Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

CPAM AWS cross-account connector showing error in LOG ANALYZER - aws.saas.firstCrossAccountRoleArn

alexb
New Contributor
New Contributor

We are receiving error once we save the AWS Connector, eventhough it shows "connection sucessfully" when we analyze in LOG Analyzer it gives the following message.

Q. What could be the possible solution to resolve this?

--------------------- LOG -------------------------

2023-04-18T14:35:58+03:00-ecm-worker-{"log":"2023-04-18 11:35:58,604 [pool-8-thread-1] DEBUG aws.IAMService - Exception in generateCredentialReport : com.amazonaws.services.identitymanagement.model.AmazonIdentityManagementException: User: arn:aws:sts::42xxxxxxx730:assumed-role/xxx-partner-eks-workernode-role/i-03xxxxxxxxxxxxxfd is not authorized to perform: iam:GenerateCredentialReport on resource: * because no identity-based policy allows the iam:GenerateCredentialReport action (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: 2507cc30-baca-41bb-a0c7-c00a6fa7db34)\n","stream":"stdout","time":"2023-04-18T11:35:58.604341604Z"}
-------------------------------
 
We are using option-1 for making trust between saviynt and aws, please find link below.
 
All reports permissions asked were added to the role, required here:
To create a credential report: iam:GenerateCredentialReport
To download the report: iam:GetCredentialReport
 
So another information that might be relevant, on our configuration file, the SaaS config it's looking like this
------------------------
#SAAS Config
aws.saas.enabled=true
# CPAM info below info provided by Saviynt ticket 16xxxx4
aws.saas.accountid=42xxxxxxx30
aws.saas.rolearn=arn:aws:iam::42xxxxxxx30:role/nixu-partner-eks-workernode-role
aws.saas.rolestackname=xxxx-partner-eks-workernode-role
# CPAM below fields are from partner side
aws.saas.firstCrossAccountRoleArn=arn:aws:iam::48xxxxxx49:role/SaviyntCPAM-SaviyntAWSRole-1XxxxxxxxxxIO
aws.sns.topic.arn = <snstopicname>
-------------------
We have tried to change the rolearn from, main role arn and rolestack arn, but same error persist.
Error
--------------------------------------
aws.saas.firstCrossAccountRoleArn=arn:aws:iam::486448854749:role/SaviyntCPAM-SaviyntAWSRole-1XFMBW0BFG8IO
Error - Failed to import AWS accounts : User:
arn:aws:sts::42xxxxxxx30:assumed-role/xxxx-partne
r-eks-workernode-role/i-03xxxxxxxxxfd is not
authorized to perform: iam:GetAccountSummary on
resource: * because no identity-based policy
allows the iam:GetAccountSummary action (Service:
AmazonIdentityManagement; Status Code: 403; Error
Code: AccessDenied; Request ID:
80c97787-d78e-47a8-be1e-e0e47223deef)
-------------------------------------------
Another information is when running the job for importing the entitlement, entitlement shows up, but job runs with errors.
CPAM_AWS_IAM importError - to Import AWS Data correctly:
com.amazonaws.services.s3control.model.AWSS3Contro
lException: Caller id does not match the account
id in the endpoints. (Service: AWSS3Control;
Status Code: 403; Error Code: AccessDenied;
Request ID: RJ3XMGVXJH5AQ1YB)
 
Any thoughts ?
7 REPLIES 7

NageshK
Saviynt Employee
Saviynt Employee

@alexb Thanks for posting your issue. This is related to connectors and so I have requested for this post to be moved under IGA category for better reach. 

In the meanwhile can you please add more details on when you are seeing the error related to the GenerateCredentialReport. Is it during the import process? Also, please check if the cross account role indeed has the specified permission of iam:GenerateCredentialReport. 

Thanks,

Nagesh K

alexb
New Contributor
New Contributor

Thanks for the reply,

Yes it is during the job import process that the error shows up. (status shows failed) but also on Log Analyzer shows the error shown above "...AccessDenied...".

Refering to the GenerateCredentialReport, GetCredentialReport could you specify it this is a custom policy that we need to create or it's a OOTB policy from AWS? and to where the policy should be applied, (whole account, user, role or as mentioned create one from scratch)?

Yes, it's a full job import with the following custom import config:

---------------------

{
"importEntTypes": {
"IAMPolicy": {},
"AWSRole": {},
"AWSGroup": {}
},
"excludeEntTypes": {
"EC2Instance": {"storeIAMRoleForEC2Instance":"true"}
}
}

{
"importEntTypes": {
"IAMPolicy": {},
"AWSRole": {},
"AWSGroup": {},
"EC2Instance": {"storeIAMRoleForEC2Instance":"true"}
},
"excludeEntTypes": {
"SecurityGroup": {},
"AMI": {},
"ElasticLoadBalancer": {},
"DhcpOption": {},
"VPC": {},
"Subnet": {},
"NACL": {},
"S3Bucket": {},
"EBSVolume": {},
"EBSSnapshot": {},
"DBSecurityGroup": {},
"RdsDbInstance": {},
"RouteTable": {},
"VpcPeering": {},
"InternetGateway": {},
"CloudTrail": {},
"NetworkInterface": {},
"RedShiftClusterSecurityGroup": {},
"RedShiftCluster": {},
"ElasticIP": {},
"CloudFormation": {},
"EncryptionKey": {},
"NatGateway": {},
"SnsTopic": {},
"SQS": {},
"AWSConfig": {},
"DynamoDB": {},
"VpcFlowLog": {},
"Glacier": {},
"RDSSnapshot": {},
"EFS": {},
"MountTarget": {},
"ReputedIP": {},
"ElasticSearch": {},
"CloudFormationTemplatesFromS3": {},
"EMR": {},
"VpcEndpoint": {},
"VirtualMFADevice": {},
"CloudWatchLogGroup": {},
"CloudWatchAlarm": {},
"Workspace": {},
"Directory": {},
"WorkspaceBundle": {},
"AppELB": {},
"ACM": {},
"AutoScaling": {},
"LaunchConfig": {},
"Route53": {},
"CloudFront": {},
"RDSEventSubscription": {},
"AWSLambda": {},
"GuardDuty": {},
"WAFCondition": {},
"WAFWebACL": {},
"RedShiftParameterGroup": {},
"WAFRule": {},
"AWSAccountSettings": {}
}
}

------------

 

alexb
New Contributor
New Contributor

We did add the policies generatecredentialreport and getcredentialreport to Saviynt Role and cpam user, but would be nice to know which specific requires the policy.

The error we are getting during the import is:

----------------
: User:
arn:aws:sts::42299XXXX730:assumed-role/nixu-partne
r-eks-workernode-role/i-0318f2fXXXX7a7ffd is not
authorized to perform: iam:GetAccountSummary on
resource: * because no identity-based policy
allows the iam:GetAccountSummary action (Service:
AmazonIdentityManagement; Status Code: 403;
---------------------------

NageshK
Saviynt Employee
Saviynt Employee

@alexb This will most probably require a working session to review the cross account role and the policy associated to it. I suggest opening a FD ticket to take this further.

Also, in the first post you mentioned that you switched the roles in externalconfig properties post which you got the error at GetAccountSummary. Did you revert those changes yet? 

Thanks,

Nagesh K

alexb
New Contributor
New Contributor

Yes, we believe a session it's probably the most appropriate form to avoid too much messages going around. 

Yes, we did revert back to original role, we tried a variety of try and errors possible solutions, but none did proceed.

Could you please advise on, what is the best way to arrange this session?

NageshK
Saviynt Employee
Saviynt Employee

@alexb As I mentioned in my previous response, you have to open an FD ticket to take this further.

Thanks,

Nagesh K

alexb
New Contributor
New Contributor

Hi Nagesh, 

Thanks, already done!