Hi There, I am working on deploying terraform into a multi-account model for AWS. The high level overview is:
- Jenkins running in Account A with the Jenkins server acting as the worker node.
- IAM user created in AccountA that has a policy attached that allows it to perform sts:AssumeRole to a role in AccountB that has full admin access.
We are able to create, modify and destroy resources in AccountB using this process. Once we had tested and verified the workflow, we destroyed all resources and attempted to migrate the state file to an S3 bucket in AccountB; when we attempt to do this we get 403 errors.
Spent some time with AWS support and verified all IAM setup; we even got on the Jenkins server, switched to the Jenkins user, manually performed the sts:AssumeRole call and were able to copy a file to the S3 bucket.
At this point I am not sure what the issue is and am hoping someone out here has run into a similar issue and can point me in the right direction.
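One detail worth checking, because it is not covered by the post: the S3 backend authenticates on its own and the provider's `assume_role` does not apply to it, so without its own role the backend uses the Jenkins host's AccountA credentials against the AccountB bucket. Below is an added example of giving the backend its own role to assume; it is not the poster's configuration, and the bucket name, key, region, role ARN and Terraform 1.6+ syntax are assumptions.

```hcl
terraform {
  backend "s3" {
    # Placeholders: substitute the real bucket, key and region in AccountB.
    bucket  = "ACCOUNTB-STATE-BUCKET"
    key     = "jenkins/terraform.tfstate"
    region  = "us-east-1"
    encrypt = true

    # Without this block the backend uses whatever credentials the Jenkins
    # user has in its default chain (the AccountA IAM user), which has no
    # rights on the AccountB bucket, so S3 returns 403 even though the
    # provider below can assume the cross-account role successfully.
    # Terraform 1.6+ syntax; older releases take role_arn / session_name
    # as top-level backend attributes instead of a nested block.
    assume_role {
      role_arn     = "arn:aws:iam::ACCOUNTB_ID:role/ROLE_NAME" # placeholder ARN
      session_name = "jenkins-terraform-state"
    }
  }
}

provider "aws" {
  region = "us-east-1"
  # Same role, assumed a second time for the resources Terraform manages;
  # this block does not help the backend, which is why both are needed.
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNTB_ID:role/ROLE_NAME" # placeholder ARN
    session_name = "jenkins-terraform-apply"
  }
}
```

After adding the backend `assume_role` block, `terraform init -migrate-state` (or `-reconfigure`) re-initializes the backend so the state copy is attempted with the AccountB role rather than the AccountA user.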