Skip to main content
hamburger menu
+ Create a topic
Solved

Issue with Lucidscale cloudformation import with an AWS Org with multiple OU's

  • June 20, 2025
  • 12 replies
  • 132 views
S
Forum|alt.badge.img+1

i’m trying to run the cloudformation ‘configure permissions with cloudformation’ to deploy the necessary resources in my AWS organization.  I have a single account as the master payer and then over 30 accounts in various OU’s.  I need to be able to use Lucidscale to create documentation of each account in these multiple OU’s.  

 

I’m getting a failure on the deployment of this initial stackset.  “Properties validation failed for resource MemberRoleStackSet with message: [#/StackInstancesGroup/0/DeploymentTargets/OrganizationalUnitIds/0: string [usedmyorgnazitional ID] does not match pattern ^(ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|r-[a-z0-9]{4,32})$]

I need to discover all accounts which reside in multiple OU’s.  Nothing i’ve tried has helped with this.    Any help?  What should go in the parameters for 

  • BastionRootOrOrganizationalUnitId\
  • MembersRootOrOrganizationalUnitId

Best answer by Humas1985

Hi ​@sean.kaminsk 

The error sounds from an invalid or missing IAM role principal in the trust policy.

Kindly ensure the referenced role exists in the correct account, has fully propagated, and that trust relationships are configured according to Lucidscale’s workflow rules listed.

This is a usual us what i see with in multi-account, multi-OU AWS Organization setups.

Best Regards

Comments

Humas1985
Lucid Legend Level 10
Forum|alt.badge.img+24
  • Humas1985Lucid Legend Level 10
  • Lucid Legend Level 10
  • June 20, 2025

Hi ​@sean.kaminsk 

This could be because of an invalid Organizational Unit / Root ID format in the OrganizationalUnitIds section of your StackSet

AWS works best in the below shown formats
Organizational Unit ID: 
Example: ou-abcd-12345678

Root ID:
Example: r-1a2b

Can you give a try and let me know the outcome.

Hope this helps - Happy to help further!!
Thank you very much and have a great one!
Warm regards

Huma || Lucid Legend
S
Forum|alt.badge.img+1

I retried this and it got further.   but now getting this on the MemberRoleStackSet

Resource handler returned message: "Resource of type 'Stack set operation [c2a9493d-2572-410f-8104-0682f1cf48d3] was unexpectedly stopped or failed. status reason(s): [ResourceLogicalId:MemberAccountRole, ResourceType:AWS::IAM::Role, ResourceStatusReason:Resource handler returned message: "Invalid principal in policy: "AWS":"arn:aws:iam::190816833194:role/lucid-import-bastion-role" (Service: Iam, Status Code: 400, Request ID: 8da5851e-8193-46a0-9b73-89f011a17fae) (SDK Attempt Count: 1)" (RequestToken: 6579d9aa-9598-09bf-5e7b-5fe23b3c5337, HandlerErrorCode: InvalidRequest).]' with identifier 'LucidOrgImportMemberAccountStackSet:f7307430-1aae-4dd9-83e0-fc5381c12c3a' did not stabilize." (RequestToken: d7c30b3e-2c2c-264f-851b-284c961e8972, HandlerErrorCode: NotStabilized)

Humas1985
Lucid Legend Level 10
Forum|alt.badge.img+24
  • Humas1985Lucid Legend Level 10
  • Lucid Legend Level 10
  • Answer
  • June 20, 2025

Hi ​@sean.kaminsk 

The error sounds from an invalid or missing IAM role principal in the trust policy.

Kindly ensure the referenced role exists in the correct account, has fully propagated, and that trust relationships are configured according to Lucidscale’s workflow rules listed.

This is a usual us what i see with in multi-account, multi-OU AWS Organization setups.

Best Regards

Huma || Lucid Legend
S
Forum|alt.badge.img+1

From what this says, the first cloudformation should create the roles in all the accounts?  

below are the parameters I used.  

BastionAccountId

1xxxxxxxx33194

-

BastionRoleName

lucid-import-bastion-role

-

BastionRootOrOrganizationalUnitId

r-9xxn

-

LucidAccountId

799803075172

-

LucidExternalId

866b1b06-60a8-4909-842e-a20560724f9f

-

MemberRoleName

lucid-import-account-role

-

MembersRootOrOrganizationalUnitId

r-9xxn
S
Forum|alt.badge.img+1

Nothing I’ve been able to do will let the organizational initial cloudformation to run.  Its complaining about the role being missing however, based on teh documentation, the first step’s goal is to create the roles.  Am I missing something?

S
Forum|alt.badge.img+1

After trying a few things, it looks like the first Cloudformation template which clearly says “Configure Permissions with Cloudformation” doesn’t create the bastion permission???  Seems kind of strange?  

 

What I did was run a single account cloudformation which created the role.  I then used the role that was created there as the role for my “bastion” role in the Organizational Cloudformation template.  That seems to have worked as the Cloudformation and all the stacksets in the member accounts are running successfully.

Please update the cloudformation to create the initial role or improve the documentation so that its clear that the role needs to exist ahead of time.

S
Forum|alt.badge.img+1

well.. unfortunately, when trying to import, all of the accounts fail.  So i’m still looking into this.

Leianne C
Forum|alt.badge.img+15
  • Leianne C
  • Lucid support team
  • June 25, 2025

Hi ​@sean.kaminsk, thank you for posting in the community and sorry to hear you’re experiencing issues with Lucidscale cloudformation import. I see you have already submitted support ticket for this and someone from our team is assisting you there. Please continue referring to the ticket for further correspondence. If you have any questions, please let us know. Thanks! 

N
Forum|alt.badge.img

Hi Sean, hi Leianne.

I am having the same problem. It is possible that the problem is that the template is using an array for a single value and it is also using the Fn::Sub function inside that array?

"Principal": {
  "AWS": [
    {"Fn::Sub": "arn:aws:iam::${BastionAccountId}:role/${BastionRoleName}"}
  ]
}

If I launch a custom Cloud Formation without the array, the Stack works, but Lucid still does not connect. I understand that custom Cloud Formation deployments are not supported by Lucid, so I would like to be part of the solution.

S
Forum|alt.badge.img+1

For some reason, it seems that the Bastion Role stackset doesn’t deploy the role which causes the other stackset to fail.  

I had a call with Lucid this week and we opted to create the bastion role (in the bastion account) manually.  Then re-ran the  full cloudformation and it worked.  

If the LucidOrgImportBastionAccountStackSet fails to deploy the bastion role, one can be created manually on the bastion account with the following policies.
 
Permission Policy

{

  "Version": "2012-10-17",

  "Statement": [

    {

      "Action": [

        "organizations:DescribeAccount",

        "organizations:DescribeOrganization",

        "organizations:DescribeOrganizationalUnit",

        "organizations:ListAccounts",

        "organizations:ListAccountsForParent",

        "organizations:ListChildren",

        "organizations:ListOrganizationalUnitsForParent",

        "organizations:ListParents",

        "organizations:ListRoots"

      ],

      "Resource": "*",

      "Effect": "Allow"

    },

    {

      "Action": [

        "sts:AssumeRole"

      ],

      "Resource": "arn:aws:iam::*:role/lucid-import-account-role",

      "Effect": "Allow"

    }

  ]

}

 
 
Trust Policy

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Effect": "Allow",

            "Principal": {

                "AWS": "arn:aws:iam::799803075172:root"

            },

            "Action": "sts:AssumeRole",

            "Condition": {

                "StringEquals": {

                    "sts:ExternalId": "EXTERNAL_ID_HERE"

                }

            }

        }

    ]

}

 
 
After this policy is deployed, the LucidOrgImportMemberAccountStackSet stackset can be redeployed and should no longer fail due to an invalid principal. 

N
N
Forum|alt.badge.img

Hi Sean, we also used a workaround. We use YAML for our CloudFormation deployments so we had to recreate everything (LucidOrgImportMemberAccountStackSet, BastionRoleStackSet, MemberRoleStackSet and the ResourcePolicy stack).

Seems like the problem is in the array containing the principal, indeed.

The YAMLs are adapted to our pipelines. They work, but need more parameters.

Import 

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  LucidAccountId:
    Description: The Lucid AWS account that will assume the role for resource imports
    Type: String
  LucidExternalId:
    Description: The externalId generated by Lucid
    Type: String
  BastionRootOrOrganizationalUnitId:
    Description: The id of the organizational unit or root containing the bastion account.
    Type: String
  MembersRootOrOrganizationalUnitId:
    Description: The id of the organizational unit or root containing the member accounts.
    Type: String
  BastionAccountId:
    Description: The account acting as the main entrypoint for cloud import
    Type: String
  BastionRoleName:
    Description: The name of the role that will be assumed in the bastion account
    Type: String
    Default: lucid-import-bastion-role
  MemberRoleName:
    Description: The name of the role that will be assumed in member accounts
    Type: String
    Default: lucid-import-account-role
  ArtifactsUrl:
    Type: String
    Description: '(Required) The URL for the artifacts source'
    AllowedPattern: "https?:\\/\\/(([a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9])\\.){0,}([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\\-]*[A-Za-z0-9]){1,}(:[0-9]{1,5})?((\\/[a-zA-Z0-9][a-zA-Z0-9\\-]*[a-zA-Z0-9]))*"
  Release:
    Type: String
    Description: Release identifier
    AllowedPattern: "(develop|master)|(((feat\\/)|((((rls\\/rc?_)|(hf\\/)|(mnto\\/))([0-9]+\\.){1,2}[0-9])+_?))([A-Za-z0-9_\\-]+)?)"
    ConstraintDescription: 'Must specity release identifier, for example: master, develop, 1.0.5-rc, 1.0.5 or 1.0.5.1'
Resources:
  BastionRoleStackSet:
    Type: AWS::CloudFormation::StackSet
    DeletionPolicy: Retain
    Properties:
      StackSetName: !Sub 'LucidOrgImportBastionAccountStackSet-${Release}'
      Description: Lucid stackset for importing resources from multiple AWS accounts in an organization.
      PermissionModel: SERVICE_MANAGED
      Capabilities:
        - CAPABILITY_NAMED_IAM
      CallAs: DELEGATED_ADMIN
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: true
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref BastionRootOrOrganizationalUnitId
            AccountFilterType: INTERSECTION
            Accounts:
              - !Ref BastionAccountId
          Regions:
            - us-east-1
      ManagedExecution:
        Active: true
      Tags:
        - Key: Lucid
          Value: CloudImport
      Parameters:
        - ParameterKey: LucidAccountId
          ParameterValue: !Ref LucidAccountId
        - ParameterKey: LucidExternalId
          ParameterValue: !Ref LucidExternalId
        - ParameterKey: BastionRoleName
          ParameterValue: !Ref BastionRoleName
        - ParameterKey: MemberRoleName
          ParameterValue: !Ref MemberRoleName
      TemplateURL: !Sub '${ArtifactsUrl}/AWS_Lucidscale/${Release}/cloudformation/bastion.yaml'
  MemberRoleStackSet:
    Type: AWS::CloudFormation::StackSet
    DeletionPolicy: Retain
    DependsOn: BastionRoleStackSet
    Properties:
      StackSetName: !Sub 'LucidOrgImportMemberAccountStackSet-${Release}'
      Description: Lucid stackset set for importing resources from multiple AWS accounts in an organization.
      PermissionModel: SERVICE_MANAGED
      Capabilities:
        - CAPABILITY_NAMED_IAM
      CallAs: DELEGATED_ADMIN
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: true
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds:
              - !Ref MembersRootOrOrganizationalUnitId
          Regions:
            - us-east-1
      ManagedExecution:
        Active: true
      Tags:
        - Key: Lucid
          Value: CloudImport
      Parameters:
        - ParameterKey: BastionAccountId
          ParameterValue: !Ref BastionAccountId
        - ParameterKey: BastionRoleName
          ParameterValue: !Ref BastionRoleName
        - ParameterKey: MemberRoleName
          ParameterValue: !Ref MemberRoleName
      TemplateURL: !Sub '${ArtifactsUrl}/AWS_Lucidscale/${Release}/cloudformation/member.yaml'

Bastion

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  LucidAccountId:
    Description: The Lucid AWS account that will assume the role for resource imports
    Type: String
  LucidExternalId:
    Description: The externalId generated by Lucid
    Type: String
  BastionRoleName:
    Description: The name of the role that will be assumed in the bastion account
    Type: String
    Default: lucid-import-bastion-role
  MemberRoleName:
    Description: The name of the role that will be assumed in member accounts
    Type: String
    Default: lucid-import-account-role
Resources:
  BastionAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref BastionRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AssumeRolePolicy
            Effect: Allow
            Principal:
              AWS: !Ref LucidAccountId
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref LucidExternalId
      Path: '/'
  BastionAccountRolePolicy:
    Type: AWS::IAM::Policy
    DependsOn: BastionAccountRole
    Properties:
      PolicyName: LucidImportBastionPolicy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - 'organizations:DescribeAccount'
              - 'organizations:DescribeOrganization'
              - 'organizations:DescribeOrganizationalUnit'
              - 'organizations:ListAccounts'
              - 'organizations:ListAccountsForParent'
              - 'organizations:ListChildren'
              - 'organizations:ListOrganizationalUnitsForParent'
              - 'organizations:ListParents'
              - 'organizations:ListRoots'
            Resource: '*'
          - Effect: Allow
            Action:
              - 'sts:AssumeRole'
            Resource: !Sub 'arn:aws:iam::*:role/${MemberRoleName}'
      Roles:
        - !Ref BastionRoleName

Member

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BastionAccountId:
    Description: The account acting as the main entrypoint for cloud import
    Type: String
  BastionRoleName:
    Description: The name of the role that will be assumed in the bastion account
    Type: String
  MemberRoleName:
    Description: The name of the role that will be assumed in member accounts
    Type: String
    Default: lucid-import-account-role
Resources:
  MemberAccountRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref MemberRoleName
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AssumeRolePolicy
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${BastionAccountId}:role/${BastionRoleName}'
            Action: 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/ReadOnlyAccess'
      Path: '/'

Policy

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  BastionAccountId:
    Description: The account acting as the main entrypoint for cloud import
    Type: String
Resources:
  ResourcePolicy:
    DeletionPolicy: Retain
    Type: AWS::Organizations::ResourcePolicy
    Properties:
      Content:
        Version: '2012-10-17'
        Statement:
          - Sid: DelegatedOrganizationsRead
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${BastionAccountId}:root'
            Action:
              - 'organizations:ListAccounts'
              - 'organizations:ListAccountsForParent'
              - 'organizations:ListChildren'
              - 'organizations:ListParents'
              - 'organizations:ListRoots'
              - 'organizations:DescribePolicy'
              - 'organizations:DescribeOrganizationalUnit'
              - 'organizations:DescribeOrganization'
              - 'organizations:DescribeAccount'
              - 'organizations:ListOrganizationalUnitsForParent'
            Resource: '*'

 

 

Leianne C
Forum|alt.badge.img+15
  • Leianne C
  • Lucid support team
  • July 21, 2025

Hi ​@sean.kaminsk ​@Nicolas S., thank you for taking the time to share your workarounds. We have passed this information on to our engineering team and will update this thread if we have any additional information. 

Please let us know if you have any questions in the meantime -- we are happy to help! 

Level up your skills & unlock exclusive perks!

Join Lucid Legends
Lucid Software Inc. Supplemental Community TermsAccessibility statement

Get Started

Products

Solutions

Resources

Company

Privacy Legal Cookie privacy choices Cookie policy
© 2025  Lucid Software Inc.