
AWS Cross-Account Data Collection - "failed to AssumeRole"

Hi Experts,
I'm setting up AWS Cross-Account Data Collection by following the reference link. However, it prompted me with the error "failed to AssumeRole".
I have double-checked the settings as well as the policies needed, but I still have no idea what the cause of this error is. Can someone have a look at it and possibly let me know which part I missed?
Reference links:  https://docs.cribl.io/stream/usecase-aws-x-account/


Answers

  • Oliver Hoppe
    Oliver Hoppe Posts: 50 ✭✭

    Have you provided credentials in the configuration tab or left it on Auto? If you left it on Auto, you need to either configure AWS CLI authentication on each of your workers, or add the workers' ARN to a role that is trusted to assume the role in your secondary account, so that they have the right permissions.

  • > add the workers' ARN to a role that is trusted to assume the role in your secondary account, so that they have the right permissions.

    Just to clarify this part: my worker resides in the cloud and has an instance role attached. Does this worker ARN (instance role) need to be added to another IAM role that is allowed to assume the role in my secondary account?

  • Oliver Hoppe
    Oliver Hoppe Posts: 50 ✭✭

    You need to allow that instance role to assume the role of the service policy you want to use.

  • Oliver Hoppe
    Oliver Hoppe Posts: 50 ✭✭

    So the assume role sits in the account with the service you want to use.

  • Oliver Hoppe
    Oliver Hoppe Posts: 50 ✭✭

    The IAM Role of the trusting account needs to allow the IAM User ( or in your case Instance Role) to assume its role.

  • baconesq
    baconesq Posts: 2 mod

    The ARN of the role associated with your EC2 Instance Profile needs to appear in the Trust Policy of the role you are attempting to assume.
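    As an added illustration of the two policy documents this answer and the earlier ones describe (example code written for this page, not Cribl's or AWS's own tooling): the trust policy on the role being assumed in the secondary account names the worker's instance-profile *role* ARN as principal, and the worker's role in its own account carries an identity policy allowing sts:AssumeRole on the target. The account IDs and role names below are hypothetical placeholders; the checker is an offline sanity test of the JSON, not a substitute for calling STS.

```python
"""Offline sanity check for a cross-account sts:AssumeRole setup.

Added example, not Cribl or AWS code. Account IDs and role names are
hypothetical placeholders (assumption: account A runs the worker, account B
owns the role Cribl should assume).
"""
import json

ACCOUNT_A = "111111111111"  # hypothetical: hosts the EC2 worker and its instance-profile role
ACCOUNT_B = "222222222222"  # hypothetical: hosts the role entered in the AssumeRole ARN field
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/cribl-worker"
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/cribl-test"

# 1. Trust policy attached to roleB (account B): who may call sts:AssumeRole on it.
#    The principal is the role ARN, not the instance-profile ARN and not the
#    temporary arn:aws:sts::...:assumed-role/... session ARN.
ROLE_B_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ROLE_A_ARN},
        "Action": "sts:AssumeRole",
    }],
}

# 2. Identity (permission) policy attached to roleA (account A): cross-account
#    assumption also needs the caller's own policy to allow sts:AssumeRole on roleB.
ROLE_A_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_B_ARN,
    }],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def trust_policy_allows(trust_policy: dict, caller_role_arn: str) -> bool:
    """True if an Allow statement for sts:AssumeRole names the caller's role ARN,
    or the caller account's root (which defers to the caller's identity policy)."""
    account_root = "arn:aws:iam::" + caller_role_arn.split(":")[4] + ":root"
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if caller_role_arn in principals or account_root in principals:
            return True
    return False


def permission_policy_allows(policy: dict, target_role_arn: str) -> bool:
    """True if the caller's identity policy allows sts:AssumeRole on target_role_arn."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not ({"sts:AssumeRole", "sts:*", "*"} & set(actions)):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if target_role_arn in resources or "*" in resources:
            return True
    return False


def diagnose(caller_role_arn, trust_policy, caller_policy, target_role_arn):
    """Return a list of problems; an empty list means both halves are in place."""
    problems = []
    if ":instance-profile/" in caller_role_arn:
        problems.append("caller ARN is an instance-profile ARN; use the role ARN")
    if not trust_policy_allows(trust_policy, caller_role_arn):
        problems.append("target role's trust policy does not allow this caller")
    if not permission_policy_allows(caller_policy, target_role_arn):
        problems.append("caller role's identity policy lacks sts:AssumeRole on target")
    return problems


if __name__ == "__main__":
    print(json.dumps(ROLE_B_TRUST_POLICY, indent=2))
    print(diagnose(ROLE_A_ARN, ROLE_B_TRUST_POLICY, ROLE_A_PERMISSION_POLICY, ROLE_B_ARN))
```

    Once the two documents are in place, the definitive check is run from the worker itself: `aws sts get-caller-identity` shows which role the instance credentials actually resolve to, and `aws sts assume-role --role-arn <roleB ARN> --role-session-name test` reproduces exactly what the Destination does, with a clearer error than "failed to AssumeRole".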

  • Hmm, the error still persists. My account A has the instance role. Account B has the assume role (called cribl-test), so I have allowed the instance role to be assumed by the cribl-test role under the trust policy in account B. Is there anything I missed?

  • Sirius Lange
    Sirius Lange Posts: 10
    edited September 2023

    Hopefully this image helps; it's how my team has configured cross-account access for Cribl. Also make sure you've got the correct assume-role options active:

  • I have set up everything according to the advice. However, the same error still persists: "Failed to assumerole".

    The current existing setup

    Account A (roleA):

    • allow RoleB (sts:AssumeRole) in the trust policy
    • allow RoleB (sts:AssumeRole) in the permission policy

    Account B (roleB)

    • allow RoleA (sts:AssumeRole) in the trust policy
    • allow RoleA (s3:PutObject, s3:ListAllBucket) in the permission policy

    Cribl Edge Destination setup

    • enable the option for AssumeRole S3
    • input the RoleB ARN

    Is there any way I can resolve this?