I have an Oracle RDS instance that I had an S3_INTEGRATION IAM role for. I removed it using Terraform, but it seems it was never deleted on the instance itself.
Now I am unable to change, delete or add any S3_INTEGRATION roles to the instance.
Attempting to use Terraform or the UI to change the name or delete it has been unsuccessful. Has anyone had this happen? How can this be fixed? I cannot find any information about why the role is invalid, and attempting to upload a dump using the rdsadmin_s3_tasks.upload_to_s3 command shows me this error: "[ERROR] The DB instance doesn't have credentials to access the specified Amazon S3 bucket. To grant access, add the S3_INTEGRATION role to the DB instance."
I've rebooted the database but it has no effect.
Solved by removing the IAM role using the AWS CLI. The UI didn't show the role, but it could be found by describing the instances.
It was then removed with:
aws rds remove-role-from-db-instance \
--db-instance-identifier db_name \
--role-arn arn:aws:iam::xxxxxx:role/rds-s3-datadump-role \
--feature-name S3_INTEGRATION
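The answer above finds the orphaned role by describing the instance but does not show that step. The following is an added example (not code from the original post, and not an AWS tool) that parses the JSON that `aws rds describe-db-instances --output json` returns, lists every entry in the instance's `AssociatedRoles` array together with its `Status` (RDS reports `INVALID` when it can no longer assume the role, which matches the symptom in the question), and builds the exact `remove-role-from-db-instance` invocation for each one. The sample JSON, the instance identifier `db_name` and the role ARN are constructed to match the thread.

```python
"""List roles still associated with an RDS instance and build the detach commands.

Added example: parses `aws rds describe-db-instances` JSON locally; the
SAMPLE_DESCRIBE_OUTPUT below is constructed, not captured from a real account.
"""
import json
import subprocess
from typing import Dict, List

# Constructed sample, shaped like `aws rds describe-db-instances --output json`.
# Status values RDS uses here are ACTIVE, PENDING and INVALID.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {
            "DBInstanceIdentifier": "db_name",
            "Engine": "oracle-ee",
            "AssociatedRoles": [
                {
                    "RoleArn": "arn:aws:iam::xxxxxx:role/rds-s3-datadump-role",
                    "FeatureName": "S3_INTEGRATION",
                    "Status": "INVALID",
                }
            ],
        }
    ]
})


def live_describe(db_id: str) -> str:
    """Fetch the real JSON with the CLI (needs credentials; not used offline)."""
    return subprocess.check_output(
        ["aws", "rds", "describe-db-instances",
         "--db-instance-identifier", db_id, "--output", "json"], text=True)


def associated_roles(describe_json: str, db_id: str) -> List[Dict[str, str]]:
    """Return the AssociatedRoles entries for one instance ([] if none)."""
    data = json.loads(describe_json)
    for inst in data.get("DBInstances", []):
        if inst.get("DBInstanceIdentifier") == db_id:
            return list(inst.get("AssociatedRoles", []))
    return []


def remove_role_argv(db_id: str, role: Dict[str, str]) -> List[str]:
    """Build the CLI argv that detaches one role/feature pair from the instance."""
    return [
        "aws", "rds", "remove-role-from-db-instance",
        "--db-instance-identifier", db_id,
        "--role-arn", role["RoleArn"],
        "--feature-name", role["FeatureName"],
    ]


def stale_role_commands(describe_json: str, db_id: str, keep_arns=()) -> List[List[str]]:
    """One argv list per associated role whose ARN is not in keep_arns."""
    return [remove_role_argv(db_id, r)
            for r in associated_roles(describe_json, db_id)
            if r["RoleArn"] not in keep_arns]


if __name__ == "__main__":
    # On a real account replace SAMPLE_DESCRIBE_OUTPUT with live_describe("db_name").
    for role in associated_roles(SAMPLE_DESCRIBE_OUTPUT, "db_name"):
        print(f"{role['FeatureName']:16} {role['Status']:8} {role['RoleArn']}")
    for argv in stale_role_commands(SAMPLE_DESCRIBE_OUTPUT, "db_name"):
        print(" ".join(argv))  # review, then run by hand or via subprocess.run(argv)
```

The script only prints the commands; run them once you have confirmed the role really is the stale one, and pass the ARN of any role you want to keep in `keep_arns`.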
I hope someone can help me with this. I am experiencing a weird issue while using the AWS CLI to start an on-demand backup.
I already have some backup jobs running for EC2 instances. However, for some automation I wanted to have on-demand backups as well. For that reason, when I try to back up using the CLI I get this error:
An error occurred (AccessDeniedException) when calling the StartBackupJob operation: Insufficient privileges to perform this action.
The command I am using is:
aws backup start-backup-job --backup-vault-name primary --resource-arn arn:aws:ec2:eu-west-1:123456789:volume/vol-0abcdef1234 --iam-role-arn arn:aws:iam::123456789:role/service-role/AWSBackupDefaultServiceRole --region eu-west-1
The user I am using here has administrator access to the account.
Can someone please help me? I am out of options here.
As you can assign an access policy to the Backup vault, check whether you have any policy assigned to the vault you are trying to access. Both should allow it: the IAM policy of your admin user as well as the resource-based policy assigned to your Backup vault.
Setting Access Policies on Backup Vaults and Recovery Points
I did not have any policy assigned to the Backup vault and was able to create the backup. Plus, I also have admin access like you.
$ aws backup start-backup-job --backup-vault-name primary \
--resource-arn arn:aws:ec2:us-east-1:1234567890:volume/vol-04a514599941274c3 \
--iam-role-arn arn:aws:iam::1234567890:role/service-role/AWSBackupDefaultServiceRole --region us-east-1
{
"BackupJobId": "5435950f-2be1-4177-92dc-7bsddsdd",
"CreationDate": "2021-02-04T16:25:03.370000+01:00"
}
How can I use the AWS CLI to create an AWS Backup plan or run an on-demand job?
Last but not least, check your environment to see whether the credentials you think should be used are actually being used, with sts get-caller-identity.
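The two checks suggested in this answer can be combined: an explicit Deny in the vault's resource-based policy overrides an identity-based Allow, so AdministratorAccess does not save you. The following is an added example (not from the original answer, and not an AWS library) that takes the policy document returned by `aws backup get-backup-vault-access-policy --backup-vault-name primary` and the ARN reported by `aws sts get-caller-identity`, and reports the Deny statements that apply to that caller for a given action. It is a deliberately simplified evaluator: it handles Effect, Action wildcards, Principal and only the `aws:PrincipalArn` condition key, and treats any condition it does not understand as matching so that a Deny is reported rather than missed. The vault policy and ARNs below are constructed.

```python
"""Report explicit Deny statements in a Backup vault access policy that hit a caller.

Added example. Simplified IAM semantics: Effect/Action/Principal plus the
aws:PrincipalArn condition key only; NotAction, NotPrincipal and other
condition keys are not modelled. Inputs below are constructed.
"""
import fnmatch
import json
from typing import Any, List

# Constructed: a vault policy that lets only the Backup service role touch the vault.
SAMPLE_VAULT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["backup:StartBackupJob", "backup:DeleteRecoveryPoint"],
            "Resource": "arn:aws:backup:eu-west-1:123456789:backup-vault:primary",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalArn":
                        "arn:aws:iam::123456789:role/service-role/AWSBackupDefaultServiceRole"
                }
            },
        }
    ],
})

# Constructed stand-in for the Arn field of `aws sts get-caller-identity`.
SAMPLE_CALLER_ARN = "arn:aws:iam::123456789:user/admin"


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _principal_matches(principal: Any, caller_arn: str) -> bool:
    """Principal is "*" or {"AWS": "<arn>" | ["<arn>", ...]} in vault policies."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def _condition_holds(cond: Any, caller_arn: str) -> bool:
    """Evaluate StringEquals/StringNotEquals on aws:PrincipalArn; other keys are
    assumed to match, which errs toward reporting a Deny."""
    for op, kv in (cond or {}).items():
        for key, vals in kv.items():
            if key.lower() != "aws:principalarn":
                continue
            hit = caller_arn in _as_list(vals)
            if op == "StringEquals" and not hit:
                return False
            if op == "StringNotEquals" and hit:
                return False
    return True


def explicit_denies(policy_json: str, caller_arn: str, action: str) -> List[dict]:
    """Deny statements in the vault policy that apply to caller_arn for action."""
    policy = json.loads(policy_json)
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(st.get("Action", []))):
            continue
        if not _principal_matches(st.get("Principal"), caller_arn):
            continue
        if not _condition_holds(st.get("Condition"), caller_arn):
            continue
        hits.append(st)
    return hits


if __name__ == "__main__":
    # On a real account: policy = json.loads(cli_output)["Policy"], arn = identity["Arn"].
    for st in explicit_denies(SAMPLE_VAULT_POLICY, SAMPLE_CALLER_ARN, "backup:StartBackupJob"):
        print("explicit Deny applies:", json.dumps(st, indent=2))
```

If the function returns a non-empty list for your caller ARN, the vault policy, not your user's permissions, is producing the AccessDeniedException; if it returns nothing, move on to confirming with `sts get-caller-identity` that the CLI is really using the admin credentials you expect.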
Goal: retrieve a secret from Secrets Manager on an AWS EC2 instance programmatically through the command line.
I have created an IAM role with policies that grant full access to AWS Secrets Manager and AWS EC2 instances, and also to assume the role and modify the role of any AWS EC2 instance.
I created an aws instance and attached the IAM role to it and executed the following steps:
- aws secretsmanager list-secrets
An error occurred (UnrecognizedClientException) when calling the ListSecrets operation: The security token included in the request is invalid.
I get an error. I am able to retrieve the security credentials using the metadata of the instance.
- Am I missing something here? I basically want to retrieve the secret in an AWS instance in a secure way.
- When I try to run the above command to list secrets, the CLI complains that it needs a region. My EC2 instance and secrets are all in us-east-2. So I use the same region, and it still does not work.
Any suggestions/pointers would be highly appreciated. Thanks!
Here is how I would troubleshoot.
Check whether the instance is aware of the IAM role attached to it:
aws sts get-caller-identity
Try passing the region to the command:
aws secretsmanager list-secrets --region us-east-2
I would check whether AWS_REGION or AWS_DEFAULT_REGION is set, but even if these values are set, passing --region should override them.
Hope this helps you get somewhere.
Have you run "aws configure" on the instance? It sounds like it might be using the token in there rather than the EC2 instance role. See the references below for the sequence it checks, but basically the EC2 role is the last place it looks; if it gets credentials earlier, it will use them.
See here for the priority/sequence: https://docs.aws.amazon.com/amazonswf/latest/awsrbflowguide/set-up-creds.html
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html ("Using the Default Credential Provider Chain")
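The provider-chain point this answer makes is easy to see with a small model of the lookup order. The following is an added example (not part of the original answer and not the AWS CLI's own resolver) that walks a simplified version of the documented chain, environment variables, then the shared credentials file that `aws configure` writes, then the config file, and only then the instance profile, and reports which source wins. It omits the assume-role, web-identity, credential_process and container steps of the real chain. The stale credentials file and environment below are constructed.

```python
"""Show which credential source the AWS CLI will pick up (added example).

Simplified model of the documented provider chain; not the CLI's own code.
The sample files and environment below are constructed.
"""
import configparser
import os
from typing import Mapping, Optional, Tuple

# Constructed: what a forgotten `aws configure` leaves in ~/.aws/credentials.
STALE_CREDENTIALS_FILE = (
    "[default]\n"
    "aws_access_key_id = AKIAEXAMPLESTALEKEY\n"
    "aws_secret_access_key = stale-secret-from-a-laptop\n"
)


def resolve_credential_source(
    env: Mapping[str, str],
    credentials_file_text: str = "",
    config_file_text: str = "",
    profile: str = "default",
    instance_role_present: bool = False,
) -> Tuple[str, Optional[str]]:
    """Return (source, access key id or None) for the first provider that yields keys.

    Order modelled: environment -> ~/.aws/credentials -> ~/.aws/config -> IMDS.
    A hit at any earlier step hides the instance role entirely.
    """
    # 1. Static keys in the environment win over everything below.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return ("env", env["AWS_ACCESS_KEY_ID"])

    selected = env.get("AWS_PROFILE", profile)

    # 2. ~/.aws/credentials, which `aws configure` writes; sections are [name].
    creds = configparser.ConfigParser()
    creds.read_string(credentials_file_text)
    if creds.has_option(selected, "aws_access_key_id"):
        return ("credentials_file", creds.get(selected, "aws_access_key_id"))

    # 3. ~/.aws/config; non-default profiles live in [profile name] sections.
    cfg = configparser.ConfigParser()
    cfg.read_string(config_file_text)
    section = selected if selected == "default" else f"profile {selected}"
    if cfg.has_option(section, "aws_access_key_id"):
        return ("config_file", cfg.get(section, "aws_access_key_id"))

    # 4. Only now is the instance metadata service consulted for the role.
    if instance_role_present:
        return ("instance_profile", None)
    return ("none", None)


def _read_if_exists(path: str) -> str:
    try:
        with open(os.path.expanduser(path), encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    # Offline demonstration with the constructed stale file.
    print(resolve_credential_source({}, STALE_CREDENTIALS_FILE, instance_role_present=True))
    # On the real instance, inspect the actual files and environment instead.
    print(resolve_credential_source(os.environ, _read_if_exists("~/.aws/credentials"),
                                    _read_if_exists("~/.aws/config"),
                                    instance_role_present=True))
```

If the answer is `credentials_file` or `env` on an instance that is supposed to use its role, remove those keys (or run with `AWS_PROFILE` pointing at a profile without static keys) and the `UnrecognizedClientException` from the stale token disappears.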
I'm trying to set up manual snapshots for my AWS Elasticsearch cluster. I'm not sure how to set up the correct IAM permissions on the S3 bucket though, because there is already a service role created and I'm unable to add additional policies.
What am I supposed to do here?
Thanks!
I was able to resolve this by creating a second IAM role using the CLI (it doesn't seem to be an option through the GUI)
I would like to add an IAM role to an existing EC2 instance in AWS. I tried using the AWS CLI. However, I could not find a way to do that.
As of AWS CLI v1.11.46, which was released just yesterday (see the CHANGELOG file on GitHub), you can now attach an IAM role to an existing EC2 instance that was originally launched without an IAM role using the associate-iam-instance-profile command.
You can also replace the currently attached IAM role for a running instance using replace-iam-instance-profile-association.
For more details, see the following article on AWS Security Blog:
Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.
UPDATE
As of Feb 22, 2017, you can attach/replace an IAM role to an existing EC2 instance from the EC2 console as well. See this blog post for more details.
If you are getting the "The association is not the active association" error when trying to attach a role to an existing EC2 instance, then you should:
1. Detach the existing role from the existing EC2 instance.
2. Attach a new role to the existing EC2 instance.
Once you do that, you will be able to attach a role to an existing EC2 instance.
The roles must be assigned when an instance is first launched.
It is not possible to assign the role after launch.
I would recommend launching a new instance via the Launch More Like This console command. Please note this will create a new boot disk based on the same AMI, so any data you've saved will not be copied across. If you wish to save the data, you will need to create an AMI from the instance and launch the new instance from that AMI.
Update Feb 2017: It is now possible to add an IAM Role to an existing instance. This can be done via the AWS Command-Line Interface (CLI). Use the replace-iam-instance-profile-association command.
Well, that's the harsh truth as of now. You can't associate an IAM role with an existing instance. I came to know that when I was trying the Systems Manager (SSM) service, which requires your EC2 instance to communicate with the SSM API.
I think we have to wait some more time.
This feature was added Feb 9, 2017. Note: the thing you are looking for is called an "instance profile". The policy describes the rights; that policy then gets added to a role and/or instance profile. I don't see any notes about specifically how to do it, so I'll add them as an answer.
Source document here
Specific instructions are below, to conform with Stack Overflow guidelines regarding link rot.
1) Create role
aws iam create-role --role-name YourNewRole --assume-role-policy-document file://YourNewRole-Trust-Policy.json
2) Attach policy to role
aws iam attach-role-policy --role-name YourNewRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
3) Create instance profile (this is what a role is called when attached to an instance)
aws iam create-instance-profile --instance-profile-name YourNewRole-Instance-Profile
4) Add role to instance profile
aws iam add-role-to-instance-profile --role-name YourNewRole --instance-profile-name YourNewRole-Instance-Profile
5) Attach instance profile to ec2 instance
aws ec2 associate-iam-instance-profile --instance-id YourInstanceId --iam-instance-profile Name=YourNewRole-Instance-Profile
We use CloudFormation to deploy our platform. Is there a way to allow the application instance access to the DynamoDB tables without exposing API credentials?
I read about creating an IAM role that has the right permissions and using an instance profile. How do I achieve this? Can someone please provide more details and explain what an instance profile is?
As per the AWS IAM documentation, an instance profile is:
An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
So, this is a feature provided by AWS so that IAM credentials don't have to be stored on EC2 instances to execute AWS APIs. Also, this feature helps in granting only the permissions specified in the desired IAM role to the EC2 instance. Also, you can use the same instance profile on multiple instances. This way, you don't have to update credentials on each EC2 instance whenever you change the credentials. So, while launching the EC2 instance, you can specify the instance profile. The instance profile is attached to an IAM role. The EC2 instance will get the IAM role and all the IAM credentials. You just need to set the AWS region before using the APIs.
How to do it:
1) Create an IAM role using: create-role
2) Create Instance Profile using: create-instance-profile. The output of this step will contain the Arn for the Instance Profile. This needs to be used in step 4.
3) Add role to Instance Profile using: add-role-to-instance-profile
4) Launch instance using run-instances. Specify the --iam-instance-profile option as below:
--iam-instance-profile Arn=instanceArn
The instanceArn is obtained from step 2.
The same can be achieved using the AWS Console. The screenshot below shows how you can specify the role during launch of an EC2 instance:
For more details please see Using Instance Profiles and the section 'Permissions Required for Using Roles with Amazon EC2' at page 190 of the AWS IAM User Guide.
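The answer above says the instance "will get the IAM role and all the IAM credentials" without showing where they come from: nothing is written to disk; the instance asks the link-local metadata service for short-lived keys. The following is an added example (not from the original answer and not an AWS SDK) of that retrieval using the IMDSv2 flow, which first obtains a session token with a PUT and then reads the role name and credentials with that token, so a plain GET reached through an SSRF bug in the application cannot read the keys. The HTTP transport is injectable: `http_transport` is what you would use on a real instance, while `fake_transport` and the responses it returns (role name `YourNewRole`, the key material and expiry) are constructed so the flow can be exercised offline.

```python
"""Fetch an instance profile's temporary credentials via IMDSv2 (added example).

Not an AWS SDK; the fake transport and its responses are constructed.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, Optional

IMDS = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"

# (method, url, headers) -> response body
Transport = Callable[[str, str, Dict[str, str]], str]


def http_transport(method: str, url: str, headers: Dict[str, str]) -> str:
    """Real transport for use on an EC2 instance; IMDS is link-local, so fail fast."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=1) as resp:
        return resp.read().decode()


def fetch_role_credentials(transport: Transport, ttl_seconds: int = 300) -> Dict[str, str]:
    """IMDSv2: PUT for a session token, then GET role name and credentials with it."""
    token = transport("PUT", IMDS + TOKEN_PATH,
                      {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    hdr = {"X-aws-ec2-metadata-token": token}
    role_name = transport("GET", IMDS + CRED_PATH, hdr).strip()
    if not role_name:
        raise RuntimeError("no instance profile attached: empty security-credentials listing")
    creds = json.loads(transport("GET", IMDS + CRED_PATH + role_name, hdr))
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned Code={creds.get('Code')!r} for role {role_name}")
    creds["RoleName"] = role_name
    return creds


def seconds_until_expiry(creds: Dict[str, str], now_iso: Optional[str] = None) -> float:
    """Expiration is ISO-8601 UTC; SDKs refresh a few minutes before it is reached."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    exp = datetime.strptime(creds["Expiration"], fmt).replace(tzinfo=timezone.utc)
    now = (datetime.strptime(now_iso, fmt).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    return (exp - now).total_seconds()


# Constructed responses standing in for a live metadata service.
FAKE_TOKEN = "AQAAAEXAMPLETOKEN"
FAKE_CREDS = {
    "Code": "Success",
    "LastUpdated": "2021-02-04T15:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLE",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
    "Expiration": "2021-02-04T21:00:00Z",
}


def fake_transport(method: str, url: str, headers: Dict[str, str]) -> str:
    """Mimics IMDSv2: refuses credential reads that lack a valid session token."""
    if method == "PUT" and url.endswith(TOKEN_PATH):
        return FAKE_TOKEN
    if headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
        raise PermissionError("401 Unauthorized: IMDSv2 session token required")
    if url.endswith(CRED_PATH):
        return "YourNewRole\n"
    if url.endswith(CRED_PATH + "YourNewRole"):
        return json.dumps(FAKE_CREDS)
    raise FileNotFoundError(url)


if __name__ == "__main__":
    c = fetch_role_credentials(fake_transport)  # use http_transport on a real instance
    print(c["RoleName"], c["AccessKeyId"], "expires in", seconds_until_expiry(c), "s")
```

In practice you let the SDK or CLI do this for you; the point of the example is what the role attachment buys you: keys that rotate on their own, are scoped to the role, and can only be read from inside the instance, and only by a client that can complete the PUT-then-GET token dance.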