I am trying to create cross account deployment using codepipeline and terraform. My codecommit repo is account A and codepipeline is in account B. I want to create trigger so that whenever I merge the branch it should trigger codepipeline to start in Account B.
I tried using Event bridge but it only sends notification. I also need source artifacts for codebuild project. So I tried using couple of articles from Medium such as this. But I am getting this error. Currently it doesn't even get to build stage fails before that
The service role or action role doesn’t have the permissions required to access the Amazon S3 bucket named artifacts-bucket-dev. Update the IAM role permissions, and then try again. Error: Amazon S3:AccessDenied:Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: K86ED6QM; S3 Extended Request ID: BsVDy7vYRyL2mavM+XbZNrWxR+y8Do=; Proxy: null)
I tried updating the role and actually gave administrator permission as I just wanted it work.
Related
I encountered the following error when launching an AWS VPC from the command line interface following a quickstart guide here.
Commands used:
git clone https://github.com/aws-quickstart/quickstart-aws-biotech-blueprint-cdk.git
cd quickstart-aws-biotech-blueprint-cdk
npm install
npm run build
cdk bootstrap
npm run build && cdk deploy
Error message:
AwsBiotechBlueprint: creating CloudFormation changeset...
11:38:13 AM | CREATE_FAILED | AWS::IAM::Role
| ConfigEnabledPr
omi...corderRoleFC6F886B
Policy arn:aws:iam::aws:policy/service-role/AWSConfigRole does not exist or is not
attachable. (Service
: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID:
f03b794e-7aa5-4f24-
899e-2aefaa6e8fb3; Proxy: null)
I am using an IAM user (not Root) and the error appears to indicate that "AWSConfigRole" policy is not associated with my user. To correct this error I added the "AWSConfigRole" permissions through the IAM management console via my web browser.
Unfortunately when I rerun the steps in the quickstart I still encounter the exact same error.
How can I ensure the updated permissions from the IAM management console are being properly communicated to the command line interface?
I still encounter the exact same error.
Because this policy should be setup for IAM role for Config service to assume, not your IAM user. Also AWSConfigRole policy has been long depricated. Now you should be using AWS_ConfigRole instead explaining why it can't be used anymore.
It seems that the template you are deploying is old and not up to date. Its better to make an issue about this to the devs of the template, as they should update it.
I am fairly new to AWS. I am trying to learn it by doing. I have a root user and an IAM user with admin rights and many other rights.
I deployed a example simple stack by CDK. I followed some online tutorials. The Deployment was successful by cdk.
I log in to the AWS console by the browser. I navigate to CloudFormation and clicked Stacks. I got this error:-
Your account is not a member of an organization. (Service: AWSOrganizationsV20161128; Status Code: 400; Error Code: AWSOrganizationsNotInUseException; Request ID: 129910c4-b89c-4318-b56f-7f753e76d475; Proxy: null)
I got the same error for both the root user and IAM user. How do I fix it?
Note that I don't have any AWS organization. I just signup for a fresh AWS account. Just to make sure, I checked the AWS organization, I don't have any organization exist.
After the cdk redeploy:-
StackSets are only available for AWS Organizations. They allow users to deploy CloudFormation stacks across multiple accounts in an organization. If you try to access StackSets in the AWS Console and you're not a member of an organization, you will get this error, which is expected.
Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html
We have a druid cluster setup and now i am trying to write the indexing-logs and data into S3 deep storage.
Following are the details
druid.storage.type=s3
druid.storage.bucket=bucket-name
druid.storage.baseKey=druid/segments
# For S3:
druid.indexer.logs.type=s3
druid.indexer.logs.s3Bucket=your-bucket
druid.indexer.logs.s3Prefix=druid/indexing-logs
After running ingestion task i am getting below error
*Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: HCAFAZBA85QW14Q0; S3 Extended Request ID: 2ICzpVAyFcy/PLrnsUWZBJwEo7dFl/S2lwDTMn+v83uTp71jlEe59Q4/vFhwJU5/WGMYramdSIs=; Proxy: null*)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1862) ~[aws-java-sdk-core-1.12.37.jar:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1415) ~[aws-java-sdk-core-1.12.37.jar:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1384) ~[aws-java-sdk-core-1.12.37.jar:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1154) ~[aws-java-sdk-core-1.12.37.jar:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:811) ~[aws-java-sdk-core-1.12.37.jar:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:779) ~[aws-java-sdk-core-1.12.37.jar:?]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:753) ~[aws-java-sdk-core-1.12.37.jar:?]
I tried to add the IAM role instance to the bucket level and same Role is running EC2 where Druid services are running.
Cam someone please guide what are the steps i am missing here.
I got it done!
I have created a new IAM role and created a policy where i have given permission to S3 bucket and subfolder
NOTE: Permission to S3 bucket is must
Example: If bucket name is "Bucket_1" and subfolder where Deep storage is configured is "deep_storage"
then make sure we should give permisson like:
**"arn:aws:s3:::Bucket_1"
"arn:aws:s3:::Bucket_1/*"**
I was missing with not giving to Bucket level permission and directly trying to give permission to sub folder level.
Also remove or comment out the below parameter from common.runtime.properties file from each servers of your Druid cluster
**druid.s3.accessKey=
druid.s3.secretKey=**
After this config I can see the data is getting successfully to S3 deep storage with IAM role and not with Secret & Access Key.
We have a CodePipeline process set up, and all stages work except the CodeDeploy stage.
Our pipeline stage is as follows:
GenerateChangeSet for CloudFormation
ExecuteChangeSet for CloudFormation
Deploy for CodeDeploy
These stages were set up and configured by CodeStar.
Our GenerateChangeSet stage tries to access s3 to get our BuildArtifact, but fails with the following error:
Action execution failed
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 40P7HSHQGWXSRA72; S3 Extended Request ID: I6hiCC7xx+YmnQMLfUnMzZziLDz/5b8uJWzOqWNZwSiVRCS14Q6UyVfss6q80teO5MAGuR9Xft4=; Proxy: null)
This suggests that CloudFormation cannot access s3, but I've checked and rechecked the policy that it uses and it definitely has the correct permissions for accessing s3.
I'm not quite sure why this error is happening, given that the role policy does indeed have access to s3. I even went with the nuclear option of granting this role full control over s3 (with a view to reverting once I solved the issue), but to no avail, the error still occurs.
Has anyone encountered this before? Anyone know why it might be happening?
I discovered the issue. The CloudFormation template file (template.yml and template-configuration.yml) was reading the one from the repo, but that had been removed at some point prior, so I was getting access denied errors from that resource.
I wish the error message was more explicit, it would have saved hours.
I've been trying to set up a pipeline in CodePipeline which deploys services from one account to another. But I just keep getting this error:
Cross-account pass role is not allowed (Service: AmazonCloudFormation; Status Code: 403; Error Code: AccessDenied;
Here I have 2 accounts:
Deployment account: Here I have the CodeCommit repo with the template I want to deploy. This is the source of CodePipeline which is in the same account. From the deployment account I want to deploy a stack into the test account though CloudFormation.
Test account: Here I want to deploy the stack. Here I have a cross-account role which gives CloudFormation the permission to use all services I want to use. This role also has a trust relationship with the deployment account.
So I want the pipeline in the deploy account to deploy a stack in the test account.
Pipeline settings:
For CodePipeline I've set up a role which has the assume (test account)role statement.
For CloudFormation I've used the cross-account role which is created in the test account.
When i test the pipeline it keeps getting the error I've stated above.
Anyone has an idea what I'm doing wrong?