I am following the instructions to get AWS SSO working: https://www.gitpod.io/guides/integrate-aws-cli-ecr
I'm not sure about what the AWS_ROLE_NAME gitpod variable should be. I feel like I'm getting this wrong, because signing in with:
aws sso login --no-browser
and then aws sts get-caller-identity
I get An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access
I've set it to an IAM role name which should have admin access.
resolved - AWS_ROLE_NAME needed to be set to AWSPowerUserAccess or other permission set name, which you can find in https://us-east-1.console.aws.amazon.com/iamv2/#/organization/permission-sets
also, don't forget to go to https://us-east-1.console.aws.amazon.com/iamv2/home#/organization/accounts click on an account and assign the SSO user to the account with an appropriate permission set.
Related
im trying to get eb cli working.
in my cmd i do
>eb init
which opens up a new terminal, which then soon asks for aws-access-id and aws-secret-key
You have not yet set up your credentials or your credentials are incorrect
You must provide your credentials.
(aws-access-id): xxxx
(aws-secret-key): xxxxxxxxxx
ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.
im not 100% sure whether aws-access-id referes to my username, the email address that created it or user id....
same goes for the aws-secret-key , im assuming right now that its the password for the account not some 1 off secret key.
I have used the console login link to register the iam account and change the password.
I have set the permissions of this user group to be AdministratorAccess
##################################
what is aws-access-id:
my username?
the email address?
user id?
is there anything that looks wrong?
You need to use Access keys.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
If you have access to IAM and have sufficient privileges you can generate such keys for yourself. If not you need to contact your AWS administrator.
Please take a look at Managing access keys for IAM users for more information.
So I've just been handed over to a project using AWS and gitlab. The pipeline was working before but then we moved the organization into another larger organization (Not sure if this is relevant or not).
But I'm getting the error
(UnrecognizedClientException) when calling the GetAuthorizationToken operation: The security token included in the request is invalid.
How do I get the ECR_AWS_ACCESS_KEY_ID and ECR_AWS_SECRET_ACCESS_KEY from a particular IAM User?
The error indicates that the credentials used by the pipeline are not valid.
How do I get the ECR_AWS_ACCESS_KEY_ID and ECR_AWS_SECRET_ACCESS_KEY from a particular IAM User?
There's no such thing. You should be using AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Setup an IAM user with programmatic access with the required permissions and then use the credentials associated with said user.
I have setup a RDS proxy for Aurora DB. I am able to connect to the RDS proxy endpoint but not able to perform any operations.
For e.g if I do show processlist; I get below error:
ERROR 1045 (28000): Database Access denied for user 'admin'#'ip-address' (using password: YES)
Note: I am able to access RDS endpoint and perform all the operations.
Thanks in advance!
I encountered this same issue. Turns out it was related to the auto-generated IAM role permissions.
The secrets manager had 2 user accounts added to it (with verified correct credentials), and both were added to the RDS proxy. However, only the first user account worked. The second user account would get a permission denied error.
Checking the CloudWatch logs, I saw a message similar to:
Credentials couldn't be retrieved. The IAM role "arn:aws:iam::ACCOUNT:role/service-role/rds-proxy-role-TIMESTAMP" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET_NAME"
When I looked at the IAM policy for the rds-proxy-role-TIMESTAMP role, it had only been granted access to the secret for the first user. This appears to be an issue with the creation of the IAM role when the proxy is set up.
To resolve it, I modified the policy for the rds-proxy-role-TIMESTAMP role to give it access to the ARN for the second user's secret as well. After a few minutes, I was able to log in as the second user.
If you are getting a Database access denied error please check the user permissions in RDS first.
If you can connect to RDS directly with this credentials, check that credentials in Secret Manager are the same.
Then check if you RDS Proxy policy has permission to access all you Secret Manager records as I mention here https://stackoverflow.com/a/73649818/4642536
Stupidly enough, I did delete by mistake my default AWS IAM user!
I used it for example do aws s3 sync...
Now the error I get is:
$ aws s3 sync build/ s3://mybucket.mydomain.com
fatal error: An error occurred (InvalidAccessKeyId) when calling the ListObjects operation: The AWS Access Key Id you provided does not exist in our records.
Is there a way to recover?
I think I need instructions how to create a new user with the sufficient roles to enable my local aws cli to be able to do aws s3 sync ...
UPDATE: I did just create a new user on my AWS console, and added a policy (to start with) to list my bucket. The problem is I don't know how to attach my aws cli to that new user... :-(
If you are the only person using this AWS Account, then add the AdministratorAccess Policy to your IAM User. That will grant complete access.
Then, in the Security credentials tab of the IAM User click Create access key. Copy the Access Key and Secret Access Key.
On the command line, run aws configure and provide those keys to configure the user.
Test with: aws s3 ls
When I am trying to configure my s3cmd using s3cmd --configure command I am entering the Access Key, Secret Key and Encryption Password and for the rest of the fields I just hit enter to keep it to the default as said in most of the blogs.
But after supplying the credentials, I am getting the error:
ERROR: Test failed: 403 (AccessDenied): Access Denied
How possilbly can I configure with the right soltution.
There are several different things that could be going wrong:
You have an incorrect set of AWS credentials. If that is the case, then you will also not be able to use the official aws client. Try using that to verify that your credentials are correct. Use
aws s3 ls
in order to perform the ListBuckets operation that s3cmd is using to validate your credentials
You have AWS IAM credentials that do not have the correct permissions associated with them. S3cmd performs a s3:ListAllMyBuckets operation to validate your credentials. If your user does not have this permission associated with him, then s3cmd will fail to validate your credentials. If you have an IAM user, try temporarily attaching to it Full S3 Access or Administrator access in the IAM console.
You have a typo in the command.
It should be
s3cmd --configure
Check your IAM user of which your are using credentials for s3cmd have correct access to a S3.