I was trying to deploy a launch template in my AWS autoscaling group using Ansible!
Here was my script:
- name: base64 conversion
  command: base64 -w 0 roles/inspect/tasks/user_data_cs.sh
  register: userdata
- debug:
    var: userdata.stdout
# To deploy the user data in the launch template
- name: User data deployment
  ec2_launch_template:
    name: "{{ LT_name }}"
    image_id: "ami-##########"
    key_name: "aws-dev"
    block_device_mappings:
      - device_name: "/dev/sdb"
        ebs:
          volume_size: 20
          encrypted: true
      - device_name: "/dev/xvda"
        ebs:
          volume_size: 10
          volume_type: gp2
          delete_on_termination: yes
          encrypted: true
    default_version: "1"   # quoted: the module expects a string, not an int
    ebs_optimized: no
    iam_instance_profile: "aws-ec2-role"
    network_interfaces:
      - device_index: 0
        delete_on_termination: yes
        associate_public_ip_address: no
        groups: ["sg-##########"]
    instance_type: t3.small
    user_data: "{{ userdata.stdout }}"
  when: name_env == "dev"
It was showing this error:
TASK [inspect : User data deployment] ****************************************** An exception occurred during task execution. To see the full traceback, use -vvv. The error was: botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeLaunchTemplates operation: You are not authorized to perform this operation. [WARNING]: The value 1 (type int) in a string field was converted to '1' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change. fatal: [127.0.0.1]: FAILED! => {"boto3_version": "1.24.38", "botocore_version": "1.27.38", "changed": false, "error": {"code": "UnauthorizedOperation", "message": "You are not authorized to perform this operation."}, "msg": "Could not check existing launch templates. This may be an IAM permission problem.: An error occurred (UnauthorizedOperation) when calling the DescribeLaunchTemplates operation: You are not authorized to perform this operation.", "response_metadata": {"http_headers": {"cache-control": "no-cache, no-store", "content-type": "text/xml;charset=UTF-8", "date": "Thu, 05 Jan 2023 13:17:02 GMT", "server": "AmazonEC2", "strict-transport-security": "max-age=31536000; includeSubDomains", "transfer-encoding": "chunked", "vary": "accept-encoding", "x-amzn-requestid": "c0cd0411-c88e-4569-bd91-21dd46708224"}, "http_status_code": 403, "request_id": "c0cd0411-c88e-4569-bd91-21dd46708224", "retry_attempts": 0}}
Here were my IAM permissions!
There seems to be no action called "DescribeLaunchTemplate". I tried autoscaling:DescribeLaunchTemplate, elasticloadbalancing:DescribeLaunchTemplate and application-autoscaling:DescribeLaunchTemplate, and also just DescribeLaunchTemplate on its own.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags"
      ],
      "Resource": "*"
    }
  ]
}
and
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "application-autoscaling:RegisterScalableTarget",
        "application-autoscaling:DeleteScheduledAction",
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DeleteScalingPolicy",
        "elasticloadbalancing:DescribeLoadBalancers",
        "autoscaling:DescribeAutoScalingGroups",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:PutScalingPolicy",
        "elasticloadbalancing:DescribeTargetGroups",
        "autoscaling:DescribeLoadBalancerTargetGroups",
        "application-autoscaling:DescribeScheduledActions",
        "application-autoscaling:PutScheduledAction",
        "application-autoscaling:DeregisterScalableTarget"
      ],
      "Resource": "*"
    }
  ]
}
I also tried adding "DescribeLaunchTemplates", but there seems to be no IAM action like that; I checked with ASG and everything.
Adding
  "ec2:DescribeLaunchTemplates",
  "ec2:DescribeLaunchTemplateVersions"
resolved this issue.
Related
I've created a new EKS cluster using Terraform. A couple of developers, when they try to access the cluster in the AWS console, get the following error.
Can someone please point out what I'm missing?
cluster version: 1.18
User: arn:aws:iam::xxxx:user/yyy is not authorized to perform: eks:AccessKubernetesApi on resource: arn:aws:eks:us-east-1:xxxx:cluster/cluster
Each user has this policy attached:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "eks:ListFargateProfiles",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "eks:DescribeFargateProfile",
        "eks:ListTagsForResource",
        "eks:ListUpdates",
        "eks:DescribeUpdate",
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
My aws-auth config looks like this:
apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxx:role/cluster182020111918162137770000002f
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - groups:
        - system:masters
      rolearn: arn:aws:iam::xxxx:role/abc-role
      username: abc-xac
    - groups:
        - system:bootstrappers
        - system:nodes
      rolearn: arn:aws:iam::xxx:role/cluster_eks_worker_role
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - groups:
        - system:developers
      userarn: arn:aws:iam::xxx:user/yyy
      username: yyy
....
It's already mentioned in the error that the user doesn't have access to eks:AccessKubernetesApi.
Just add this to the IAM role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "eks:AccessKubernetesApi",
        "eks:ListFargateProfiles",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "eks:DescribeFargateProfile",
        "eks:ListTagsForResource",
        "eks:ListUpdates",
        "eks:DescribeUpdate",
        "eks:DescribeCluster",
        "eks:ListClusters"
      ],
      "Resource": "*"
    }
  ]
}
When deploying Spinnaker to EKS via hal deploy apply, the Spinnaker Clouddriver pod goes to CrashLoopBackOff with the following error:
Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/Spinnaker-k8s-Worker-Node-Role/i-yyyyyyyyyyyyyyy is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/Spinnaker-Managed-Role
My Halyard config is as follows:
currentDeployment: default
deploymentConfigurations:
- name: default
  version: 1.17.6
  providers:
    appengine:
      enabled: false
      accounts: []
    aws:
      enabled: true
      accounts:
      - name: my-account
        requiredGroupMembership: []
        providerVersion: V1
        permissions: {}
        accountId: 'xxxxxxxxxxxx' # my account id here
        regions:
        - name: us-east-1
        assumeRole: Spinnaker-Clouddriver-Role
        lifecycleHooks: []
      primaryAccount: my-account
      bakeryDefaults:
        baseImages: []
        defaultKeyPairTemplate: '{{name}}-keypair'
        defaultRegions:
        - name: us-east-1
        defaults:
          iamRole: BaseIAMRole
My Spinnaker-Clouddriver-Role IAM role has PowerUserAccess permissions at the moment and has the following as its trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "ecs.amazonaws.com",
          "application-autoscaling.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxx:role/Spinnaker-k8s-Worker-Node-Role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
How can I get this resolved?
The full log can be found on https://gist.github.com/agentmilindu/d9d31ee4287c87fb87e5060e0709989d#file-awssecuritytokenserviceexception-log-L3
Take a look at an AWS IAM policy that works flawlessly.
Refer to the Armory AWS IAM setup and EC2 provider setup:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "cloudformation:*",
        "ecr:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::123456789012:role/SpinnakerManagedRoleAccount1",
        "arn:aws:iam::101121314157:role/SpinnakerManagedRoleAccount2",
        "arn:aws:iam::202122232425:role/SpinnakerManagedRoleAccount3"
      ],
      "Effect": "Allow"
    }
  ]
}
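The exception in this question involves two policies at once: the trust policy on the role being assumed, and the identity policy of the role doing the assuming (the second is what the Armory policy above adds). The checker below models both sides, as an added example that is not part of the post or of Spinnaker/Armory; the ARNs are constructed with the placeholder account 111122223333, and the `session_to_role_arn` helper is my own name for mapping the assumed-role session ARN printed in the error back to the role ARN a trust policy must reference.

```python
import re

_SESSION = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def session_to_role_arn(arn):
    """arn:aws:sts::acct:assumed-role/Role/session -> arn:aws:iam::acct:role/Role.
    Trust policies must name the role ARN, never the session ARN seen in the error."""
    m = _SESSION.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn

def _list(v):
    return v if isinstance(v, list) else [v]

def _assume_role_allows(policy):
    # Only Allow statements that cover sts:AssumeRole (Deny, NotAction, Condition not modelled)
    for s in _list(policy["Statement"]):
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _list(s.get("Action", [])):
            yield s

def trust_allows(trust_policy, caller_role_arn):
    return any(caller_role_arn in _list(s.get("Principal", {}).get("AWS", []))
               for s in _assume_role_allows(trust_policy))

def identity_allows(caller_policy, target_role_arn):
    return any(r in ("*", target_role_arn)
               for s in _assume_role_allows(caller_policy) for r in _list(s.get("Resource", [])))

def assume_role_problems(caller_session_arn, caller_policy, target_role_arn, trust_policy):
    """Empty list = allowed. Modelled conservatively: both sides must allow."""
    caller = session_to_role_arn(caller_session_arn)
    problems = []
    if not trust_allows(trust_policy, caller):
        problems.append(f"trust policy of {target_role_arn} does not list {caller}")
    if not identity_allows(caller_policy, target_role_arn):
        problems.append(f"caller policy lacks sts:AssumeRole on {target_role_arn}")
    return problems

# Constructed data mirroring the question (placeholder account id, not a real one)
ACCT = "111122223333"
WORKER_SESSION = f"arn:aws:sts::{ACCT}:assumed-role/Spinnaker-k8s-Worker-Node-Role/i-0123456789abcdef0"
MANAGED_ROLE = f"arn:aws:iam::{ACCT}:role/Spinnaker-Managed-Role"
TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": f"arn:aws:iam::{ACCT}:role/Spinnaker-k8s-Worker-Node-Role"}}]}
# Worker-node policy without, and then with, the Armory-style sts:AssumeRole statement
WORKER_POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}]}
WORKER_POLICY_AFTER = {"Version": "2012-10-17", "Statement": WORKER_POLICY_BEFORE["Statement"] + [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [MANAGED_ROLE]}]}

if __name__ == "__main__":
    print(assume_role_problems(WORKER_SESSION, WORKER_POLICY_BEFORE, MANAGED_ROLE, TRUST))
    print(assume_role_problems(WORKER_SESSION, WORKER_POLICY_AFTER, MANAGED_ROLE, TRUST))  # []
```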
I would like to ask how I can run CodePipeline when test.json is changed.
I tried to use CloudWatch, but the trigger was not running:
{
  "source": [
    "aws.s3"
  ],
  "detail-type": [
    "AWS API Call via CloudTrail"
  ],
  "detail": {
    "eventSource": [
      "s3.amazonaws.com"
    ],
    "eventName": [
      "PutObject",
      "UploadPart",
      "GetObject",
      "PutObjectAcl"
    ],
    "requestParameters": {
      "bucketName": [
        "ap-stacks-configuration"
      ],
      "key": [
        "test.json"
      ]
    }
  }
}
Here is my role. What am I doing wrong?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codepipeline:StartPipelineExecution"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
You can just make the first stage of the pipeline an S3 source that points at your object.
Stages:
  - Name: Source
    Actions:
      - Name: MySource
        ActionTypeId:
          Category: Source
          Owner: AWS
          Provider: S3
          Version: '1'
        Configuration:
          S3Bucket: MyS3Bucket
          S3ObjectKey: BucketKey
          PollForSourceChanges: 'true'
        OutputArtifacts:
          - Name: MyOutput
        RoleArn: RoleArn
        RunOrder: 1
I have created a Lambda function through which I want to launch an EC2 instance using a pre-baked AMI, along with a bunch of other tags.
Lambda function:
require 'json'
require 'aws-sdk'

def lambda_handler(event:, context:)
  client = Aws::EC2::Client.new(region: 'us-west-2')
  # Find the pre-baked AMIs we own that carry the metatag=app tag
  images = client.describe_images({
    filters: [
      {
        name: "tag:metatag",
        values: ["app"],
      },
    ],
    owners: ["<owner_id>"],
    dry_run: false,
  }).images
  # Pick the most recently created AMI rather than whichever is returned first
  latest_image_id = images.max_by(&:creation_date).image_id
  ec2 = Aws::EC2::Resource.new(region: 'us-west-2')
  # RunInstances with an instance profile: the caller must also be allowed to pass that role
  instance = ec2.create_instances({
    image_id: latest_image_id,
    min_count: 1,
    max_count: 1,
    key_name: '<key-name>',
    security_group_ids: ['ApplicationSG'],
    instance_type: 't3.large',
    subnet_id: '<subnet>',
    iam_instance_profile: {
      arn: '<arn>'
    }
  })
  instance.batch_create_tags({ tags: [
    { key: 'Name', value: 'testapp08' }
  ]})
  { statusCode: 200, body: JSON.generate("latest_image_id:#{latest_image_id}, instance: #{instance.inspect}") }
end
Created a role with an inline policy to provide the required EC2 launch permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:DetachVolume",
        "ec2:AttachVolume",
        "ec2:RebootInstances",
        "ec2:ResetImageAttribute",
        "ec2:DeregisterImage",
        "ec2:DeleteTags",
        "ec2:CreateTags",
        "ec2:ResetSnapshotAttribute",
        "ec2:RunInstances",
        "ec2:StopInstances",
        "ec2:CreateVolume",
        "ec2:Describe*",
        "ec2:ModifySnapshotAttribute",
        "ec2:StartInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "logs:*",
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
Currently getting the following error, even though the ec2:RunInstances permission is enabled:
{
  "errorMessage": "You are not authorized to perform this operation. Encoded authorization failure message: sGOne-.....",
  "errorType": "Function<Aws::EC2::Errors::UnauthorizedOperation>",
  "stackTrace": [
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/plugins/raise_response_errors.rb:15:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/jsonvalue_converter.rb:20:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/idempotency_token.rb:17:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/param_converter.rb:24:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/aws-sdk-core/plugins/response_paging.rb:10:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/plugins/response_target.rb:23:in `call'",
    "/var/runtime/gems/aws-sdk-core-3.40.0/lib/seahorse/client/request.rb:70:in `send_request'",
    "/var/runtime/gems/aws-sdk-ec2-1.60.0/lib/aws-sdk-ec2/client.rb:27423:in `run_instances'",
    "/var/runtime/gems/aws-sdk-ec2-1.60.0/lib/aws-sdk-ec2/resource.rb:392:in `create_instances'",
    "/var/task/lambda_function.rb:21:in `lambda_handler'"
  ]
}
This property:
  iam_instance_profile: {
    arn: '<arn>'
  }
requires the iam:PassRole permission.
This is because a normal user who only has limited permissions might try to launch an EC2 instance with a role that has super-user access. Therefore, they require iam:PassRole permission to be able to launch an instance with a role. The policy that grants this permission can then restrict which roles they are allowed to 'pass'.
Therefore, add iam:PassRole permission to the policy.
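A way to check a policy document against the actions a task needs before deploying it, covering both this Lambda's missing iam:PassRole and the ec2:DescribeLaunchTemplates / ec2:DescribeLaunchTemplateVersions actions from the Ansible question at the top of the page. This is an added example, not code from any of the answers; the policy is a constructed copy of the Lambda role's inline policy above, and the required-action lists are my assumptions about the calls those two tasks make.

```python
import fnmatch
import json

# Constructed copy of the Lambda role's inline policy from the question above
LAMBDA_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CreateTags", "ec2:RunInstances", "ec2:Describe*"]},
    {"Effect": "Allow", "Action": "logs:*", "Resource": "arn:aws:logs:*:*:*"}
  ]
}""")

# API calls the Lambda makes: DescribeImages, RunInstances with an instance
# profile (which additionally needs iam:PassRole on that role) and CreateTags
RUN_INSTANCES_WITH_PROFILE = ["ec2:DescribeImages", "ec2:RunInstances",
                              "iam:PassRole", "ec2:CreateTags"]
# The two actions the accepted fix added for the Ansible ec2_launch_template task
LAUNCH_TEMPLATE_READS = ["ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions"]

def _list(v):
    return v if isinstance(v, list) else [v]

def action_matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def statement_effect(policy, action):
    """'Allow', 'Deny' or None (implicit deny) for one action. An explicit Deny
    wins over any Allow. NotAction, Resource and Condition are not modelled."""
    effect = None
    for stmt in _list(policy.get("Statement", [])):
        if any(action_matches(p, action) for p in _list(stmt.get("Action", []))):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            effect = "Allow"
    return effect

def missing_actions(policy, required):
    """Required actions the policy does not allow; each would surface as an
    UnauthorizedOperation / 'is not authorized to perform: <action>' error."""
    return [a for a in required if statement_effect(policy, a) != "Allow"]

if __name__ == "__main__":
    print(missing_actions(LAMBDA_POLICY, RUN_INSTANCES_WITH_PROFILE))  # ['iam:PassRole']
    print(missing_actions(LAMBDA_POLICY, LAUNCH_TEMPLATE_READS))       # [] via ec2:Describe*
```

Note that the guesses from the first question (autoscaling:DescribeLaunchTemplate and so on) never match anything here, because the prefix selects the service, and launch templates belong to ec2.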
I need a queue in my Elastic Beanstalk application, and I therefore create the queue and the queue policy with this snippet in my .ebextensions/app.conf:
Resources:
  BackgroundTaskQueue:
    Type: "AWS::SQS::Queue"
  AllowWorkerSQSPolicy:
    Type: "AWS::SQS::QueuePolicy"
    Properties:
      Queues:
        -
          Ref: "BackgroundTaskQueue"
      PolicyDocument:
        Version: "2008-10-17"
        Id: "PublicationPolicy"
        Statement:
          -
            Sid: "Allow-Create-Task"
            Effect: "Allow"
            Principal:
              AWS: "*"
            Action:
              - "sqs:SendMessage"
            Resource:
              Fn::GetAtt:
                - "BackgroundTaskQueue"
                - "Arn"
Unfortunately I cannot find a way to reference the instance profile of my EC2 instances in the autoscaling group. (At the moment the queue is open to the world.) I tried two approaches:
Reading the configuration:
  Principal:
    AWS:
      Fn::GetOptionSetting:
        OptionName: "IamInstanceProfile"
The OptionName is always retrieved from the aws:elasticbeanstalk:customoption namespace, but IamInstanceProfile is defined in the aws:autoscaling:launchconfiguration namespace as far as I know. -> No luck.
Reading from the actual AWSEBAutoScalingLaunchConfiguration resource:
  Principal:
    AWS:
      Fn::GetAtt:
        - "AWSEBAutoScalingLaunchConfiguration"
        - "IamInstanceProfile"
This approach fails because the property IamInstanceProfile is not exposed.
Has anyone found a way to make such a policy work?
Does anyone know how to instruct GetOptionSetting to look in a different namespace?
Anyone found a way to GetAtt the instance profile?
You need to set up the instance profile outside of the EB environment. You can use the 'aws iam' command to create policies, roles and instance profiles (http://docs.aws.amazon.com/cli/latest/reference/iam/index.html#cli-aws-iam), then specify the profile in option settings:
namespace: aws:autoscaling:launchconfiguration
option_name: IamInstanceProfile
value: your-instance-profile-name
If you are using eb_deployer, there is a self-contained way of doing it:
Create a CloudFormation template to define your resources stack, e.g. config/my-resources.json:
{
  "Outputs": {
    "InstanceProfile": {
      "Description": "defines what ec2 instance can do with aws resources",
      "Value": { "Ref": "InstanceProfile" }
    }
  },
  "Resources": {
    "Role": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [{
            "Effect": "Allow",
            "Principal": {
              "Service": ["ec2.amazonaws.com"]
            },
            "Action": ["sts:AssumeRole"]
          }]
        },
        "Path": "/",
        "Policies": [ {
          "PolicyName": "S3Access",
          "PolicyDocument": {
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "s3:Get*",
                  "s3:List*",
                  "s3:PutObject"
                ],
                "Resource": "*"
              }
            ]
          }
        }, {
          "PolicyName": "SQSAccess",
          "PolicyDocument": {
            "Statement": [ {
              "Effect": "Allow",
              "Action": [
                "sqs:ChangeMessageVisibility",
                "sqs:DeleteMessage",
                "sqs:ReceiveMessage",
                "sqs:SendMessage"
              ],
              "Resource": "*"
            }]
          }
        }]
      }
    },
    "InstanceProfile": {
      "Type": "AWS::IAM::InstanceProfile",
      "Properties": {
        "Path": "/",
        "Roles": [ { "Ref": "Role" } ]
      }
    }
  }
}
Add a "resources" section to your eb_deployer.yml:
resources:
  template: config/my-resources.json
  capabilities:
    - CAPABILITY_IAM
  outputs:
    InstanceProfile:
      namespace: aws:autoscaling:launchconfiguration
      option_name: IamInstanceProfile
In the above example we defined an instance profile with policies that enable specific access to S3 and SQS. Then we map the instance profile name (output of the template) to the Elastic Beanstalk option settings.
Take a look at this: https://github.com/ThoughtWorksStudios/eb_deployer/wiki/Elastic-Beanstalk-Tips-and-Tricks#setup-instance-profile-for-your-ec2-instances
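The queue policy in the question uses Principal AWS: "*", which is the "open to the world" setting the asker mentions. Once the instance role exists outside the environment, as this answer suggests, its ARN can be the principal instead. The check below flags the wildcard and rewrites the policy; it is an added example, not eb_deployer's code, the policy is the .ebextensions PolicyDocument from the question in the dict form the YAML loads to, and the role ARN is a placeholder with a constructed account id.

```python
import copy

QUEUE_POLICY = {  # PolicyDocument of AllowWorkerSQSPolicy from the question, as the YAML loads
    "Version": "2008-10-17",
    "Id": "PublicationPolicy",
    "Statement": [{
        "Sid": "Allow-Create-Task",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["sqs:SendMessage"],
        "Resource": {"Fn::GetAtt": ["BackgroundTaskQueue", "Arn"]},
    }],
}

def _list(v):
    return v if isinstance(v, list) else [v]

def _is_anonymous(principal):
    # Both `Principal: "*"` and `Principal: {AWS: "*"}` mean any AWS principal, other accounts included
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _list(principal.get("AWS", []))

def open_statements(policy):
    """Sids of Allow statements any principal can use: wildcard principal and no Condition."""
    return [s.get("Sid", "?") for s in _list(policy["Statement"])
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and "Condition" not in s]

def restrict_to_role(policy, role_arn):
    """Copy of the policy with wildcard principals replaced by the instance role's ARN.
    It must be the IAM role ARN: an instance-profile ARN is not a valid principal."""
    if not role_arn.startswith("arn:aws:iam::") or ":role/" not in role_arn:
        raise ValueError("expected an IAM role ARN, got " + role_arn)
    fixed = copy.deepcopy(policy)
    for s in _list(fixed["Statement"]):
        if _is_anonymous(s.get("Principal")):
            s["Principal"] = {"AWS": role_arn}
    return fixed

# Placeholder: the role behind the instance profile created outside EB (constructed account id)
ROLE_ARN = "arn:aws:iam::111122223333:role/aws-elasticbeanstalk-ec2-role"

if __name__ == "__main__":
    print(open_statements(QUEUE_POLICY))                              # ['Allow-Create-Task']
    print(open_statements(restrict_to_role(QUEUE_POLICY, ROLE_ARN)))  # []
```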