introduce regions to reduce authorization errors #599
Comments
|
Thanks for submitting this request. Knowledge of specific organizational SCPs would be outside the scope of the solution, but allowing spokes to individually define which regions they would like to be within scope for scheduling may be a possible enhancement in the future, though this comes at the trade-off of additional configuration complexity. If anybody else would also like to see per-spoke account configuration of scheduled regions, please add a thumb's up reaction to the original request and reply to this thread with any additional context on your use-case that may be helpful in the design of such a feature. |
|
Hi,
So if some users don't care, they leave their config as is, and nothing breaks. The ones who care (i.e. sysadmins supporting accounts in the Orgs they have no control over) would simply add the required {} to their config attributes for the regions that cause errors (and streams of CloudTrail alarms :) ) |
SCP-blocked regions cause floods of errors in the logs
To my understanding, the scheduler enters an account and tries to act upon all available regions.
The problem with that is, that some regions are blocked with SCP policies causing:
{IAM Role} not authorized to perform: `tag:GetResources` with an explicit deny in a service control policyProposed solution(s)
An additional attribute in DDB to define regions (needs to be account->[regions] to allow for full customisation of regions per account.
Alternatively, to avoid changing the item's attribute:
Implement in the code a catch for a region definition, if exists.
Example:
remote_account_ids : "123456789012{eu-west-1,us-east-1},123456789011{eu-central-1}"The text was updated successfully, but these errors were encountered: