Recently started with AWS Data Pipeline. The main goal is to export my DynamoDB table into an S3 bucket. I'm getting quite confused while setting the data pipeline up because of the IAM roles. When editing in the architect I end up with these warnings and errors:
Unable to create resource for #EmrClusterForBackup_2022-11-30T11:18:45 due to: User: arn:aws:sts::838788886576:assumed-role/DataPipelineRole-Test/EDPSession is not authorized to perform: iam:PassRole on resource: arn:aws:iam::838788886576:role/EC2InstanceRole-Pipeline-Test because no identity-based policy allows the iam:PassRole action (Service: AmazonElasticMapReduce; Status Code: 400; Error Code: AccessDeniedException; Request ID: 4c764cb9-57bb-4b0e-8b9c-5345ce67708b; Proxy: null)
I gave them power user access (both of them) but it doesn't seem to work.
This is the DataPipelineRole-Test:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"datapipeline.amazonaws.com",
"elasticmapreduce.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
And here is the EC2InstanceRole-Pipeline-Test:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Can someone help me out please!
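An added example, not part of the question above, showing where the PassRole grant has to go and how narrow it can be. The error names the caller as a session of DataPipelineRole-Test and says that no identity-based policy allows iam:PassRole, so the fix is a statement in that role's permission policy, not in either of the trust policies shown. The Python below parses the denial message into principal, action and resource and emits a statement that allows passing only the one named role. SAMPLE_ERROR is constructed from the error quoted above, and the iam:PassedToService value used in the demo is an assumption based on the error naming AmazonElasticMapReduce as the calling service.

```python
import json
import re

# Shape AWS uses for AccessDenied messages; every error quoted on this page fits it.
_DENIED_RE = re.compile(
    r"User:\s*(?P<principal>\S+)\s+is not authorized to perform:\s*"
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)\s+on resource:\s*(?P<resource>\S+)"
)

# Constructed from the error in the question (only the relevant clause kept).
SAMPLE_ERROR = (
    "User: arn:aws:sts::838788886576:assumed-role/DataPipelineRole-Test/EDPSession "
    "is not authorized to perform: iam:PassRole on resource: "
    "arn:aws:iam::838788886576:role/EC2InstanceRole-Pipeline-Test "
    "because no identity-based policy allows the iam:PassRole action"
)


def parse_access_denied(message):
    """Return {'principal', 'action', 'resource'} or None if the shape differs."""
    m = _DENIED_RE.search(message)
    if not m:
        return None
    return {
        "principal": m.group("principal"),
        "action": m.group("action"),
        "resource": m.group("resource").rstrip(".,)"),
    }


def iam_entity_from_principal(principal_arn):
    """Map a caller ARN to (kind, name). An STS session ARN such as
    arn:aws:sts::123:assumed-role/RoleName/Session gives ('assumed-role', 'RoleName');
    that role (or user) is where the permission policy has to be attached."""
    kind, _, rest = principal_arn.split(":")[5].partition("/")
    return kind, rest.split("/")[0]


def passrole_statement(role_arn, passed_to_service=None):
    """Allow passing exactly one role, optionally only to one service.
    iam:PassRole on "*" would let the caller hand any role in the account to any
    service it can launch, so the Resource is pinned to the single role ARN."""
    stmt = {
        "Sid": "PassOnlyThisRole",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": role_arn,
    }
    if passed_to_service:
        stmt["Condition"] = {"StringEquals": {"iam:PassedToService": passed_to_service}}
    return stmt


def remediation_from_error(message, passed_to_service=None):
    """Turn an iam:PassRole denial into the permission-policy document to attach
    to the denied principal. Returns ((kind, name), policy_document)."""
    parsed = parse_access_denied(message)
    if parsed is None or parsed["action"] != "iam:PassRole":
        raise ValueError("message is not an iam:PassRole denial")
    entity = iam_entity_from_principal(parsed["principal"])
    policy = {
        "Version": "2012-10-17",
        "Statement": [passrole_statement(parsed["resource"], passed_to_service)],
    }
    return entity, policy


if __name__ == "__main__":
    # Assumption: the role is passed to EMR, since the error names
    # AmazonElasticMapReduce as the calling service.
    entity, policy = remediation_from_error(SAMPLE_ERROR, "elasticmapreduce.amazonaws.com")
    print("attach to", entity)
    print(json.dumps(policy, indent=2))
```

Attach the returned document to DataPipelineRole-Test as a permission policy; the trust policies above decide who may assume the roles, not what they may do. Keep Resource pinned to the one role ARN, since iam:PassRole on "*" is a privilege-escalation path in any account where the caller can launch services.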
I am using the Parameter Store from AWS to store String parameter values.
I am using the following code to fetch the parameters from the Lambda function:
const SSM = require('aws-sdk/clients/ssm'); // the module exports the client class
const ssm = new SSM(); // it has to be instantiated before getParameter can be called
const getConfig = (prefix) => {
return ssm.getParameter({ Name: `/${prefix}/config` }).promise()
.then(resp => JSON.parse(resp.Parameter.Value))
.catch(err => console.error(err)); // logs and swallows the error, so callers receive undefined
};
But I constantly get the following error when running the Lambda from the AWS Console:
ERROR AccessDeniedException: User: arn:aws:sts::XXX:assumed-role/lambdaExecutionRole is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:XXX:parameter/get/getValue
I tried to add Administrator access to the role lambdaExecutionRole, but now I get this error:
ERROR SyntaxError: Unexpected token h in JSON at position 0
at JSON.parse (<anonymous>)
at /var/task/myFile.js:2:955529
at processTicksAndRejections (internal/process/task_queues.js:97:5)
at async Runtime.e.handler (/var/task/myFile.js:2:1065241)
I have even tried to add the SSM permissions following this doc:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "GetParam1",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "ssm:GetParameter",
"Resource": "*"
}
]
}
- An error occurred: AssumeRole policy may only specify STS AssumeRole actions.
- An error occurred: Has prohibited field Resource
Any idea what I might be missing here? Thanks in advance.
The error "ERROR SyntaxError: Unexpected token h in JSON at position 0" that appears when you add Administrator permissions tells you that the information you are getting from the Parameter Store and eventually passing to JSON.parse as resp.Parameter.Value is not proper JSON.
Your policy is wrong as well: you are mixing an IAM policy with a trust policy. They should be defined separately.
Roles terms and concepts
Trust Policy for your lambda IAM Role
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
IAM Policy for the Lambda IAM Role to allow access to SSM Parameter Store
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GetParam1",
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "*"
}
]
}
That's the reason for these errors:
An error occurred: AssumeRole policy may only specify STS AssumeRole actions.
An error occurred: Has prohibited field Resource
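To make the distinction in the answer above mechanical, here is an added example (mine, not from the answer or the question) that checks a document against the rules for each policy type, reproduces the two IAM errors quoted, and splits a mixed document such as the one in the question into a trust policy and an identity policy. MIXED_POLICY is copied from the question; TRUST_ACTIONS lists the STS actions I know IAM accepts in a trust policy.

```python
import copy

# Actions IAM accepts in a role trust policy (AssumeRolePolicyDocument).
# sts:TagSession and sts:SetSourceIdentity may sit alongside the AssumeRole
# family; anything else belongs in an identity-based policy.
TRUST_ACTIONS = {
    "sts:AssumeRole", "sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity",
    "sts:TagSession", "sts:SetSourceIdentity",
}

# Copied from the question: one document trying to be both policy types at once.
MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Sid": "GetParam1", "Effect": "Allow",
         "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "ssm:GetParameter", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _sid(stmt, index):
    return stmt.get("Sid") or f"Statement[{index}]"


def check_trust_policy(doc):
    """Problems a document has when used as a role trust policy.
    The message texts mirror the two IAM errors quoted in the question."""
    problems = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        sid = _sid(stmt, i)
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append(f"{sid}: trust policy statement has no Principal")
        if "Resource" in stmt or "NotResource" in stmt:
            problems.append(f"{sid}: Has prohibited field Resource")
        bad = [a for a in _as_list(stmt.get("Action", [])) if a not in TRUST_ACTIONS]
        if bad:
            problems.append(f"{sid}: AssumeRole policy may only specify STS AssumeRole "
                            f"actions (found {', '.join(bad)})")
    return problems


def check_identity_policy(doc):
    """Problems a document has when used as an identity-based (permission) policy."""
    problems = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        sid = _sid(stmt, i)
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"{sid}: identity-based policies must not name a Principal")
        if "Resource" not in stmt and "NotResource" not in stmt:
            problems.append(f"{sid}: identity-based policy statement needs a Resource")
    return problems


def split_mixed_policy(doc):
    """Split a mixed document into (trust_policy, identity_policy).
    Statements that name a Principal, use only trust actions and carry no
    Resource go to the trust policy; every other statement goes to the
    identity policy with its Principal removed."""
    trust, identity = [], []
    for stmt in _as_list(doc.get("Statement", [])):
        actions = set(_as_list(stmt.get("Action", [])))
        if "Principal" in stmt and actions <= TRUST_ACTIONS and "Resource" not in stmt:
            trust.append(copy.deepcopy(stmt))
        else:
            cleaned = copy.deepcopy(stmt)
            cleaned.pop("Principal", None)
            identity.append(cleaned)
    version = doc.get("Version", "2012-10-17")
    return ({"Version": version, "Statement": trust},
            {"Version": version, "Statement": identity})


if __name__ == "__main__":
    for problem in check_trust_policy(MIXED_POLICY):
        print("trust policy check:", problem)
    trust, identity = split_mixed_policy(MIXED_POLICY)
    print("trust:", trust)
    print("identity:", identity)
```

The split reproduces the two documents in the answer. Resource "*" on ssm:GetParameter works but is wider than needed; the parameter ARN shown in the denial message (arn:aws:ssm:us-east-1:XXX:parameter/...) is the value to put there instead.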
I am not able to fix an IAM issue. When I try to assume a role from my Jenkins machine I keep getting this error.
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::1111111111:assumed-role/jenkins/i-0534a6823420911ae is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::22222222222:role/eks-controller
I created Role1 (Jenkins) and attached it to the EC2 machine in account 1111111111; now I want to assume Role2 (eks-controller).
Jenkins policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "assumeEKScontroller",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::22222222222:role/eks-controller"
}
]
}
Role eks-controller is in account 22222222222 with the trust policy below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111111111:root"
},
"Action": "sts:AssumeRole"
}
]
}
How does AssumeRole work? I read a lot of articles and tried but nothing is working.
This question is related to this:
Setup:
Account A (containing the SQS Queue)
Account B (contains the lambda function that will be triggered by SQS Queue in Account A)
This is the Lambda resource policy in Account B:
{
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-A:user/USER-ACCOUNT-A"
},
"Action": "lambda:*",
"Resource": "arn:aws:lambda:eu-north-1:ACCOUNT-B:function:FUNCTION-ACCOUNT-B"
},
{
"Effect": "Allow",
"Principal": {
"Service": "sqs.amazonaws.com"
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:eu-north-1:ACCOUNT-B:function:FUNCTION-ACCOUNT-B",
"Condition": {
"StringEquals": {
"AWS:SourceAccount": "ACCOUNT-A"
},
"ArnLike": {
"AWS:SourceArn": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-ACCOUNT-A"
}
}
}
]
}
and this is the SQS permission policy in Account A:
{
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-A:root"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
},
{
"Sid": "__receiver_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B:root"
},
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage"
],
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
},
{
"Sid": "Permission to LambdaRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B:role/LAMBDA-EXECUTION-ROLE-ACCOUNT-B"
},
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage",
"SQS:GetQueueAttributes"
],
"Resource": "arn:aws:sqs:eu-north-1:ACCOUNT-A:QUEUE-NAME-ACCOUNT-A"
}
]
}
When the user in Account A tries to add the Lambda trigger from SQS, the following AccessDenied error shows up:
Error code: AccessDeniedException. Error message: User: arn:aws:iam::xxxxxxxx:user/xxx is not authorized to perform: lambda:CreateEventSourceMapping on resource: *
I also tried to add the trigger from the Lambda function (just for testing, as this is not something I want), but I got the following error:
An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)
My Lambda role has the "AmazonSQSFullAccess" permission. So I really don't know what's going on here.
Can someone help with this please?
UPDATE
I found a bug in the SQS permission policy and fixing it solved the second error:
An error occurred when creating the trigger: The provided execution role does not have permissions to call GetQueueAttributes on SQS (Service: AWSLambda; Status Code: 400; Error Code: InvalidParameterValueException; Request ID: xxx; Proxy: null)
However, as mentioned earlier, I would need the user in Account A to add a Lambda trigger from the SQS queue (which is what creates the first error I posted above), rather than the other way round. Is that possible at all?
Your IAM policy is probably limited to the Lambda function resource type, but it also needs the event-source-mapping resource type.
"Resource": [
"arn:aws:lambda:*:<YOUR_ACCOUNT_ID>:function:*",
"arn:aws:lambda:*:<YOUR_ACCOUNT_ID>:event-source-mapping:*"
]
Or just say screw IAM and go with '*'.
The list of resources can be found here: Resources and conditions for Lambda actions
I'm trying to use kubectl to work on an EKS cluster created by another user.
I followed the instructions from the documentation to create the kubeconfig file with the command: aws eks --region eu-central-1 update-kubeconfig --name internal --role-arn arn:aws:iam::xxxxxxxxxx:role/eks_role_internal.
Then when I try to test the configuration (kubectl get svc), I get the error:
could not get token: AccessDenied: User: arn:aws:iam::xxxxxxxxxxxx:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/eks_role_internal
Here is the config for the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::xxxxxxxxxxx:role/eks_role_internal"
}
]
}
And the trust relationship of the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"eks.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
The first reason for getting this error message is a misconfigured trust relationship on the role that is going to be assumed.
I also saw this error when the condition in the trust relationship requiring MFA wasn't met:
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
The AWS CLI isn't smart enough to see this case and ask for the MFA code; it just throws that error message.
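An added example (mine, not from any of the posts) that evaluates both halves of an AssumeRole call: the caller's identity-based policy and the target role's trust policy, including the MFA condition from the answer above and the action mismatch in the Cognito question further down (a trust policy that only lists sts:AssumeRoleWithWebIdentity never allows a plain sts:AssumeRole). The same wildcard matching covers the Resource-type point from the SQS/Lambda answer above, so identity_policy_allows is written for any action and resource ARN. The embedded documents are constructed from the Jenkins question. Only Allow statements and the Bool and StringEquals operators are modelled; explicit Deny, SCPs and permission boundaries are not.

```python
import fnmatch


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """Does a trust-policy Principal cover an IAM user or role calling AssumeRole?

    Only "AWS" entries can. "Service" principals (eks/ec2 in the kubectl
    question) and "Federated" principals (Cognito in the Java question) never
    match a user or role, which is why those trust policies deny them."""
    if principal == "*":
        return True
    caller_account = caller_arn.split(":")[4]
    entries = principal.get("AWS", []) if isinstance(principal, dict) else []
    for entry in _as_list(entries):
        if entry in ("*", caller_arn):
            return True
        # Account id or :root ARN: trusts the whole account and leaves the
        # decision to the caller's own identity-based policy.
        if entry in (caller_account, f"arn:aws:iam::{caller_account}:root"):
            return True
    return False


def _conditions_hold(condition, context):
    """Evaluate the condition operators used on this page (Bool, StringEquals)."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(wanted).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in [str(w) for w in _as_list(wanted)]:
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def trust_policy_allows(trust, caller_arn, action="sts:AssumeRole", context=None):
    """Resource-based half: the target role's trust policy must admit the caller."""
    for stmt in _as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if action not in _as_list(stmt.get("Action", [])):
            continue  # e.g. the policy only lists sts:AssumeRoleWithWebIdentity
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        if not _conditions_hold(stmt.get("Condition"), context or {}):
            continue  # e.g. MFA required but the session has none
        return True
    return False


def identity_policy_allows(policy, resource_arn, action="sts:AssumeRole"):
    """Identity-based half, with IAM-style * wildcards in Action and Resource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", []))):
            return True
    return False


def can_assume(identity_policy, trust_policy, caller_arn, role_arn, context=None):
    """Both halves must pass; returns (allowed, reason) so the failing side is named."""
    if not trust_policy_allows(trust_policy, caller_arn, context=context):
        return False, "trust policy on the target role does not allow this caller"
    if not identity_policy_allows(identity_policy, role_arn):
        return False, "caller's identity policy does not allow sts:AssumeRole on the role"
    return True, "allowed"


# Constructed from the Jenkins question: identity policy on the jenkins role in
# account 1111111111 and trust policy on eks-controller in account 22222222222.
JENKINS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "assumeEKScontroller", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::22222222222:role/eks-controller"}]}
EKS_CONTROLLER_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::1111111111:root"},
    "Action": "sts:AssumeRole"}]}
# The same trust policy gated on MFA, as in the answer above.
EKS_CONTROLLER_TRUST_MFA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::1111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": True}}}]}

if __name__ == "__main__":
    caller = "arn:aws:sts::1111111111:assumed-role/jenkins/i-0534a6823420911ae"
    role = "arn:aws:iam::22222222222:role/eks-controller"
    print(can_assume(JENKINS_POLICY, EKS_CONTROLLER_TRUST, caller, role))
    print(can_assume(JENKINS_POLICY, EKS_CONTROLLER_TRUST_MFA, caller, role,
                     {"aws:MultiFactorAuthPresent": False}))
```

For the Jenkins documents as posted both halves pass, so when the call still fails the cause lies outside the two documents: check that the policy is actually attached to the role the instance profile uses (the session ARN in the error names it), and look for an explicit Deny, an SCP, or a permission boundary.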
I'm new to AWS. I want to generate temporary credentials for an AWS call, and for that I use the example from Making Requests Using IAM User Temporary Credentials - AWS SDK for Java,
where I pass
String clientRegion = "<specific region>";
String roleARN = "<ARN from role>";
String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName?
String bucketName = "<specific bucket name>";
And when trying to assume the role
stsClient.assumeRole(roleRequest);
I get an error
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException:
User: arn:aws:iam:::user/ is not authorized to perform:
sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code:
AccessDenied; Request ID:)
I have a Cognito role.
I think the problem is in the role's Trust Relationship settings.
It looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<iam user ID>:user/<USER_NAME>",
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "<user pool ID>"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
and the user policy (this user policy is attached to this role also):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<sidId1>",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<path>*"
]
},
{
"Sid": "sidId2",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
],
"Resource": [
"arn:aws:iam::<ID>:role/<ROLE_NAME>"
]
}
]
}
User policy has two warnings:
What am I doing wrong?
UPD
I changed the role's trust relationship and just deleted the Condition:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com",
"AWS": "arn:aws:iam::<ID>:user/<USER>"
},
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
]
}
]
}
and now an Access Denied error occurs on another line of code:
// Verify that assuming the role worked and the permissions are set correctly
// by getting a set of object keys from the bucket.
ObjectListing objects = s3Client.listObjects(bucketName);
Received error response: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ), S3 Extended Request ID:
To be able to assume an IAM role, the IAM role's assume-role policy (trust relationship) must explicitly allow the principal assuming the role, which in this case it didn't. It permitted sts:AssumeRoleWithWebIdentity with some conditions that didn't apply to your case.
About the other error, as mentioned by #user818510, your role doesn't have permission for the s3:ListBucket action.