Cannot Onboard a AWS Account
So after I finally got the CloudFormation working, now I am trying to onboard my AWS account, however, I have the following problem as shown in this (compiled) screenshot:
It doesn't matter how setup the two roles + policies. I get the same error. If anyone has a working configuration and can post the JSON, maybe that would help.
-
Jess,
it seems the Trust relationship is missing in the role. What do you see in your aws account when you hit the Trust relationships tab?
-
The trust relationship looks the same as what you posted for that role.
-
Jesse Spangenberger - I understand you had issues deploying your controller using the CF template so its possible IAM is messed up in the process. here is everything that needs to be in place, take a look and hopefully it will resolve your issue. -https://docs.aviatrix.com/HowTos/HowTo_IAM_role.html#setup-secondary-account-iam-manually
-
Hariram Sankaran Well, that made a few changes but no dice yet. =\
I only think there is some configuration wrong for the Trust relationships.
I did create an org and added a second account but can't it this to work with either the root or the secondary account.
-
Jesse Spangenberger
Exception CloudxErrExt Context:message:Failed to assume role to your aviatrix-role-app. The policy associated with the role must include AssumeRole.
class:CloudxErrExt
cloud_type:[1]
account_name:[Financeware-Aviatrix]
Yeh I think what Hari pointed out in #2, could be the issue here.
In IAM role, can you check if the AWS subscription ID is there?
The ID should be there in the Trust Relationship. -
Shahzad Ali See response below.
-
-
1 - Does the controller ec2 instance have "aviatrix-role-ec2" role attached to it?
2 - Does the Trust relationship column for "aviatrix-role-app" have the controller's own Account number in it?
-
Hariram Sankaran
1 - Does the controller ec2 instance have "aviatrix-role-ec2" role attached to it? Yes
2 - Does the Trust relationship column for "aviatrix-role-app" have the controller's own Account number in it? "controller's own Account number" < this probably an issue. I do not think the Cloudformation created a direct account for the controller. I have been attempting to use my own since there was no information on creation or usage of an account directly for the controller. Is there documentation on this configuration somewhere?
-
Jesse Spangenberger You do not need to create a new one directly for the controller. Let me share my screens in a bit
-
Shahzad Ali hmm, well, where do you get the account id if it's not the root account?
-
Jesse Spangenberger
-
Jesse Spangenberger Click on the Support --> Support Center top right
-
Jesse Spangenberger were you able to fix it?
-
Jesse Spangenberger if you are still running into issue, open an Aviatrix support ticket please
-
Shahzad Ali Not yet. I got busy yesterday. I was going to take a look at it today.
-
Shahzad Ali Okay, so I was missing the AdminstrationAccess policy on the role. hmm. I don't think that was mentioned anywhere either. Thank you for the help!
-
Jesse Spangenberger Glad that it worked for you
-
