CodeBuild Error: Trusted Principals Don't Belong to the Service - amazon-web-services

I am trying to edit an existing CodeBuild project's source. I have added an Actor ID in the filter group. When I try to save, I receive:
The trusted principals don't belong to the service.
I have tried other changes as well - I always receive the same error. I am an admin with full access to the project. What am I missing?

I was seeing the same error. In my case, unchecking the checkbox:
"Allow AWS CodeBuild to modify this service role so it can be used with this build project"
under "Service role permissions" allowed me to complete the edit from within the management console.

I ended up using the CLI. The command I used was aws codebuild update-webhook. It worked fine; I don't know why it didn't work using the console.

Related

lambda:GetAlias warning in CloudFormation stack update triggered by CodeStar

I am exploring CodeStar using a basic project created with the Python 3.7 Lambda template following the Serverless Project Tutorial in the AWS CodeStar documentation:
https://docs.aws.amazon.com/codestar/latest/userguide/sam-tutorial.html
My build and deploy are successful. However, I see a warning in my CloudFormation event log:
The IAM user doesn't allow CloudFormation to call lambda:GetAlias, this could result in formulating a appspec file with stale CurrentVersion for CodeDeploy deployment. Please fix it to avoid any possible CodeDeploy deployment failures.
I am just using the AWS resources created automatically by the CodeStar console.
What do I do to fix this warning?
Details
The CodeDeploy step in the CodePipeline deploys the lambda function by updating a CloudFormation stack named: awscodestar-<codestar project name>-lambda.
When I looked in the event log for this stack, I noticed the above warning for the resource named HelloWorldAliaslive.
To fix this, add the lambda:GetAlias permission to the inline policy associated with the IAM role named CodeStarWorker-<project>-CloudFormation
Open the AWS Console for CodeStar
Click Project in the left navbar
Find the Project Resources section. One of the AWS IAM resources will have a name CodeStarWorker-<project>-CloudFormation. Click the link in the ARN column of the table to open the role in IAM.
Locate the inline policy named CodeStarWorkerCloudFormationRolePolicy and click the Edit button.
Add the "lambda:GetAlias" action to this policy.
This policy is created automatically by CodeStar. In my account, the policy included several Statements. I chose to add the "lambda:GetAlias" action to the statement which already had "lambda:CreateAlias" action.
After making this change, the warning no longer appeared in my CloudFormation event logs.
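The edit described in the steps above, adding "lambda:GetAlias" to the statement that already carries "lambda:CreateAlias", done on the policy document itself so it can be reviewed before being applied. This is an added example, not code from the poster or from CodeStar; the policy document is a constructed stand-in for the CodeStarWorker-<project>-CloudFormation inline policy, which has more statements in a real account.

```python
import copy
import json

# Constructed example shaped like the CodeStarWorkerCloudFormationRolePolicy
# inline policy (not the real document, which has more statements).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["lambda:CreateAlias", "lambda:UpdateAlias"],
         "Resource": "*"},
    ],
}


def statement_actions(policy, anchor_action):
    """Action list of the first statement that lists anchor_action ([] if none)."""
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if anchor_action in actions:
            return actions
    return []


def add_action_beside(policy, anchor_action, new_action):
    """Return a copy of policy with new_action added to the first Allow
    statement that already lists anchor_action, so the new permission
    inherits that statement's Resource scope. Idempotent; raises if no
    such statement exists rather than silently granting nothing."""
    updated = copy.deepcopy(policy)
    for stmt in updated["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        # IAM accepts either a single string or a list for Action.
        if isinstance(actions, str):
            actions = [actions]
        if anchor_action in actions:
            if new_action not in actions:
                actions.append(new_action)
            stmt["Action"] = actions
            return updated
    raise ValueError(f"no Allow statement contains {anchor_action}")


if __name__ == "__main__":
    fixed = add_action_beside(SAMPLE_POLICY, "lambda:CreateAlias", "lambda:GetAlias")
    print(json.dumps(fixed, indent=2))
```

The printed document is what you would paste into the inline policy editor; the statement's Resource is left exactly as it was.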

I am getting an "Unable to Load Content" error when I am trying to use the "AWS Transfer for SFTP" service

I selected "aws transfer for sftp" service from aws console.
However, I get the error as follows:
Unable to load content
Something went wrong, you may not have permissions to access these resources. Refresh to try again.
I created the IAM Policies and Role as mentioned in the following guide, however I still get the error:
https://docs.aws.amazon.com/transfer/latest/userguide/sftp.ug.pdf
I am assuming that you are administering your account with an IAM user rather than root (which is good). If so, you are going to need to create your own IAM Policy for the creation and maintenance of the AWS Transfer servers.
WARNING: THIS IS FOR SERVER MANAGEMENT, NOT FOR THE SFTP USERS
Steps
Sign into AWS Console
Navigate to IAM Roles
In the left menu, click "Policies"
Click Create Policy
Service: choose Transfer
Actions: check "All Transfer Actions" (transfer:*)
Resources: All resources
Click Review Policy
Give it a name like: AWSTransferFullAccess
Click Create policy
Navigate to your IAM user (or group if you have those)
Click Add Permissions
Click Attach existing policies directly
Filter your policies by "Transfer" and then yours should appear
Review
Add Permissions
Log out of console
Log back in and navigate to: https://console.aws.amazon.com/transfer
You should now be able to make a server and manage users and roles.
You might need various transfer:* permissions in one of the IAM policies that applies to you.

AWS CodePipeline deploy failed

I am trying to set up a Continuous Integration pipeline for my simple AWS Lambda function. To confess, this is my very first time using AWS CodePipeline. I am having trouble with setting up the pipeline. The deploy stage in the pipeline is failing.
I created a CodeBuild
Then I created an application in CodeDeploy
Then I created a CodePipeline choosing the source as GitHub. Then selected a repository and branch from GitHub. Then linked the pipeline with the CodeDeploy application and CodeBuild I previously created.
After I save the pipeline and when the pipeline is built, I am getting this error.
When I check the error details, it says this
Unable to access the artifact with Amazon S3 object key 'the-goodyard-pipelin/BuildArtif/G12YurC' located in the Amazon S3 artifact bucket 'codepipeline-us-east-1-820116794245'. The provided role does not have sufficient permissions.
Basically, that Bucket does not exist as well. Isn't the Bucket created automatically? What went wrong with my set up?
The Bucket exists as well. It is just throwing an error.
In the bucket, I can see the zip file as well.
Well, the error message looks self-explanatory: the role you assigned to CodeBuild doesn't have enough access to go to S3.
Go to CodeBuild -> Build projects -> Choose your project -> Click on tab 'Build Details'.
You will see a 'Service Role' ARN, that if you click on it, it will send you to that IAM role (if you are not an admin for that account, you may not have enough permissions to see IAM, as it is a critical permission service, so check this with the admin.)
Check the policies for that role, and check if the policies have the action: s3:GetObject on resource: your bucket.
If it doesn't, then you need to add it. Use the visual editor, use S3 as service, add Get* as action, and your s3 bucket to it.
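A way to do the check in the last two steps mechanically: evaluate the role's policy document against the exact object ARN from the error message, with IAM-style wildcards so that "s3:Get*" counts as granting s3:GetObject. This is an added example, not code from the answerer or from AWS; the policy document is a constructed stand-in for the CodeBuild service role's policy, and the evaluator is deliberately simplified (it ignores Condition, NotAction, NotResource and the bucket policy).

```python
import re

# Constructed sample policy of the shape the answer recommends: Get* on the
# artifact bucket (bucket name taken from the error message in the question).
ARTIFACT_BUCKET = "codepipeline-us-east-1-820116794245"
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{ARTIFACT_BUCKET}/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::some-other-bucket/*"},
    ],
}


def _iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _as_list(v):
    return [v] if isinstance(v, str) else list(v)


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, any
    matching Allow grants, otherwise implicit deny. Action names are
    case-insensitive in IAM; resource ARNs are compared case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(_iam_match(a.lower(), action.lower())
                      for a in _as_list(stmt.get("Action", [])))
        res_hit = any(_iam_match(r, resource)
                      for r in _as_list(stmt.get("Resource", [])))
        if not (act_hit and res_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def can_read_artifact(policy, bucket, key):
    """Can this role fetch the pipeline artifact that the error names?"""
    return is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}")
```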

Error message "Not existing role" when creating activation on AWS

I'd like to install the AWS SSM agent on my server to be monitored by CloudWatch and found that I have to create a managed-instance activation first, as in this article, Create a Managed-Instance Activation for a Hybrid Environment.
It always shows an error message:
"Not existing role: arn:aws:iam::75....:role/service-role/AmazonEC2RunCommandRoleForManagedInstances".
It has the same error even if I use my existing IAM role.
Anything I need to do before creating activation? Or do I have to create a special role for this?
It's because this role didn't have "ssm.amazonaws.com" in its "Trust Relationship". After adding ssm to the trust relationship, it works. Refer to this.
If you ran the command line example, you can solve it by adding the IAM role parameter with "service-role" prepended, as follows:
--iam-role "service-role/AmazonEC2RunCommandRoleForManagedInstances"
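The trust-relationship fix from the first answer, expressed on the role's trust policy document: check which service principals may assume the role and add ssm.amazonaws.com as a separate statement if it is missing. This is an added example, not code from either answerer or from AWS; the starting trust policy is a constructed one that only trusts EC2.

```python
import copy
import json

SSM_PRINCIPAL = "ssm.amazonaws.com"

# Constructed trust policy in the state the answer describes: only EC2 may
# assume the role, so the activation call fails until SSM is also trusted.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}


def trusted_services(trust_policy):
    """Set of service principals this trust policy lets call sts:AssumeRole."""
    services = set()
    for stmt in trust_policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" rather than a dict; that is not a
        # service principal, so it contributes nothing here.
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        services.update([svc] if isinstance(svc, str) else svc)
    return services


def ensure_service_trusted(trust_policy, service):
    """Return a copy of the trust policy that lets `service` assume the role.
    A new statement is appended rather than widening an existing one, so any
    Condition on the original statement keeps applying only to its principal."""
    updated = copy.deepcopy(trust_policy)
    if service in trusted_services(updated):
        return updated
    updated["Statement"].append({
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "sts:AssumeRole",
    })
    return updated


if __name__ == "__main__":
    print(json.dumps(ensure_service_trusted(TRUST_POLICY, SSM_PRINCIPAL), indent=2))
```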

AWS Beanstalk - getting "Access denied while accessing Auto Scaling and ..." error

When I try to launch an Elastic Beanstalk environment from the command line, I get this error during the process:
Environment health has transitioned from Pending to Warning. Access denied while accessing Auto Scaling and Elastic Load Balancing using role "arn:aws:iam::XXXXXXXXXX:role/aws-elasticbeanstalk-service-role". Verify the role policy.
When I launch it from the console, I do not get this warning. I have tried to replicate the same AWS console configuration from the CLI, but I still get this error.
Any clue what's going on?
If anyone is still getting a similar error and is still unsure how to solve it:
Navigate to IAM in the AWS Console.
Navigate to the aws-elasticbeanstalk-service-role (under Access Management > Roles).
Attach the following policies:
AutoScalingFullAccess
ElasticLoadBalancingFullAccess
I then rebuilt the environment, no more errors!
The following article helped me understand this better: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-service.html
You can go to your IAM console. You will see the "aws-elasticbeanstalk-service-role". Under the Permissions tab, you can grant the specific permissions you want to give the policy on your behalf. Refresh and you should have "Ok". Make sure the permissions you grant the role can manage this "Auto Scaling and Elastic Load Balancing using role".
Elastic Beanstalk now uses a Service Role to call other AWS services on your behalf. The IAM role is created in your account and you give permissions to launch
Service role is optional but recommended for new environments.
Especially for enhanced health monitoring (which is what you're using, based on the error message), the service role is mandatory. A misconfigured service role can lead to this error message.
The console experience makes it very easy for you to create/use the role with the correct permissions. This is because you just need to select the correct role from the dropdown (if the role already exists) when using the create environment wizard.
When using the CLI you need to pass the service role option setting. (namespace: aws:elasticbeanstalk:environment, option_name: ServiceRole). You can find the required permissions for a role configured in this documentation.
There are some more details about service role in my previous stack overflow answer here.
If anyone cannot solve the error with the previous actions, what I had to do is:
Add to aws-elasticbeanstalk-service-role the following policies AutoScalingFullAccess | ElasticLoadBalancingFullAccess
Not re-start but build the environment again
(after a while it kept launching the error)
Then I added:
AdministratorAccess-AWSElasticBeanstalk (again to aws-elasticbeanstalk-service-role)
Re-build the environment again
It is working at the moment.