I’m trying to get a CI pipeline going with multiple AWS accounts and am running into a bit of an issue. The setup is using AWS Organizations with roles to have serverless deploy into child accounts. I have a role in the child account with AdminAccess, a role in the parent account that is allowed to assume the role in the child account, and an EC2 instance in the parent account with that role assigned.
Using the .aws/credentials file I set up a profile to work with serverless on the EC2 box using role_arn and credential_source=Ec2InstanceMetadata. Using ‘aws iam list-users’ I can verify the AWS CLI is using the proper profile; however, when I try to use serverless it appears to use the role to deploy to the parent account rather than the child account:
User: arn:aws:sts::000000000000:assumed-role/AssumeRoleServerlessTestAccountAdmin/i-05b9a0da90ee682a1 is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:us-east-1:000000000000:stack/flask-api-demo-dev/*
I thought I had this working the other day, but perhaps I had some actual AWS credentials rather than using roles. In either case, it appears serverless is using the role in the parent account; it’s just targeting the parent account, which it does not have permissions to operate on. If I use a workaround and set the assumed credentials manually, serverless does target the child account correctly.
Has anyone run into this problem or successfully used EC2 roles to allow cross-account deployment?
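The manual workaround the post mentions (assume the child-account role yourself and hand the temporary credentials to serverless through the environment), written out as an added example; this is not the poster's code or anything from the Serverless Framework. The role ARN, the child account ID, the session name and the two sample STS responses are constructed placeholders. The point of the `check_account` step is the one the error message in the post illustrates: confirm which account the credentials resolve to before running `serverless deploy`, rather than finding out from a CloudFormation AccessDenied. Environment credentials come first in the SDK credential chain, and `AWS_PROFILE` is unset so nothing falls back to the parent-account profile.

```shell
#!/bin/sh
# Added example, not from the original post: assume the child-account role from
# the parent-account EC2 instance profile, export the temporary credentials, and
# only then run `serverless deploy`. All identifiers below are placeholders.
set -eu

# Assumed placeholders: the child account and the deploy role inside it.
CHILD_ROLE_ARN="${CHILD_ROLE_ARN:-arn:aws:iam::111111111111:role/ServerlessDeploy}"
EXPECTED_ACCOUNT="${EXPECTED_ACCOUNT:-111111111111}"
SESSION_NAME="${SESSION_NAME:-serverless-ci}"

# Constructed sample of what `aws sts assume-role` prints (values are fake).
SAMPLE_ASSUME_ROLE='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY",
        "SecretAccessKey": "exampleSecretKey",
        "SessionToken": "exampleSessionToken+/=",
        "Expiration": "2020-01-01T00:00:00Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:serverless-ci",
        "Arn": "arn:aws:sts::111111111111:assumed-role/ServerlessDeploy/serverless-ci"
    }
}'

# Constructed sample of `aws sts get-caller-identity` after the assume-role.
SAMPLE_CALLER_IDENTITY='{
    "UserId": "AROAEXAMPLE:serverless-ci",
    "Account": "111111111111",
    "Arn": "arn:aws:sts::111111111111:assumed-role/ServerlessDeploy/serverless-ci"
}'

# Extract one "Key": "value" string field from CLI JSON output without jq.
# $1 = JSON text, $2 = key name. Prints the first match, or nothing.
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Turn an assume-role response into `export` lines for the three variables the
# AWS SDKs (and therefore serverless) read from the environment.
creds_to_env() {
  ak=$(json_field "$1" AccessKeyId)
  sk=$(json_field "$1" SecretAccessKey)
  st=$(json_field "$1" SessionToken)
  [ -n "$ak" ] && [ -n "$sk" ] && [ -n "$st" ] || return 1
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$ak"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$sk"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$st"
}

# Succeed only if the caller identity belongs to the expected account.
# $1 = get-caller-identity JSON, $2 = expected 12-digit account ID.
check_account() {
  acct=$(json_field "$1" Account)
  [ "$acct" = "$2" ]
}

# Real run: `./deploy.sh deploy` on the EC2 box. With no argument only the
# functions above are defined, so the file can be sourced or tested offline.
if [ "${1:-}" = "deploy" ]; then
  resp=$(aws sts assume-role --role-arn "$CHILD_ROLE_ARN" --role-session-name "$SESSION_NAME")
  eval "$(creds_to_env "$resp")"
  # Drop any profile so the SDK cannot resolve back to the parent-account role.
  unset AWS_PROFILE AWS_DEFAULT_PROFILE
  if ! check_account "$(aws sts get-caller-identity)" "$EXPECTED_ACCOUNT"; then
    echo "refusing to deploy: credentials do not belong to account $EXPECTED_ACCOUNT" >&2
    exit 1
  fi
  serverless deploy
fi
```

The credentials are exported into the shell that launches `serverless`, so the framework picks them up through the normal environment-variable path regardless of how it handles `credential_source` in a profile. Session tokens expire (one hour by default for role chaining), so run the assume-role step at the start of each pipeline job rather than caching its output.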