Tags: amazon-web-services, terraform, terraform-provider-aws, aws-organizations, aws-backup

AWS Backup Account Terraform Policy Creation Issue: AccessDeniedException


I have a situation.

I've delegated administrator rights for AWS Organizations to the AWS Backup account. This allows me to create and modify AWS Backup policies, which is exactly what I need. However, I've run into an issue when attempting to create the policy using Terraform within the AWS Backup account. I'm receiving the error message "AccessDeniedException: You don't have permissions to access this resource." I've already granted access from the AWS main account to the delegated administrator for AWS Organizations policies for both root users and Terraform.

Do you have any idea?

000000000000 -> AWS backup account

111111111111 -> AWS main account

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrganizationsRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:user/Terraform",
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": [
        "organizations:Describe*",
        "organizations:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowBackupPoliciesCreation",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:user/Terraform",
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": "organizations:CreatePolicy",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesModification",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:user/Terraform",
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": [
        "organizations:DescribePolicy",
        "organizations:UpdatePolicy",
        "organizations:DeletePolicy"
      ],
      "Resource": "arn:aws:organizations::111111111111:policy/*/backup_policy/*",
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    },
    {
      "Sid": "AllowBackupPoliciesAttachmentAndDetachmentToAllAccountsAndOUs",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::000000000000:user/Terraform",
          "arn:aws:iam::000000000000:root"
        ]
      },
      "Action": [
        "organizations:AttachPolicy",
        "organizations:DetachPolicy"
      ],
      "Resource": [
        "arn:aws:organizations::111111111111:root/*",
        "arn:aws:organizations::111111111111:ou/*",
        "arn:aws:organizations::111111111111:account/*",
        "arn:aws:organizations::111111111111:policy/*/backup_policy/*"
      ],
      "Condition": {
        "StringEquals": {
          "organizations:PolicyType": "BACKUP_POLICY"
        }
      }
    }
  ]
}

Long story short: From AWS console i'm able to create the policy, but from Terraform i'm getting that error

Thank you.


Solution

  • The problem was because of this stupid tags policy; they weren't added:

            "organizations:TagResource",
            "organizations:UntagResource"
    

    Like this it is working:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowOrganizationsRead",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::000000000000:root"
            ]
          },
          "Action": [
            "organizations:Describe*",
            "organizations:List*",
            "organizations:TagResource",
            "organizations:UntagResource"
          ],
          "Resource": "*"
        },
        {
          "Sid": "AllowBackupPoliciesCreation",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::000000000000:root"
            ]
          },
          "Action": "organizations:CreatePolicy",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "organizations:PolicyType": "BACKUP_POLICY"
            }
          }
        },
        {
          "Sid": "AllowBackupPoliciesModification",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::000000000000:root"
            ]
          },
          "Action": [
            "organizations:DescribePolicy",
            "organizations:UpdatePolicy",
            "organizations:DeletePolicy"
          ],
          "Resource": "arn:aws:organizations::111111111111:policy/*/backup_policy/*",
          "Condition": {
            "StringEquals": {
              "organizations:PolicyType": "BACKUP_POLICY"
            }
          }
        },
        {
          "Sid": "AllowBackupPoliciesAttachmentAndDetachmentToAllAccountsAndOUs",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::000000000000:root"
            ]
          },
          "Action": [
            "organizations:AttachPolicy",
            "organizations:DetachPolicy"
          ],
          "Resource": [
            "arn:aws:organizations::111111111111:root/*",
            "arn:aws:organizations::111111111111:ou/*",
            "arn:aws:organizations::111111111111:account/*",
            "arn:aws:organizations::111111111111:policy/*/backup_policy/*"
          ],
          "Condition": {
            "StringEquals": {
              "organizations:PolicyType": "BACKUP_POLICY"
            }
          }
        }
      ]
    }
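As an added check that is not part of the question or the answer above, the following Python script lints a delegated-administrator resource policy offline against the Organizations API calls the Terraform AWS provider makes for an `aws_organizations_policy` resource that carries tags (explicit `tags` or provider `default_tags`). AWS requires `organizations:TagResource` in addition to `organizations:CreatePolicy` when a policy is created with tags in the same call, which is why creating the policy from the console (no tags) worked while Terraform got `AccessDeniedException`. The required-action list, the sample policies (modelled on the question, with the same placeholder account ids) and all helper names are this example's own; `Condition` blocks and `Deny` statements are not evaluated, so it is a coverage check, not an IAM simulation. Note also that the `arn:aws:iam::000000000000:root` principal in a resource policy grants the whole account, not only its root user; each caller in that account still needs its own identity-based policy to allow the action.

```python
"""Offline coverage lint for an AWS Organizations delegated-admin resource policy.

Reports which Organizations API actions no Allow statement grants to a given
caller. Action wildcards such as "organizations:List*" are expanded the way
IAM does (case-insensitive glob). Conditions and Deny statements are ignored.
"""
import fnmatch
import json
import re
import sys

# Organizations calls the Terraform provider makes for an aws_organizations_policy
# with tags. Assumption: provider behaviour at time of writing; adjust per version.
TERRAFORM_BACKUP_POLICY_ACTIONS = [
    "organizations:CreatePolicy",
    "organizations:DescribePolicy",
    "organizations:UpdatePolicy",
    "organizations:DeletePolicy",
    "organizations:ListTagsForResource",
    "organizations:TagResource",
    "organizations:UntagResource",
]

_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement_principal, caller_arn: str) -> bool:
    """True if a resource-policy Principal element covers caller_arn.

    "arn:aws:iam::ACCOUNT:root" (or the bare account id) is the *account*
    principal: it covers every IAM user/role in that account whose own
    identity-based policy also allows the action.
    """
    if statement_principal == "*":
        return True
    entries = _as_list(statement_principal.get("AWS", []))
    m = _ARN_ACCOUNT.match(caller_arn)
    caller_account = m.group(1) if m else None
    for entry in entries:
        if entry in ("*", caller_arn):
            return True
        if caller_account and entry in (caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def allowed_action_patterns(policy: dict, caller_arn: str) -> list[str]:
    """Action patterns that Allow statements grant to caller_arn (conditions ignored)."""
    patterns = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny is not modelled by this lint
        if _principal_matches(stmt.get("Principal", {}), caller_arn):
            patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns


def missing_actions(policy: dict, caller_arn: str, required: list[str]) -> list[str]:
    """Required actions that no Allow statement for caller_arn covers."""
    patterns = [p.lower() for p in allowed_action_patterns(policy, caller_arn)]
    return [a for a in required
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


def delegated_admin_policy(read_actions: list[str]) -> dict:
    """Constructed sample modelled on the question's policy (placeholder account ids)."""
    principal = {"AWS": ["arn:aws:iam::000000000000:user/Terraform",
                         "arn:aws:iam::000000000000:root"]}
    backup_only = {"StringEquals": {"organizations:PolicyType": "BACKUP_POLICY"}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowOrganizationsRead", "Effect": "Allow", "Principal": principal,
             "Action": read_actions, "Resource": "*"},
            {"Sid": "AllowBackupPoliciesCreation", "Effect": "Allow", "Principal": principal,
             "Action": "organizations:CreatePolicy", "Resource": "*", "Condition": backup_only},
            {"Sid": "AllowBackupPoliciesModification", "Effect": "Allow", "Principal": principal,
             "Action": ["organizations:DescribePolicy", "organizations:UpdatePolicy",
                        "organizations:DeletePolicy"],
             "Resource": "arn:aws:organizations::111111111111:policy/*/backup_policy/*",
             "Condition": backup_only},
        ],
    }


BROKEN = delegated_admin_policy(["organizations:Describe*", "organizations:List*"])
FIXED = delegated_admin_policy(["organizations:Describe*", "organizations:List*",
                                "organizations:TagResource", "organizations:UntagResource"])

if __name__ == "__main__":
    caller = "arn:aws:iam::000000000000:user/Terraform"
    # Optionally lint a real policy file: python lint.py resource-policy.json
    policies = {sys.argv[1]: json.load(open(sys.argv[1]))} if len(sys.argv) > 1 \
        else {"before": BROKEN, "after": FIXED}
    for name, pol in policies.items():
        print(name, "missing:", missing_actions(pol, caller, TERRAFORM_BACKUP_POLICY_ACTIONS))
```

Run it against the resource policy you are about to `PutResourcePolicy` in the management account, with the ARN the Terraform credentials resolve to (check with `aws sts get-caller-identity`), and every action the lint reports is a future `AccessDeniedException`.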