A developer on our team is trying to view AWS CloudFront caching stats (https://console.aws.amazon.com/cloudfront/v3/home?#/popular_urls and https://console.aws.amazon.com/cloudfront/v3/home?#/cache) and is getting IAM permissions errors saying that he doesn't have cloudfront:GetPopularURLs and cloudfront:ListCacheStatsDataPointSeries permissions. I'm trying to give him access, but these IAM permissions don't exist in the IAM UI (see screenshots below). How can that be?
please give a try to this below into your policy file.
"cloudfront:Get*",
"cloudfront:List*",
Related
I am trying to upload a new AWS GameLift Linux server using the AWS CLI but I get the following error:
An error occurred (AccessDeniedException) when calling the CreateBuild operation: User: arn:aws:iam::------:user/----- is not authorized to perform: gamelift:CreateBuild because no identity-based policy allows the gamelift:CreateBuild action
I added the arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy to my group permissions. I can see in the policy json that there isn't a CreateBuild action. It either needs to be added or you can't do it this way.
The AWS documentation is useless and on this page: https://docs.aws.amazon.com/gamelift/latest/developerguide/security_iam_troubleshoot.html#security_iam_troubleshoot-no-permissions
it helpfully advises: ... asks his administrator to update his policies
My user is the main root user for my AWS account but I have no idea how to resolve this. Any ideas?
I worked out how to create a new Policy and add the service permissions. You click on 'create policy' and then choose the 'GameLift' service. I added all the available actions. Seemed to do the trick.
Why did AWS miss this out of the documentation?
I am trying to sync two S3 buckets in different accounts. I have successfully configured the locations and created a task. However, when I run the task I get a Unable to connect to S3 endpoint error. Can anyone help?
This could have been related to the datasync's IAM role's policy (datasync IAM role) not having permission to the target S3 bucket
verify your policy and trust relationship using the below documentation
https://docs.aws.amazon.com/datasync/latest/userguide/using-identity-based-policies.html
Also turn on cloudwatch logs (like shown in the image) and view detailed log in cloudwatch. If it is permission related, add the missing policy in the Datasync role.
I'm trying to provide cross-account Glue access to Account B from Account A.
I'm first getting an error that says,
User {my_arn} is not authorized to perform: glue:GetDatabases on resource: {catalog}
I researched and found that I can grant Data Catalog permissions through Lake Formation. I selected "External accounts" and added the catalog resources along with table permissions. However, I get another error that says:
You don't have IAM permissions to make cross-account grants.
The required permissions are in the AWS managed policy AWSLakeFormationCrossAccountManager.
So I go to the IAM Management Console, find the policy specified in this error message, and attach it to the role I'm using (the one in the top right corner of the AWS Management Console).
But the same error message keeps popping up and this doesn't seem to have solved the issue.
What am I doing wrong here? How can I bypass this issue?
I am trying to work with AWS Elemental MediaPackage and AWS Elemental MediaLive. I'm have a good amount of experience with AWS and IAM Roles. I've attached a Full Access policy for both services but somehow I still do not have access. I'm trying to figure out what I am missing.
The error is not about your IAM user permissions which you've posted in the question. The error is about some IAM role which does not have necessary permissions.
Since you removed the name of the role from the first screenshot, I can't comment which role is it exactly. So you have to go to the role in IAM console, and add the permissions missing which are also listed in the error message.
I want to give the AWS DeepRacer competition a try but It's not properly setting up my "Account resources" and I have no idea why.
This is what it's telling me:
These are the red errors:
Error in IAM role creation
Please try again after deleting the following roles: AWSDeepRacerServiceRole, AWSDeepRacerSageMakerAccessRole, AWSDeepRacerRoboMakerAccessRole, AWSDeepRacerLambdaAccessRole, AWSDeepRacerCloudFormationAccessRole.
There is an issue with your IAM roles
Unable to create all IAM roles
I have tried resetting the resources as it's telling me to do so.
But it still doesn't work afterwards. When I go to my IAM roles theres none of the described above. I have checked my account and everything else seems to be working fine. I checked and I can also manually create S3 buckets and IAM roles.
It's not giving me clear instructions on whats wrong or what I should do besides the ones on the image above so I'm not sure how to proceed!
Go to IAM -> Roles and delete following roles:
AWSDeepRacerServiceRole
AWSDeepRacerSageMakerAccessRole
AWSDeepRacerRoboMakerAccessRole
AWSDeepRacerLambdaAccessRole
AWSDeepRacerCloudFormationAccessRole
Then try resetting Account Resources again