Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

CPAM AWS cross-account connector showing error in LOG ANALYZER - aws.saas.firstCrossAccountRoleArn

alexb
New Contributor
New Contributor

‎05/26/2023 04:43 AM

We are receiving error once we save the AWS Connector, eventhough it shows "connection sucessfully" when we analyze in LOG Analyzer it gives the following message.

Q. What could be the possible solution to resolve this?

--------------------- LOG -------------------------

2023-04-18T14:35:58+03:00-ecm-worker-{"log":"2023-04-18 11:35:58,604 [pool-8-thread-1] DEBUG aws.IAMService - Exception in generateCredentialReport : com.amazonaws.services.identitymanagement.model.AmazonIdentityManagementException: User: arn:aws:sts::42xxxxxxx730:assumed-role/xxx-partner-eks-workernode-role/i-03xxxxxxxxxxxxxfd is not authorized to perform: iam:GenerateCredentialReport on resource: * because no identity-based policy allows the iam:GenerateCredentialReport action (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: 2507cc30-baca-41bb-a0c7-c00a6fa7db34)\n","stream":"stdout","time":"2023-04-18T11:35:58.604341604Z"}
-------------------------------
 
We are using option-1 for making trust between saviynt and aws, please find link below.
 
All reports permissions asked were added to the role, required here:
To create a credential report: iam:GenerateCredentialReport
To download the report: iam:GetCredentialReport
 
So another information that might be relevant, on our configuration file, the SaaS config it's looking like this
------------------------
#SAAS Config
aws.saas.enabled=true
# CPAM info below info provided by Saviynt ticket 16xxxx4
aws.saas.accountid=42xxxxxxx30
aws.saas.rolearn=arn:aws:iam::42xxxxxxx30:role/nixu-partner-eks-workernode-role
aws.saas.rolestackname=xxxx-partner-eks-workernode-role
# CPAM below fields are from partner side
aws.saas.firstCrossAccountRoleArn=arn:aws:iam::48xxxxxx49:role/SaviyntCPAM-SaviyntAWSRole-1XxxxxxxxxxIO
aws.sns.topic.arn = <snstopicname>
-------------------
We have tried to change the rolearn from, main role arn and rolestack arn, but same error persist.
Error
--------------------------------------
aws.saas.firstCrossAccountRoleArn=arn:aws:iam::486448854749:role/SaviyntCPAM-SaviyntAWSRole-1XFMBW0BFG8IO
Error - Failed to import AWS accounts : User:
arn:aws:sts::42xxxxxxx30:assumed-role/xxxx-partne
r-eks-workernode-role/i-03xxxxxxxxxfd is not
authorized to perform: iam:GetAccountSummary on
resource: * because no identity-based policy
allows the iam:GetAccountSummary action (Service:
AmazonIdentityManagement; Status Code: 403; Error
Code: AccessDenied; Request ID:
80c97787-d78e-47a8-be1e-e0e47223deef)
-------------------------------------------
Another information is when running the job for importing the entitlement, entitlement shows up, but job runs with errors.
CPAM_AWS_IAM importError - to Import AWS Data correctly:
com.amazonaws.services.s3control.model.AWSS3Contro
lException: Caller id does not match the account
id in the endpoints. (Service: AWSS3Control;
Status Code: 403; Error Code: AccessDenied;
Request ID: RJ3XMGVXJH5AQ1YB)
 
Any thoughts ?
0 Kudos
7 REPLIES 7

NageshK
Saviynt Employee
Saviynt Employee

‎06/08/2023 09:08 AM

@alexb Thanks for posting your issue. This is related to connectors and so I have requested for this post to be moved under IGA category for better reach. 

In the meanwhile can you please add more details on when you are seeing the error related to the GenerateCredentialReport. Is it during the import process? Also, please check if the cross account role indeed has the specified permission of iam:GenerateCredentialReport. 

Thanks,

Nagesh K

0 Kudos

alexb
New Contributor
New Contributor
In response to NageshK

‎06/08/2023 09:11 PM

Thanks for the reply,

Yes it is during the job import process that the error shows up. (status shows failed) but also on Log Analyzer shows the error shown above "...AccessDenied...".

Refering to the GenerateCredentialReport, GetCredentialReport could you specify it this is a custom policy that we need to create or it's a OOTB policy from AWS? and to where the policy should be applied, (whole account, user, role or as mentioned create one from scratch)?

Yes, it's a full job import with the following custom import config:

---------------------

{
"importEntTypes": {
"IAMPolicy": {},
"AWSRole": {},
"AWSGroup": {}
},
"excludeEntTypes": {
"EC2Instance": {"storeIAMRoleForEC2Instance":"true"}
}
}

{
"importEntTypes": {
"IAMPolicy": {},
"AWSRole": {},
"AWSGroup": {},
"EC2Instance": {"storeIAMRoleForEC2Instance":"true"}
},
"excludeEntTypes": {
"SecurityGroup": {},
"AMI": {},
"ElasticLoadBalancer": {},
"DhcpOption": {},
"VPC": {},
"Subnet": {},
"NACL": {},
"S3Bucket": {},
"EBSVolume": {},
"EBSSnapshot": {},
"DBSecurityGroup": {},
"RdsDbInstance": {},
"RouteTable": {},
"VpcPeering": {},
"InternetGateway": {},
"CloudTrail": {},
"NetworkInterface": {},
"RedShiftClusterSecurityGroup": {},
"RedShiftCluster": {},
"ElasticIP": {},
"CloudFormation": {},
"EncryptionKey": {},
"NatGateway": {},
"SnsTopic": {},
"SQS": {},
"AWSConfig": {},
"DynamoDB": {},
"VpcFlowLog": {},
"Glacier": {},
"RDSSnapshot": {},
"EFS": {},
"MountTarget": {},
"ReputedIP": {},
"ElasticSearch": {},
"CloudFormationTemplatesFromS3": {},
"EMR": {},
"VpcEndpoint": {},
"VirtualMFADevice": {},
"CloudWatchLogGroup": {},
"CloudWatchAlarm": {},
"Workspace": {},
"Directory": {},
"WorkspaceBundle": {},
"AppELB": {},
"ACM": {},
"AutoScaling": {},
"LaunchConfig": {},
"Route53": {},
"CloudFront": {},
"RDSEventSubscription": {},
"AWSLambda": {},
"GuardDuty": {},
"WAFCondition": {},
"WAFWebACL": {},
"RedShiftParameterGroup": {},
"WAFRule": {},
"AWSAccountSettings": {}
}
}

------------

 

0 Kudos

alexb
New Contributor
New Contributor

‎06/09/2023 12:02 AM

We did add the policies generatecredentialreport and getcredentialreport to Saviynt Role and cpam user, but would be nice to know which specific requires the policy.

The error we are getting during the import is:

----------------
: User:
arn:aws:sts::42299XXXX730:assumed-role/nixu-partne
r-eks-workernode-role/i-0318f2fXXXX7a7ffd is not
authorized to perform: iam:GetAccountSummary on
resource: * because no identity-based policy
allows the iam:GetAccountSummary action (Service:
AmazonIdentityManagement; Status Code: 403;
---------------------------

0 Kudos

NageshK
Saviynt Employee
Saviynt Employee

‎06/09/2023 08:18 AM

@alexb This will most probably require a working session to review the cross account role and the policy associated to it. I suggest opening a FD ticket to take this further.

Also, in the first post you mentioned that you switched the roles in externalconfig properties post which you got the error at GetAccountSummary. Did you revert those changes yet? 

Thanks,

Nagesh K

0 Kudos

alexb
New Contributor
New Contributor
In response to NageshK

‎06/11/2023 11:11 PM

Yes, we believe a session it's probably the most appropriate form to avoid too much messages going around. 

Yes, we did revert back to original role, we tried a variety of try and errors possible solutions, but none did proceed.

Could you please advise on, what is the best way to arrange this session?

0 Kudos

NageshK
Saviynt Employee
Saviynt Employee

‎06/12/2023 06:48 AM

@alexb As I mentioned in my previous response, you have to open an FD ticket to take this further.

Thanks,

Nagesh K

0 Kudos

alexb
New Contributor
New Contributor
In response to NageshK

‎06/12/2023 07:00 AM

Hi Nagesh, 

Thanks, already done!

 

0 Kudos
Copyright © 2024 Khoros, LLC