I'm trying to update one lambda to the AWS Cloud, but suddenly this error started to appear:
Error attempting to fix the trust policy for IAM Role...
Checking the "Trust Relationships" tab on the AWS Web Console, as demanded by the error message, everything looks OK:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Any idea about how to fix it?
You can define multiple profiles within the credentials files that live in the .aws folder under your user home folder. Information about these files can be found at https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/credentials.html
If your credentials are simple access key - secret key pairings, you can use the AWS Toolkit to create new profiles. In Visual Studio, go to the View menu and select AWS Explorer. From the AWS Explorer, there will be buttons that allow you to add/edit/delete credentials profiles. Using these will allow you to create or modify a profile's access key and secret key. More details about this workflow can be found at https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/keys-profiles-credentials.html
I figured out that my credentials were wrong.
The AWS Toolkit uses the credentials configured in the terminal and saves them under the ".aws" folder in the user home folder.
Since I use more than one account, sometimes I change these credentials (I know that it is possible to configure profiles).
I am struggling trying to create my first React app. I have connected the app to the CodeCommit repository but the build on the Amplify console fails with this message:
2020-12-14T09:25:04.155Z [ERROR]: !!! Unable to assume specified IAM Role. Please ensure the selected IAM Role has sufficient permissions and the Trust Relationship is configured correctly.
The provision phase works perfectly:
I have created the service role AmplifyConsoleServiceRole-AmplifyRole as suggested on this guide and I am logged in as a user with AdministratorAccess authorization. Git commits to the repository from my PC console work perfectly.
It is not clear to me what IAM role the AWS Amplify Console is unable to assume. The AmplifyConsoleServiceRole-AmplifyRole which I have selected as Service role during the App creation I think. The permissions of this role are AdministratorAccess, as well. How can I check if the Trust Relationship is configured correctly?
I've contacted Amazon support. They answered that something is not working on their side using eu-south-1.
I've just tried on eu-central-1 and the build process worked as expected. So there were no permissions problems, simply a bug. They told me that it will be addressed soon.
Edit: Amazon support team found the problem in the trust relationship to be used with the eu-south-1 region. It must be defined in the following way:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["amplify.eu-south-1.amazonaws.com", "amplify.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I'm running a tech stack of react -> graphQL -> appsync -> lambda -> go
When I run my graphQL query from the client I receive this error back:
Unable to assume role arn:aws:iam::<SOMENUMBER>:role/service-role/MyRoleForMyLambda.
In fact this was all running fine until I accidentally changed the function ARN and roles on my Datasource to other ones. I changed them back but now Appsync seems to be unable to find the role and function ARN. I tried creating a completely new Datasource but I have the same issue. Often the function ARN and/or roles don't appear in the dropdown and I enter them manually. Sometimes it lets me save without errors - other times when attempting to save the Datasource I get the helpful error message "Error". Sometimes after saving when I go to look at them again the function ARN field is blank unless I click on the 'not in drop down' link.
I don't think the problem is with my role itself as it appears that appsync can't even assume the role to start with. I've read about trust policies as a solution but I don't know where to put them.
Any help much appreciated.
In your IAM console, you need to add the AppSync service as a trusted entity to the role you are trying to assume.
Click "Edit trust relationship" and enter the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I have set up an EMR cluster with Zeppelin installed on it. I configured Zeppelin with Active Directory authentication and I have associated those AD users with IAM roles. I was hoping to restrict access to specific resources on S3 after logging into Zeppelin using the AD credentials. However, it doesn't seem to be respecting the permissions the IAM role has defined. The EMR role has S3 access, so I am wondering if that is overriding the permissions or if that is actually the only role it cares about in this scenario.
Does anyone have any idea?
I'm actually about to try to tackle this problem this week. I will try to post updates as I have some. I know that this is an old post, but I've found so many helpful things on this site that I figured it might help someone else even if it doesn't help the original poster.
The question was if anyone has any ideas, and I do have an idea. So even though I'm not sure if it will work yet, I'm still posting my idea as a response to the question.
So far, what I've found isn't ideal for large organizations because it requires some per user modifications on the master node, but I haven't run into any blockers yet for a cluster at the scale that I need it to be. At least nothing that can't be fixed with a few configuration management tool scripts.
The idea is to:
Create a vanilla Amazon EMR cluster
Configure SSL
Configure authentication via Active Directory
(this step is what I am currently on) Configure Zeppelin to use impersonation (i.e. run the actual notebook processes as the authenticated user), which so far seems to require creating a local OS (Linux) user (with a username matching the AD username) for each user that will be authenticating to the Zeppelin UI. Employing one of the impersonation configurations can then cause Zeppelin to run the notebooks as that OS user (there are a couple of different impersonation configurations possible).
Once impersonation is working, manually configure my own OS account's ~/.aws/credentials and ~/.aws/config files.
Write a Notebook that will test various access combinations based on different policies that will be temporarily attached to my account.
The idea is to have the Zeppelin notebook processes kick off as the OS user that is named the same as the AD authenticated user, and then have an ~/.aws/credentials and ~/.aws/config file in each user's home directory, hoping that this might cause the connection to S3 to follow the rules that are attached to the AWS account that is associated with the keys in each user's credentials file.
I'm crossing my fingers that this will work, because if it doesn't, my idea for how to potentially accomplish this will become significantly more complex. I'm planning on continuing to work on this problem tomorrow afternoon. I'll try to post an update when I have made some more progress.
One way to allow access to S3 by IAM user/role is to meet these 2 conditions:
1. Create an S3 bucket policy matching S3 resources with the IAM user/role. This should be done in S3 / your bucket / Permissions / Bucket Policy.
Example:
{
  "Version": "2012-10-17",
  "Id": "Policy...843",
  "Statement": [
    {
      "Sid": "Stmt...434",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-id>:user/your-s3-user",
          "arn:aws:iam::<account-id>:role/your-s3-role"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::target-bucket/*",
        "arn:aws:s3:::other-bucket/specific-resource"
      ]
    }
  ]
}
2. Allow S3 actions for your IAM user/role. This should be done in IAM / Users / your user / Permissions / Add inline policy. Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}
Please note this might not be the only and/or best way, but it worked for me.
I'm getting the following error when I try to create a development endpoint for AWS Glue.
{
  "service": "AWSGlue",
  "statusCode": 400,
  "errorCode": "ValidationException",
  "requestId": "<here goes an UUID>",
  "errorMessage": "Role arn:aws:iam::<IAM ID>:role/AWSGlueServiceRole-DefaultRole should be given assume role permissions for Glue Service.\n",
  "type": "AwsServiceError"
}
And my role has the following permissions.
AmazonS3FullAccess
AWSGlueServiceNotebookRole
AmazonAthenaFullAccess
AWSGlueServiceRole
CloudWatchLogsReadOnlyAccess
AWSGlueConsoleFullAccess
AWSCloudFormationReadOnlyAccess
Any clues on what I am missing?
In your trust relationship, the trust should be established with glue.amazonaws.com. Your role (AWSGlueServiceRole-DefaultRole) may not have this. To confirm, go to the IAM roles console, select the IAM role: AWSGlueServiceRole-DefaultRole and click on the Trust Relationship tab.
The JSON for this should look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "glue.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Example screenshot for the Trust relationship:
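The Lambda, Amplify, AppSync and Glue errors above all come down to the same question: does the role's trust policy allow the calling service principal to run sts:AssumeRole? The following is an added example (not from any of the answers or from AWS) that answers that offline for a trust-policy document, handling the string-or-list forms IAM accepts and an explicit Deny; the sample policies are constructed.

```python
import json

# Constructed sample trust policies (not from any real AWS account).
TRUST_LAMBDA_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})
TRUST_AMPLIFY_REGIONAL = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["amplify.eu-south-1.amazonaws.com",
                                  "amplify.amazonaws.com"]},
        "Action": ["sts:AssumeRole"],
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    return [] if value is None else value if isinstance(value, list) else [value]


def trusted_services(policy_json):
    """Service principals allowed to call sts:AssumeRole on this role.

    Only Allow statements whose Action covers sts:AssumeRole count, and an
    explicit Deny for the same service removes it again (deny overrides).
    """
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        services = {"*"} if principal == "*" else set()
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
        (allowed if stmt.get("Effect") == "Allow" else denied).update(services)
    return set() if "*" in denied else allowed - denied


def missing_trust(policy_json, *required):
    """Required service principals the trust policy does not cover.

    An empty list means the service can assume the role; a non-empty list
    is the usual cause of the "Unable to assume role" errors quoted above.
    """
    trusted = trusted_services(policy_json)
    if "*" in trusted:
        return []
    return sorted(s for s in required if s not in trusted)
```

For the eu-south-1 Amplify case, pass both the regional and the global principal to missing_trust and expect an empty result.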
I was tripped up by this as well; the problem is that when you use the console to create a default glue service role it ends up creating the IAM role like this:
arn:aws:iam:::role/service-role/AWSGlueServiceRole-DefaultRole
Make note of the "service-role" in the path.
But then when choosing that role as the role you want to use in the console wizard for setting up a new dev endpoint it doesn't include the "service-role" in the path and looks for a role named like this:
arn:aws:iam:::role/AWSGlueServiceRole-DefaultRole
I think this is just a bug in the console wizard for creating dev endpoints. I got around it by creating a new role that doesn't have "service-role" in the path and then chose that role in the console wizard and was able to successfully create a dev endpoint.
The problem was somehow related to an old role that I had already messed up. I created a brand new role just for development following this link and this link, and it worked like a charm.
I am trying to set up code deployment using AWS, but when I try to perform a deployment, I am getting this error:
2016-06-08 23:57:11 ERROR [codedeploy-agent(1207)]: InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Cannot reach InstanceService: Aws::CodeDeployCommand::Errors::AccessDeniedException -
2016-06-08 23:58:41 INFO [codedeploy-agent(1207)]: Version file found in /opt/codedeploy-agent/.version.
2016-06-08 23:58:41 INFO [codedeploy-agent(1207)]: [Aws::CodeDeployCommand::Client 400 0.055741 0 retries] poll_host_command(host_identifier:"IAM-user-ARN") Aws::CodeDeployCommand::Errors::AccessDeniedException
I have two IAM roles - one for EC2 instance, and one for deployment app.
The S3 bucket has a permission set for the IAM role which is used for deployment:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "XXXXXXXX:role/TestRole"
      },
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "arn:aws:s3:::pmcdeploy/*"
    }
  ]
}
What is going on?
Is the error consistent? Looking at the agent code, it seems like the agent might be having trouble talking to EC2. If this is a persistent problem, you can share the EC2 instance profile.
Also, starting the agent with the verbose option enabled gives a lot more information about what's going on.
Thanks
This is actually related to the order of credential loading. The host agent runs as the root user by default and also uses the instance profile.
The exception occurs when you've set up a root credential, which has priority over the instance profile according to: http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html#config-settings-and-precedence
Then the AWS SDK used by the host agent will use the credential configured for the root user instead of the instance profile to sign the requests.
One workaround would be to run the agent as a different user and not configure any credentials for that user.
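The precedence described in this answer, as an added example that is not part of the original answer or of the CodeDeploy agent: a simplified model of the SDK credential chain (environment variables, then the process owner's shared credentials file, then the instance profile) that shows how a /root/.aws/credentials default profile shadows the instance role for an agent running as root. File contents and key IDs are constructed, not real.

```python
import configparser

# Constructed contents of /root/.aws/credentials (not real keys).
ROOT_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAEXAMPLEROOTKEY
aws_secret_access_key = constructed-secret-not-real
"""
# A file that only defines a non-default profile.
OTHER_PROFILE_ONLY = """
[deploy-tools]
aws_access_key_id = AKIAEXAMPLEOTHERKEY
aws_secret_access_key = constructed-secret-not-real
"""


def _file_has_profile(text, profile):
    """True if the shared credentials file defines a usable key pair for profile."""
    parser = configparser.ConfigParser()
    parser.read_string(text or "")
    return (parser.has_section(profile)
            and parser.has_option(profile, "aws_access_key_id")
            and parser.has_option(profile, "aws_secret_access_key"))


def resolve_credential_source(env, credentials_file_text, instance_profile):
    """Name the provider the SDK would pick for a process with this environment.

    env: the process environment (dict); credentials_file_text: contents of
    the process owner's ~/.aws/credentials ("" if absent); instance_profile:
    whether the EC2 instance has an IAM role attached. Simplified model of the
    precedence rules linked in the answer above.
    """
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment variables"
    profile = env.get("AWS_PROFILE", "default")
    if _file_has_profile(credentials_file_text, profile):
        return f"shared credentials file (profile {profile})"
    if instance_profile:
        return "instance profile"
    return "none"


def codedeploy_agent_is_shadowed(root_credentials_file_text):
    """The failure mode above: the agent runs as root with no AWS_* env vars,
    so a default profile in root's credentials file wins over the instance
    profile and the agent calls CodeDeploy as that IAM user, not the role."""
    source = resolve_credential_source({}, root_credentials_file_text, True)
    return source != "instance profile"
```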
We had what I think was the same issue.
Our systems had a /root/.aws/credentials in place, which CodeDeploy absolutely uses, and I found no way of telling it not to do that.
Especially no documentation...
In the end, we rewrote everything on our end to ensure we'll no longer need a credentials file in place.
From that moment on, CodeDeploy used the instance profile and it was working fine.
I deleted /home/ubuntu/.aws and restarted the codedeploy-agent service, and it worked for me :-)