# help
p
I’m running `sst deploy` on an EC2 instance as part of our build pipeline, and having problems getting it to use an AWS_PROFILE that resides in another account. In `~/.aws/config` the profile looks like so:

```
[profile sandbox]
role_arn = arn:aws:iam.../SandboxAdmin
region = eu-west-2
credential_source = Ec2InstanceMetadata
```

and the pipeline just tries to run `AWS_PROFILE=sandbox sst deploy --stage test`, but the error I get is:

```
reparing your SST app
Deploying stacks
AccessDenied: User: arn:aws:sts::035571076409:assumed-role/GitlabRunner/i-0da27111607bdae26 is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:eu-west-2:... because no identity-based policy allows the cloudformation:DescribeStacks action
```

This suggests to me that it’s not reading that aws sandbox profile at all. This GitlabRunner IAM role definitely has permission to assume these roles; it and the `~/.aws/config` file have been used for a while in our terraform environment. If I swap the `~/.aws/config` out and point `[profile sandbox]` at my own `role_session_name` and then provide my credentials in `~/.aws/credentials`, it works. Both my role and the GitlabRunner role have perms to assume this sandbox role in the other account. How do I correctly point at AWS profiles that the IAM role has permissions to assume, when using Ec2InstanceMetadata?
f
Hmm.. yeah it seems it’s not handling assume role properly. Lemme take a quick look.
p
Hey Frank, would you like me to go ahead and raise an issue on the repo for this? I'm aware it might not be a trivial thing to get fixed.
f
Hey @Piers Williams, that’d be great.
Btw, are you blocked by this?
p
We're not blocked by this but it will require some workarounds for us - medium priority but low severity. Issue is raised here: https://github.com/serverless-stack/serverless-stack/issues/1328