Subnet flowlogs not allowed to be uploaded? but have followed instructions? - amazon-web-services

I am attempting to publish one of my AWS VPC Subnets' flow logs to CloudWatch; however, it states some permission issue.
I've checked and rechecked... it says to set up an IAM Role (which I have) with permissions as follows.
Here's the trust policy on the IAM Role
As well as its permissions setup
Citations:
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-flow-logs.html

Okay, so the answer was... while I had set the permissions for the IAM Role properly within my AWS Organization, the org itself did NOT have ANY permissions enabled to push flow logs, so I had to go to my root account, edit the organization's permissions, and wipe out and redeploy the flow log. I can now confirm everything is working fine.
TL;DR: If you're using AWS Orgs, don't forget your global permissions!
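As an added illustration (not code from the original post), here is a small Python model of why a correct role policy was not enough: AWS evaluates the role's identity policy and the organization's SCP together, so an SCP that never allows the CloudWatch Logs actions overrides the role policy. The role policy below lists the actions the VPC flow logs documentation requires; the two SCPs are constructed examples of the "before" and "after" state.

```python
import fnmatch

# Permissions policy the flow logs documentation requires on the delivery role.
FLOW_LOG_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
            "logs:DescribeLogGroups", "logs:DescribeLogStreams",
        ],
        "Resource": "*",
    }],
}

# Constructed SCPs: the first never mentions CloudWatch Logs (the situation in
# the question), the second grants logs:* at the organization level.
SCP_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:*"], "Resource": "*"}]}
SCP_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:*", "logs:*"], "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action):
    """Simplified IAM logic for one policy document: an explicit Deny wins,
    then an Allow, otherwise implicit deny. Only Action is matched (with
    wildcards); Resource, Condition and NotAction are ignored here."""
    decision = "ImplicitDeny"
    for stmt in policy.get("Statement", []):
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action, p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def is_allowed(action, identity_policy, scp):
    """An action is effective only if the identity policy AND the SCP allow it."""
    return evaluate(identity_policy, action) == "Allow" and evaluate(scp, action) == "Allow"

def blocked_actions(identity_policy, scp):
    """Return the required flow-log actions that the combination still denies."""
    required = FLOW_LOG_ROLE_POLICY["Statement"][0]["Action"]
    return [a for a in required if not is_allowed(a, identity_policy, scp)]

if __name__ == "__main__":
    print("before:", blocked_actions(FLOW_LOG_ROLE_POLICY, SCP_BEFORE))
    print("after: ", blocked_actions(FLOW_LOG_ROLE_POLICY, SCP_AFTER))
```

With the "before" SCP all five logs actions come back as blocked even though the role policy allows them; with the "after" SCP the list is empty.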

Related

Cannot attach a Service Role Policy to a Customer Role

I have a problem when creating a Role: I am getting an error that says "Cannot attach a Service Role Policy to a Customer Role".
In fact, there is something called Customer Managed Role, which the above error seems to display as 'Customer Role'.
From AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role)
A role that a service assumes to perform actions in your account on your behalf. When you set up some AWS service environments, you must define a role for the service to assume. This service role must include all the permissions required for the service to access the AWS resources that it needs.
Now if you create a role, which isn't a service role, and attach permissions yourself, it appears under what AWS shows as Customer Managed Role (Screenshot below). If you look carefully, the service roles in AWS show the AWS box icon and the Customer Managed ones don't.
Reason: I was facing the above error as well, and the reason was that my Role had custom inline policies attached. If a Role has custom attached (inline) policies, AWS doesn't let you attach the Service Role policies to it. You can filter the roles and find out what's causing the issue.
I hope this is documented somewhere as I was scratching my head for quite some time on this.

Amazon ECS says I haven't opted in to new ARN and Resource ID format, when I clearly have

I'm deploying a service to Amazon ECS through Docker. I need to assign an IAM role to the cluster that allows it to communicate with Secrets Manager, as that's where some of the important configuration comes from. However, when trying to select the IAM role, I get this error message:
Error message
So I tried following the amazon documentation and going to the account settings tab signed in as the root account, only to find that the settings were already enabled by default. So now I'm sort of stuck as to what to do at this point. Is there something I'm missing here?
resources already enabled
From your screenshot what I understand is that the IAM role you are using to deploy the container does not have "ecsInstanceRole" in your IAM roles. You could use the following steps to create it.
Open the IAM console at https://console.aws.amazon.com/iam/
In the navigation pane, choose Roles and then choose Create role.
Choose the AWS service role type, and then choose Elastic Container Service.
Choose the EC2 Role for Elastic Container Service use case and then Next: Permissions.
In the Attached permissions policy section, select AmazonEC2ContainerServiceforEC2Role and then choose Next: Review.
Important
The AmazonEC2ContainerServiceforEC2Role managed policy should be attached to the container instance IAM role, otherwise you will receive an error using the AWS Management Console to create clusters.
For Role name, type ecsInstanceRole and optionally you can enter a description.
Review your role information and then choose Create role to finish.
Or you can follow the document below:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html

IAM Policy not working for AWS MediaPackage

I am trying to work with AWS Elemental MediaPackage and AWS Elemental MediaLive. I have a good amount of experience with AWS and IAM Roles. I've attached a Full Access policy for both services, but somehow I still do not have access. I'm trying to figure out what I am missing.
The error is not about your IAM user permissions, which you've posted in the question. The error is about some IAM role which does not have the necessary permissions.
Since you removed the name of the role from the first screenshot, I can't comment on which role it is exactly. So you have to go to the role in the IAM console and add the missing permissions, which are also listed in the error message.

Difference between policy path "arn:aws:iam::aws:policy/aws-service-role" and "arn:aws:iam::aws:policy/service-role"

What is the difference between policies under the paths "aws:policy/service-role" and "aws:policy/aws-service-role"?
Is there any logic behind this design?
The AWS managed policies within the aws-service-role path are policies that can be attached to a service-linked role only.
If you go to AWS Console -> IAM -> Policies, filter by AWS Managed Policies and start clicking on them, you'll notice the ones with the aws-service-role path have a help label at the top that reads "This policy is linked to a service and used only with a service-linked role for that service. You cannot attach, detach, modify, or delete this policy." There might be a way to filter down to the service-linked policies in the AWS Console or CLI when describing policies other than inspecting the paths, but it eludes me right now.
You can see their usage described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
Here also is the blog post that describes what a service-linked role is https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/. Basically these are roles that can only be assumed by a specific service type.
The AWS managed policies in the service-role path are policies that can be attached to any role including "normal/basic" roles. These types of roles can be assumed by users, EC2 instances, or anywhere else roles are assumed.
For example, you could give someone permission to attach a service-linked role that has the policy arn:aws:iam::aws:policy/aws-service-role/AWSLambdaReplicator attached, which is only attachable to a linked role linked to the Lambda service. They would be able to use this role as the Lambda execution role, but they would not be able to use this role with another service like EC2 or an IAM user. This supports an admin allowing users to assign out permissions to new resources that users spin up (a new Lambda) that the admin trusts the linked AWS service to use, but doesn't want to allow that user to access directly through their user account or give to other custom applications running in AWS.

AWS Elastic Beanstalk: Environment Fails to Launch

I have created a few environments before, so I know how the Amazon EBS works; however, lately I have been having the following issue while creating an environment:
The instance profile aws-elasticbeanstalk-ec2-role associated with the environment has no role. Please attach a role to the instance profile.
I follow the steps to create a new environment. When it gets to the Permissions page, I create a new role as there are no existing ones. Then I follow the rest of the steps and eventually it starts to launch. After a couple minutes, I get the error above. Any help towards this will be helpful.
To solve this issue, I created a new role from the IAM Manager console. I selected Amazon EC2 as my Service Role Type. I attached the AWSElasticBeanstalkFullAccess policy. Then when creating a new environment, I chose the new role I created.
Though I am a bit late in answering this issue, I am posting here in case someone faces this error now.
This applies in case your user has all the required permissions to create roles and BS has already created the instance profile "aws-elasticbeanstalk-ec2-role".
The reason for this error is roles only: when we try to launch EC2 from AWS BS, it creates a role named "aws-elasticbeanstalk-ec2-role" with the required permissions.
But if there is already a role with trusted entity "AWS service: ec2", BS will check permissions in that already existing older role.
So go to Roles > search the EC2-related roles and select the role which is active.
Then just add the AWSElasticBeanstalkFullAccess permission to that EC2 role, and this issue will be resolved.