Troubleshoot cross-account analyses in
Reachability Analyzer
The following information can help you troubleshoot common issues with running cross-account analyses in Reachability Analyzer.
Issues
"StackSet is not empty" or "StackSet already exists"
If you receive one of these errors while enabling trusted access, do the following to resolve the issue.
To resolve the issue
-
Choose Turn off trusted access.
-
Wait until you see a banner at the top of the screen indicating that the operation was successful.
-
Choose Turn on trusted access.
"Error fetching resources"
If you receive this error while attempting to access resources from another account in the organization, it usually indicates that your account doesn't have all permissions required.
-
Verify that you have permission to call the
AssumeRole
andSetSourceIdentity
API actions. For example, the following policy grants permission to call these actions.{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole", "sts:SetSourceIdentity" ], "Resource": "*" } ] }
-
Verify that you have permission to call AWS CloudFormation API actions. For example, the AWSCloudFormationFullAccess and AWSCloudFormationReadOnlyAccess policies grant permissions to call these actions.
-
Verify that you have permission to call AWS Organizations API actions. For example, the AWSOrganizationsFullAccess and AWSOrganizationsReadOnlyAccess policies grant permissions to call these actions.
"Organizational unit not found in StackSet"
If you receive this error while disabling trusted access, do the following to resolve the issue.
To resolve the issue
-
Open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation
. -
In the navigation pane, choose StackSets.
-
Select
ReachabilityAnalyzerCrossAccountResourceAccessStackSet
and then choose Actions, Delete StackSet. -
Return to the Reachability Analyzer settings page and refresh the page.
-
Choose Turn off trusted access.