
Hi There! 

 

Are you running into an error similar to: “Invalid principal in policy: "AWS":"arn:aws:iam::000000000000:role/lucid-import-bastion-role”” while setting up your AWS organization import? 

 

This error typically happens when you're setting up an AWS organization import for Lucid and you've incorrectly configured the "bastion" account. A bastion account is the one used to coordinate the import with Lucid.

 

You have two options to fix this:

 

Option 1: Use a Non-Management Account as the Bastion Account (Recommended)

  1. Log in to the AWS management account.
  2. Use the "Configure permissions with CloudFormation" template.
  3. When prompted for the BastionAccountId, enter the ID of the non-management account you've chosen to be your bastion.
  4. Log in to the non-management account (the bastion account) and manually create the bastion role. You can use the template as a reference.
  5. Log back into the AWS management account and use the "Enable discovery with CloudFormation" template. This grants the bastion role permission to scan the organization's structure.

Option 2: Use the Management Account as the Bastion Account 

  1. Manually create the bastion role within the AWS management account. You cannot use the CloudFormation template for this step because of an AWS restriction. Use the template as a reference for creating the role.
  2. The "Enable discovery with CloudFormation" template is not required for this setup. The manual creation of the bastion role automatically handles the necessary permissions.

 

If you continue to experience issues, please feel free to add additional details to this thread or contact us directly at support@lucid.co with the steps you have tried and an outline of the issue, and we would be happy to help! 
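An added preflight check for the setup described in this thread; it is not Lucid's code and not the CloudFormation template. IAM rejects a policy whose Principal is a role ARN that does not exist yet, which is why the bastion role must be created in the bastion account (step 4 of Option 1, or step 1 of Option 2) before anything in the management account references it. The script confirms the bastion role exists and that its ARN matches what the BastionAccountId parameter will produce, then emits the trust statement that names it as principal. The function names, the placeholder account IDs and the FakeIAM stand-in are assumptions so the example runs offline; the trust policy is reconstructed from the error text and the real template may add conditions. Against real accounts, pass a boto3 IAM client created from the bastion account's credentials.

```python
import json
import types

# Role name taken from the error message in the thread. Account IDs used in
# main() are placeholders (assumption), not real accounts.
BASTION_ROLE_NAME = "lucid-import-bastion-role"


def bastion_role_arn(bastion_account_id: str) -> str:
    """ARN the management-account policy will name as principal."""
    return f"arn:aws:iam::{bastion_account_id}:role/{BASTION_ROLE_NAME}"


def discovery_trust_policy(bastion_account_id: str) -> dict:
    """Trust statement for the management-account discovery role: only the
    bastion role may assume it. Reconstructed from the error text (assumption);
    Lucid's real template may carry extra conditions or permissions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": bastion_role_arn(bastion_account_id)},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def find_role_arn(iam_client, role_name: str):
    """Return the role's ARN, or None when IAM says it does not exist.
    Works with a boto3 IAM client or any object exposing the same shape."""
    try:
        return iam_client.get_role(RoleName=role_name)["Role"]["Arn"]
    except iam_client.exceptions.NoSuchEntityException:
        return None


def preflight(bastion_iam, bastion_account_id: str) -> dict:
    """Run in the bastion account BEFORE the 'Enable discovery' template.
    Catches both causes of 'Invalid principal in policy': the role is missing,
    or the BastionAccountId parameter points at the wrong account."""
    expected = bastion_role_arn(bastion_account_id)
    found = find_role_arn(bastion_iam, BASTION_ROLE_NAME)
    if found is None:
        return {
            "ok": False,
            "reason": f"{BASTION_ROLE_NAME} does not exist in account "
                      f"{bastion_account_id}; create it first (Option 1 step 4 "
                      f"or Option 2 step 1) and re-run this check",
        }
    if found != expected:
        return {
            "ok": False,
            "reason": f"found {found} but the discovery policy will reference "
                      f"{expected}; check the BastionAccountId parameter",
        }
    return {"ok": True, "principal": expected,
            "trust_policy": discovery_trust_policy(bastion_account_id)}


class FakeIAM:
    """Constructed stand-in for a boto3 IAM client so the example runs offline.
    A missing key raises KeyError, which stands in for NoSuchEntityException."""

    def __init__(self, roles: dict):
        self._roles = roles
        self.exceptions = types.SimpleNamespace(NoSuchEntityException=KeyError)

    def get_role(self, RoleName: str) -> dict:
        return {"Role": {"Arn": self._roles[RoleName]}}


def main():
    bastion_id = "111111111111"  # placeholder bastion (non-management) account

    # 1) Role not created yet: the management-side template would fail.
    print(json.dumps(preflight(FakeIAM({}), bastion_id), indent=2))

    # 2) Role exists: safe to run 'Enable discovery' in the management account.
    ready = FakeIAM({BASTION_ROLE_NAME: bastion_role_arn(bastion_id)})
    print(json.dumps(preflight(ready, bastion_id), indent=2))

    # Against real accounts (boto3 imported lazily so the demo needs no network):
    # import boto3
    # iam = boto3.Session(profile_name="bastion").client("iam")
    # print(json.dumps(preflight(iam, bastion_id), indent=2))


if __name__ == "__main__":
    main()
```

For Option 2 the bastion account is the management account, so run the same check with the management account's credentials; the ARN comparison then guards against pasting a different account ID into the template parameter.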

 
