
Hi Experts,
I'm setting up AWS Cross-Account Data Collection by following the reference links. However, it prompted me with the error of "failed to AssumeRole".
I have double-checked the settings as well as the policies needed, but I still have no idea what the cause of this error is. Can you help have a look at it and possibly let me know which part I missed?
Reference links:  https://docs.cribl.io/stream/usecase-aws-x-account/

425_9caef55b13bd4eb28ae338e0e15d1ae0.png

Have you provided credentials in the configuration tab or left it to Auto? If you left it with auto you need to either configure the AWS CLI authentication on each of your workers or add the workers ARN to a role that is trusted to assume the role of your secondary account to have the right permissions.


Here is a good example:  https://repost.aws/knowledge-center/iam-assume-role-cli


add the workers ARN to a role that is trusted to assume the role of your secondary account to have the right permissions.

Just to clarify this part: my worker resides in the cloud and has an instance role attached. Does this worker ARN (instance role) need to be added to another IAM role which allows it to assume the role of my secondary account?


You need to allow that instance role to assume the role of the service policy you want to use.


So the assume role sits in the account with the service you want to use.


425_25917be05e604ae9b52b41edfbefb2c6.png

The IAM Role of the trusting account needs to allow the IAM User (or in your case Instance Role) to assume its role.


The ARN of the role associated with your EC2 Instance Profile needs to appear in the Trust Policy of the role you are attempting to assume.


Ermm, the error still persists. My account A has the instance role. Account B has the assume role (called cribl-test). So I have allowed the instance role to be assumed by the cribl-test role under the trust policy in acct B. Is there anything I missed?


425_bbf8a76b387342e98f03084d1fca846d.png

Hopefully this image helps, it's how my team have configured cross account access for cribl. Also make sure you've got the correct assume role options active:

425_faf45a80ec3f41138422166d213d227b.png

I have set it up according to the advice. However, the same error still persists, "Failed to assumerole".

The current existing setup

Account A (roleA):

  • allow RoleB (sts:AssumeRole) in the trusted policy
  • allow RoleB (sts:AssumeRole) in the permission policy

Account B (roleB)

  • allow RoleA (sts:AssumeRole) in the trusted policy
  • allow RoleA (s3:PUTObject, s3:ListAllBucket) in the permission policy

Cribl Edge Destination setup

  • enable the option for AssumeRole S3
  • input the RoleB ARN

Any way I can resolve this?


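The two halves of the cross-account handshake discussed in this thread can be checked offline against exported policy JSON. The following is an added example, not code from any poster or from Cribl; the account IDs are placeholders, the policies are constructed samples, and Deny statements and Conditions are not modelled.

```python
import json
from fnmatch import fnmatchcase

# Constructed ARNs: placeholder account IDs, role names as used in the thread.
ROLE_A = "arn:aws:iam::111111111111:role/roleA"  # instance role on the worker (Account A)
ROLE_B = "arn:aws:iam::222222222222:role/roleB"  # role the S3 Destination assumes (Account B)

# Constructed identity (permission) policy attached to roleA.
ROLE_A_PERMISSIONS = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Resource": "arn:aws:iam::222222222222:role/roleB"}]}""")

# Constructed trust policy on roleB.
ROLE_B_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Principal": {"AWS": "arn:aws:iam::111111111111:role/roleA"}}]}""")

def _listify(value):
    return value if isinstance(value, list) else [value]

def _allows_action(stmt, action):
    return stmt.get("Effect") == "Allow" and any(
        fnmatchcase(action.lower(), a.lower()) for a in _listify(stmt.get("Action", [])))

def identity_allows(policy, action, resource):
    """Identity policy on the caller: is there an Allow for `action` on `resource`?"""
    return any(_allows_action(s, action)
               and any(fnmatchcase(resource, r) for r in _listify(s.get("Resource", [])))
               for s in _listify(policy["Statement"]))

def trust_allows(trust, caller_arn):
    """Trust policy on the target: is the caller (or its account) a trusted principal?"""
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, account, f"arn:aws:iam::{account}:root", "*"}
    for s in _listify(trust["Statement"]):
        principal = s.get("Principal", {})
        aws = _listify(principal.get("AWS", []) if isinstance(principal, dict) else principal)
        if _allows_action(s, "sts:AssumeRole") and accepted & set(aws):
            return True
    return False

def diagnose(caller_arn, target_arn, caller_policy, target_trust):
    """Return which half of the handshake is missing; empty list means both are present."""
    missing = []
    if not identity_allows(caller_policy, "sts:AssumeRole", target_arn):
        missing.append("identity policy on caller lacks sts:AssumeRole on target")
    if not trust_allows(target_trust, caller_arn):
        missing.append("trust policy on target does not name caller")
    return missing
```

Calling `diagnose(ROLE_A, ROLE_B, ROLE_A_PERMISSIONS, ROLE_B_TRUST)` on the sample policies returns an empty list; swap in the JSON exported from the real roles to see which side is incomplete.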