How to query Assumed Role - amazon-web-services

My application generates this error message:
arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 is not authorized to perform: secretsmanager:GetSecretValue
How can I see more information about which roles or permissions are attached to this assumed role?
I have tried querying for this with the AWS CLI using aws iam get-user / list-users / get-role / list-roles but neither exist. I looked at querying under STS but couldn't see an appropriate option.
I couldn't find this role in the AWS console.

How can I see more information about which roles or permissions are attached to this assumed role?
You can access this information a number of ways. If you know the name of the role, you can use the IAM service; here is a boto3 example:
import boto3
iam = boto3.resource('iam')
role = iam.Role('AWSServiceRoleForRDS')
# Print each managed policy attached to the role
for pol in role.attached_policies.iterator():
    print(pol)
For me this gives:
iam.Policy(arn='arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy')
The sole policy I have attached to this role. Obviously, you'll need to substitute the role name you are interested in here in place of 'AWSServiceRoleForRDS'.
In general this will print out all the policies attached to the role (to stdout).
In order to make this query you need to be authenticated as a user or role that has permissions to access the IAM role (or user).
Update: How to find the name of the role from an ARN?
Following the AWS docs for IAM identifiers, you can identify the role name from the ARN. For STS assumed roles, they follow this format:
arn:aws:sts::account:assumed-role/role-name/role-session-name
Based on what was posted:
arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 is not authorized to perform: secretsmanager:GetSecretValue
it looks like my-service-role is the name of the assumed role.
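The lookup described in this answer, from error message to policy list, as an added example that is not part of the original post. The function names are hypothetical; the boto3 calls are the IAM client's `list_attached_role_policies` and `list_role_policies`, so inline policies are listed alongside attached managed ones.

```python
import re

# Assumed-role session ARN format quoted above:
#   arn:aws:sts::account:assumed-role/role-name/role-session-name
# The session ARN carries no IAM path; the RoleName-based calls below do not need one.
_ASSUMED_ROLE = re.compile(
    r"arn:(?P<partition>aws[\w-]*):sts::(?P<account>\d{12}):"
    r"assumed-role/(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)"
)


def parse_assumed_role(text):
    """Find an assumed-role ARN anywhere in text, e.g. an AccessDenied message."""
    m = _ASSUMED_ROLE.search(text)
    if m is None:
        raise ValueError("no assumed-role ARN found")
    return m.groupdict()


def role_policies(role_name, iam=None):
    """List managed and inline policies on a role. The caller needs
    iam:ListAttachedRolePolicies and iam:ListRolePolicies on that role."""
    if iam is None:
        import boto3  # imported lazily so the parser works without boto3
        iam = boto3.client("iam")
    attached, inline = [], []
    for page in iam.get_paginator("list_attached_role_policies").paginate(RoleName=role_name):
        attached += [p["PolicyArn"] for p in page["AttachedPolicies"]]
    for page in iam.get_paginator("list_role_policies").paginate(RoleName=role_name):
        inline += page["PolicyNames"]
    return {"attached": attached, "inline": inline}


# The error message from the question.
SAMPLE = ("arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 "
          "is not authorized to perform: secretsmanager:GetSecretValue")

if __name__ == "__main__":
    ident = parse_assumed_role(SAMPLE)
    print(ident)
    print(role_policies(ident["role"]))
```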

Related

How can I let metricbeat use iam policy to access other AWS account?

I am using metricbeat to monitor metrics from a few AWS accounts. I have read through the doc: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-aws.html
It says to configure the credential as environment variables or in aws credential file. But I'd like to use cross account IAM policy to access different AWS account. That means metricbeat needs to assume a role when it tries to query metrics. How can I achieve this in metricbeat? I can't find related doc in their document.
So you can specify the IAM Role like this
Metricbeat Configuration Params
metricbeat.modules:
- module: aws
  period: 300s
  metricsets:
    - ec2
  role_arn: arn:aws:iam::123456789012:role/test-mb
I would say there is nothing like Cross Account Policy.
Your role has permissions based on the policies you assign to it via IAM Policies.
When you wanna use Cross-Account IAM Roles, you still have to assign IAM Policies on the role you create in the destination account + an IAM Trust Policy as well so that you can assume the role from another account. In addition to that, your source IAM Role must have permissions to assume the destination IAM Role.
IAM Role Delegation
How to use trust policies with IAM roles
IAM Tutorial: Delegate access across AWS accounts using IAM roles

AWS IAM and CLI - How to resolve pass role error?

I logged into AWS console as DEV-OPS-ENGINEER and created ROLE-1 with aws managed policy attached. I attached this role to ECS tasks.
Now from my machine I logged into aws cli as DEVELOPER and ran aws ecs update-service command but I am getting the below-mentioned error:
"An error occurred (AccessDeniedException) when calling the UpdateService operation: User: arn:aws:sts:::assumed-role/DEVELOPER is not authorized to perform: iam:PassRole on resource: arn:aws:iam:::role/ROLE-1"
My idea was all logged in user (with different roles) should be able to use ROLE-1.
Any idea why it is throwing me this error and how can I resolve it?
To pass a role (and its permissions) to an AWS service, a user must have permissions to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user's IAM user, role, or group.
Find out more, including examples, in the AWS User Guide: Granting a user permissions to pass a role to an AWS service
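One way to confirm whether a principal's policies grant iam:PassRole on a given role before retrying the deployment, using the IAM policy simulator through boto3 (an added example, not part of the original answer). The function names, the placeholder account id and the choice of `ecs-tasks.amazonaws.com` as the receiving service are assumptions.

```python
def simulate(iam, principal_arn, actions, resources, passed_to_service=None):
    """Return {(action, resource): decision} from the IAM policy simulator.

    principal_arn must be an IAM user, group or role ARN, not an STS
    assumed-role session ARN. Each decision is 'allowed', 'explicitDeny'
    or 'implicitDeny'.
    """
    kwargs = {
        "PolicySourceArn": principal_arn,
        "ActionNames": list(actions),
        "ResourceArns": list(resources),
    }
    if passed_to_service:
        # Lets policies that condition PassRole on iam:PassedToService match.
        kwargs["ContextEntries"] = [{
            "ContextKeyName": "iam:PassedToService",
            "ContextKeyValues": [passed_to_service],
            "ContextKeyType": "string",
        }]
    decisions = {}
    while True:
        resp = iam.simulate_principal_policy(**kwargs)
        for r in resp["EvaluationResults"]:
            decisions[(r["EvalActionName"], r["EvalResourceName"])] = r["EvalDecision"]
        if not resp.get("IsTruncated"):
            return decisions
        kwargs["Marker"] = resp["Marker"]  # fetch the next page of results


def not_allowed(decisions):
    """Sorted (action, resource) pairs the simulator did not allow."""
    return sorted(k for k, v in decisions.items() if v != "allowed")


if __name__ == "__main__":
    import boto3  # needs credentials allowed to call iam:SimulatePrincipalPolicy

    # Constructed ARNs: the account id is a placeholder, the role names are the question's.
    developer = "arn:aws:iam::123456789012:role/DEVELOPER"
    role_1 = "arn:aws:iam::123456789012:role/ROLE-1"
    result = simulate(boto3.client("iam"), developer, ["iam:PassRole"], [role_1],
                      passed_to_service="ecs-tasks.amazonaws.com")
    print(not_allowed(result) or "iam:PassRole on ROLE-1 is allowed")
```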

Does not have BatchGetImage permission - While deploying model in sagemaker

I am able to train my model using SageMaker TensorFlow container.
Below is the code:
import sagemaker
from sagemaker.tensorflow import TensorFlow
model_dir = '/opt/ml/model'
train_instance_type = 'ml.c4.xlarge'
hyperparameters = {'epochs': 10, 'batch_size': 256, 'learning_rate': 0.001}
script_mode_estimator = TensorFlow(
    entry_point='model.py',
    train_instance_type=train_instance_type,
    train_instance_count=1,
    model_dir=model_dir,
    hyperparameters=hyperparameters,
    role=sagemaker.get_execution_role(),
    base_job_name='tf-fashion-mnist',
    framework_version='1.12.0',
    py_version='py3',
    output_path='s3://my_bucket/testing',
    script_mode=True
)
Model Fitting:
script_mode_estimator.fit(inputs)
But when I am trying to deploy the model I am getting the below error:
Deploy code is:
script_mode_d = script_mode_estimator.deploy(initial_instance_count=1,
                                             instance_type="ml.m4.xlarge")
Error is:
UnexpectedStatusException: Error hosting endpoint tf-fashion-mnist-2020-09-23-09-05-25-791: Failed. Reason: The role 'xyz' does not have BatchGetImage permission for the image: '520713654638.dkr.ecr.us-east-1.amazonaws.com/sagemaker-tensorflow-serving:1.12-cpu'.
Please help me to resolve this issue.
Reason: The role 'xyz' does not have BatchGetImage permission for the image: '520713654638.dkr.ecr.us-east-1.amazonaws.com/sagemaker-tensorflow-serving:1.12-cpu'.
This error means that the IAM role "xyz" (you can find this in the IAM console) does not have permission to make the BatchGetImage API call in ECR (Elastic Container Registry, you can find this service in the ECS console).
You can find a number of example IAM policies you can use for the "xyz" role to grant it permission to perform the API call here: https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html
To add a policy go to the IAM console, look for the "xyz" role, and either add an (inline) policy, or edit one of its existing policies (if it already has a policy that grants similar permissions it would make sense to add this permission in that policy).
Instead of managing permissions by crafting a permission policy, you can use the AWS-managed AmazonSageMakerFullAccess permission policy, which allows for any actions you might want to perform in SageMaker (including BatchGetImage).
To do so:
Log onto the console -> IAM -> Roles -> Create Role
Create a service-linked role with sagemaker.amazonaws.com
Give the role AmazonSageMakerFullAccess
Give the role AmazonS3FullAccess

Suppose I am AWS IAM user, is there any way so that I can check what resource permission has been given to me using CLI or Console

Suppose, I am AWS IAM user, is there any way so that I can check what resource permission has been given to me, using CLI or Console.
Unfortunately, there is no comprehensive tool for that. In IAM console you can only check your user's IAM profile or group permission you belong to.
But full set of privileges is a very complex thing to get. Apart from obvious IAM user or group permissions you can have:
IAM roles which you can assume,
resource policies which you are listed as a principal (e.g. bucket policy, kms key policy),
resource policies where a role you can assume is a principal,
cross-account permissions in IAM roles or resource policies,
AWS Organization level SCP permissions.
If the reason for asking this question is related to security, e.g., to check what resources were accessed by compromised IAM user credentials, you can suspend the credentials or delete the user. You can also inspect the CloudTrail history to check what resources a given IAM user accessed.

Failed EC2 launching in AWS

I'm trying to replicate this lab: https://github.com/aws-samples/ec2-spot-montecarlo-workshop, but keep getting an error: The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances. Seems like when it tries to create the instance it fails. Does anyone have an idea why? I made sure to give it all permission role but didn't work ...
Seems that credentials which you use (IAM user or role) do not have permissions to execute an action iam:CreateServiceLinkedRole. The action:
Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf
Please double check the IAM user and credentials which you use.
When lodging a spot request – there is a service-linked role that needs to be created (if it does not exist) in IAM called AWSServiceRoleForEC2Spot.
Check that the IAM user has the permission:
iam:CreateServiceLinkedRole
More in the docs:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-requests.html#service-linked-roles-spot-instance-requests