IAM role is not authorized to perform ec2messages:GetMessages - amazon-web-services

I've created a role with an attached Policy "AmazonSSMManagedInstanceCore":
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
}
]
}
And Trust relationships:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I've then attached the IAM role to the instance. When I start the SSM agent in the instance I get the following error:
2022-03-16 23:14:49 ERROR [HandleAwsError # awserr.go.49] [ssm-agent-worker] [MessageService] [MDSInteractor] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/SSMandCloudWatch/i-YYYYY is not authorized to perform: ec2messages:GetMessages on resource: arn:aws:ssm:eu-central-1:XXXX:* with an explicit deny in a service control policy
status code: 400, request id: zzzz
The call it's complaining about is explicitly allowed in the policy. I've tried restarting the agent but didn't make any difference.

AWS permission evaluation can be complex. I like this AWS diagram below, so it is a good one to follow to track down permissions issues.
So there are a few other things to check or be aware of that could still be limiting access.

Related

ACCESS DENIED error when trying to create a Glue job

I am trying to create a Glue job in an account that has full access to all resources
The script gets generated but when I try and save it I get the following error
[gluestudio-service.us-east-1.amazonaws.com] createJob: AccessDeniedException: Account XXXXX is denied access.
The role I am using has nothing fancy in it and has full access to glue and all S3 resources.
Its not an organisational account
Any insight would be greatly appreciated
I am using the managed AWSGlueServiceRole as well as the AmazonS3FullAccess roles
I have added the follwoing
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"glue:UseGlueStudio",
"iam:ListRoles",
"iam:ListUsers",
"iam:ListGroups",
"iam:ListRolePolicies",
"iam:GetRole",
"iam:GetRolePolicy",
"glue:SearchTables",
"glue:GetConnections",
"glue:GetJobs",
"glue:GetTables",
"glue:BatchStopJobRun",
"glue:GetSecurityConfigurations",
"glue:DeleteJob",
"glue:GetDatabases",
"glue:CreateConnection",
"glue:GetSchema",
"glue:GetTable",
"glue:GetMapping",
"glue:CreateJob",
"glue:DeleteConnection",
"glue:CreateScript",
"glue:UpdateConnection",
"glue:GetConnection",
"glue:StartJobRun",
"glue:GetJobRun",
"glue:UpdateJob",
"glue:GetPlan",
"glue:GetJobRuns",
"glue:GetTags",
"glue:GetJob"
],
"Resource": "*"
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/AWSGlueServiceRole*",
"Condition": {
"StringLike": {
"iam:PassedToService": [
"glue.amazonaws.com"
]
}
}
}
]
}```
Add Trusted Policy like the following in the Role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "glue.amazonaws.com",
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "sts:AssumeRole"
}
]
}

Step function unable to trigger ECS task on fargate cluster, permission issue

I am creating and running a task on my ECS fargate cluster.
Task definition (with role) and fargate cluster is already created.
When I use run task step in step function, I am getting following error,
{
"Error": "ECS.AccessDeniedException",
"Cause": "User: arn:aws:sts::xxxxxxxxxx:assumed-role/StepFunctions-my-state-machine-role-xxxxxxxxxx/xxxxxxxxxx is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxxxx:role/my-app-dev-exec because no identity-based policy allows the iam:PassRole action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx; Proxy: null)"
}
The role attached to the step function has the following policies (as per the documentation provided by AWS https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:eu-west-1:xxxxxxxxxx:task-definition/*:*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": [
"arn:aws:ecs:eu-west-1:xxxxxxxxxx:task/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:eu-west-1:xxxxxxxxxx:rule/StepFunctionsGetEventsForECSTaskRule"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeStateMachine",
"states:StartExecution",
"states:ListExecutions",
"states:UpdateStateMachine"
],
"Resource": [
"arn:aws:states:eu-west-1:xxxxxxxxxx:stateMachine:my-state-machine"
]
}
]
}
with following trusted entities
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Can someone help with what additional permission I need to give to resolve the above permission issue? From the error, I am not able to figure out what additional permission is required.
If I attach AmazonECS_FullAccess (aws managed) policy to the role, job works perfectly.
Because your task will use an IAM Role, you need to specify the additional permission 'PassRole'.
The best practice is to restrict which roles can be passed. So is recommended to add a condition limiting to only allow to pass roles to ECS tasks.
Try adding this statement to your policy:
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"iam:PassedToService": "ecs-tasks.amazonaws.com"
}
}
}

Cross Account SNS Subscribe to Lambda in second account

I have used the below policy for the SNS topic to subscribe this SNS in Lambda with account number as 222222222222. I have also given access to my lambda with a similar policy adding it to the execution role of Lambda.
Getting the error below:
An error occurred when creating the trigger: User:
arn:aws:sts::222222222222:assumed-role/TSI_Base_FullAccess/AXXXXXXXX
is not authorized to perform: SNS:Subscribe on resource:
arn:aws:sns:eu-west-1:111111111111:Story-5555 (Service: AmazonSNS;
Status Code: 403; Error Code: AuthorizationError; Request ID:
1321942c-25c4-52a1-bacb-c2e9bd641067)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1582008007178",
"Action": [
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTagsForResource",
"sns:ListTopics",
"sns:Publish",
"sns:Subscribe"
],
"Effect": "Allow",
"Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": "arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS"
}
}
}
]
}
According AWS Documentation you should specify principle additionally to the condition.
So your policy should resemble
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1582008007178",
"Action": [
"sns:GetSubscriptionAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptions",
"sns:ListSubscriptionsByTopic",
"sns:ListTagsForResource",
"sns:ListTopics",
"sns:Publish",
"sns:Subscribe"
],
"Effect": "Allow",
"Resource": "arn:aws:sns:eu-west-1:111111111111:Story-5555",
"Principal": {
"AWS": ["222222222222"]
},
"Condition": {
"ArnEquals": {
"aws:PrincipalArn": [
"arn:aws:lambda:eu-west-1:222222222222:function:New_Cross_SNS",
"arn:aws:sts::222222222222:assumed-role:TSI_Base_FullAccess:AXXXXXXXX"
]
}
}
}
]
}
The way to be sure which ARN to specify in the condition section of the policy is to call (and print) get-caller-identity API from your function.

Security token service exception while restoring snapshot from S3 to AWS managed elasticsearch

I have an AWS managed Elasticsearch Service (say smallES) which has an properly working S3 bucket attached to containing day wise rolling indices of last 1 year. I've created another AWS managed ES cluster (say bigES) for some business reason. I want to restore last 1 year's data from bucket into bigES. It's guaranteed that smallES bigES and bucket all are in the same region and same VPC.
So, I created a policy :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::bucket/*"
]
}
]
}
And attached the policy with a role. Trust relationship of that role is
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Now, when I create a snapshot by http request within the same VPC, it can create a snapshot-repo for the bigES and I can query for that too
curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_snapshot'
Output
{
"snapshot-repo": {
"type": "s3",
"settings": {
"bucket": "bucket",
"region": "region",
"role_arn": "role_arn"
}
}
}
But when I try to see the snapshots in this snapshot repo I get error (described below)
curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'
I get the following error:
{
"error": {
"root_cause": [
{
"type": "a_w_s_security_token_service_exception",
"reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
}
],
"type": "a_w_s_security_token_service_exception",
"reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
},
"status": 500
}
I've given all access of s3 to my role, but no luck. I've posted all the http requests from a ec2 machine inside the VPC.
Also to mention, if I query like following, I see expected result
curl -XGET 'http://smallESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'
IDK why I tried making a role which has trust relationship like following. Still no luck.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Thanks in advance for any kind of help/suggestions.
I had the same issue, and it was because I'd not allowed the Elasticsearch service to assume the role. I had to update my trust relationship policy document to include es.amazonaws.com.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"es.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
I solved this problem using the following policy
{
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads",
"s3:ListBucketVersions"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
],
"Version": "2012-10-17"
}
Then I attached the policy to the role. I think "iam:PassRole"has done the work.

Can not add AWS Resource level permissions to an Particular EC2 Instance

Referring to this Doc
I have created IAM policy which allows accessing only one EC2 Instance.And I have created an IAM user with the policy with that policy. But when I logged in with that user into my AWS account I got the Error "An error occurred fetching instance data: You are not authorized to perform this operation."
Policy document:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/test": "test"
}
},
"Resource": [
"arn:aws:ec2:us-east-1:AccountNumber:instance/*
],
"Effect": "Allow"
}
]
}
You must add EC2 describe to describe all EC2 resources, then base on other statement to filter resource by tag.
But with this policy, other IAM account still viewable other EC2 instances without any permission.
Here is what you need.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1507182214000",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/TAG_NAME": "TAG_VALUE"
}
},
"Resource": [
"arn:aws:ec2:AWS_REGION:AWS_ACCOUNT:instance/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeTags"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "*"
}
]
}