Cluster already exists aws - amazon-web-services

When I try to create a cluster, I get a message that Stack [eksctl-eksdemo2-cluster] already exists, but when I try to delete it I get the message "is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-2:327352963247:cluster/eksdemo1", and I can't seem to delete it manually as I do not find it in the AWS console. When I try to create one with a new name I see the error "user is not authorized to perform: eks:TagResource on resource: arn:aws:eks:eu-west-2:327352963247:cluster/eksdemo3". What roles do I need to create a cluster, as it seems that at each stage I need to attach a new policy?

Related

Creating a policy to allow update, create and delete elastic-beanstalk environment variables

I need to create an IAM custom permission policy that grants permission to create, update and delete Elastic Beanstalk environment variables. Could you guys please help me figure out how to do this? My user group already has a grant to read all Elastic Beanstalk settings, but when trying to edit an Elastic Beanstalk environment variable it throws the error message below:
Validation Error
User: arn:aws:iam::XXXXX:user/XXXXX is not authorized to perform: elasticbeanstalk:ValidateConfigurationSettings on resource: arn:aws:elasticbeanstalk:us-east-2:XXXXXX:environment/XXXXXXX

external-secrets operator not using IRSA role

I have external-secrets operator v0.5.1 installed and working with a SecretStore to retrieve from AWS Parameter Store. Also tried updating to v0.5.8.
This is working fine with IRSA, but if I try to create an ExternalSecret for AWS Secrets Manager, with a new SecretStore, the SecretStore's status is Valid but the ExternalSecret that references this SecretStore gets the following error: SecretSyncedError
AccessDeniedException: User: arn:aws:sts::12345678:assumed-role/eks-backend-role-pre/external-secrets-provider-aws is not authorized to perform: secretsmanager:GetSecretValue on resource: /backend/pre/PRE_PRIVPGPKEY because no identity-based policy allows the secretsmanager:GetSecretValue action status code: 400,
Please note the STS is trying to use eks-backend-role-pre/external-secrets-provider-aws, which doesn't exist. The role which exists is eks-backend-role-pre. I'm not sure who is adding the suffix external-secrets-provider-aws, which invalidates the role name.
Both SecretStores, the one dedicated to AWS Parameter Store and the other that is dedicated to gathering from AWS Secrets Manager, have the same service account associated.
Why does one ExternalSecret work and the other, using the same service account, doesn't?
There was a typo in the policy.
As documentation shows, this is the correct way to declare a principal:
arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId}
I had incorrectly declared the principal:
"arn:aws:secretsmanager:eu-west-1:1234567890:secret/backend/pre/*"
Correct:
"arn:aws:secretsmanager:eu-west-1:1234567890:secret:/backend/pre/*"
In contrast to SSM Parameter Store, where you declare your principal as "arn:aws:ssm:eu-west-1:1234567890:parameter/backend/pre/*", with Secrets Manager you need to add a colon after the service: :secret:

How to use iam role when creating aws eks cluster with terraform?

I am trying to create aws eks cluster with terraform. I want to use an existing iam role. I won't be creating a new role. I tried this.
module "eks" {
  ...
  # existing role to use for the cluster (HCL strings use double quotes)
  iam_role_arn = "arn:aws:iam::11111111:role/cluster-role"
  ...
}
But I get 403 permission denied. How can I do this? Thanks.
Edit: added error.
failed creating IAM Role (green-eks-node-group): AccessDenied: User: arn:aws:iam::*******:user/****** is not authorized to perform: iam:TagRole on resource: arn:aws:iam::*******:role/green-eks-node
First for good measure: Please do not post pictures here of either code or error messages. Just copy paste the stuff and format it.
That said: I think the error tells you exactly what is wrong (or at least what the first error is, because in my experience it takes a few iterations of this to get your IAM permissions straight).
The role that you use to execute terraform does not have the permission:
iam:TagRole
on the resource:
arn:aws:iam:xxxxxxxxxxx:role/eks-cluster
So you will need to add it to its policy.

Add SSM:GetParameter to AWS EC2 Instance

First time deploying an app to AWS and it's been an adventure. My current error:
Dec 21 03:49:33 ip-172-31-31-185 web: botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetParameter operation: User: arn:aws:sts::[my account number]:assumed-role/aws-elasticbeanstalk-ec2-role/[the instance number] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-2:[my account number]:parameter/Dev/WebServer/[thing I want to get] because no identity-based policy allows the ssm:GetParameter action
The docs are very good at telling me what I need to do: it appears I need to add an IAM policy to the instance using AWS Systems Manager. I even have the policy, but they are less good at telling me how to do it. Where can you add instance policies in the AWS Console?
Based on the error message - it comes from Beanstalk, the documentation is https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-instance.html
So likely you already have an instance profile based on an existing role, and that is the role you need to change. The policy is managed in IAM (not Systems Manager); just add an ssm:GetParameter rule there, either with a star (which may be good enough to debug in the dev environment) and, if it works, then limit it to your ARN. If, for arn:aws:ssm:us-east-2:[my account number]:parameter/Dev/WebServer/[thing I want to get], you make [thing I want to get] something like myapp-prefix-[thing I want to get], then you can easily limit the access only to parameters which belong to this given app. Or you can use tags.
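The Secrets Manager answer above (the colon after "secret") and the "start with a star, then narrow to a prefix" advice for ssm:GetParameter come down to the same question: does the Resource pattern in the policy actually match the ARN quoted in the AccessDenied message? The Python below is an added example, not code from either answer or from AWS. It approximates IAM's wildcard matching, and the account id, the secret suffix and the parameter names are constructed for the example.

```python
import re

# Added example (not from the answers on this page): check whether an IAM
# policy Resource pattern matches the ARN named in an AccessDenied message.
# ARN matching here is an approximation of IAM's: '*' matches any run of
# characters (including ':' and '/'), '?' matches one character, and the
# rest is a case-sensitive literal comparison.


def arn_pattern_matches(pattern: str, arn: str) -> bool:
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), arn) is not None


def secretsmanager_arn(region: str, account: str, name: str, suffix: str = "AbCdEf") -> str:
    """ARN of a Secrets Manager secret: ':secret:' followed by the name plus the
    random 6-character suffix AWS appends (suffix here is a constructed value)."""
    return f"arn:aws:secretsmanager:{region}:{account}:secret:{name}-{suffix}"


def ssm_parameter_arn(region: str, account: str, name: str) -> str:
    """ARN of an SSM parameter: ':parameter/' followed by the name, so a
    hierarchical name '/a/b' becomes 'parameter/a/b' (no double slash)."""
    return f"arn:aws:ssm:{region}:{account}:parameter/{name.lstrip('/')}"


def statement_allows(statement: dict, action: str, arn: str) -> bool:
    """True if a single Allow statement covers the action on the ARN.
    Action names are matched case-insensitively, as IAM does; resources are not."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement["Action"]
    resources = statement["Resource"]
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    action_ok = any(arn_pattern_matches(a.lower(), action.lower()) for a in actions)
    return action_ok and any(arn_pattern_matches(r, arn) for r in resources)


# Constructed sample data mirroring the two answers (account id is made up).
ACCOUNT = "123456789012"
SECRET = secretsmanager_arn("eu-west-1", ACCOUNT, "/backend/pre/PRE_PRIVPGPKEY")
WRONG = {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": f"arn:aws:secretsmanager:eu-west-1:{ACCOUNT}:secret/backend/pre/*"}
RIGHT = {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": f"arn:aws:secretsmanager:eu-west-1:{ACCOUNT}:secret:/backend/pre/*"}

DEV_PARAM = ssm_parameter_arn("us-east-2", ACCOUNT, "/Dev/WebServer/myapp-db-password")
PROD_PARAM = ssm_parameter_arn("us-east-2", ACCOUNT, "/Prod/WebServer/myapp-db-password")
# Narrowed from '*' to an app-specific prefix, as the SSM answer suggests.
SCOPED = {"Effect": "Allow", "Action": "ssm:GetParameter",
          "Resource": f"arn:aws:ssm:us-east-2:{ACCOUNT}:parameter/Dev/WebServer/myapp-*"}

if __name__ == "__main__":
    print("typo matches secret:", statement_allows(WRONG, "secretsmanager:GetSecretValue", SECRET))
    print("fixed matches secret:", statement_allows(RIGHT, "secretsmanager:GetSecretValue", SECRET))
    print("scoped allows Dev:", statement_allows(SCOPED, "ssm:GetParameter", DEV_PARAM))
    print("scoped allows Prod:", statement_allows(SCOPED, "ssm:GetParameter", PROD_PARAM))
```

The "typo" pattern fails because everything after "secret" has to match literally and the ARN has ":/backend" where the pattern has "/backend"; the same check shows that a prefix like parameter/Dev/WebServer/myapp-* covers the Dev parameter while refusing the Prod one, which is the narrowing step the SSM answer describes.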

Lambda creation Error creating application: You are not authorized to perform: serverlessrepo:GetApplication

Can anyone help me with any solution to solve this error while creating an AWS Lambda application from IAM user account:
Error creating application: You are not authorized to perform: serverlessrepo:GetApplication.
My permissions are:
In the IAM console, first go into Policy to create a policy and choose the service name Serverless Application Repository. Then configure the actions and resources for your requirement (by default, the selected option under Resources is a specific repository).
After it is created, go to User in the IAM console and attach the new policy to this user.
Now you should be able to perform: serverlessrepo:GetApplication. If you found that refreshing page does not take effect, please log out and log in again to apply the policy.
As the exception says
You are not authorized to perform: serverlessrepo:GetApplication
This means that your IAM user, or the role assumed by the deployment process, does not have an Allow effect for the serverlessrepo:GetApplication action.
To resolve this add a policy with an Allow effect for serverlessrepo:GetApplication to your IAM user, or the role being assumed by the deployment function.
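Several answers on this page (the Terraform one that warns it "takes a few iterations" to get IAM permissions straight, and the serverlessrepo one above) boil down to reading the action and resource out of each AccessDenied message and adding exactly that Allow. The Python below is an added example, not code from any answer or from AWS: it parses such messages into a minimal identity-based policy, one statement per resource ARN, so each iteration grants only what the error named. The sample log lines are constructed from the messages quoted on this page with a made-up account id and principal names.

```python
import json
import re

# Added example (not from the answers on this page): turn the
# "is not authorized to perform" messages collected while iterating on IAM
# permissions into a least-privilege Allow policy. Each action is granted on
# the exact resource ARN the error named; a message that names no resource
# gets Resource "*" and a Sid flagging it, so you scope it by hand.

DENIED = re.compile(
    r"not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>arn:[^\s,]+))?"
)


def parse_denials(lines):
    """Yield (action, resource_or_None) for every line that is an AccessDenied message."""
    for line in lines:
        m = DENIED.search(line)
        if m:
            yield m.group("action"), m.group("resource")


def build_policy(lines):
    """Group the denied actions by resource ARN into one Allow statement each."""
    by_resource = {}
    for action, resource in parse_denials(lines):
        by_resource.setdefault(resource or "*", set()).add(action)
    statements = []
    for resource, actions in sorted(by_resource.items()):
        stmt = {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        if resource == "*":
            # The error carried no ARN, so this statement is not scoped yet.
            stmt["Sid"] = "ScopeMeResourceWildcard"
        statements.append(stmt)
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample: the messages quoted on this page, with a made-up account
# id (123456789012), principal names and an unrelated log line mixed in.
SAMPLE_LOG = [
    "User: arn:aws:iam::123456789012:user/deployer is not authorized to perform: "
    "eks:DescribeCluster on resource: arn:aws:eks:eu-west-2:123456789012:cluster/eksdemo1",
    "User: arn:aws:iam::123456789012:user/deployer is not authorized to perform: "
    "eks:DescribeCluster on resource: arn:aws:eks:eu-west-2:123456789012:cluster/eksdemo1",
    "user is not authorized to perform: eks:TagResource on resource: "
    "arn:aws:eks:eu-west-2:123456789012:cluster/eksdemo3",
    "failed creating IAM Role (green-eks-node-group): AccessDenied: User: "
    "arn:aws:iam::123456789012:user/deployer is not authorized to perform: iam:TagRole "
    "on resource: arn:aws:iam::123456789012:role/green-eks-node",
    "An error occurred (AccessDeniedException) when calling the GetParameter operation: "
    "User: arn:aws:sts::123456789012:assumed-role/aws-elasticbeanstalk-ec2-role/i-0abc "
    "is not authorized to perform: ssm:GetParameter on resource: "
    "arn:aws:ssm:us-east-2:123456789012:parameter/Dev/WebServer/DB_PASSWORD "
    "because no identity-based policy allows the ssm:GetParameter action",
    "Error creating application: You are not authorized to perform: serverlessrepo:GetApplication.",
    "INFO nothing to see here",
]

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_LOG), indent=2))
```

Run it, attach the printed document to the user or role named in the errors, retry, and feed the next batch of messages back in; the repeated DescribeCluster line collapses into one action, and the serverlessrepo statement comes out with Resource "*" because that message names no ARN. When a resource ARN embeds a name that changes between runs (cluster/eksdemo1, cluster/eksdemo3), widen it on purpose to a pattern such as cluster/eksdemo* rather than falling back to "*".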