
EnvManagerRole does not support source identities or tagged sessions #5358

Open
@FlorianSW

Description

Hi 👋

In the company where I want to use AWS Copilot, AWS credentials are provided through a custom-built company portal. Each of these credentials is a short-lived session credential issued by AWS STS and has a source identity and transitive session tags. Both of these are transitive and are passed to chained assume-role calls.

When deploying a new copilot app and env, copilot creates a new environment manager role using these credentials. However, for the first deployment (or package) of the environment, I get the following error message:

```text
get template version of environment production: get metadata for stack aws-copilot-production: get template summary: AccessDenied: User: arn:aws:sts::...:assumed-role/role-name/session-name is not authorized to perform: sts:SetSourceIdentity on resource: arn:aws:iam::...:role/aws-copilot-production-EnvManagerRole
        status code: 403, request id: 32e97d48-...
```

as the env manager role does not allow either the sts:SetSourceIdentity or the sts:TagSession permission in its assume role policy. I tried to "fix" that with a YAML override; however, it seems that overrides are not taken into account by Copilot when first initialising a new app/env?
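As an added illustration (not code from the issue, from Copilot, or from AWS), the following Python models the check a practitioner would run against the EnvManagerRole's trust policy before deploying with portal-issued session credentials. It reports which of sts:SetSourceIdentity and sts:TagSession a trust policy fails to allow, simulates which action STS would report as not authorized for a caller whose session carries a source identity and/or transitive session tags, and produces a corrected copy of the policy. The trust policy, account ID, principal ARN and session values are constructed stand-ins, not the real Copilot-generated template.

```python
import copy

# Constructed stand-in for a Copilot-style EnvManagerRole trust policy (not the real
# template); the account ID and principal are hypothetical.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Actions a chained AssumeRole call needs in the target role's trust policy when the
# calling session carries a source identity or transitive session tags.
SOURCE_IDENTITY_ACTION = "sts:SetSourceIdentity"
TAG_SESSION_ACTION = "sts:TagSession"


def _actions(stmt):
    """Normalise a statement's Action field (string or list) to a list."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def allowed_actions(trust_policy):
    """Collect every action granted by an Allow statement (Deny statements and
    Condition blocks are deliberately ignored in this simplified model)."""
    allowed = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            allowed.update(_actions(stmt))
    return allowed


def _is_allowed(action, allowed):
    return action in allowed or "sts:*" in allowed or "*" in allowed


def missing_session_actions(trust_policy):
    """Return the transitive-session actions the trust policy does not allow."""
    allowed = allowed_actions(trust_policy)
    return [a for a in (SOURCE_IDENTITY_ACTION, TAG_SESSION_ACTION)
            if not _is_allowed(a, allowed)]


def first_denied_action(trust_policy, source_identity=None, transitive_tags=None):
    """Model the STS authorization decision for a chained AssumeRole call.

    Returns the first action STS would report as not authorized, or None if the
    trust policy permits the call. A session carrying a source identity needs
    sts:SetSourceIdentity and one carrying transitive tags needs sts:TagSession,
    on top of sts:AssumeRole.
    """
    required = ["sts:AssumeRole"]
    if source_identity:
        required.append(SOURCE_IDENTITY_ACTION)
    if transitive_tags:
        required.append(TAG_SESSION_ACTION)
    allowed = allowed_actions(trust_policy)
    for action in required:
        if not _is_allowed(action, allowed):
            return action
    return None


def allow_session_actions(trust_policy):
    """Return a copy of the policy in which every Allow statement granting
    sts:AssumeRole also grants sts:SetSourceIdentity and sts:TagSession.
    The input policy is left unchanged."""
    patched = copy.deepcopy(trust_policy)
    for stmt in patched.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _actions(stmt)
        if "sts:AssumeRole" in actions:
            for extra in (SOURCE_IDENTITY_ACTION, TAG_SESSION_ACTION):
                if extra not in actions:
                    actions.append(extra)
            stmt["Action"] = actions
    return patched


if __name__ == "__main__":
    # Constructed session resembling the portal-issued credentials in the issue: a source
    # identity is set and a transitive tag is present, so the weak policy denies
    # sts:SetSourceIdentity first, matching the AccessDenied message quoted above.
    session = dict(source_identity="portal-user", transitive_tags={"team": "platform"})
    print("weak policy denies:", first_denied_action(WEAK_TRUST_POLICY, **session))
    fixed = allow_session_actions(WEAK_TRUST_POLICY)
    print("fixed policy denies:", first_denied_action(fixed, **session))
    print("fixed policy actions:", fixed["Statement"][0]["Action"])
```

The model only looks at Allow statements and action names; real IAM evaluation also honours explicit Deny statements, Condition blocks and principal matching, so treat a "None" result as "the trust policy does not obviously block the call", not as proof that AssumeRole will succeed. The patched policy is the shape the trust policy needs to take (whether applied by an override or by a template change) for a session with a source identity and transitive tags to assume the role.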
