What AWS permissions are required to run a particular AWS CLI command - amazon-web-services

I am trying to set up an EC2 instance (a role is associated with this instance).
This instance is responsible for:
Creating a build and uploading it to an S3 bucket
Creating a new application version from this build for Elastic Beanstalk
Deploying the newly created version on Beanstalk
I am running the following 3 commands. The first 2 execute successfully.
aws s3 cp api-service-build.zip s3://build-bucket/api-service/2022-11-2022.zip
aws elasticbeanstalk create-application-version \
    --application-name api-service-stage \
    --version-label v5 \
    --description "Version 5" \
    --source-bundle S3Bucket="build-bucket",S3Key="api-service/2022-11-2022.zip"
but when I try to run the third command it's unable to deploy (please note that on the CLI it's not failing):
aws elasticbeanstalk update-environment \
    --environment-name api-service-stage-env \
    --version-label v5
On beanstalk web console I can see following error
User: arn:aws:sts::xxxxxxxxx:assumed-role/MyAssumedRole/i-xxxxxx is not authorized to perform: autoscaling:DescribeAutoScalingGroups because no identity-based policy allows the autoscaling:DescribeAutoScalingGroups action (Service: AmazonAutoScaling; Status Code: 403; Error Code: AccessDenied;
I have updated my policy more than 30 times to reach the above point, and there is yet another permission error.
Is there a way or a tool where I paste my command and it tells me what permissions are required to run it?
aws s3 cp
aws elasticbeanstalk create-application-version
aws elasticbeanstalk update-environment
The permissions I have added so far to MyAssumedRole are as follows. I have added these with lots of trial and error, and yet it is asking for another one (autoscaling).
S3 Full access
Elastic Beanstalk full access
CloudFormation full access

Based on the error you are missing the AutoScaling permissions. They are different from the ones that you have already added. The best way to test is to use the AWS Policy Simulator. Follow the steps below:
Log in to the AWS Console.
Go to the following URL: https://policysim.aws.amazon.com
Under Users, Groups & Roles: select Roles and then the role MyAssumedRole
You can test the access on the right by selecting the action, e.g. under Policy Simulator, select Auto Scaling and then the action DescribeScalingPlans. Policy Simulator will give you the exact policy you need to add for your role.
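The question asks for a tool that reports the permissions a command needs. One practical way to get there, shown here as an added example that is not part of the question or the answer, is to parse the AccessDenied messages AWS returns (the "is not authorized to perform:" text in the error above and in the related questions further down) and turn them into a least-privilege policy skeleton, scoped to whatever resource ARN the message named. The sample messages and account ids below are constructed from the formats on this page, and parse_denials, build_policy and wildcard_statements are this example's own names.

```python
"""Build a least-privilege IAM policy skeleton from AccessDenied messages.

Added example, not code from the original question or answer. The message
texts below are constructed from the formats shown on the page; the account
ids are placeholders.
"""
import json
import re

# Shape of a typical IAM AccessDenied message. The "on resource:" part is
# optional because some services (the Beanstalk message above) omit it.
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>arn:\S+))?"
)

SAMPLE_MESSAGES = [
    # constructed from the Elastic Beanstalk error in the question
    "User: arn:aws:sts::111111111111:assumed-role/MyAssumedRole/i-0abc is not "
    "authorized to perform: autoscaling:DescribeAutoScalingGroups because no "
    "identity-based policy allows the autoscaling:DescribeAutoScalingGroups action",
    # constructed from the SSM error in the related Jenkins question
    "An error occurred (AccessDeniedException) when calling the SendCommand "
    "operation: User: arn:aws:sts::111111111111:assumed-role/Role-Jenkins/i-0def "
    "is not authorized to perform: ssm:SendCommand on resource: "
    "arn:aws:ec2:us-east-1:111111111111:instance/i-xyz123",
    "unrelated log line without a denial",
]


def parse_denials(lines):
    """Return (principal, action, resource_or_None) for every denial found."""
    found = []
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            found.append((m.group("principal"), m.group("action"), m.group("resource")))
    return found


def build_policy(denials):
    """Group denied actions by resource so each statement stays as narrow as
    the evidence allows; "*" is used only where the message named no resource."""
    by_resource = {}
    for _, action, resource in denials:
        by_resource.setdefault(resource or "*", set()).add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_statements(policy):
    """Statements whose Resource is "*" need a manual review: narrow them to
    an ARN or a condition key before attaching the policy."""
    return [s for s in policy["Statement"] if s["Resource"] == "*"]


if __name__ == "__main__":
    policy = build_policy(parse_denials(SAMPLE_MESSAGES))
    print(json.dumps(policy, indent=2))
    for s in wildcard_statements(policy):
        print("review needed, Resource is '*':", s["Action"])
```

Each denial only reveals the next blocked action, which is why the question's author needed so many iterations; pulling every AccessDenied event for the role out of CloudTrail in one pass shortens that loop, and aws iam simulate-principal-policy (the CLI form of the Policy Simulator the answer recommends) lets you test a whole list of actions before attaching anything. Whatever ends up with Resource "*" should be narrowed to an ARN before use.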

Related

Unable to deploy code onto AWS EC2 instance from AWS CodeDeploy

I am trying to implement CI/CD using AWS CodeBuild, and trying to deploy an application onto an AWS EC2 instance, but the code deployment is failing and showing the error below:
The IAM role arn:aws:iam::341502448925:role/CodeDeployServiceRole does not give you permission to perform operations in the following AWS service: AmazonEC2
I have even created a service role in the IAM console, but it's not working for me. Could someone let me know how I can resolve this issue?
Besides creating an IAM role, you should also install the AWS CodeDeploy agent on your EC2 instance:
install aws-codedeploy agent

initiate aws ssm from jenkins in one account to ec2 in another instance for data transfer

Background:
I have Jenkins installed in AWS Account #1 (account1234), and it has the IAM role Role-Jenkins attached to it. GitHub is configured with Jenkins.
When I click build job in Jenkins, Jenkins pulls all the files from GitHub, and they can be found in
/var/lib/jenkins/workspace/.
There's an application running in AWS Account #2 (account5678) in an EC2 instance (i-xyz123), and the project files are in /home/app/all_files/. This EC2 instance has the role app-role attached to it.
What I'm trying to achieve:
When I click build, I want Jenkins to push files from account 1234 to account 5678 by opening an SSM session from Jenkins to the EC2 instance on which the app is running.
What I tried:
In Jenkins, as part of the build shell script, I added:
aws ssm send-command --region us-east-1 --instance-ids i-xyz123 --document-name AWS-RunShellScript --comment "IP config" --parameters commands=ifconfig --output text
to test it. (If successful, I want to pass cp var/lib/jenkins/workspace/ /home/app/all_files/ as the command.)
Error:
An error occurred (AccessDeniedException) when calling the SendCommand operation: User: arn:aws:sts::account1234:assumed-role/Role-Jenkins/i-01234abcd is not authorized to perform: ssm:SendCommand on resource: arn:aws:ec2:us-east-1:account1234:instance/i-xyz123
Build step 'Execute shell' marked build as failure
Finished: FAILURE
Issue 1: instance/i-xyz123 is in account5678, but the error above shows SSM trying to connect to the instance in account1234 (which shouldn't be happening).
Q1: How do I update my command so that it tries to open an SSM session with instance/i-xyz123 present in account5678 to accomplish what I'm trying to do?
I believe I would also need to make each role added as a trusted relationship to the other.
(Note: I want to do it via Session Manager, as I won't have to deal with credentials of any sort.)
If I've understood correctly, then you're right: to interact with the resources in account5678, there needs to be a trust relationship so that the Jenkins account can assume the relevant role in account5678 and call SSM from there.
Once you've configured the role relationship (ref: IAM cross account roles),
you should be able to achieve what you need by assuming the role first in your shell script and then running the SSM command. That way Jenkins will use the temp creds and execute the command in the correct account (5678).
This site steps through it pretty well:
Tom Gregory - Jenkins Assume Role
If you just Cmd/Ctrl+F on that page and search for 'shell', you should get to the section you need. Hope this somewhat helps.
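The answer's reasoning can be checked before Jenkins ever runs the command. The following added example (not code from the answer or from the linked article) models the three conditions it relies on: the caller's account must match the account in the target instance ARN (otherwise IAM evaluates instance/i-xyz123 in the caller's own account, which is exactly what the error message shows), the role in the second account must trust the Jenkins role, and that role's permission policy must allow ssm:SendCommand on both the instance and the SSM document, since SendCommand is authorised against both resource types. The account ids (111111111111 for account1234, 222222222222 for account5678), the role name JenkinsDeployRole, the policies and the functions parse_arn, trust_policy_allows, action_allowed and preflight are all this example's own placeholders.

```python
"""Pre-flight checks for a cross-account SSM SendCommand.

Added example, not from the original answer. All ARNs, role names and
policies below are constructed placeholders modelled on the question.
"""
import fnmatch

# Placeholders: 111111111111 stands in for account1234, 222222222222 for account5678.
JENKINS_SESSION = "arn:aws:sts::111111111111:assumed-role/Role-Jenkins/i-01234abcd"
DEPLOY_SESSION = "arn:aws:sts::222222222222:assumed-role/JenkinsDeployRole/jenkins"
TARGET_INSTANCE = "arn:aws:ec2:us-east-1:222222222222:instance/i-xyz123"
RUN_SHELL_DOC = "arn:aws:ssm:us-east-1::document/AWS-RunShellScript"

# Trust policy of the hypothetical JenkinsDeployRole in the second account.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/Role-Jenkins"},
    "Action": "sts:AssumeRole"}]}

# Permission policy of that role: SendCommand is evaluated against the
# instance and the document, so both are listed and nothing else is.
PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "ssm:SendCommand",
    "Resource": [TARGET_INSTANCE, RUN_SHELL_DOC]}]}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_arn(arn):
    """Split arn:partition:service:region:account:resource into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    return dict(zip(("partition", "service", "region", "account", "resource"), parts[1:]))


def session_to_role_arn(sts_arn):
    """Map arn:aws:sts::A:assumed-role/Name/Session to arn:aws:iam::A:role/Name,
    the principal form that a trust policy names."""
    p = parse_arn(sts_arn)
    if p["service"] == "sts" and p["resource"].startswith("assumed-role/"):
        return f"arn:{p['partition']}:iam::{p['account']}:role/{p['resource'].split('/')[1]}"
    return sts_arn


def same_account(caller_arn, resource_arn):
    return parse_arn(caller_arn)["account"] == parse_arn(resource_arn)["account"]


def trust_policy_allows(trust_policy, caller_arn):
    """True if an Allow statement names the caller's role for sts:AssumeRole."""
    role_arn = session_to_role_arn(caller_arn)
    for st in trust_policy["Statement"]:
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action")):
            if role_arn in _as_list(st.get("Principal", {}).get("AWS")):
                return True
    return False


def action_allowed(policy, action, resource_arn):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. IAM's '*' and '?' wildcards are handled through fnmatch."""
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st.get("Resource"))):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def send_command_allowed(policy, instance_arn, document_arn):
    return (action_allowed(policy, "ssm:SendCommand", instance_arn)
            and action_allowed(policy, "ssm:SendCommand", document_arn))


def preflight(caller_arn):
    """Return the problems a SendCommand issued by this caller would run into."""
    problems = []
    if not same_account(caller_arn, TARGET_INSTANCE):
        problems.append("caller account differs from the instance account; "
                        "assume a role in the target account first")
        if not trust_policy_allows(TRUST_POLICY, caller_arn):
            problems.append("target role does not trust the caller's role")
    elif not send_command_allowed(PERMISSION_POLICY, TARGET_INSTANCE, RUN_SHELL_DOC):
        problems.append("target role lacks ssm:SendCommand on the instance or document")
    return problems


if __name__ == "__main__":
    print("before assume-role:", preflight(JENKINS_SESSION))
    print("after assume-role: ", preflight(DEPLOY_SESSION))
```

Run against the Jenkins session the check reports only the account mismatch, because the trust policy already admits Role-Jenkins; run against a session of the assumed role in account 5678 it reports nothing, which is the state the answer describes. Keeping the Resource list to the one instance and the one document is what makes the assumed role safe to hand to a CI job.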

AWS SAM deployed Error under hello world template

I'm currently working on AWS serverless Lambda function deployment and trying to distribute and test with AWS SAM. However, when I followed the AWS SAM hello world template tutorial on the official website, I couldn't deploy my code to AWS.
I've already:
Assigned a working IAM account
Installed every package we need for AWS SAM (brew, aws-sam-cli...etc)
Set up the AWS configuration
Used a function template provided by AWS
Yet, I got this error message:
Error: Stack aws-sam-cli-managed-default is missing Tags and/or Outputs information and therefore not in a healthy state (Current state:aws-sam-cli-managed-default). Failing as the stack was likely not created by the AWS SAM CLI
Took me a minute to figure out too.
Open up CloudFormation in AWS and delete the aws-sam-cli-managed-default stack then try to redeploy.
Every time your deploy fails you'll likely have to do this again.
It's an AWS credentials error, because you didn't configure it right or didn't configure it at all.
If you don't have the AWS CLI installed on your computer, find the AWS CLI installer for your filesystem; for Mac it's https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-mac.html.
Go to https://console.aws.amazon.com/iam and create a new user with the AdministratorAccess permission and get the aws_access_key_id and aws_secret_access_key.
Go to your terminal and type aws configure.
Enter your credentials.
Try to run sam build && sam deploy --guided
Now it should work.
Like Eli Meiler says, it may well be a credential issue. If you need to see more details here, try
$ aws cloudformation describe-change-set --change-set-name InitialCreation --stack-name aws-sam-cli-managed-default
...FAILED User: arn:aws:iam::123:user/<human user> is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:eu-central-1:aws:transform/Serverless-2016-10-31 with an explicit deny in an identity-based policy
EDIT
Even though I had full permissions in that AWS account, what I was not aware of was that MFA / 2-factor auth is kind of troublesome here.
The advice that worked for me was this GitHub comment:
generate an STS token,
set the env vars, and
then try sam deploy --guided again
$ aws sts get-session-token --serial-number arn:aws:iam::<account_id>:mfa/<human.user> --duration-seconds 15000 --token-code 123456

The on-premises instance could not be registered because the request included an IAM user ARN that has already been used to register an instance

While debugging this question, I went on and:
1. In the IAM console at https://console.aws.amazon.com/iam/
1.1. Deleted one role (CodeDeployServiceRole).
1.2. Created a service role.
2. In the S3 console at https://console.aws.amazon.com/s3/
2.1. Emptied and deleted one bucket (tiagocodedeploylightsailbucket).
2.2. Created a new bucket in EU London (eu-west-2).
3. Back in the IAM console at https://console.aws.amazon.com/iam/
3.1. Deleted one policy (CodeDeployS3BucketPolicy).
3.2. Created a new policy.
4. Staying in the IAM console at https://console.aws.amazon.com/iam/
4.1. Deleted one user (LightSailCodeDeployUser).
4.2. Created a new user (with that same name).
5. Navigated to the Lightsail home page at https://lightsail.aws.amazon.com/
5.1. Deleted the previous instance (codedeploy).
5.2. Created one new instance with Amazon Linux (Amazon_Linux_1) (note that if I use Amazon Linux 2, then I would reach this problem),
using the script
# -p creates /etc/codedeploy-agent and its conf subdirectory in one step
mkdir -p /etc/codedeploy-agent/conf
cat <<EOT >> /etc/codedeploy-agent/conf/codedeploy.onpremises.yml
---
aws_access_key_id: ACCESS_KEY
aws_secret_access_key: SECRET_KEY
iam_user_arn: arn:aws:iam::525221857828:user/LightSailCodeDeployUser
region: eu-west-2
EOT
wget https://aws-codedeploy-us-west-2.s3.us-west-2.amazonaws.com/latest/install
chmod +x ./install
sudo ./install auto
I checked that the CodeDeploy agent is running, and then when running the following command in the AWS CLI
aws deploy register-on-premises-instance --instance-name Amazon_Linux_1 --iam-user-arn arn:aws:iam::525221857828:user/LightSailCodeDeployUser --region eu-west-2
I get
An error occurred (IamUserArnAlreadyRegisteredException) when calling the RegisterOnPremisesInstance operation: The on-premises instance could not be registered because the request included an IAM user ARN that has already been used to register an instance. Include either a different IAM user ARN or IAM session ARN in the request, and then try again.
Even though I deleted the user, created one with the same name and then deleted the other existing instance, the IAM user ARN is still the same:
arn:aws:iam::525221857828:user/LightSailCodeDeployUser
To fix it, I went back to step 4 and created a user with a different name; then I updated the script for the instance creation, checked that the CodeDeploy agent is running, and now when running in the AWS CLI
aws deploy register-on-premises-instance --instance-name Amazon_Linux_1 --iam-user-arn arn:aws:iam::525221857828:user/GeneralUser --region eu-west-2
I get the expected result.

AWS - ECS load S3 files in entrypoint script

Hi all!
Code: (entrypoint.sh)
# Print the task environment, including AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
printenv
# Fetch the task role's temporary credentials from the ECS credential endpoint
CREDENTIALS=$(curl -s "http://169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
# Without -r, jq prints JSON strings with their surrounding double quotes,
# so the quote characters become part of each value stored below
ACCESS_KEY_ID=$(echo "$CREDENTIALS" | jq .AccessKeyId)
SECRET_ACCESS_KEY=$(echo "$CREDENTIALS" | jq .SecretAccessKey)
TOKEN=$(echo "$CREDENTIALS" | jq .Token)
# Hand the values to the AWS CLI through its standard environment variables
export AWS_ACCESS_KEY_ID=$ACCESS_KEY_ID
export AWS_SECRET_ACCESS_KEY=$SECRET_ACCESS_KEY
export AWS_SESSION_TOKEN=$TOKEN
aws s3 cp s3://BUCKET/file.txt /PATH/file.txt
Problem:
I'm trying to fetch AWS S3 files to ECS, inspired by:
AWS Documentation
(but I'm fetching from S3 directly, not through a VPC endpoint).
I have configured the bucket policy & role policy (that is passed in the task definition as taskRoleArn & executionRoleArn).
Locally, when I'm fetching with the AWS CLI and passing the temporary credentials (that I logged in ECS with the printenv command in the entrypoint script), everything works fine. I can save files on my PC.
On ECS I get this error:
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
Where can I find a solution? Has someone had a similar problem?
First thing: if you are working inside AWS, it is strongly recommended to use an AWS ECS service role, ECS task role or EC2 role. You do need to fetch credentials from metadata.
But it seems like the current role does have permission to S3, or the entrypoint is not exporting the environment variables properly.
If your container instance already has an assigned role, then you don't need to export the access key; just call aws s3 cp s3://BUCKET/file.txt /PATH/file.txt and it should work.
IAM Roles for Tasks
With IAM roles for Amazon ECS tasks, you can specify an IAM role that
can be used by the containers in a task. Applications must sign their
AWS API requests with AWS credentials, and this feature provides a
strategy for managing credentials for your applications to use,
similar to the way that Amazon EC2 instance profiles provide
credentials to EC2 instances. Instead of creating and distributing
your AWS credentials to the containers or using the EC2 instance’s
role, you can associate an IAM role with an ECS task definition or
RunTask API operation.
So when you assign a role to the ECS task or ECS service, your entrypoint will be that simple:
printenv
aws s3 cp s3://BUCKET/file.txt /PATH/file.txt
Also, your export will not work as you are expecting; the best way to pass ENV to the container is from the task definition. export will not work in this case.
I would suggest assigning a role to the ECS task, and it should work as you are expecting.
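Two posts on this page turn a JSON credential document into the three AWS_* environment variables and run into trouble at exactly that step: the ECS entrypoint above reads the container credential endpoint with curl and jq, and the MFA edit in the AWS SAM question exports the aws sts get-session-token output. The following added example (not code from either post) does that conversion with a real JSON parser for both document shapes and then checks the result for the failure modes a practitioner meets: values that still carry their JSON quotes (what jq produces without -r, and consistent with the answer's suspicion that the entrypoint is not exporting properly), a temporary ASIA key exported without its session token, and an expired session. The documents are constructed with dummy key material, and credentials_to_env, diagnose and shell_exports are names of this example.

```python
"""Convert a temporary-credential JSON document into AWS_* variables and
diagnose the mistakes that lead to a 403 / AccessDenied.

Added example, not from either post on this page. Both sample documents are
constructed and contain no real key material.
"""
import json
from datetime import datetime, timezone

# Constructed sample of the ECS container credential endpoint response.
ECS_JSON = json.dumps({
    "RoleArn": "arn:aws:iam::111111111111:role/app-task-role",
    "AccessKeyId": "ASIAEXAMPLE000000001",
    "SecretAccessKey": "exampleSecretKeyNotReal0000000000000000",
    "Token": "exampleSessionToken",
    "Expiration": "2099-01-01T00:00:00Z",
})

# Constructed sample of `aws sts get-session-token` output (already expired).
STS_JSON = json.dumps({"Credentials": {
    "AccessKeyId": "ASIAEXAMPLE000000002",
    "SecretAccessKey": "exampleSecretKeyNotReal0000000000000000",
    "SessionToken": "exampleMfaSessionToken",
    "Expiration": "2020-01-01T00:00:00+00:00",
}})

ENV_NAMES = {"AccessKeyId": "AWS_ACCESS_KEY_ID",
             "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
             "SessionToken": "AWS_SESSION_TOKEN"}


def credentials_to_env(doc_text):
    """Map either document shape onto the variables the AWS CLI reads.
    json.loads yields bare strings; `jq .Field` without -r would keep the
    quotes. Returns (env_dict, expiration_string_or_None)."""
    doc = json.loads(doc_text)
    creds = doc.get("Credentials", doc)          # STS wraps, ECS does not
    if "Token" in creds and "SessionToken" not in creds:   # ECS field name
        creds = dict(creds, SessionToken=creds["Token"])
    env = {ENV_NAMES[k]: creds[k] for k in ENV_NAMES if k in creds}
    return env, creds.get("Expiration")


def diagnose(env, expiration=None, now=None):
    """Return human-readable findings; an empty list means the variables
    look usable by the AWS CLI."""
    findings = []
    for name in ENV_NAMES.values():
        value = env.get(name)
        if value is None:
            findings.append(f"{name} is missing")
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            findings.append(f"{name} still carries JSON quotes (use jq -r)")
    key = env.get("AWS_ACCESS_KEY_ID", "")
    if key.startswith("ASIA") and not env.get("AWS_SESSION_TOKEN"):
        findings.append("temporary key (ASIA...) exported without AWS_SESSION_TOKEN")
    if expiration:
        exp = datetime.fromisoformat(expiration.replace("Z", "+00:00"))
        now = now or datetime.now(timezone.utc)
        if exp <= now:
            findings.append(f"credentials expired at {expiration}")
    return findings


def shell_exports(env):
    """Render export lines with the values quoted for a POSIX shell."""
    return "\n".join(f"export {k}='{v}'" for k, v in env.items())


if __name__ == "__main__":
    for label, text in (("ecs", ECS_JSON), ("sts", STS_JSON)):
        env, exp = credentials_to_env(text)
        print(label, diagnose(env, exp) or "ok")
    # What `jq .AccessKeyId` without -r produces: the quotes survive into the variable.
    quoted = {k: json.dumps(v) for k, v in credentials_to_env(ECS_JSON)[0].items()}
    print("quoted", diagnose(quoted))
    print(shell_exports(credentials_to_env(STS_JSON)[0]))
```

When the task already has a task role, the answer's point stands: the AWS CLI discovers the container credential endpoint through AWS_CONTAINER_CREDENTIALS_RELATIVE_URI on its own, and none of this export step is needed. The diagnostic is for the cases where credentials must be handed over explicitly, such as the MFA session on a workstation before sam deploy.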