AccessDeniedException: User: arn:aws:sts::XXX:assumed-role/function is not authorized to perform: firehose:PutRecord on resource: arn:aws:fireho - amazon-iam

AccessDeniedException: User: arn:aws:sts::123:assumed-role/function is not authorized to perform: firehose:PutRecord on resource: arn:aws:firehose:eu-west-1:123:deliverystream
In the logs for my Lambda, which uses the AWS SDK to put a file to Firehose, I get this error. The odd thing is that it is in the same AWS account, so I have no idea why it's complaining.
Any ideas how to resolve?

Related

How do I create an EC2 instance role for AWS Data Pipeline

What are the correct policies for the EC2 Data Pipeline default resource role? I am creating a data pipeline and struggling to give proper permissions to this role.
This is the error I get from Data Pipeline: WARNING: Error occurred while validating resourceRole 'MyDatapipelineEC2Role'. Need iam:ListRolePolicies and iam:GetRolePolicy to validate. Error: User: arn:aws:sts::*********:assumed-role/MyDataPipelineRole/EDPSession is not authorized to perform: iam:ListRolePolicies on resource: role MyDatapipelineEC2Role because no identity-based policy allows the iam:ListRolePolicies action (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: f6566144-d887-4804-a041-cccc437933e2; Proxy: null)

SSM Send Command Configuration with Airflow and EMR

I am using Apache Airflow to issue an SSM send command and list command via a bash script to each core node of my EMR cluster. Airflow is hosted on an EC2 instance. That instance inherits this permission configuration for SSM in my IAM role:
- Effect: Allow
  Resource: '*'
  Action:
    - ssm:SendCommand
    - ssm:ListCommands
The above works, and I'm able to issue the commands successfully. However, my IAM policy shows this warning in the AWS console:
How do I get rid of this warning? I tried separating out the SSM commands and explicitly listing the document and EC2 instance, as shown below, but that produces this error:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the SendCommand operation: User: arn:aws:sts::************:assumed-role/MyRole/i-***************** is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:us-east-1:************:instance/i-***************** because no identity-based policy allows the ssm:SendCommand action
- Effect: Allow
  Resource:
    - arn:aws:ssm:*:*:document/AWS-RunShellScript
    - arn:aws:ec2:*:*:instance/*
  Action:
    - ssm:SendCommand
- Effect: Allow
  Resource: '*'
  Action:
    - ssm:ListCommands
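As an added example (not part of the post above, and not AWS library code), here is a small Python model of how IAM matches the Action and Resource wildcards in an identity policy. It is enough to show why a Resource of '*' authorizes the call, and that a single SendCommand request has to pass the check for the document ARN and for every target instance ARN separately, which is why the error names one specific resource. The account ID, instance IDs and policy variable names are constructed; conditions, SCPs and resource-based policies are left out, so the IAM policy simulator remains the authority for a real policy.

```python
import re

# Added example: a deliberately minimal model of IAM Action/Resource matching.
# Conditions, SCPs and resource-based policies are not modelled.


def _glob_to_re(pattern):
    """Translate an IAM wildcard pattern to a regex: '*' matches any run of characters
    (including ':' and '/'), '?' matches exactly one character, everything else is literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def _match(pattern, value, ignore_case=False):
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(_glob_to_re(pattern), value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(statements, action, resource):
    """Simplified IAM decision for one (action, resource) pair: an explicit Deny always wins,
    otherwise any matching Allow grants, otherwise the request is implicitly denied.
    Action names are matched case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for st in statements:
        if not any(_match(a, action, ignore_case=True) for a in _as_list(st.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def first_denied_resource(statements, action, resources):
    """SendCommand names several resources in one request (the document plus every target
    instance) and each must be allowed. Returns the first resource that is not, or None."""
    for r in resources:
        if not is_allowed(statements, action, r):
            return r
    return None


# Constructed request: one RunShellScript document and one target instance (account and
# instance IDs are made up). AWS-owned documents carry an empty account field in their ARN,
# which the '*' in the scoped policy below still matches.
SEND_COMMAND_RESOURCES = [
    "arn:aws:ssm:us-east-1::document/AWS-RunShellScript",
    "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0",
]

# The wide-open form from the post, written as Python dicts rather than YAML.
WILDCARD_POLICY = [
    {"Effect": "Allow", "Resource": "*", "Action": ["ssm:SendCommand", "ssm:ListCommands"]},
]

# The scoped form: SendCommand limited to one document and any instance, ListCommands unscoped.
SCOPED_POLICY = [
    {
        "Effect": "Allow",
        "Resource": ["arn:aws:ssm:*:*:document/AWS-RunShellScript", "arn:aws:ec2:*:*:instance/*"],
        "Action": ["ssm:SendCommand"],
    },
    {"Effect": "Allow", "Resource": "*", "Action": ["ssm:ListCommands"]},
]

# A stray trailing comma on an ARN (easy to pick up when converting JSON to YAML by hand) becomes
# part of the pattern, matches nothing, and so denies the whole SendCommand call.
STRAY_COMMA_POLICY = [
    {
        "Effect": "Allow",
        "Resource": ["arn:aws:ssm:*:*:document/AWS-RunShellScript,", "arn:aws:ec2:*:*:instance/*"],
        "Action": ["ssm:SendCommand"],
    },
]

# Tighter still: only one named instance may be targeted.
SINGLE_INSTANCE_POLICY = [
    {
        "Effect": "Allow",
        "Resource": [
            "arn:aws:ssm:*:*:document/AWS-RunShellScript",
            "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0",
        ],
        "Action": ["ssm:SendCommand"],
    },
]

if __name__ == "__main__":
    for name, policy in [("wildcard", WILDCARD_POLICY), ("scoped", SCOPED_POLICY),
                         ("stray comma", STRAY_COMMA_POLICY)]:
        denied = first_denied_resource(policy, "ssm:SendCommand", SEND_COMMAND_RESOURCES)
        print(f"{name}: {'allowed' if denied is None else 'denied on ' + denied}")
```

The resource named in the returned value is the one IAM would report after "on resource:" in the AccessDeniedException, so the model can be used to reason about which of the two resource patterns in a scoped SendCommand statement failed to match.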

Why is `botocore-session-id#` being attached to my Amazon Resource Number (arn:) when trying to `assume-role` via AWS CLI

Up until now I have been able to run aws sts assume-role --role-arn arn:aws:iam::<accountID>:role/<iam_role> --role-session-name <a_session_name> --profile <the_profile_name> without a hitch...
Now I'm getting an error: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::<accountID>:assumed-role/<iam_role>/botocore-session-xxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<accountId>:role/<iam_role>
Is this due to me being in an assumed-role state and then attempting to assume the same role again? If that is the case, then what's the solution for clearing out the botocore cache?
I have cleared the ~/.aws/cache directory
I have been successful assuming this role until today, no security credentials have been removed from my AWS account
I've killed and restarted the iTerm session
executing aws sts get-caller-identity --profile picklerick nets me the same results: both arn: and userId have the same botocore-session-xxxxx attached
This question is not a dupe of these questions:
Access denied when assuming role as IAM user via boto3
AWS cli: not authorized to perform: sts:AssumeRole on resource
python boto3 error: Not authorized to perform assumed role on resource
If any of this makes sense to you, then you might also be able to explain what caused this in the first place. I've had no issues up until this, and never cared about or saw mention of boto.

user " is not authorized to perform: sts:AssumeRole on resource: "

I created an EKS cluster on AWS, and when I tried to access it from the AWS CLI, I bumped into an access rights issue.
-- my CLI user permission:
-- definition of policy sts_AssumeRol:
-- then when I try to run
siguser#x220:~/ws/aws/eks$ ./kubectl get svc
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::xxxxx:user/shichao-aws-cli is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxx:role/eks-sg-bd-role
What could be the possible cause here? I have tried to run aws configure a few times, but to no avail.
============================== edit 1:=======================
trust relationship for role eks-sg-bd-role:
policy simulator:
============================== edit 2:=======================
siguser#x220:~/ws/aws/eks$ ./kubectl get svc
error: You must be logged in to the server (Unauthorized)
my own solution:
I ended up working around the issue with eksctl instead.
eksctl create cluster --name eks-cluster-SG-BD --version 1.16 --region us-east-2 --fargate

AWS user with "AmazonDynamoDBFullAccess" gets "User is not authorized to perform: dynamodb:PutItem on resource"

Every post on "User is not authorized to perform: dynamodb:PutItem on resource" from Amazon's Lambda leads to the same repeatedly stated answer, and lots of cheerful replies after the following fix is applied:
Add the appropriate permissions to the IAM role assigned to the Lambda function.
Apparently it is not enough:
"An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::759832573084:assumed-role/operator/get-orders is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:ap-southeast-2:759832573084:table/queue"
The IAM role assigned to the Lambda function here, I believe, is the user 'operator', who has:
AWSLambdaFullAccess
AmazonDynamoDBFullAccess
AWSLambdaDynamoDBExecutionRole
AmazonDynamoDBFullAccesswithDataPipeline
As you can see, I oversupplied the 'operator' user's permissions in order to overcome the problem.
Other things I checked are:
The error is reproducible in the AWS console's lambda debugger
The table 'queue' has an Amazon Resource Name that is the same as the one stated in the error message.
Lambda is created in the same region (Asia Pacific 2) as the dynamodb table.
The Lambda documentation mentioned that for fine-tuning permissions on the table, its primary key has to be a string, so I changed my table 'queue' primary key to a string. It didn't help.
I don't think it's relevant, but the language used in the Lambda is Python 3.6.
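Every denial quoted on this page, from the Firehose PutRecord error at the top to the DynamoDB PutItem error in the post above, has the same shape: the principal is the ARN that actually made the call (a role session such as assumed-role/operator/get-orders, or an IAM user), the action is what the SDK call needed, and the resource is the ARN (or, in IAM's own case, the bare role name) that the request was evaluated against. A session ARN of the form assumed-role/NAME/SESSION identifies the role NAME, so the permission has to be attached to that role; policies on the IAM user who created the function or cluster play no part in the decision. For sts:AssumeRole the target role's trust policy must also name the caller, which no identity policy can substitute for. The following added Python example (not from any of the posts above, and not an AWS library) parses such a message into its parts, names the policy document the fix belongs in, and emits the single least-privilege statement that would cover the denied call. The sample inputs are the messages quoted on this page; the function names are assumptions.

```python
import json
import re

# Added example: parse AWS AccessDenied messages and derive the minimal fix.
# Handles both the older message shape and the newer one that ends with
# "because no identity-based policy allows ... (Service: ...)".

_DENIED = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::[^ ]+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>.+?)"
    r"(?: because (?P<reason>.+?))?(?=\s*\(Service|\"|$)"
)

# assumed-role/NAME or assumed-role/NAME/SESSION -> NAME; user/NAME -> NAME
_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::[^:]*:assumed-role/([^/]+)(?:/|$)")
_IAM_USER = re.compile(r"^arn:aws:iam::[^:]*:user/(.+)$")


def parse_access_denied(message):
    """Return a dict describing the denial, or None if the message has a different shape."""
    m = _DENIED.search(message)
    if not m:
        return None
    principal = m.group("principal")
    role = _ASSUMED_ROLE.match(principal)
    user = _IAM_USER.match(principal)
    return {
        "principal": principal,
        # A session ARN identifies the role; permissions must be attached to that role,
        # not to whichever IAM user created the Lambda, pipeline or cluster.
        "role": role.group(1) if role else None,
        "user": user.group(1) if user else None,
        "action": m.group("action"),
        "resource": m.group("resource").strip(),
        "reason": m.group("reason").strip() if m.group("reason") else None,
    }


def minimal_statement(denial):
    """The single Allow statement that covers exactly the denied call and nothing wider."""
    return {
        "Effect": "Allow",
        "Action": denial["action"],
        "Resource": denial["resource"],
    }


def where_to_attach(denial):
    """Which policy document the statement belongs in. sts:AssumeRole is special: the
    target role's trust policy must name the caller as well."""
    if denial["action"] == "sts:AssumeRole":
        return f"trust policy of {denial['resource']} (plus the caller's identity policy)"
    if denial["role"]:
        return f"identity policy attached to role {denial['role']}"
    if denial["user"]:
        return f"identity policy attached to user {denial['user']}"
    return "identity policy attached to the calling principal"


# Sample input: the error messages quoted on this page.
SAMPLE_MESSAGES = [
    "AccessDeniedException: User: arn:aws:sts::123:assumed-role/function is not authorized to perform: "
    "firehose:PutRecord on resource: arn:aws:firehose:eu-west-1:123:deliverystream",
    "Error: User: arn:aws:sts::*********:assumed-role/MyDataPipelineRole/EDPSession is not authorized to "
    "perform: iam:ListRolePolicies on resource: role MyDatapipelineEC2Role because no identity-based "
    "policy allows the iam:ListRolePolicies action (Service: AmazonIdentityManagement; Status Code: 403)",
    "An error occurred (AccessDenied) when calling the AssumeRole operation: User: "
    "arn:aws:sts::<accountID>:assumed-role/<iam_role>/botocore-session-xxxxx is not authorized to "
    "perform: sts:AssumeRole on resource: arn:aws:iam::<accountId>:role/<iam_role>",
    "An error occurred (AccessDenied) when calling the AssumeRole operation: User: "
    "arn:aws:iam::xxxxx:user/shichao-aws-cli is not authorized to perform: sts:AssumeRole on resource: "
    "arn:aws:iam::xxxxx:role/eks-sg-bd-role",
    "An error occurred (AccessDeniedException) when calling the PutItem operation: User: "
    "arn:aws:sts::759832573084:assumed-role/operator/get-orders is not authorized to perform: "
    "dynamodb:PutItem on resource: arn:aws:dynamodb:ap-southeast-2:759832573084:table/queue",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        d = parse_access_denied(msg)
        print(where_to_attach(d))
        print(json.dumps({"Version": "2012-10-17", "Statement": [minimal_statement(d)]}, indent=2))
```

The emitted statement is scoped to the one resource the message names; if the code needs to write to several streams or tables, add them to the Resource list rather than widening it to '*'. For the IAM validation message, the resource is reported as the bare role name, so the ARN of that role has to be filled in by hand before the statement is usable.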