We Keep Coding

How to fix error "Unable to upload artifact streamlitfunction:python3.8-v1 referenced by ImageUri parameter of StreamlitFunction resource

i am trying to deploy this lambda function into aws ecr registry using docker but im running into this problem. How do i fix it?
Note:A similar function worked for me a few days back with same settings and now when i try the same thing on that..this error persists (w)
sam deploy --guided
Configuring SAM deploy
======================
Looking for config file [samconfig.toml] : Found
Reading default arguments : Success
Setting default arguments for 'sam deploy'
=========================================
Stack Name [streamlit-openaiapp]:
AWS Region [us-east-1]:
#Shows you resources changes to be deployed and require a 'Y' to initiate deploy
Confirm changes before deploy [Y/n]: y
#SAM needs permission to be able to create roles to connect to the resources in your template
Allow SAM CLI IAM role creation [Y/n]: y
#Preserves the state of previously provisioned resources when an operation fails
Disable rollback [Y/n]: y
StreamlitFunction may not have authorization defined, Is this okay? [y/N]: y
Save arguments to configuration file [Y/n]: y
SAM configuration file [samconfig.toml]:
SAM configuration environment [default]:
Looking for resources needed for deployment:
Managed S3 bucket: aws-sam-cli-managed-default-samclisourcebucket-18mtvtv9a39lx
A different default S3 bucket can be set in samconfig.toml
Image repositories: Found (1 of 1) #Different image repositories can be set in samconfig.toml
StreamlitFunction: 377804275255.dkr.ecr.us-east-1.amazonaws.com/openaiqamodeld50b3bc0/helloworldfunction19d43fc4repo
Saved arguments to config file
Running 'sam deploy' for future deployments will use the parameters saved above.
The above parameters can be changed by modifying samconfig.toml
Learn more about samconfig.toml syntax at
https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-config.html
Error: Unable to upload artifact streamlitfunction:python3.8-v1 referenced by ImageUri parameter of StreamlitFunction resource.
500 Server Error: Internal Server Error ("Get "https://377804275255.dkr.ecr.us-east-1.amazonaws.com/v2/": net/http: TLS handshake timeout")

CDK v2 update resulting in deployment error with Circle CI CI/CD pipeline

I have updated my cdk from version 1 to version 2, when I tried to do this locally using npm run cdk -- deploy --context awsEnv=dev --all --profile=dev, this works flawlessly.
However when the Circle CI CI/CD pipeline tries to deploy in the same dev environment, it throws an error
User: arn:aws:sts::xxxxxxxx:assumed-role/*******************************************************/jatinmehrotra is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:**************:xxxxx:parameter/cdk-bootstrap/xxxxxxxxx/version because no identity-based policy allows the ssm:GetParameter action
SO basically Circle CI CI/CD pipeline for deployment assumes the roles and create temporary credentials using aws sts assume role command.
Note:- after updating to cdk v2 I can see a new role, which has the same name as the bootstrap ssm parameter. Does that have to do something with error?
As of now, I think the assume role credentials (even though it has sufficient permissions) are not able to access the bootstrap parameter.

After some troubleshooting and carefully reading the error logs, i manually updated the role's permission with full SSM parameters permission whose credentials are being used to deploy the resources.
This resolved the issue.

AWS CDK Running `cdk synth` for Another Account

When use AWS CDK to provision resources in an VPC, it requires me to specify AWS account and region through env environment variables.
I have CLI access to my dev account, but no access to prod account.
I would like to use cdk synth to generate cloudformation template for production account. To do that, I specifies the account ID in .env file.
But cdk synth command returns me following error.
[Error at /whitespace-app-fargate/whitespace-app-fargate/FargateStack] Could not assume role in target account using current credentials (which are for account xxxxxxxx) User: arn:aws:iam::xxxxxxxxx:user/myqinjie is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::yyyyyyyyy:role/cdk-hnb659fds-lookup-role-yyyyyyyy-ap-southeast-1 . Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI.
Is there a ways to run cdk synth to generate cloudformation template without validation?

It is not possible to run cdk synth against an account that you do not have access to.
You need use a role or user that has sufficient permissions to execute cdk synth against production account.
May I ask what is your usecase?
If you want to validate which resources will be created, you can run against your own account but use production stage and production region.
The only thing different when effectively deploying to production will be the account.

Insufficient access AWS whilst using AWS CLI

I've been trying to access a project in AWS devicefarm using AWS CLI.
Steps taken:
Downloaded the AWS CLI tool
Configured my credentials according to: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html using aws configure command
executed aws devicefarm list-uploads --arn myProjectArn
and what i get is this error:
An error occurred (AccessDeniedException) when calling the ListUploads operation:
User: arn:aws:iam::replacingANumber:user/myUserName is not authorized to perform: devicefarm:ListUploads
on resource:
arn:aws:devicefarm:us-west-2:replacingANumber:project:replacingALongString with an explicit deny
The docs:https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting_iam.html say i'm missing permissions, but devOps team in my company says i have all the permissions.
What am I missing?

Either misconfigured AWS CLI or insufficient permissions.
This can be 2 things:
Your AWS CLI is misconfigured. Make sure that when you run aws sts get-caller-identity, you get the same role as the one that the devops team claims to have the correct permission. Also, make sure that your default region is us-west-2.
If the above is correctly setup, then it comes from the permissions defined in the IAM policy. If you are able to view the policy associated with your user/role, you can check out the policy simulator to figure out which permission is missing.

Error in deploying SAM script from AWS Educate account Cloud9 console

I am new to using AWS and Serverless Application Model (SAM). While following the GitHub of one of the recent AWS Virtual Workshop, I am facing problem in SAM deployment.
In particular, while following the module 1, these are the steps they provide (All these steps are performed from Cloud9 terminal):
Find the Account Id.
accountId=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .accountId)
Name the S3 bucket appending the Account Id
s3_deploy_bucket="theme-park-sam-deploys-${accountId}"
Create the s3 bucket with that name.
aws s3 mb s3://$s3_deploy_bucket
Go to the appropriate directory with SAM YAML file.
Package
sam package --output-template-file packaged.yaml --s3-bucket $s3_deploy_bucket
Deploy
sam deploy --template-file packaged.yaml --stack-name theme-park-ride-times --capabilities CAPABILITY_IAM
All the steps work well until step 5. On executing step 6, after the successful creation of a few resources, I am facing an error on a particular creation and it fails. This results in a rollback and all created resources are also deleted.
ResourceStatus: CREATE_FAILED
ResourceType: AWS::Events::Rule
LogicalResourceId': UpdateRidesUpdateRidesEvent
ResourceStatusReason: User: arn:aws:sts::969009900039:assumed-role/vocstartsoft/user810955=ameya.181co205#nitk.edu.in is not authorized to perform: events:PutRule on resource:arn:aws:events:us-east-1:969009900039:rule/theme-park-ride-times-UpdateRidesUpdateRidesEvent-1C6BYBO984UL7 with an explicit deny (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: AccessDeniedException; Request ID: c6d8162d-a3f1-405f-b6e8-2fd5437c4392)
Please let me the solution to this problem. Thanks in Advance.

Since you are using AWS Educate Starter Account, you have a lot of limitations imposed on what you can and can't do in your sandbox account.
The general list of what is allowed is:
AWS Services Supported with AWS Educate Starter Account
Also note that this is not exhaustive list:
Some services may have additional restrictions as described in the table below.
The error message you got is an explicit deny. This means that you aren't allowed to do what you are attempting due to limitations of the starter account.
An alternative to using the start account, is using having your account (an option only for educators on AWS Educate). This way, if you are educator, AWS Educate could provide you credits towards your classes. But since you use your own account, you would have full control over it.
If the error you are facing is part of a classroom or tutorial they provide, you may contact their customer support. If this deny prohibits you from completing their own tutorials or classrooms, they should be able to fix that.