trying to use a custom role - where all do I change it? #161
Comments
@jsheflin is the custom role you need for creating the resources? it sounds like you might need something like this:

```hcl
provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    session_name = "SESSION_NAME"
    external_id  = "EXTERNAL_ID"
  }
}
```

if so, you'd have to edit the main.tf with your values
thank you so much for the quick response.
Yes, to create resources.
I changed role in main.tf and lambda_iam.tf, but still seeing the same
access denied, can't create s3bucket, even after I already created the
bucket and put it in terraform.tfvars.
I am brand new to terraform, so perhaps I am doing something ditzy.
On Tue, Aug 4, 2020 at 8:05 PM ryandeivert ***@***.***> wrote:
> @jsheflin <https://github.com/jsheflin> is the custom role you need for creating the resources? it sounds like you might need something like this <https://registry.terraform.io/providers/hashicorp/aws/latest/docs#assume-role>. if so, you'd have to edit the main.tf <https://github.com/airbnb/binaryalert/blob/master/terraform/main.tf> with your values
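@jsheflin please follow the above advice and do not change the `lambda_iam.tf` file itself. if you're getting access denied with the role you're supplying in the provider block (using `role_arn`) then you should check to make sure that role has the permissions you need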
will do, thanks
On Tue, Aug 4, 2020 at 8:38 PM ryandeivert ***@***.***> wrote:
> @jsheflin <https://github.com/jsheflin> please follow the above advice and do not change the lambda_iam.tf file itself. if you're getting access denied with the role you're supplying in the provider block (using role_arn) then you should check to make sure that role has the permissions you need
So I can't assume the roles I need to run the deploy. I guess my only route is to request more permissions from the owner? Or is there any route around? I can create the buckets, logs, policies, SQS, SNS, via aws console. I know this is not a binaryalert issue, so thanks for the help already.
Thanks for sharing this, BTW, it will be wonderful when I get it working.
Need to deploy with an existing role due to permission issues.
I replaced the role in lambda_iam.tf (2 times), but I am still getting the "Access Denied" while deploying.
Where else should I add my custom role?
thanks
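
An added example, not part of this thread or of BinaryAlert's own Terraform: what an account owner could define so that the provider `assume_role` block suggested in the comments can succeed, namely a role whose trust policy names the deploying user (with the external ID as a condition) and a caller-side policy scoped to that one role. The account ID, user name, role name and external ID are placeholders or hypothetical, and the permissions the role needs for the deploy itself are not shown.

```hcl
# Added example; every name and ID here is a placeholder, not a value from the thread.
variable "account_id" { default = "111122223333" }         # placeholder account ID
variable "deployer" { default = "binaryalert-deployer" }   # hypothetical IAM user
variable "external_id" { default = "EXTERNAL_ID" }         # same value as in the provider block

# Trust policy: who may assume the deployment role, and under what condition.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.account_id}:user/${var.deployer}"]
    }

    # Must match external_id in the provider's assume_role block.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

# The role referenced by role_arn in the provider block.
# It still needs a separate permissions policy covering the resources
# the deploy creates (S3, SQS, SNS, logs, IAM); that policy is not shown.
resource "aws_iam_role" "deploy" {
  name               = "ROLE_NAME"
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Caller side: the deploying user may assume only this one role.
data "aws_iam_policy_document" "caller" {
  statement {
    effect    = "Allow"
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.deploy.arn]
  }
}

resource "aws_iam_user_policy" "allow_assume" {
  name   = "assume-deploy-role"
  user   = var.deployer
  policy = data.aws_iam_policy_document.caller.json
}
```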