I am a AWS beginner and must use for university . I cannot perform an IAM actions such as create roles , users absolutely nothing
However , i keep getting is "xxx is not authorized to perform: iam:Createroeon resource: * because no identity-based policy allows the iam:Createrole action * . I keeping the same error .
Anyway i could fix this?
Related
I have external-secrets operator v0.5.1 installed and working with a SecretStore for retrieve AWS parameter store. Also tried updating to V0.5.8
This is working fine with IRSA but if I try to create a external-secret for AWS secrets, with a new SecretStore, the SecretStore' status is Valid but the ExternalSecret that references this SecretStore got the following error: SecretSyncedError
AccessDeniedException: User: arn:aws:sts::12345678:assumed-role/eks-backend-role-pre/external-secrets-provider-aws is not authorized to perform: secretsmanager:GetSecretValue on resource: /backend/pre/PRE_PRIVPGPKEY because no identity-based policy allows the secretsmanager:GetSecretValue action status code: 400,
Please, note the STS is trying to use eks-backend-role-pre/external-secrets-provider-aws which it doesn't exist. The role which exist is eks-backend-role-pre I'm not sure who is adding the suffix external-secrets-provider-aws which invalidate the role name.
Both SecretStore, the one dedicated to AWS Parameter Store and the other that is dedicated to gather from AWS Secrets has the same service account associated.
Why is working one External Secret and the other using the same service account don't?
There was a typo in the policy.
As documentation shows, this is the correct way to declare a principal:
arn:${Partition}:secretsmanager:${Region}:${Account}:secret:${SecretId}
I have incorrect declared the principal:
"arn:aws:secretsmanager:eu-west-1:1234567890:secret/backend/pre/*"
Correct:
"arn:aws:secretsmanager:eu-west-1:1234567890:secret:/backend/pre/*"
In contrast to SSM Parameter store that you declare your principal "arn:aws:ssm:eu-west-1:1234567890:parameter/backend/pre/*"
, with SecretsManager you need to add a colon after the service :secret:
My application generates this error message:
arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 is not authorized to perform: secretsmanager:GetSecretValue
How can I see more information about which roles or permissions are attached to this assumed role?
I have tried querying for this with the AWS CLI using aws iam get-user / list-users / get-role / list-roles but neither exist. I looked at querying under STS but couldn't see an appropriate option.
I couldn't find this role in the AWS console.
How can I see more information about which roles or permissions are attached to this assumed role?
You can access this information a number of ways, if you know the name of the role you can use the IAM service, here is a boto3 example:
import boto3
iam = boto3.resource('iam')
role = iam.Role('AWSServiceRoleForRDS')
for pol in role.attached_policies.iterator():
print(pol)
For me this gives:
iam.Policy(arn='arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy')
The sole policy I have attached to this role. Obviously, you'll need to substitute the role name you are interested in here in place of 'AWSServiceRoleForRDS'
In general this will print out all the policies attached to the role (to stdout).
In order to do make this query you need to be authenticated as a user or role that has permissions to access the IAM role (or user).
Update: How to find the name of the role from an ARN?
following the aws docs for IAM identifies you can identify the role name from the arn for sts assumed roles they follow this format:
arn:aws:sts::account:assumed-role/role-name/role-session-name
Based on what was posted:
arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 is not authorized to perform: secretsmanager:GetSecretValue
it looks like my-service-role is the name of the assumed role.
botocore.exceptions.ClientError:
An error occurred (AccessDeniedException) when calling the CreateFunction operation: Lambda was unable to encrypt your environment variables because the KMS access was denied. Please check your KMS permissions.
KMS Exception: AccessDeniedException KMS Message:
User: arn:aws:iam::816087693535:user/pj#123.com is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd with an explicit deny in a service control policy.
Also we tried to read and write kms policies but it did not work out.
You need to allow the IAM user pj#123.com to perform kms:Encrypt on the resource arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd If you have already tried that but it still doesn't work my next question would be if you are using AWS Organizations. If you do, I would visit AWS Organizations on the Management Account and check for any Service Control Policies (SCPs) which explicitly deny this action. If you follow these steps the resolution of your issue should be straightforward. Kindly let me know if not.
I am getting this notice when trying to create an Aurora instance:
Error loading KMS Keys
User: arn:aws:iam::xxx:user/xxx is not authorized to perform: kms:ListAliases on resource: *
Does any one know which managed policy does kms:ListAliases belong? Can't seem to find it in the pre-made manage policies. Or maybe it doesn't exist in the managed policies?
AWSKeyManagementServicePowerUser includes Action kms:List* on all Resources.
I have an IAM group, and policy "AWSMarketplaceFullAccess" is attached to it.
I confirmed that an IAM user belonging to that group is allowed to perform AWS Marketplace.ViewSubscriptions, using IAM Policy Simulator,
but that user still cannot boot EC2 instances from Marketplace images.
Error message is User: arn:aws:iam::****:user/**** is not authorized to perform: aws-marketplace:ViewSubscriptions on resource: *.
What can I do?
According to this article I have added Full access to the following policies for my AWS group:
Marketplace
Marketplace Metering
In order to subscribe to AMI.