Is there any chance to automate DMS tasks in AWS DMS I am trying below command to automate?
aws dms start-replication-task <arn> --start-replication-task-type start-replication
But its not allowing and facing below error while running above command.
user is not authorized to perform: dms:StartReplicationTask on resource:<arn> because no identity-based policy allows the dms:StartReplicationTask action
Please let me know which permission are required to AWS user
You user needs an IAM role assigned to it with appropriate permissions. The permissions required for DMS are listed on AWS website at the below link.
https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html#CHAP_Security.IAMPermissions
Have a read through, it should solve your problem.
regards,
Naveed.
Related
I am trying to upload a new AWS GameLift Linux server using the AWS CLI but I get the following error:
An error occurred (AccessDeniedException) when calling the CreateBuild operation: User: arn:aws:iam::------:user/----- is not authorized to perform: gamelift:CreateBuild because no identity-based policy allows the gamelift:CreateBuild action
I added the arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy to my group permissions. I can see in the policy json that there isn't a CreateBuild action. It either needs to be added or you can't do it this way.
The AWS documentation is useless and on this page: https://docs.aws.amazon.com/gamelift/latest/developerguide/security_iam_troubleshoot.html#security_iam_troubleshoot-no-permissions
it helpfully advises: ... asks his administrator to update his policies
My user is the main root user for my AWS account but I have no idea how to resolve this. Any ideas?
I worked out how to create a new Policy and add the service permissions. You click on 'create policy' and then choose the 'GameLift' service. I added all the available actions. Seemed to do the trick.
Why did AWS miss this out of the documentation?
I've been trying to access a project in AWS devicefarm using AWS CLI.
Steps taken:
Downloaded the AWS CLI tool
Configured my credentials according to: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html using aws configure command
executed aws devicefarm list-uploads --arn myProjectArn
and what i get is this error:
An error occurred (AccessDeniedException) when calling the ListUploads operation:
User: arn:aws:iam::replacingANumber:user/myUserName is not authorized to perform: devicefarm:ListUploads
on resource:
arn:aws:devicefarm:us-west-2:replacingANumber:project:replacingALongString with an explicit deny
The docs:https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting_iam.html say i'm missing permissions, but devOps team in my company says i have all the permissions.
What am I missing?
Either misconfigured AWS CLI or insufficient permissions.
This can be 2 things:
Your AWS CLI is misconfigured. Make sure that when you run aws sts get-caller-identity, you get the same role as the one that the devops team claims to have the correct permission. Also, make sure that your default region is us-west-2.
If the above is correctly setup, then it comes from the permissions defined in the IAM policy. If you are able to view the policy associated with your user/role, you can check out the policy simulator to figure out which permission is missing.
aws deploy register-on-premises-instance --instance-name XXXXX --iam-user-arn arn:aws:iam::XXXXXXXXXXXX:user/LightSailCodeDeployUser --region ap-south-1
An error occurred (AccessDeniedException) when calling the RegisterOnPremisesInstance operation: User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AmazonLightsailInstanceRole/i-XXXXXXXXXXXXXX is not authorized to perform: codedeploy:RegisterOnPremisesInstance on resource: arn:aws:codedeploy:ap-south-1:XXXXXXXXXX:instance:XXXXXXXXXXXX
I didn't even create the role AmazonLightsailInstanceRole, then how did it come in the picture. My user have all permissions on codedeploy though. I am following this link to set up. https://aws.amazon.com/blogs/compute/using-aws-codedeploy-and-aws-codepipeline-to-deploy-applications-to-amazon-lightsail/
I made the same mistake and then realized that command is meant to be run on your local machine and not the instance!
AmazonLightsailInstanceRole is a service-linked role automatically created by aws:
Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
The error you are getting is not about you not having the codedeploy:RegisterOnPremisesInstance permission.
The error is about the AmazonLightsailInstanceRole not having it. It does not matter if you (i.e. your IAM user) has all CodeDeploy permissions.
Normally you would add the missing permissions to the role. How to work with the AmazonLightsailInstanceRole is described in the following AWS documentaiton:
Using Service-Linked Roles for Amazon Lightsail
Editing a Service-Linked Role
However, I'm not sure if you can modify the AmazonLightsailInstanceRole and add the missing permissions. Some service-linked roles can be modified, some not.
The documentation is a bit confusing. Create a new user in IAM with admin role (full privileges) and use the credentials of that user to run the command in your local machine.
I started to work with AWS SageMaker. I have an AWS Starter Account. I have been trying to deploy a built-in algorithm for 2 days but I always get AccessDeniedException despite the fact that I created IAM role according to https://aws.amazon.com/tr/getting-started/tutorials/build-train-deploy-machine-learning-model-sagemaker/
ClientError: An error occurred (AccessDeniedException) when calling the CreateTrainingJob operation: User: arn:aws:sts::161745376217:assumed-role/AmazonSageMaker-ExecutionRole-20200203T194557/SageMaker is not authorized to perform: sagemaker:CreateTrainingJob on resource: arn:aws:sagemaker:us-east-1:161745376217:training-job/blazingtext-2020-02-03-18-12-14-017 with an explicit deny
Could you help me to solve this problem ?
Thank you so much
You have created a role for SageMaker to access S3 bucket, but it seems your IAM user doesn't have access to SageMaker service. Please make sure your IAM user has permission to SageMaker.
This error usually occurs, if you have an AWS Educate account. It restricts you to take full control of the Sagemaker service. In this case, I'd recommend you to access AWS using regular AWS account.
I'm setting a new skill with ASK CLI V2 in Alexa. I would like to specify a specific role when deploying the new skill instead of letting the command create a new one.
Some background: I created a new skill using the new command and used the hello world template. Then, I ran the deploy command. I am using a corporate account and I don't have permissions to create a new role. I have to use an existing one.
AccessDenied: User: [...] is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::845692260290:role/ask-lambda-skill-sample-nodejs-hello-world
I am afraid that you need to ask your organization to give some permissions to your user to create Lambda Execution Roles, as per the documentation here
AWS permissions
When ASK CLI creates a new Lambda function, it associates the AWSLambdaBasicExecutionRole with the function. For more information, see Manage Permissions: Using an IAM Role (Execution Role) in the AWS Lambda documentation. Make sure the AWS credentials that you configured for use with ASK CLI have permission to create IAM roles and associate permissions.
I hope this helps.