We Keep Coding

Pipleline wont build and shows access_denied error even after changing policies

ACCESS_DENIED: Service role arn:aws:iam::749760571158:role/codebuild-hu-cb-crm-poc-service-role does not allow AWS CodeBuild to create Amazon CloudWatch Logs log streams for build arn:aws:codebuild:ap-south-1:749760571158:build/hu-moxie-crm-cb:7af26655-bea9-41b8-94c9-38b1c7a68d1e. Error message: User: arn:aws:sts::749760571158:assumed-role/codebuild-hu-cb-crm-poc-service-role/AWSCodeBuild-7af26655-bea9-41b8-94c9-38b1c7a68d1e is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:ap-south-1:749760571158:log-group:/aws/codebuild/hu-moxie-crm-cb:log-stream:7af26655-bea9-41b8-94c9-38b1c7a68d1e because no identity-based policy allows the logs:CreateLogStream action
I have set up my pipeline and everything is running, even the website is opening but I am still getting this build error
I gave all the required policy but it still isnt working

The error message tells you what to do.
You need to allow logs:CreateLogStream action on the codebuild-hu-cb-crm-poc-service-role role.
Attach this policy to the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Resource": [
"*"
]
}
]
}

ClientError: (AccessDenied) when calling the sts:AssumeRole operation for the AWS account used to connect Amazon SP-API

I want to connect to the Amazon SP-API. It says in the documentation that I need to create an AWS account and add the necessary permissions so I can use it to connect the Amazon SP-API. Our developer profile is approved and we have registered our application. I have attempted to connect with these credentials using this python SP-API library .
However, I have an error which says:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::<account_id>:user/username is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account_id>:user/username
I think the cause of my error is my permission policy. Is there something wrong with the following policies on how it was declared?
//STS-POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect" : "Allow",
"Action": "sts:*",
"Resource": "arn:aws:iam::<account_id>:user/<username>"
}
]
}
//EXECUTE-API-POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect" : "Allow",
"Action": "execute-api:*",
"Resource": "arn:aws:execute-api::<account_id>:*/*/*/*"
}
]
}

As you are tring to use AssumeRole with STS-Policy, Rosource should be role instead of user.
Change this line in STS-Policy
"Resource": "arn:aws:iam::<account_id>:user/<username>"
to like this.
Resource": "arn:aws:iam::<account_id>:role/<rolename>"
See the section "Example policy that grants permission to assume a role" of this aws doc.

Action execution failed AccessDenied. User doesn't have permission to call ssm:GetParameters

Situation:
I am trying to deploy CloudFormation through codepipeline.
I have created 2 IAM roles (service role for cloudcommit and cloudformation role to deploy).
When I try to create and deploy, the creation works however deploy fails as error "Action execution failed AccessDenied. User doesn't have permission to call ssm:GetParameters (Service: AmazonCloudFormation; Status Code: 400; Error Code: ValidationError; "
Request help.

One of your roles (the one for cloudformation) is missing SSM permissions. You can add the following IAM policy to it:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ssm:GetParameters",
"Resource": "*"
}
]
}

AWS Codestar - DynamoDB Not Authorized

I have a codestar project that calls a python lambda function. This function tries to put an item into the DynamoDB. I am getting the following error:
"errorMessage": "An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::13556632xxxx:assumed-role/CodeStar-split-lambda-Execution/awscodestar-split-lambda-lambda-CreateUser-RBA73BJH7NHY is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:1355663xxxx:table/split-users"
}
I included the AmazonDynamoDBFullAccess, AWSLambdaBasicExecutionRole, and AWSLambdaInvocation-DynamoDB policies on the CodeStar-split-lambda-Execution role, and I am still getting the error.
I also made my own policy and tried it too.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:13556632xxxx:table/split-users"
]
}
]
}
How can I get dynamoDB to have authorization to put an item?

ecr token error for amazon aws docker registry

Here is my registry policy for my user :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1494526914000",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken"
],
"Resource": [
"*"
]
}
]
}
I have no MFA auth
but when i try :
bussiere#kusanagi:~/Workspace/*****$ aws ecr get-login
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::*******:user/bussiere is not authorized to perform: ecr:GetAuthorizationToken on resource: *
bussiere#kusanagi:~/Workspace/*****$
thanks a lot and regards

Maybe unhelpful considering you seem to have the right policy, but the permissions aren't correct somehow. Do you have the region set and are you using the keys for that user in the cli? Also as a test, does it work using the managed policy AmazonEC2ContainerRegistryPowerUser?
http://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors.html#error-unauthorized