias step.

A note about the impact:

The management account cannot be created, obviously, otherwise there wouldn't be an organization where ADF can run from. However, this feature is sometimes used to update the account configuration with ADF.

This issue only impacts ADF installations where the management account is configured in the adf-accounts folder.

Expected Behavior

It should be able to update the account alias of the management account.

Current Behavior

It fails to determine the account aliases configured for the management account.

The error states that it is missing the iam:ListAccountAliases permission for the cross account access role.

Steps To Reproduce

  1. Create an adf-accounts file for the management account.
  2. Wait for the AccountManagementStateMachine to process that.

Possible Solution

Add the missing permission to the adf-master-account-bootstrap-policy.

Additional Information/Context

Please note: I am working on a fix to address this in v3.2.1.

ADF Version

v3.2.0

sbkok avatar Jan 27 '23 17:01 sbkok