Hi!! I am having problems with cross-account configuration. Can someone help me?
Hi @pet-labrador,
What issues are you facing? Can you describe your setup? Please share any errors you are seeing, as well as a redacted copy of your config.
Error: failed to sync v3 source org-accounts: rpc error: code = Internal desc = failed to init plugin: failed to initialize client: no AWS accounts were successfully configured. See warning messages in the logs for details
Ok. That means that CloudQuery wasn't able to find any credentials. Can you describe your setup and share a redacted copy of your config?
kind: source
spec:
  name: org-accounts
  path: cloudquery/aws
  version: "v22.19.2"
  tables: ["aws_organizations_accounts"]
  destinations: ["postgresql"]
  spec:
    regions:
      - us-east-1
    accounts:
      - id: "Number manager"
        role_arn: "arn:aws:iam::Number:role/CloudqueryManageAccountRole"
---
kind: source
spec:
  name: "aws"
  path: "cloudquery/aws"
  registry: "cloudquery"
  version: "v22.19.2"
  tables: ["aws_s3_buckets", "aws_ec2_instances"]
  destinations: ["postgresql"]
  spec:
    regions:
      - us-east-1
    org:
      admin_account:
        role_arn: "arn:aws:iam::Number:role/CloudqueryManageAccountRole"
      member_role_name: CloudqueryMemberAccountRole
      organization_units:
        - ou-
        - ou-
Is this running on an EC2 instance? How are you specifying your credentials?
If you are running on Fargate, then you want to be sure your task definition is invoking CQ with the --log-console flag. This will ensure all of the logs are available in CloudWatch to properly understand what is going on.
You can see our guide to deploying CloudQuery on ECS here.
So can you go into the logs to see any more errors that may have been sent to CloudWatch?
Prior to that, were there any warnings?
I found the following error:
{
  "error": "failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 6d71a164-94a3-4bd2-b9fa-67b2a7b9470d, api error AccessDenied: User: arn:aws:sts::556795726410:assumed-role/ecsTaskExecutionRole/8fe62ae968cb47a88b81fb4dbe40b945 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::556795726410:role/CloudqueryManageAccountRole"
}
Could someone help me understand why this is happening?
Is that the trust policy?
The trust policy dictates what entities can perform the Action on the associated resource. So in this case, the ECS-Task and Events services can perform the AssumeRole action on that IAM role. You need to attach a policy to that IAM role that allows it to call sts:AssumeRole on another resource. In this case, you would attach a policy to that role to give it access to sts:AssumeRole.
Here is an example policy:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::556795726410:role/CloudqueryManageAccountRole*"
  }
}
I know there's a problem with ec2:DescribeRegions:
{
  "error": "operation error EC2: DescribeRegions, https response error StatusCode: 403, RequestID: 85aa9fb5-ed7f-4dc7-8315-ee49dc74c926, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::556795726410:assumed-role/CloudqueryManageAccountRole/aws-go-sdk-1702415928259154915 is not authorized to perform: ec2:DescribeRegions because no identity-based policy allows the ec2:DescribeRegions action",
  "message": "Failed to find disabled regions for account when checking: us-east-1"
}
It seems that the issue is related to permissions. You may need to check the IAM policies associated with the role CloudqueryManageAccountRole to ensure that it has the necessary permissions to perform the ec2:DescribeRegions operation.
The CloudqueryManageAccountRole needs ec2:DescribeRegions in order to check that regions aren't disabled. If you are following the guide I linked before, I think this probably means that you missed attaching the ReadOnly policy to the role:
aws iam attach-role-policy --role-name <REPLACE_WITH_TASK_ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
You also will need to add ec2:DescribeRegions.
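The two replies above make a point that is easy to get half right: a role-to-role sts:AssumeRole needs both the target role's trust policy (who may assume it) and an identity-based policy on the caller (what the caller may do), and after that the manage role itself needs ec2:DescribeRegions for the region check. The following is an added example, not code from this thread or from CloudQuery: a deliberately simplified Python evaluator that applies both checks to sample policy documents. The account id and role names come from the error messages in the thread; the trust policy and the "before" policies are constructed assumptions, not the poster's real documents; only Allow/Deny with `*`/`?` wildcards is modelled, not Condition blocks, SCPs, permission boundaries or session policies.

```python
import fnmatch

# Account id and role names as they appear in the error messages in this thread.
ACCOUNT = "556795726410"
TASK_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ecsTaskExecutionRole"
MANAGE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CloudqueryManageAccountRole"


def _as_list(value):
    """IAM accepts either a scalar or a list for Statement, Action, Resource and principals."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are case-insensitive and may carry '*' / '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """Resource ARNs are case-sensitive; a trailing '*' (as in the thread's policy) is common."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def identity_decision(policy, action, resource):
    """Evaluate an identity-based policy: explicit Deny beats Allow beats implicit deny."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not _action_matches(stmt.get("Action"), action):
            continue
        if not _resource_matches(stmt.get("Resource"), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def trust_allows(trust_policy, principal, action="sts:AssumeRole"):
    """Does the target role's trust policy name `principal` (a role ARN or a service) for `action`?"""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _action_matches(stmt.get("Action"), action):
            continue
        spec = stmt.get("Principal", {})
        if spec == "*":
            return True
        if principal in _as_list(spec.get("AWS")) + _as_list(spec.get("Service")):
            return True
    return False


def can_assume(caller_policy, target_trust_policy, caller_arn, target_role_arn):
    """Role-to-role AssumeRole succeeds only if BOTH the caller's identity policy and the
    target's trust policy allow it; a 403 AccessDenied looks the same whichever side is missing."""
    return (
        identity_decision(caller_policy, "sts:AssumeRole", target_role_arn) == "Allow"
        and trust_allows(target_trust_policy, caller_arn)
    )


# --- Constructed sample documents (assumptions, not the poster's real policies) ---

# Trust policy on CloudqueryManageAccountRole, assumed to name the ECS task role as principal.
MANAGE_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": TASK_ROLE_ARN}, "Action": "sts:AssumeRole"}],
}

# Task role before the fix: assumed to hold only typical ECS task-execution permissions.
TASK_ROLE_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken", "logs:PutLogEvents"], "Resource": "*"}],
}

# Task role after attaching the policy suggested in the thread (trailing '*' on the resource).
TASK_ROLE_AFTER = {
    "Version": "2012-10-17",
    "Statement": TASK_ROLE_BEFORE["Statement"] + [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": f"arn:aws:iam::{ACCOUNT}:role/CloudqueryManageAccountRole*"}
    ],
}

# Manage role before/after adding ec2:DescribeRegions (the second 403 in the thread).
# DescribeRegions has no resource-level permissions, so the resource is "*".
MANAGE_ROLE_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "organizations:List*", "Resource": "*"}],
}
MANAGE_ROLE_AFTER = {
    "Version": "2012-10-17",
    "Statement": MANAGE_ROLE_BEFORE["Statement"] + [{"Effect": "Allow", "Action": "ec2:DescribeRegions", "Resource": "*"}],
}


if __name__ == "__main__":
    print("AssumeRole before fix:", can_assume(TASK_ROLE_BEFORE, MANAGE_ROLE_TRUST, TASK_ROLE_ARN, MANAGE_ROLE_ARN))
    print("AssumeRole after fix: ", can_assume(TASK_ROLE_AFTER, MANAGE_ROLE_TRUST, TASK_ROLE_ARN, MANAGE_ROLE_ARN))
    print("DescribeRegions before:", identity_decision(MANAGE_ROLE_BEFORE, "ec2:DescribeRegions", "*"))
    print("DescribeRegions after: ", identity_decision(MANAGE_ROLE_AFTER, "ec2:DescribeRegions", "*"))
```

The useful habit this encodes is to test both halves of the chain separately when an AssumeRole returns AccessDenied, since STS does not say which half is missing; in a real account, `aws iam simulate-principal-policy` and `aws iam get-role` (for the trust document) give the authoritative answer that this toy evaluator only approximates.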
Thanks, bro!
I know it’s working, but in some cases, it gives me this error:
operation error Organizations: ListDelegatedServicesForAccount, https response error StatusCode: 400, RequestID: e26bc8f8-f6f3-4bfe-a22e-5e882933d7c6, AccountNotRegisteredException: The provided account is not a registered delegated administrator for your organization
That is a normal error. Not every account can resolve every resource. Some of the resources in the aws_organizations_* tables can only be resolved by delegated admin accounts or the root account.