
DeployLocally - Failed to assume role

Open sandeephs1 opened this issue 10 months ago • 1 comments

Hello team, we use deploy locally (docker) for Development-related unit testing to keep the Dev cycle shorter. But we constantly face this issue (Failed to assume role) whenever we start creating a Dataset, and hence cannot move forward with other features. P.S. Environment was bootstrapped successfully.

Any suggestions? Having a locally running setup helps each Dev member speed up the Dev cycle.

It is data.all 2.0.0. Error:

Failed to assume role arn:aws:iam::0123456789:role/dataallPivotRole due to: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::0123456789::assumed-role/AWSReservedSSO_AdministratorAccess_45dcebf19bca3ec8/[email protected] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0123456789:role/dataallPivotRole

sandeephs1 avatar Apr 04 '24 07:04 sandeephs1

Hi @sandeephs1, this issue is most probably due to the permissions of your user and the restrictions of the pivotRole.

Both dataallPivotRole and dataallPivotRole-cdk have a trust policy that limits the principals that can assume the role. In the CloudFormation definition we restrict it to the following roles:

                  !Sub "arn:aws:iam::${AwsAccountId}:role/*graphql-role",
                  !Sub "arn:aws:iam::${AwsAccountId}:role/*awsworker-role",
                  !Sub "arn:aws:iam::${AwsAccountId}:role/*ecs-tasks-role"

arn:aws:sts::0123456789::assumed-role/AWSReservedSSO_AdministratorAccess_45dcebf19bca3ec8/[email protected] does not fulfill any of the conditions. For local development you can remove that permission so that your role can assume the pivot role.

Thanks for drawing our attention to the issue, we will update the docs.

dlpzx avatar Apr 09 '24 15:04 dlpzx
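Added example, not part of the thread or of data.all's code: a small offline check that tells you whether the identity reported by `aws sts get-caller-identity` would satisfy the three role patterns quoted above. It assumes the trust policy compares those patterns with the IAM role behind the caller's session and uses glob matching as an approximation of IAM's ARN wildcards; the account ID and role names in the sample are constructed.

```python
from fnmatch import fnmatchcase

# Patterns quoted in the comment above; ${AwsAccountId} is kept as a template field.
TRUSTED_PATTERNS = [
    "arn:aws:iam::{account}:role/*graphql-role",
    "arn:aws:iam::{account}:role/*awsworker-role",
    "arn:aws:iam::{account}:role/*ecs-tasks-role",
]


def caller_role_arn(caller_arn):
    """Map an STS session ARN to the IAM role ARN behind it.

    The session ARN does not carry the role path, so the path is omitted;
    the leading '*' in each pattern absorbs any path anyway.
    """
    parts = caller_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {caller_arn!r}")
    _, partition, service, _, account, resource = parts
    if service == "sts" and resource.startswith("assumed-role/"):
        role_name = resource.split("/")[1]
        return f"arn:{partition}:iam::{account}:role/{role_name}"
    return caller_arn  # already an IAM user or role ARN


def matching_patterns(caller_arn, account):
    """Return the trusted patterns the caller satisfies (empty list = AccessDenied).

    Assumption: the policy is evaluated against the role ARN, not the session ARN.
    """
    role_arn = caller_role_arn(caller_arn)
    patterns = [p.format(account=account) for p in TRUSTED_PATTERNS]
    return [p for p in patterns if fnmatchcase(role_arn, p)]


if __name__ == "__main__":
    # Constructed sample callers (placeholder account ID, hypothetical role names).
    account = "111122223333"
    for arn in (
        f"arn:aws:sts::{account}:assumed-role/AWSReservedSSO_AdministratorAccess_0000000000000000/dev@example.com",
        f"arn:aws:sts::{account}:assumed-role/dataall-dev-graphql-role/backend",
    ):
        hits = matching_patterns(arn, account)
        print("ALLOWED" if hits else "DENIED ", arn)
```

An empty result for your own caller ARN reproduces the AccessDenied in the report before you start the local stack.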

At first we thought about including more documentation, but after speaking with @petrkalos I think we should think of a more streamlined experience for developers. Starting data.all locally should be the easiest of tasks for a developer. As part of these efforts we want to:

  • avoid SSM parameters in the local development
  • avoid trust policies in pivot roles for local development

Maybe we can do that through a local configuration file or with docker. What do you think @sandeephs1, @noah-paige, @SofiaSazonova?

dlpzx avatar Apr 15 '24 10:04 dlpzx

@sandeephs1 #1176 should resolve this issue, but we will work on other improvements to simplify the developer experience. If you have any suggestions or pain points please comment in this issue: https://github.com/data-dot-all/dataall/issues/1180

dlpzx avatar Apr 16 '24 08:04 dlpzx