I am having great difficulties in getting OpenSearch to publish alerts to Amazon SNS. I have set up the SNS topic and permissions properly, and set up the role for the SNS destination in OpenSearch per this link which I called “test-OpenSearch-Role”, but when the trigger activates and tries to send an alert I get the following error in the alert:
“Error: Failed running action: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/cp-sts-grant-role/swift-us-west-2-prod-xxxxxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/Test-OpenSearch-Role (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 78e679a3-7373-4fe8-b1c1-a9b5d0d9dcda; Proxy: null)”
I’m not sure what this “User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/cp-sts-grant-role/swift-us-west-2-prod-xxxxxxxxxxxx” is and I haven’t been able to get it to obtain the permissions in the “test-OpenSearch-Role” to publish to SNS. I’m not very experienced when it comes to AWS inline policies for roles but here is the JSON of the test-OpenSearch-Role:
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Action”: “sts:AssumeRole”,
“Resource”: “*"
},
{
“Effect”: “Allow”,
“Action”: “sns:Publish”,
“Resource”: "*”
}
]
}
What am I doing wrong? Any help or suggestions would be greatly appreciated.
I had the same error message when trying to send alerts from OpenSearch (and Elastic Search). As suggested above, I think the issue in your case may be the lack of a trust relationship.
I got it to work by setting the role used for alerts on OpenSearch / ElasticSearch (naviation: Kibana / Dashboard => alerting => destinations => edit) up with permissions (AWS => IAM => roles => find role => permissions) using this policy for publishing to SNS:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sns:Publish",
"Resource": "*"
}
]
}
(for resources on the sns:publish policy, you can be more specific by putting the SNS ARN instead of "*": e.g. arn:aws:sns:<region>:<accountnumber>:<name>)
I also had to add this policy to the same role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "*"
}
]
}
Then I needed "trust relationships" (next tab from permissions in IAM) like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "es.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Furthermore, make sure you copy the correct ARN from the role created into the OpenSearch (Elastic Search) alert settings: I wasted much time by mistakenly putting the "Instance profile ARN" from the top-right of the role summary instead of the "ARN" (in the middle). I.e. use arn:aws:iam::<accountnumber>:role/<rolename> and not arn:aws:iam::<accountnumber>:instance-profile/<rolename>.
My error message was something like this:
User: arn:aws:sts::444444143907:assumed-role/cp-sts-grant-role/swift-eu-central-1-prod-005555733555
is not authorized to perform: sts:AssumeRole on resource:
arn:aws:iam::005555733555:role/<myrolename>
(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx; Proxy: null)"
...where 005555733555 is approximately my account number and 444444143907 some other account number. I didn't need to do anything particular with the other account number (such as explicitly allowing access from it)
Related
I have 2 AWS accounts, source and destination. AWS OIDC federation is configured so that I can use the token from Github Action to login to AWS using the official action:
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials#v1
with:
role-to-assume: arn:aws:iam::<source account id>:role/role-A
aws-region: us-east-1
Now, I want to use Terraform to manage resources on both accounts, source and destination. I followed a guide to allow role-A to assume role-B in the destination account.
I am getting a weird error:
Error: 022-08-31T09:28:04.246] [ERROR] default -
Error: error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::<destination account id>:role/role-B) cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 7227d0e8-e955-45ac-8f08-fc48699564e3, api error AccessDenied: User: arn:aws:sts::<source account id>:assumed-role/role-A/GitHubActions is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<destination account id>:role/role-B
with provider["registry.terraform.io/hashicorp/aws"].security,
on cdk.tf.json line 4125, in provider.aws[1]:
4125: }
I can't figure out what the problem is. Role A has the following IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<destination account id>:role/role-B"
}
]
}
I'll appreciate help figuring out why the request is failing... It seems like everything is configured correctly...
Edit:
Added the trust policy for Role B:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<source account id>:role/role-A"
},
"Action": "sts:AssumeRole"
}
]
}
I want to send emails from an tomcat beanstalk but I receive the following error message
User 'arn:aws:sts::123:assumed-role/aws-elasticbeanstalk-ec2-role/i-123' is not authorized to perform 'ses:SendEmail' on resource 'arn:aws:ses:eu-central-1:123:identity/example.com'
(Service: Ses, Status Code: 403, Request ID: 2a82693d-3344-4b53-8c8c-ef347c23cd29, Extended Request ID: null)
I have declared the following Identity Policy in SES Console on example.com
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "stmt1624645438239",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::123:assumed-role/aws-elasticbeanstalk-ec2-role/i-123"
},
"Action": "ses:SendEmail",
"Resource": "arn:aws:ses:eu-central-1:123:identity/example.com"
}
]
}
but still I got the the error message. Why?
I found the solution for this is to create an policy from Identity and Access Management (IAM)
Go to Identity and Access Management (IAM) dashboard > Customer managed policies
Create policy for SES service (in the resource I gave access to all my ARNs)
Attach ec2 role
I am trying to enable SMS message delivery logs in AWS SNS. But no matter what I do I get this error:
Couldn't set text messaging attributes. Error code: AuthorizationError
- Error message: You are not authorized to perform actions for the provided bucket
I have tried numerous IAM roles (including admin access role) and I am logged in as the root account owner.
What might I be missing? What can I try?
Thank you!
I found this specific documentation that solved it for me: https://docs.aws.amazon.com/sns/latest/dg/sms_stats_usage.html#example_bucket_policy
The key is that the bucket policy needs to list sns.amazonaws.com as the principal, and really only needs to allow these 3 actions to finish configuring SMS:
s3:GetBucketLocation
s3:ListBucket
s3:PutObject
{
"Version": "2012-10-17",
"Id": "Policy1653549854620",
"Statement": [
{
"Sid": "Stmt1653549853470",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::BUCKETNAME"
}
]
}
My IAM user has the below two policies attached to it.
I created the below IAM policy that prevents lambda from being created if it does not have the Project tag.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Deny",
"Action": "lambda:*",
"Resource": "*",
"Condition": {
"Null": {
"aws:RequestTag/Project": "true"
}
}
}
]
}
I also need to attach/create a new execution role when creating lambda so I added below
Iam policy to my IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
]
}
I logged into aws console using that IAM user's credentials and tried to create the lambda function without the tag, but it did'nt block the resource creation.I was able to create the lambda function without the required tag but with the following errors.
You are not authorized to perform: cloudformation:DescribeStackResources.
You are not authorized to perform: lambda:GetFunctionEventInvokeConfig.
User: arn:aws:iam::****:user/testuser is not authorized to perform: lambda:ListEventSourceMappings on resource: * with an explicit deny (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: 199433ed*****)
How can I completely block the resource creation?
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_example-scps.html#example-require-tag-on-create
Eventually I want to try aws:RequestTag/{TageKey} for all supported aws resources.
Not all AWS services/resources support aws:RequestTag as a condition key.
For lambda it is not allowed. Currently the supported condition keys on lambda:CreateFuncion Action are:
lambda:Layer
lambda:VpcIds
lambda:SubnetIds
lambda:SecurityGroupIds
lambda:CodeSigningConfigArn
As specified on table "Actions defined by AWS Lambda" on column "Condition keys".
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html#awslambda-actions-as-permissions
You can check that link and review any other service and validate if a specific Action support the Condition that you need.
For example, for EC2:RunInstances https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html supported conditions are:
aws:RequestTag/${TagKey}
aws:TagKeys
ec2:AvailabilityZone
ec2:EbsOptimized
ec2:InstanceMarketType
ec2:InstanceProfile
ec2:InstanceType
ec2:IsLaunchTemplateResource
ec2:LaunchTemplate
ec2:MetadataHttpEndpoint
ec2:MetadataHttpPutResponseHopLimit
ec2:MetadataHttpTokens
ec2:PlacementGroup
ec2:Region
ec2:RootDeviceType
ec2:Tenancy
So in that case you can restrict creation on new EC2 instances based on the presence of Tags but for Lambda it is not supported (for now).
I am attempting to put a cloudwatch event rule using code:
await cloudwatchevents.putRule({
Name: 'xxx-ec2-start',
EventPattern: '{"source":["aws.ec2"],"detail-type":["EC2 Instance State-change Notification"],"detail":{"state":["running"]}}',
State: 'ENABLED',
RoleArn: `arn:aws:iam::${account.Id}:role/skynet-cloudwatch-eventbus`,
}).promise()
However, I am getting:
(node:29939) UnhandledPromiseRejectionWarning: ValidationException: Provided role 'arn:aws:iam::00000000000:role/xxx-cloudwatch-eventbus' cannot be assumed by principal 'events.amazonaws.com'.
The role already has the assume policy doc to allow events.amazonaws.com. Why does it still fail?
The reason you are getting this error is "events.amazonaws.com" is not listed as a Trusted Entity for role theRole.(in your case skynet-cloudwatch-eventbus)
One way to fix this is by going to https://console.aws.amazon.com/iam/home?region=us-east-1#roles/theRole (adapt this link to your region + real role name) > Trust Relationships tab > Edit Trust Relationships button > paste in "events.amazonaws.com" under services as in the example given below.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com",
"apigateway.amazonaws.com",
"events.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
You've probably already found your answer by now, but you might be able to figure out what's wrong by looking for AssumeRole events in CloudTrail that have errors.
In my case, I set up the assume role policy correctly, but was receiving the same message you've specified. The CloudTrail AssumeRole event provided more meaningful details:
errorCode: RegionDisabledException
errorMessage: STS is not activated in this region for account:xyz. Your account administrator can activate STS in this region using the IAM Console.
Enabling STS in this region resolved the issue in this case.