[ComputeOptimizerModule] Missing permission iam:UntagRole on ComputeOptimizer-StackSetExecutionRole #1093

Open
CorinneVerheyde opened this issue Jan 9, 2025 · 1 comment

CorinneVerheyde commented Jan 9, 2025

  1. When upgrading the datacollection stack on the local account with a change in default_tags, the upgrade and the rollback both failed (from version 3.4.2 to version 3.5.0).
     Our specific use case is that we removed one of our standard tags (in the default provider tags).

```hcl
provider "aws" {
  default_tags {
    tags = var.tags
  }
}
```

     It seems that the role ComputeOptimizer-StackSetExecutionRole is missing the permission iam:UntagRole. Could you add it?

     Steps to reproduce:

       • Remove a tag in the default_tags provider.
       • Try to upgrade.
  2. In the same role, there is a non-existent permission "s3:Set*".
     It does work, but there is a warning in the AWS console, so could this be fixed too in the same issue?

@iakov-aws (Collaborator)

Thanks for reporting this.

For reference the role is declared here: https://github.com/awslabs/cid-framework/blob/main/data-collection/deploy/module-compute-optimizer.yaml#L140C1-L140C32

Hey team, @aws-samples/cid-contributors can you have a look?
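
Both points raised in this issue (a role that can tag but not untag, and an action pattern that matches no real action) can be caught by linting the policy document before deployment. The following is an added example, not code from the cid-framework project: `SAMPLE_POLICY` is a constructed policy (not the role's real one), `KNOWN_ACTIONS` is a small constructed subset of action names, and all function names are hypothetical. It only looks at `Allow` statements with `Action`, ignoring `Deny`, `NotAction`, `Resource` and `Condition`.

```python
import fnmatch
import json

# Constructed sample policy for illustration; NOT the project's actual role policy.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:TagRole", "iam:GetRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:Set*"], "Resource": "*"}
  ]
}
""")

# Constructed subset of action names, enough for the demo. A real check would
# load the full action list for each service instead.
KNOWN_ACTIONS = [
    "iam:TagRole", "iam:UntagRole", "iam:GetRole",
    "s3:GetObject", "s3:GetBucketPolicy", "s3:PutObject", "s3:PutBucketPolicy",
]

def allowed_patterns(policy):
    """Collect every Action pattern from the policy's Allow statements."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def matches(pattern, action):
    """IAM action names are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_actions(policy, required):
    """Required actions that no Allow pattern covers (e.g. untag without tag)."""
    patterns = allowed_patterns(policy)
    return [a for a in required if not any(matches(p, a) for p in patterns)]

def dead_patterns(policy, known_actions):
    """Allow patterns that match no known action (the console warning case)."""
    return [p for p in allowed_patterns(policy)
            if not any(matches(p, a) for a in known_actions)]

if __name__ == "__main__":
    print(missing_actions(SAMPLE_POLICY, ["iam:TagRole", "iam:UntagRole"]))
    print(dead_patterns(SAMPLE_POLICY, KNOWN_ACTIONS))
```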
