Description
Hi 👋
In the company I want to use AWS Copilot in, AWS credentials are provided through a custom-built company portal. Each of these credentials is a short-lived session credential issued by AWS STS and has a source identity and transitive session tags. Both of these are transitive and are passed to chained assume-role calls.
When deploying a new copilot app and env, copilot creates a new environment manager role using these credentials. However, for the first deployment (or package) of the environment, I get the following error message:
```
get template version of environment production: get metadata for stack aws-copilot-production: get template summary: AccessDenied: User: arn:aws:sts::...:assumed-role/role-name/session-name is not authorized to perform: sts:SetSourceIdentity on resource: arn:aws:iam::...:role/aws-copilot-production-EnvManagerRole
status code: 403, request id: 32e97d48-...
```
This happens because the env manager role allows neither the sts:SetSourceIdentity nor the sts:TagSession permission in its assume role policy. I tried to "fix" that with a yaml override, however, it seems that overrides are not taken into account by copilot when first initialising a new app/env?
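The trust-policy gap described above can be checked before a deployment is attempted. The following script is an added example, not part of this issue or of the AWS Copilot project: it takes a role's trust policy document (the same JSON that `iam:GetRole` returns as `AssumeRolePolicyDocument`) and reports which of the actions a chained assume-role with a source identity and transitive session tags needs (`sts:AssumeRole`, `sts:TagSession`, `sts:SetSourceIdentity`) are not granted. The two policy documents and the account id are constructed placeholders.

```python
"""Check whether an IAM role trust policy lets a caller whose session carries
a source identity and transitive session tags assume the role.

Added example, not code from the original issue or from AWS Copilot. The
policy documents below are constructed; the account id is a placeholder.
"""
import fnmatch
import json

# Actions STS requires in the target role's trust policy when the calling
# session already carries a source identity (SetSourceIdentity) and
# transitive session tags (TagSession), in addition to AssumeRole itself.
REQUIRED_ACTIONS = ("sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity")


def _as_list(value):
    """Normalize an IAM policy field that may be a string, a list, or absent."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_sts_actions(trust_policy: dict) -> set:
    """Return the subset of REQUIRED_ACTIONS granted by some Allow statement.

    IAM action patterns may contain wildcards ("sts:*", "*"), so each required
    action is matched case-insensitively with fnmatch. Condition elements and
    explicit Deny statements are not evaluated, so the result is an upper bound
    on what the policy grants.
    """
    granted = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        for action in REQUIRED_ACTIONS:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                granted.add(action)
    return granted


def missing_sts_actions(trust_policy: dict) -> list:
    """Required actions the trust policy does not allow, in REQUIRED_ACTIONS order."""
    granted = allowed_sts_actions(trust_policy)
    return [a for a in REQUIRED_ACTIONS if a not in granted]


# Constructed: a trust policy that only allows AssumeRole. A caller with a
# source identity on its session gets the AccessDenied from the issue.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account
        "Action": "sts:AssumeRole",
    }],
}

# Constructed: the same trust policy, also allowing the two transitive-session actions.
FIXED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # placeholder account
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
    }],
}


def main():
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("fixed", FIXED_TRUST_POLICY)):
        print(f"{name}: missing {json.dumps(missing_sts_actions(policy))}")


if __name__ == "__main__":
    main()
```

In practice the document to check is the `AssumeRolePolicyDocument` of the environment manager role as returned by `iam:GetRole`; the script deliberately ignores `Condition` and `Deny` elements, so an empty result means the actions are present, not that every caller will be allowed.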