When trying to change authentication to AssumeRole for an AWS Cloud Account instead of IAM User you are presented with an error

Article ID: 326081

Products

VMware Aria Suite

Issue/Introduction

Allow users of VMware Aria Automation 8.14.1 - 8.16.1 to update their existing AWS Cloud accounts to use the AssumeRole feature.

Symptoms:
  • You have existing AWS Cloud accounts set up to authenticate via an IAM user.
  • You have validated that AssumeRole works and have already set up a trusted identity.
  • You have tested configuring a new AWS Cloud account with the AssumeRole and it works.
  • You receive the following error when trying to change the configuration of the existing Cloud Account to use the AssumeRole:
    Failed to validate credentials. Error: Unable to validate credentials in any AWS region!


Environment

VMware Aria Automation 8.16.x
VMware Aria Automation 8.14.x

Cause

The UI populates and sends the incorrect data to the backend service.

Resolution

This issue is resolved in VMware Aria Automation 8.16.2.

Workaround:
  • To use the AssumeRole feature in versions 8.14.1 through 8.16.1, you must use the API to PATCH the Cloud Account with the correct information.

Prerequisites

  • You have backups of the VMware Aria Automation 8.x appliance(s).
    • You must back up all VMware Aria Automation appliances simultaneously, across all nodes.
    • If you are making the snapshots manually, you must start the snapshots of the second and the third node not more than 40 seconds after you start the snapshots for the first node.
    • When you back up the VMware Aria Automation appliance, disable in-memory snapshots and enable quiescing (quiescing is a requirement only for version 8.9 and newer).
  • You have the root username and password for the Aria Automation appliances so that you can run curl there, or you have a similar utility such as Postman.

Procedure

  1. Use the following API to PATCH the cloud account:
    env/iaas/api/cloud-accounts/{id}?apiVersion=2021-07-15
    Note: env is the URL (FQDN) of your Aria Automation instance.
Request Body:
{
    "cloudAccountProperties": {
        "arn": "arn_id",
        "externalId": "externalId",
        "dcId": "onprem"
    }
}
Note:
  • arn_id - the ID of the role in AWS
  • externalId - the orgId{}
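
Added example, not part of the original article or VMware's own tooling: a POSIX shell script for the PATCH above that checks the role ARN and external ID before building the request body, so malformed or quote-bearing values are rejected before anything is sent. It assumes an API bearer token is already in ARIA_TOKEN and that the instance is reached over HTTPS; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not VMware code. Assumptions: bearer token in $ARIA_TOKEN,
# HTTPS endpoint, hypothetical function names.

# Whole-value ERE match; refuses embedded newlines so grep cannot pass one line only.
matches() {
    case $2 in *'
'*) return 1 ;; esac
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# IAM role ARN: partition, 12-digit account ID, role path/name.
valid_role_arn() {
    matches 'arn:(aws|aws-us-gov|aws-cn):iam::[0-9]{12}:role/[A-Za-z0-9_+=,.@/-]+' "$1"
}

# STS ExternalId: 2 to 1224 characters from a restricted set (no quotes or spaces).
valid_external_id() {
    [ "${#1}" -ge 2 ] && [ "${#1}" -le 1224 ] &&
        matches '[A-Za-z0-9_+=,.@:/-]+' "$1"
}

# Emit the article's request body; safe to interpolate because both values
# were validated against character sets that need no JSON escaping.
build_patch_body() {
    valid_role_arn "$1" || { echo "rejected role ARN: $1" >&2; return 1; }
    valid_external_id "$2" || { echo "rejected external ID" >&2; return 1; }
    printf '{"cloudAccountProperties":{"arn":"%s","externalId":"%s","dcId":"onprem"}}' "$1" "$2"
}

# patch_cloud_account <env-fqdn> <cloud-account-id> <role-arn> <external-id>
# The token is passed to curl through a config on stdin, not on the command
# line, so it does not show up in the process list.
patch_cloud_account() {
    body=$(build_patch_body "$3" "$4") || return 1
    printf 'header = "Authorization: Bearer %s"\n' "$ARIA_TOKEN" |
        curl --silent --show-error --fail --config - \
             --request PATCH \
             --header 'Content-Type: application/json' \
             --data "$body" \
             "https://$1/iaas/api/cloud-accounts/$2?apiVersion=2021-07-15"
}

# Runs only when all four arguments are given.
if [ "$#" -eq 4 ]; then
    patch_cloud_account "$@"
fi
```
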