
Blog Article on how to update SRA Solutions #297

Open
janahockenberger opened this issue Apr 14, 2025 · 7 comments

@janahockenberger

Hi,
I saw in your backlog that you will work on an update procedure for SRA.
I wrote a blog post about which steps worked for us; maybe this helps you with your task:
https://dev.to/janahockenberger/how-to-update-aws-sra-in-your-control-tower-environment-4naf

Kind regards,
Jana

@mukavik

mukavik commented Apr 15, 2025

Hi Jana

Thanks for sharing this with us. Would you be OK with us posting this on LinkedIn to share it with others?

Thanks
Avik

@janahockenberger
Author

Hi Avik,

Sure, that would be cool! You can also mark my LinkedIn: https://www.linkedin.com/in/jana-hockenberger/

Kind regards,
Jana

@sbrown-tecracer

Is there an official release of the SRA update process?

I am asking because the Blog entry fails with access denied:

```
[Container] 2025/04/30 18:03:18.004435 Running command aws sts get-caller-identity
{
"UserId": "AROAVRUVPHSNCAQVQLIPV:AWSCodeBuild-ee26e4e1-d214-43c5-9db2-44c2720ce72c",
"Account": "xxxxxxxxxxxx",
"Arn": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/sra-codebuild-role/AWSCodeBuild-ee26e4e1-d214-43c5-9db2-44c2720ce72c"
}
[Container] 2025/04/30 18:03:29.926987 Running command echo Deploying SRA staging bucket cloudformation template...
Deploying SRA staging bucket cloudformation template...
[Container] 2025/04/30 18:03:29.931192 Running command aws cloudformation deploy --template-file ./aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml --stack-name $SRA_STAGING_S3_BUCKET_STACK_NAME --capabilities CAPABILITY_NAMED_IAM

An error occurred (AccessDenied) when calling the GetTemplateSummary operation: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/sra-codebuild-role/AWSCodeBuild-ee26e4e1-d214-43c5-9db2-44c2720ce72c is not authorized to perform: cloudformation:GetTemplateSummary on resource: arn:aws:cloudformation:eu-central-1:xxxxxxxxxxxxxx:stack/sra-common-prerequisites-staging-s3-bucket/6e87abd0-9606-11ef-a900-0a711dd571e7 because no identity-based policy allows the cloudformation:GetTemplateSummary action

[Container] 2025/04/30 18:03:30.847180 Command did not exit successfully aws cloudformation deploy --template-file ./aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml --stack-name $SRA_STAGING_S3_BUCKET_STACK_NAME --capabilities CAPABILITY_NAMED_IAM exit status 254
[Container] 2025/04/30 18:03:30.852209 Phase complete: BUILD State: FAILED
[Container] 2025/04/30 18:03:30.852226 Phase context status code: COMMAND_EXECUTION_ERROR Message: Error while executing command: aws cloudformation deploy --template-file ./aws_sra_examples/solutions/common/common_prerequisites/templates/sra-common-prerequisites-staging-s3-bucket.yaml --stack-name $SRA_STAGING_S3_BUCKET_STACK_NAME --capabilities CAPABILITY_NAMED_IAM. Reason: exit status 254
[Container] 2025/04/30 18:03:30.893267 Entering phase POST_BUILD
[Container] 2025/04/30 18:03:30.894430 Running command echo Build completed on date
Build completed on Wed Apr 30 18:03:30 UTC 2025
```

@janahockenberger
Author

The message pretty much says it:

```
An error occurred (AccessDenied) when calling the GetTemplateSummary operation: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/sra-codebuild-role/AWSCodeBuild-ee26e4e1-d214-43c5-9db2-44c2720ce72c is not authorized to perform: cloudformation:GetTemplateSummary on resource: arn:aws:cloudformation:eu-central-1:xxxxxxxxxxxxxx:stack/sra-common-prerequisites-staging-s3-bucket/6e87abd0-9606-11ef-a900-0a711dd571e7 because no identity-based policy allows the cloudformation:GetTemplateSummary action
```

Just add the `cloudformation:GetTemplateSummary` action to the `sra-codebuild-role`.

@sbrown-tecracer

@janahockenberger, you mean this needs adding to the source code: aws_sra_examples/easy_setup/templates/sra-easy-setup.yaml since this is the creator of the Role?

@mukavik

mukavik commented May 5, 2025

> Is there an official release of the SRA update process?
>
> I am asking because the Blog entry fails with access denied:


Please stay tuned; we are working on an update to the code library solutions that will make deployment and upgrades easier. It will also support dry-run capability along with other enhancements.

@janahockenberger
Author

@sbrown-tecracer Either that or add the action in the policy in the console. Depending on how strong your will for a perfect IaC is :D
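
As an added example (not part of the thread or of the SRA project's code), this Python script turns the AccessDenied line from the build log above into an Allow statement for the role named in the error, scoped to the stack instead of `*`. The function names and the choice to wildcard only the trailing stack id are assumptions made here.

```python
import json
import re

# Abridged copy of the build log posted in this thread (account id masked as posted).
SAMPLE_LOG = """\
[Container] 2025/04/30 18:03:18.004435 Running command aws sts get-caller-identity
An error occurred (AccessDenied) when calling the GetTemplateSummary operation: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/sra-codebuild-role/AWSCodeBuild-ee26e4e1-d214-43c5-9db2-44c2720ce72c is not authorized to perform: cloudformation:GetTemplateSummary on resource: arn:aws:cloudformation:eu-central-1:xxxxxxxxxxxxxx:stack/sra-common-prerequisites-staging-s3-bucket/6e87abd0-9606-11ef-a900-0a711dd571e7 because no identity-based policy allows the cloudformation:GetTemplateSummary action
[Container] 2025/04/30 18:03:30.852209 Phase complete: BUILD State: FAILED
"""

DENIED = re.compile(
    r"User: (?P<principal>arn:aws:sts::[^:]*:assumed-role/(?P<role>[^/\s]+)/\S+)"
    r" is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r" on resource: (?P<resource>\S+)"
    r"(?: (?P<reason>(?:because|with) .+))?"
)

def parse_denials(log_text):
    """Return one dict per AccessDenied line: principal, role, action, resource, reason."""
    return [m.groupdict() for m in DENIED.finditer(log_text)]

def scoped_resource(arn):
    """For a stack ARN, wildcard only the trailing stack id so the grant
    still applies after the stack is deleted and re-created (assumption)."""
    parts = arn.split("/")
    if ":stack/" in arn and len(parts) == 3:
        parts[2] = "*"
    return "/".join(parts)

def statements_by_role(denials):
    """Build one Allow statement per (role, resource) from the denied actions."""
    grouped = {}
    for d in denials:
        if d["reason"] and "explicit deny" in d["reason"]:
            continue  # an explicit deny is not lifted by adding an Allow
        key = (d["role"], scoped_resource(d["resource"]))
        grouped.setdefault(key, set()).add(d["action"])
    out = {}
    for (role, resource), actions in grouped.items():
        out.setdefault(role, []).append(
            {"Effect": "Allow", "Action": sorted(actions), "Resource": resource})
    return out

if __name__ == "__main__":
    for role, stmts in statements_by_role(parse_denials(SAMPLE_LOG)).items():
        print(f"# statements to add to {role}")
        print(json.dumps({"Version": "2012-10-17", "Statement": stmts}, indent=2))
```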
