I updated a dashboard in one account (in dev account) and now I want to update the dashboard in my production account.
When I created the accounts I used the following article:
https://aws.amazon.com/blogs/big-data/migrate-amazon-quicksight-across-aws-accounts/
Now, when I want to update the template I get an error:
arn user is not authorized to perform: quicksight:UpdateTemplate on resource: arn:aws:quicksight:eu-west-1:599840029772:template/**
I guess that the problem is that in the update-template command I can't change the Principal to the Test-qs-admin-user IAM user so the system recognizes only my account and my account has no permissions to perform this.
How can I use the IAM user in update-template command?
Thanks!
Related
I'm trying to setup my aws cli. I downloaded it and everything worked.
Now I wanted to log in from my powershell script.
Set-AWSCredentials –AccessKey key-name –SecretKey key-name
Because I don't have any users at the moment I had to create one. I have given the user admin rights.
When creating the user aws throws this error:
User: arn:aws:sts::37197122623409:assumed-role/voclabs/user2135080=.... is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::371237422423709:user/.... because no identity-based policy allows the iam:CreateUser action
My first thought was that my education account is having a problem. But I didn't find anything about it. Thanks for your help in advance.
The "voclab" part of the error suggests you are not logged as the account root user but instead assuming a role in an account used for teaching purposes.
This role is probably designed to disallow IAM actions, in order to prevent privilege escalation.
Read
https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html to get role credentials for the role you're assuming
You can't make any IAM roles, policies or users as a student using voclabs account. AWS Academy does not allow to do that and its a hard limit which you nor your educator can change.
I'm working on an AWS account managed by another team which use it only for S3 storage. We have authorization to use sagemaker, and administartor said “AmazonSageMakerFullAccess” have been given to me.
I'm trying to access sagemaker studio, for that I'm ask to "Setup SageMaker Domain" by aws.
I then need a "Default execution role"
If I try to create one, I got error "User ... is not authorized to perform: iam:CreateRole on resource: ..."
There is an option to use a custom exiting one with the format
"arn:aws:iam::YourAccountID:role/yourRole"
but while I have an account Id, I don't know what role to use.
I don't have permission to create role, and the ones I see in IAM service doesn't seem to be related to sagemaker (also I don't have permission to see the details of those roles).
Should the sagemaker setup be done by the administrator who can create a new role ? Or is there a way for me to do it, and if so where can I find the role I need ?
If you don't attach any role to AWS SageMaker, and when you try to create SageMaker resource the very first time it will create a default execution role for the service. Either get the permission to create a role or ask your administrator to create a execution role for your SageMaker so that next time when you create one you can use the same role.
After setting up AWS Organizations, I created a member account with a custom IAM role name. I've now forgotten the role name used and I'm unable to assume role as root into that account. I need to create IAM users in the member account but without the ability to assume role using the custom OrganizationAccountAccessRole it seems I'm unable to.
I've tried getting access by
Using the member account root user but it doesn't have permissions to IAM
Signing in to member account using AWS SSO user with IAMFullAccess and AdministratorAccess policies attached to the policy set but user cannot access IAM.
Attempting to describe member account using the master account admin user but the role isn't there
At this point, I'm thinking the only way out is to recreate the member account. Please tell me there is a better way.
UPDATE:
- Found that 1 & 2 didn't work because of a restrictive Service Control Policy (SCP) on the account which didn't include IAM access permissions.
Based on the comments.
The solution was to inspect CloudTrial logs to find the API call used to create the role.
I am writing an application for AWS platform, which was planned to be launched from the root account, with root credentials. At this point I need to stop some of the machines started by the AWS organizations member accounts.
By default AWS organizations doesn't give access to root account to look or manage resources to other member's account. So I tried using temporary credentials and tried to assume a role created by the target account.
More on that here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempSessionTokenJava.html
On the other hand it doesn't allow root account to assume roles, and throws such exception.
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Roles may not be assumed by root accounts. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 7bee7537-48e0-11e9-bb1a-bb36134736e4)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1695) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1350) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1101) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:758) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:732) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:714) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:674) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:656) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:520) ~[aws-java-sdk-core-1.11.475.jar:na]
at...
Is there any way get around this problem? For example, somehow to give the root access to everything or let it assume roles?
Firstly, please don't use your Root account! Best practice is to remove access keys from the root account, add an MFA token and lock it away. We have a large AWS Organization structure and we don't use the root accounts for anything other than where it's absolutely required.
See the IAM Best Practices user guide, specifically the section: Lock Away Your AWS Account Root User Access Keys
For your described administrative purposes, use IAM Users
IAM Users can assume Roles. Recommended steps:
Create IAM Group and attach the required policy for admin permissions. The AdministratorAccess policy is an easy pre-built policy that gives full admin access within the current account, but to assume roles into sub-accounts, all you really need to allow is the sts:AssumeRole action.
Creating Your First IAM Admin User and Group
Granting a User Permissions to Switch Roles
Create an IAM User and assign it to the IAM Group.
Adding and Removing Users in an IAM Group
Create the target Role in your sub-accounts with a Policy to allow actions in that sub-account and with a Trust Relationship defined for your IAM user in the master Org account.
Creating a Role to Delegate Permissions to an IAM User
NOTE: Sounds like you may already have this, but check the trust relationship to make sure.
Authenticate your app via IAM user credentials, temp credentials, etc.
NOTE: The temp credentials doc that you linked is for IAM Users, I'd recommend trying it again once you have a proper IAM user setup.
There are many ways to authenticate to AWS services, as another example see: Assuming an IAM Role in the AWS CLI
Additional: Not sure what you're building, but if appropriate, Consider Using Service-linked Roles to directly provide the app the specific permissions it needs--rather than dealing with user credentials.
How would you switch to a user in the AWS console?
I've set up an IAM policy for a user and I'd like to test whether they're working or not.
I've tried switching roles http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html
using the account id from the User ARN (e.g.
arn:aws:iam::<account id>:user/<username>
in
https://signin.aws.amazon.com/switchrole
using:
Account: <account id>
Role: test_user
Display Name: Test User
then clicking Switch Role but I get:
Could not switch roles using the provided information. Please check your settings and try again. If you continue to have problems, contact your administrator.
Note: I am an Admin with full access.
You cannot use the Switch Role functionality to switch to a User.
You have two options:
Login as the User you wish to test, or
Create a Role with the same permissions, switch to the Role, then test
The easiest is to simply login as the user you wish to test. However, this can be a poor security practice because you are using another person's account and any actions you perform would be recorded against that user in Amazon CloudTrail (audit trail).
Alternatively, you could create a new IAM Role and assign exactly the same permissions to that Role. You would also need to assign a Trust Policy to the role to permit it to be used by you (your IAM User). You can then switch to that role in the console. This will work, unless you have any policies that specifically reference the User you wish to test (which will not recognise your Role permissions).
The best way to do this is fully log out of the AWS console. Or you can use a different browser so you can be logged into both at the same time.