I'm trying to do CI/CD with aws CodeDeployand and GitHub Actions from , following this tutorial.
but the following error appears when trying to create the deploy:
An error occurred (AccessDeniedException) when calling the CreateDeployment operation: User: arn:aws:iam::***:user/church-managment-bff-s3 is not authorized to perform: codedeploy:CreateDeployment on resource: arn:aws:codedeploy:sa-east-1:***:deploymentgroup:church-managment-bff/church-managment-bff-deploy-group because no identity-based policy allows the codedeploy:CreateDeployment action
Error: Process completed with exit code 254.
I believe it's a permission problem, but I'm not able to solve it, can someone please help
You have to add codedeploy:CreateDeployment permissions for church-managment-bff-s3 user. You can do this as an inline policy for the user in aws console:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "codedeploy:CreateDeployment",
"Resource": "*"
}
]
}
Related
ACCESS_DENIED: Service role arn:aws:iam::749760571158:role/codebuild-hu-cb-crm-poc-service-role does not allow AWS CodeBuild to create Amazon CloudWatch Logs log streams for build arn:aws:codebuild:ap-south-1:749760571158:build/hu-moxie-crm-cb:7af26655-bea9-41b8-94c9-38b1c7a68d1e. Error message: User: arn:aws:sts::749760571158:assumed-role/codebuild-hu-cb-crm-poc-service-role/AWSCodeBuild-7af26655-bea9-41b8-94c9-38b1c7a68d1e is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:ap-south-1:749760571158:log-group:/aws/codebuild/hu-moxie-crm-cb:log-stream:7af26655-bea9-41b8-94c9-38b1c7a68d1e because no identity-based policy allows the logs:CreateLogStream action
I have set up my pipeline and everything is running, even the website is opening but I am still getting this build error
I gave all the required policy but it still isnt working
The error message tells you what to do.
You need to allow logs:CreateLogStream action on the codebuild-hu-cb-crm-poc-service-role role.
Attach this policy to the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"*"
]
}
]
}
I want to connect to the Amazon SP-API. It says in the documentation that I need to create an AWS account and add the necessary permissions so I can use it to connect the Amazon SP-API. Our developer profile is approved and we have registered our application. I have attempted to connect with these credentials using this python SP-API library .
However, I have an error which says:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::<account_id>:user/username is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account_id>:user/username
I think the cause of my error is my permission policy. Is there something wrong with the following policies on how it was declared?
//STS-POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect" : "Allow",
"Action": "sts:*",
"Resource": "arn:aws:iam::<account_id>:user/<username>"
}
]
}
//EXECUTE-API-POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect" : "Allow",
"Action": "execute-api:*",
"Resource": "arn:aws:execute-api::<account_id>:*/*/*/*"
}
]
}
As you are tring to use AssumeRole with STS-Policy, Rosource should be role instead of user.
Change this line in STS-Policy
"Resource": "arn:aws:iam::<account_id>:user/<username>"
to like this.
Resource": "arn:aws:iam::<account_id>:role/<rolename>"
See the section "Example policy that grants permission to assume a role" of this aws doc.
Situation:
I am trying to deploy CloudFormation through codepipeline.
I have created 2 IAM roles (service role for cloudcommit and cloudformation role to deploy).
When I try to create and deploy, the creation works however deploy fails as error "Action execution failed AccessDenied. User doesn't have permission to call ssm:GetParameters (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; "
Request help.
One of your roles (the one for cloudformation) is missing SSM permissions. You can add the following IAM policy to it:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ssm:GetParameters",
"Resource": "*"
}
]
}
I have a codestar project that calls a python lambda function. This function tries to put an item into the DynamoDB. I am getting the following error:
"errorMessage": "An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::13556632xxxx:assumed-role/CodeStar-split-lambda-Execution/awscodestar-split-lambda-lambda-CreateUser-RBA73BJH7NHY is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:1355663xxxx:table/split-users"
}
I included the AmazonDynamoDBFullAccess, AWSLambdaBasicExecutionRole, and AWSLambdaInvocation-DynamoDB policies on the CodeStar-split-lambda-Execution role, and I am still getting the error.
I also made my own policy and tried it too.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:13556632xxxx:table/split-users"
]
}
]
}
How can I get dynamoDB to have authorization to put an item?
Here is my registry policy for my user :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1494526914000",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken"
],
"Resource": [
"*"
]
}
]
}
I have no MFA auth
but when i try :
bussiere#kusanagi:~/Workspace/*****$ aws ecr get-login
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::*******:user/bussiere is not authorized to perform: ecr:GetAuthorizationToken on resource: *
bussiere#kusanagi:~/Workspace/*****$
thanks a lot and regards
Maybe unhelpful considering you seem to have the right policy, but the permissions aren't correct somehow. Do you have the region set and are you using the keys for that user in the cli? Also as a test, does it work using the managed policy AmazonEC2ContainerRegistryPowerUser?
http://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors.html#error-unauthorized