fix tag enabled groups in multi account setup (#136)

grusy · michaelwittig · commit d49c103e422c · 2018-08-17T09:16:54.000+02:00
diff --git a/iam_crossaccount_policy.json b/iam_crossaccount_policy.json
@@ -6,5 +6,9 @@
     "Resource": [
       "arn:aws:iam::<YOUR_USERS_ACCOUNT_ID_HERE>:role/<YOUR_USERS_ACCOUNT_ROLE_NAME_HERE>"
     ]
+  },{
+    "Effect": "Allow",
+    "Action": "ec2:DescribeTags",
+    "Resource": "*"
   }]
 }
diff --git a/import_users.sh b/import_users.sh
@@ -234,9 +234,6 @@ function sync_accounts() {
     # Check if local marker group exists, if not, create it
     /usr/bin/getent group "${LOCAL_MARKER_GROUP}" >/dev/null 2>&1 || /usr/sbin/groupadd "${LOCAL_MARKER_GROUP}"
 
-    # setup the aws credentials if needed
-    setup_aws_credentials
-
     # declare and set some variables
     local iam_users
     local sudo_users
@@ -249,6 +246,9 @@ function sync_accounts() {
     get_iam_groups_from_tag
     get_sudoers_groups_from_tag
 
+    # setup the aws credentials if needed
+    setup_aws_credentials
+    
     iam_users=$(get_clean_iam_users | sort | uniq)
     if [[ -z "${iam_users}" ]]
     then

Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,9 @@`
`6`	`6`	`"Resource": [`
`7`	`7`	`"arn:aws:iam::<YOUR_USERS_ACCOUNT_ID_HERE>:role/<YOUR_USERS_ACCOUNT_ROLE_NAME_HERE>"`
`8`	`8`	`]`
	`9`	`+ },{`
	`10`	`+ "Effect": "Allow",`
	`11`	`+ "Action": "ec2:DescribeTags",`
	`12`	`+ "Resource": "*"`
`9`	`13`	`}]`
`10`	`14`	`}`