AWS-SystemsManager-AutomationAdministrationRole Fails to set up in my Org

0

I am following this doc: https://docs.aws.amazon.com/systems-manager/latest/userguide/running-automations-multiple-accounts-regions.html to try to set up the role in my Org. I have downloaded the AWS-SystemsManager-AutomationExecutionRole (org).zip mentioned in the doc.

When I try to push it out with CloudFormation, everywhere I try to push it to I get this error.

ResourceLogicalId:AWSSystemsManagerAutomationExecutionRole, ResourceType:AWS::IAM::Role, ResourceStatusReason:Resource handler returned message: "Invalid principal in policy: "AWS":"arn:aws:iam::846356300000:role/AWS-SystemsManager-AutomationAdministrationRole-org" (Service: Iam, Status Code: 400, Request ID: 7e669f62-4ba9-4cc9-97ea-e7a24d4a84e0)" (RequestToken: 3088bbd6-97e2-e0a1-e1fb-f202a1438945, HandlerErrorCode: InvalidRequest).

The only thing I can think of as a possible problem is the length of the principal name.

2 Answers
0
Accepted Answer

Hello,

Just wanted to check if you had set up the AWS-SystemsManager-AutomationAdministrationRole-org first as described here. Looking at your question and the error, it seems like you were trying to set up the execution role and the error indicates an issue related to the administration role.

AWS
answered 7 months ago
0

Hello,

Greetings!

I understand this issue occurred while setting up the automation role for your organisation. Please make sure the below-mentioned details are followed:

-> You must have AWS-SystemsManager-AutomationAdministrationRole set up in the central/admin account. The error mentions the issue with this particular role, so it's probable that it is missing/not well configured.

-> Please note that you are supposed to repeat the procedure in every account that you want to target to run multi-Region and multi-account automations. [+] https://docs.aws.amazon.com/systems-manager/latest/userguide/running-automations-multiple-accounts-regions.html#multiple-console:~:text=To%20create%20the%20required%20IAM%20automation%20role%20for%20multi%2DRegion%20and%20multi%2Daccount%20automations%20by%20using%20AWS%20CloudFormation

-> Kindly make sure the AdminAccountId and OrganizationID provided under the Parameters are correct.

[+] Principal : https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

Please note that this kind of issue may occur due to a lot of reasons, hence if the above doesn’t address the concern, I advise you to reach out to AWS premium support for further troubleshooting, as this may require access to resources or live troubleshooting. [+] How do I get technical support from AWS? https://repost.aws/knowledge-center/get-aws-technical-support

I hope this addressed your query.

Have a good day!

AWS
Support Engineer
Parul_g
answered 7 months ago
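
An added example, not part of the thread or of the AWS template: a preflight check for the situation both answers describe. IAM rejects a trust policy whose `Principal` names a role ARN that does not exist, so this lists the role principals in a trust policy and reports the ones a lookup cannot find. The sample policy is constructed from the ARN in the error message, and all function names are hypothetical.

```python
import re

# Matches IAM role ARNs; group 1 = account ID, group 2 = path + role name.
ROLE_ARN = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/(.+)$")

# Constructed sample: the principal is the ARN quoted in the error message.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::846356300000:role/"
                             "AWS-SystemsManager-AutomationAdministrationRole-org"},
        "Action": "sts:AssumeRole",
    }],
}

def role_principals(trust_policy):
    """Return (account_id, role_path_and_name) for each role ARN under Principal.AWS."""
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    found = []
    for statement in statements:
        principal = statement.get("Principal", {})
        if not isinstance(principal, dict):   # e.g. the wildcard "*"
            continue
        arns = principal.get("AWS", [])
        for arn in [arns] if isinstance(arns, str) else arns:
            match = ROLE_ARN.match(arn)
            if match:
                found.append((match.group(1), match.group(2)))
    return found

def missing_principals(trust_policy, role_exists):
    """Role principals for which role_exists(account_id, name) returns False."""
    return [p for p in role_principals(trust_policy) if not role_exists(*p)]

def boto3_role_exists(account_id, role_name):
    """Live lookup. get_role only sees the caller's own account, so the
    credentials in use must belong to account_id (here, the admin account)."""
    import boto3
    from botocore.exceptions import ClientError
    if boto3.client("sts").get_caller_identity()["Account"] != account_id:
        raise RuntimeError(f"credentials are not for account {account_id}")
    try:
        boto3.client("iam").get_role(RoleName=role_name.rsplit("/", 1)[-1])
        return True
    except ClientError as err:
        if err.response["Error"]["Code"] == "NoSuchEntity":
            return False
        raise
```

Run `missing_principals(policy, boto3_role_exists)` with admin-account credentials before deploying the execution role to target accounts; an empty list means every role principal resolves.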
