How to get AWS policy needed to run a specific CLI command? - amazon-web-services

I am new to AWS. I am trying to import an OVA to an AMI and use it for an EC2 instance as described here:
One of the commands it asks you to run is
aws ec2 describe-import-image-tasks --import-task-ids import-ami-1234567890abcdef0
When I do this I get
An error occurred (UnauthorizedOperation) when calling the DescribeImportImageTasks operation: You are not authorized to perform this operation.
I believe this means I need to add the appropriate Role (with a policy to be able to describe-import-image-tasks) to my CLI user.
In the IAM console, I see this search feature to filter policies for a role which I will assign to my user. However, it doesn't seem to have any results for describe-import-image-tasks.
Is there an easy way to determine which policies are needed to run an AWS CLI command?

There is not an easy way. The CLI commands usually (but not always) map to a single IAM action that you need permission to perform. In your case, it appears you need the ec2:DescribeImportImageTasks permission, as listed here.
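As an added illustration of the answer above (not code from the original post or from AWS), the heuristic a practitioner applies by hand: turn the CLI subcommand into the PascalCase API operation and prefix it with the service, then keep a small table of the wrappers that do not map 1:1 (the page's own examples: aws s3 cp calls PutObject, aws emr create-cluster calls RunJobFlow). The prefix map and exception table are assumptions, not an AWS API.

```python
import json

# CLI service names whose IAM prefix differs (assumed subset; extend as needed).
CLI_TO_IAM_PREFIX = {
    "s3api": "s3",
    "emr": "elasticmapreduce",
}

# Convenience subcommands that are not a single API call (constructed from the
# cases quoted on this page; a real table would be much longer).
KNOWN_EXCEPTIONS = {
    ("s3", "cp"): ["s3:PutObject", "s3:GetObject"],
    ("emr", "create-cluster"): ["elasticmapreduce:RunJobFlow"],
}

def kebab_to_pascal(name: str) -> str:
    """describe-import-image-tasks -> DescribeImportImageTasks.
    Caveat: acronyms are lost (describe-db-instances gives DescribeDbInstances,
    the real action is rds:DescribeDBInstances), so treat the result as a guess."""
    return "".join(part.capitalize() for part in name.split("-"))

def iam_actions_for_cli(command: str) -> list:
    """Guess the IAM action(s) behind an 'aws <service> <subcommand> ...' line."""
    parts = command.split()
    if len(parts) < 3 or parts[0] != "aws":
        raise ValueError(f"not an aws CLI command: {command!r}")
    service, sub = parts[1], parts[2]
    if (service, sub) in KNOWN_EXCEPTIONS:
        return list(KNOWN_EXCEPTIONS[(service, sub)])
    prefix = CLI_TO_IAM_PREFIX.get(service, service)
    return [f"{prefix}:{kebab_to_pascal(sub)}"]

def policy_statement(actions, resource="*") -> dict:
    """Minimal Allow statement for the guessed actions; narrow Resource before attaching."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(set(actions)), "Resource": resource}],
    }

if __name__ == "__main__":
    cmd = "aws ec2 describe-import-image-tasks --import-task-ids import-ami-1234567890abcdef0"
    print(json.dumps(policy_statement(iam_actions_for_cli(cmd)), indent=2))
```

Confirm the guessed action against the service's IAM reference before requesting the policy change; the guess is only a starting point.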


How to fix expired token in AWS s3 copy command?

I need to run the command aws s3 cp <filename> <bucketname> from an EC2 RHEL instance to copy a file from the instance to an S3 bucket.
When I run this command, I receive this error: An error occurred (ExpiredToken) when calling the PutObject operation: The provided token has expired
I also found that this same error occurs when trying to run many other CLI commands from the instance.
I do not want to change my IAM role because the command was previously working perfectly fine and IAM policy changes must go through an approval process. I have double-checked the IAM role the instance is assuming and it still contains the correct configuration for allowing PutObject on the correct resources.
What can I do to allow AWS CLI commands to work again in my instance?
AWS API tokens are time-sensitive, and VMs in the cloud tend to suffer from clock drift.
Check that the time is accurate on the RHEL instance, and use NTP servers to make sure any drift is regularly corrected.

Terraform to create ec2 instance error even though instance is created

I am having trouble creating ec2 instances with my IAM role.
The permissions I gave are:
List: DescribeInstances, DescribeKeyPairs
Read: DescribeTags
Tagging: CreateTags
Write: CreateKeyPair, DeleteKeyPair, ImportKeyPair, RunInstances, TerminateInstances
The error is
error while describing instance(...) attribute (instanceInitiatedShutdownBehaviour): UnnauthorizedOperation: You are no authorized to perform this operation.
However, on the AWS console, the ec2 instance is created. I am unable to terraform destroy it due to the same error.
It works if I give full ec2 access (ec2:*) so it has nothing to do with my terraform code.
Thank you.
I went through the same error and it is because of a lack of permission. In the error:
error while describing instance(...) attribute (instanceInitiatedShutdownBehaviour): UnnauthorizedOperation: You are no authorized to perform this operation.
the UnauthorizedOperation occurs because it is trying to describe an instance attribute and you do not have the ec2:DescribeInstanceAttribute permission.
Depending on how your Terraform config looks for the instances, you may require more permissions. You can enable debug logs in your apply command to get more information:
TF_LOG=DEBUG terraform apply
Use the visual policy editor to add permissions to your IAM role and look out for Action Warnings. It will tell you if you are missing any permissions required by the existing permissions.

Resources attached to an AWS IAM Role

Is there a way to find out which resources are using an IAM role? I want to modify it and wanted to check what could be affected by my modification.
Not quite.
Services can "assume" a role. This happens when the activity is run (e.g. when an AWS Lambda function is invoked, or when an Amazon EC2 instance is launched). Thus, there is no permanent 'link' between roles and services. Therefore, it is not possible to say "list me everything that is using this IAM Role".
However, you could list services and see which roles they are configured to use. For example, you could describe EC2 instances and check what IAM Role they are configured to use. However, you would need to do this for all services that you know are potentially using the roles.
You can find where an IAM role is used from based on its past usage.
I can think of a few ways.
Method 1 - Access Advisor
Click the "Access Advisor" tab that appears when you click an IAM role.
Check the last accessed time of each service.
Method 2 - CloudTrail
The following CLI command will tell you which services/users assumed the role and also the actions they performed.
aws cloudtrail lookup-events --max-results 20 --lookup-attributes AttributeKey=ResourceName,AttributeValue=arn:aws:iam::012345678901:role/lambdaRole --output json --query "Events[*].[CloudTrailEvent]"
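Added example (not from the original answer) of turning that lookup-events output into an answer to the original question: who assumed the role, and which API actions sessions of that role performed. The sample events are constructed to match the shape the --query filter produces; the eventSource-to-IAM-prefix mapping is an assumption noted in the code.

```python
import json
from collections import Counter

ROLE_ARN = "arn:aws:iam::012345678901:role/lambdaRole"  # the role queried in the command above

# Constructed sample in the shape produced by --query "Events[*].[CloudTrailEvent]":
# a list of one-element lists holding the raw CloudTrail event JSON as a string.
SAMPLE_OUTPUT = json.dumps([
    [json.dumps({
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "AWSService", "invokedBy": "lambda.amazonaws.com"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "orders-fn"},
    })],
    [json.dumps({
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::012345678901:assumed-role/lambdaRole/orders-fn",
                         "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}},
    })],
    [json.dumps({
        "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::012345678901:user/alice"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "alice-cli"},
    })],
])

def summarize_role_usage(lookup_output: str, role_arn: str) -> dict:
    """Return who assumed role_arn and which API actions its sessions performed."""
    assumers, actions = Counter(), Counter()
    for row in json.loads(lookup_output):
        ev = json.loads(row[0])
        ident = ev.get("userIdentity", {})
        if ev.get("eventName") == "AssumeRole" and ev.get("requestParameters", {}).get("roleArn") == role_arn:
            # A service principal appears as invokedBy; a user or other role as an ARN.
            assumers[ident.get("invokedBy") or ident.get("arn", "unknown")] += 1
        elif ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn") == role_arn:
            # "s3.amazonaws.com" -> "s3" matches the IAM prefix for most services but not
            # all (assumption; e.g. monitoring.amazonaws.com events are cloudwatch actions).
            prefix = ev["eventSource"].split(".")[0]
            actions[f"{prefix}:{ev['eventName']}"] += 1
    return {"assumed_by": dict(assumers), "actions": dict(actions)}

if __name__ == "__main__":
    print(json.dumps(summarize_role_usage(SAMPLE_OUTPUT, ROLE_ARN), indent=2))
```

Feed it the real command's stdout instead of SAMPLE_OUTPUT; the 90-day CloudTrail lookup window means a quiet consumer of the role can still be missed, as the first answer warns.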

How to give a role to a role - "arn:aws:sts::913xxxxx71:assumed-role"

I am following these instructions in order to send our EKS cluster logs to CloudWatch:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs.html
Since it wasn't working, I ran the suggested command to tail the logs for one of the fluentd pods:
kubectl logs fluentd-cloudwatch-fc7vx -n amazon-cloudwatch
I am seeing this error:
error_class=Aws::CloudWatchLogs::Errors::AccessDeniedException
error="User:
arn:aws:sts::913xxxxx71:assumed-role/eksctl-prod-nodegroup-standard-wo-NodeInstanceRole-1ESBFXHSI966X/i-0937e3xxxx07ea6
is not authorized to perform: logs:DescribeLogGroups on resource:
arn:aws:logs:us-west-2:913617820371:log-group::log-stream:"
I have a role that has the right permissions, but how can I give the role to the arn:aws:sts::913xxxxx71:assumed-role/eksctl-prod-nodegroup-standard-wo-NodeInstanceRole-1ESBFXHSI966X/i-0937e3xxxx07ea6 user?
You need to perform the step to attach the CloudWatchAgentServerPolicy policy to the cluster worker node role, documented here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-prerequisites.html
To do this, you need to assume the role. This can be done a few different ways:
1. You can set up an AWS profile and use that to execute commands as a different role.
2. You can use a tool like awsudo.
One caveat is that the role you are assuming must have a trust relationship set up so that it permits others to assume it. There is an example of this trust relationship setup in the link for (1) above.
That being said, you probably shouldn't be doing any of this for your use case.
If your other role is in a state where it needs to be updated to allow assumption, it is going to be much easier and more secure for you to just update the eksctl-prod-nodegroup-standard-wo-NodeInstanceRole-1ESBFXHSI966X role directly with the permissions you need.
Ideally you can associate the role with the same policy that is attached to the other role with the desired permissions.

Which Policy is needed for elasticmapreduce:RunJobFlow in AWS?

I'm using AWS DataPipeline to run an aws-cli command that creates an EMR Cluster, but I'm getting the following error when the command runs:
user ... is not authorized to perform: elasticmapreduce:RunJobFlow
I want to associate the right Policy to authorise this, but how do I know which policy is needed?
Select a User > Add Permissions > Attach existing policies directly > AmazonElasticMapReduceFullAccess
I suspect you didn't use the roles that are created by default in your account to run pipelines (DataPipelineDefaultResourceRole and DataPipelineDefaultRole). If this is the case, just use those and it should work.
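Both this EMR error and the EKS fluentd error in the previous question already name the exact IAM action that was denied, and the EKS one also names the principal. Added example (not code from either answer) that parses that wording into the action, the resource and, for an STS assumed-role ARN, the IAM role that needs the permission, which is what you would put in a least-privilege change request instead of attaching a FullAccess policy. The regex is built from the messages quoted on this page, not from an official AWS format, and the account id in the sample is a placeholder.

```python
import re

# Wording of the AccessDenied messages quoted in this thread (constructed regex;
# the "User: ..." prefix and the "on resource:" suffix are both optional).
DENIED_RE = re.compile(
    r"(?:User:?\s*(?P<principal>\S+)\s+)?is not authorized to perform:\s*"
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9]+)"
    r"(?:\s+on resource:\s*(?P<resource>\S+))?",
    re.IGNORECASE,
)
ASSUMED_ROLE_RE = re.compile(
    r"^arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)

def parse_denied(message: str) -> dict:
    """Extract principal, IAM action and (optional) resource from an AccessDenied text."""
    m = DENIED_RE.search(" ".join(message.split()))  # collapse the line breaks in the log
    if not m:
        raise ValueError("no 'is not authorized to perform' clause found")
    out = m.groupdict()
    if out["resource"]:
        out["resource"] = out["resource"].rstrip('"')  # trailing quote from error="..."
    return out

def role_name_from_principal(principal):
    """For an STS assumed-role ARN return the IAM role that must receive the permission.
    Returns None for anything else (an IAM user ARN, or an elided '...')."""
    m = ASSUMED_ROLE_RE.match(principal or "")
    return m.group("role") if m else None

def remediation(message: str) -> dict:
    """One record a reviewer can act on: which action, on what, attached to which role."""
    d = parse_denied(message)
    return {
        "action": d["action"],
        "resource": d["resource"] or "*",
        "attach_to_role": role_name_from_principal(d["principal"]),
    }

# Constructed sample modelled on the fluentd log quoted above (placeholder account id).
SAMPLE = '''error="User:
arn:aws:sts::123456789012:assumed-role/eksctl-prod-nodegroup-standard-wo-NodeInstanceRole-1ESBFXHSI966X/i-0937e3xxxx07ea6
is not authorized to perform: logs:DescribeLogGroups on resource:
arn:aws:logs:us-west-2:123456789012:log-group::log-stream:"'''

if __name__ == "__main__":
    print(remediation(SAMPLE))
```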