I faced a problem concerning the creation of a Lambda function using Terraform. I tried to follow the standard Terraform documentation to configure it, but in my case it doesn't work. When Terraform tries to create an IAM role for the Lambda function I get an error:
"Error: failed creating IAM role ... AccessDenied: User: ... is not authorized to perform: iam:CreateRole on resource: ... because no identity-based policy allows iam:CreateRole action ..."
Actually, if I understood correctly, it requires an additional policy for my account or root privileges; I don't have either, and I need to use an already existing IAM role. Is there a way to configure it in Terraform?
Yes, you can use an IAM role with Terraform as explained in the TF docs:
Using AWS AssumeRole with the AWS Terraform Provider
I am trying to create an AWS EKS cluster with Terraform. I want to use an existing IAM role. I won't be creating a new role. I tried this:
module "eks" {
...
iam_role_arn = "arn:aws:iam::11111111:role/cluster-role"
...
}
But I get 403 permission denied. How can I do this? Thanks.
Edit: added error.
failed creating IAM Role (green-eks-node-group): AccessDenied: User: arn:aws:iam::*******:user/****** is not authorized to perform: iam:TagRole on resource: arn:aws:iam::*******:role/green-eks-node
First, for good measure: please do not post pictures here of either code or error messages. Just copy-paste the stuff and format it.
That said: I think the error tells you exactly what is wrong (or at least what the first error is, because in my experience it takes a few iterations of this to get your IAM permissions straight).
The role that you use to execute Terraform does not have the permission:
iam:TagRole
on the resource:
arn:aws:iam:xxxxxxxxxxx:role/eks-cluster
So you will need to add it to its policy.
I followed the instructions here to set up and remove a Python Lambda function (and associated AWS resources).
When I try to clean up the function, role policy and role, the instructions fail because the CLI does not manage to find the attached role policies. In particular, if I run:
aws iam list-role-policies --role-name myrolename
... I get an output of:
{
"PolicyNames": []
}
But when I look up the same role in the AWS console, I can see the policy is there.
So what is going on here? Is this an AWS bug (CLI version aws-cli/2.1.33 Python/3.9.2 Darwin/20.4.0 source/x86_64), or am I muddled up here somehow?
As I can see from the image, it's a managed policy, and unfortunately list-role-policies only lists the names of the inline policies that are embedded in the specified IAM role.
The docs say:
An IAM role can also have managed policies attached to it. To list the managed policies that are attached to a role, use ListAttachedRolePolicies
Use this, for example:
aws iam list-attached-role-policies --role-name SecurityAuditRole
aws deploy register-on-premises-instance --instance-name XXXXX --iam-user-arn arn:aws:iam::XXXXXXXXXXXX:user/LightSailCodeDeployUser --region ap-south-1
An error occurred (AccessDeniedException) when calling the RegisterOnPremisesInstance operation: User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AmazonLightsailInstanceRole/i-XXXXXXXXXXXXXX is not authorized to perform: codedeploy:RegisterOnPremisesInstance on resource: arn:aws:codedeploy:ap-south-1:XXXXXXXXXX:instance:XXXXXXXXXXXX
I didn't even create the role AmazonLightsailInstanceRole, so how did it come into the picture? My user has all permissions on CodeDeploy though. I am following this link to set it up: https://aws.amazon.com/blogs/compute/using-aws-codedeploy-and-aws-codepipeline-to-deploy-applications-to-amazon-lightsail/
I made the same mistake and then realized that the command is meant to be run on your local machine and not on the instance!
AmazonLightsailInstanceRole is a service-linked role automatically created by AWS:
Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
The error you are getting is not about you not having the codedeploy:RegisterOnPremisesInstance permission.
The error is about the AmazonLightsailInstanceRole not having it. It does not matter if you (i.e. your IAM user) have all CodeDeploy permissions.
Normally you would add the missing permissions to the role. How to work with the AmazonLightsailInstanceRole is described in the following AWS documentation:
Using Service-Linked Roles for Amazon Lightsail
Editing a Service-Linked Role
However, I'm not sure if you can modify the AmazonLightsailInstanceRole and add the missing permissions. Some service-linked roles can be modified, some not.
The documentation is a bit confusing. Create a new user in IAM with an admin role (full privileges) and use the credentials of that user to run the command on your local machine.
Can anyone help me with any solution to solve this error while creating an AWS Lambda application from an IAM user account:
Error creating application: You are not authorized to perform: serverlessrepo:GetApplication.
My permissions are:
In the IAM console, first go into Policies to create a policy and choose the service name Serverless Application Repository. Then configure the actions and resources for your requirement (by default, the selected option for Resources is a specific repository).
After it is created, go to Users in the IAM console and attach the new policy to this user.
Now you should be able to perform: serverlessrepo:GetApplication. If you find that refreshing the page does not take effect, log out and log in again to apply the policy.
As the exception says:
You are not authorized to perform: serverlessrepo:GetApplication
This means that your IAM user, or the role assumed by the deployment process, does not have an Allow effect for the serverlessrepo:GetApplication action.
To resolve this, add a policy with an Allow effect for serverlessrepo:GetApplication to your IAM user, or to the role being assumed by the deployment function.
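As an added example (not code from any of the posts above), a small Python helper that reads AccessDenied messages in the shape quoted in the EKS, Lightsail and serverlessrepo answers above, works out whether the grant belongs on the IAM user or on the assumed role, and turns each denial into one Allow statement scoped to the ARN the error named instead of a wildcard. The account ids, user name and instance id in the constructed samples are placeholders.

```python
import re

# The "not authorized to perform: <action> on resource: <arn>" phrase shared by the
# AccessDenied messages above. Principal and resource are optional (serverlessrepo omits them).
_DENIED = re.compile(
    r"(?:User: (?P<principal>\S+) )?(?:is|are) not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)

def parse_access_denied(message: str) -> dict:
    """Return the denied action, the resource, and where the grant belongs."""
    m = _DENIED.search(message)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    principal = m.group("principal") or ""
    if ":assumed-role/" in principal:
        # Session credentials: the policy belongs on the role, not on the person
        # who typed the command (the AmazonLightsailInstanceRole case above).
        attach_to = "role/" + principal.split(":assumed-role/")[1].split("/")[0]
    elif ":user/" in principal:
        attach_to = "user/" + principal.split(":user/")[1]
    else:
        attach_to = "unknown"
    return {
        "attach_to": attach_to,
        "action": m.group("action"),
        "resource": (m.group("resource") or "*").rstrip("."),
    }

def minimal_policy(messages: list) -> dict:
    """One Allow statement per denied call, each scoped to the reported ARN."""
    statements = [
        {"Effect": "Allow", "Action": d["action"], "Resource": d["resource"]}
        for d in map(parse_access_denied, messages)
    ]
    return {"Version": "2012-10-17", "Statement": statements}

# Constructed samples in the format the posts above quote (ids are placeholders).
SAMPLES = [
    "failed creating IAM Role (green-eks-node-group): AccessDenied: User: "
    "arn:aws:iam::111122223333:user/deployer is not authorized to perform: "
    "iam:TagRole on resource: arn:aws:iam::111122223333:role/green-eks-node",
    "User: arn:aws:sts::111122223333:assumed-role/AmazonLightsailInstanceRole/"
    "i-0123456789abcdef0 is not authorized to perform: "
    "codedeploy:RegisterOnPremisesInstance on resource: "
    "arn:aws:codedeploy:ap-south-1:111122223333:instance:my-instance",
    "Error creating application: You are not authorized to perform: "
    "serverlessrepo:GetApplication.",
]
```

The `attach_to` field is the point of the Lightsail answer: when the principal is an assumed role, attaching the policy to your own user changes nothing.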
I need to grant IAM role creation permission to a user, but with the condition that he can only do it from some AWS service.
For example, if a user is running a CloudFormation stack and attempting to create an IAM role, he should be allowed. If he is manually creating a role, it should be denied. Or if a person is creating a CodePipeline, he should have permission to create the role.
The concept you are looking for sounds like service-linked roles.
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/
However, I don't think it is supported for CloudFormation or CodePipeline:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html