AWS ASG Error State transition reason Server.InternalError - amazon-web-services

Error:
State transition reason: Server.InternalError
Client.InternalError: Client error on launch
When I launch the instance from the launch template it works fine, but if I use an ASG with the launch template I get the above error on the EC2 instance.
KMS key policy used for the EBS volumes:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxx:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow administration of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
          "arn:aws:iam::xxxxxxx:root",
          "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
          "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB#000"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
          "arn:aws:iam::xxxxxxx:root",
          "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
          "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB#I+000"
        ]
      },
      "Action": [
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxxxxx:role/core-CloudformationStackAdmin",
          "arn:aws:iam::xxxxxxx:root",
          "arn:aws:iam::xxxxxxx:role/core-ServiceCatalogLaunchAdmin",
          "arn:aws:iam::xxxxxxx:role/core-AccountAdmin=fGLB#000"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    },
    {
      "Sid": "Allow use of the key for Cloudwatch Log Groups Encryption",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.eu-west-1.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
      ],
      "Resource": "*",
      "Condition": {
        "ArnEquals": {
          "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:eu-west-1:xxxxxxxx:log-group:*"
        }
      }
    }
  ]
}
```
Output of the instance:
```json
{
  "Reservations": [
    {
      "Instances": [
        {
          "Monitoring": {
            "State": "pending"
          },
          "PublicDnsName": "",
          "StateReason": {
            "Message": "Client.InternalError: Client error on launch",
            "Code": "Client.InternalError"
          },
          "State": {
            "Code": 48,
            "Name": "terminated"
          },
          "EbsOptimized": true,
          "LaunchTime": "2021-11-08T11:38:29.000Z",
          "ProductCodes": [],
          "CpuOptions": {
            "CoreCount": 8,
            "ThreadsPerCore": 2
          },
          "StateTransitionReason": "Server.InternalError",
          "InstanceId": "i-0a266c694eb414f70",
          "EnaSupport": true,
          "ImageId": "ami-0ed588d6f749dcf28",
          "PrivateDnsName": "",
          "SecurityGroups": [],
          "ClientToken": "2c45f3fd-5ea9-acd3-d703-c39a55955c94",
          "InstanceType": "m5.4xlarge",
          "CapacityReservationSpecification": {
            "CapacityReservationPreference": "open"
          },
          "NetworkInterfaces": [],
          "Placement": {
            "Tenancy": "default",
            "GroupName": "",
            "AvailabilityZone": "eu-west-1a"
          },
          "Hypervisor": "xen",
          "BlockDeviceMappings": [],
          "Architecture": "x86_64",
          "RootDeviceType": "ebs",
          "RootDeviceName": "/dev/sda1",
          "VirtualizationType": "hvm",
          "Tags": [
            { "Value": "False", "Key": "AutoShutdown" },
            { "Value": "False", "Key": "AutoStart" },
            { "Value": "AutoScalingGroup", "Key": "aws:cloudformation:logical-id" },
            { "Value": "lt-0014c04827c2647b7", "Key": "aws:ec2launchtemplate:id" },
            { "Value": "True", "Key": "RunAtWeekends" },
            { "Value": "arn:aws:cloudformation:eu-west-1:9887878787:stack/ppe-devops-ecs-06/d5763820-4087-11ec-933b-02d79c55316d", "Key": "aws:cloudformation:stack-id" },
            { "Value": "1", "Key": "aws:ec2launchtemplate:version" },
            { "Value": "True", "Key": "KeepMe" },
            { "Value": "True", "Key": "SaveIfOrphaned" },
            { "Value": "ppe-devops-ecs-06-asg", "Key": "aws:autoscaling:groupName" },
            { "Value": "ppe-devops-ecs-06", "Key": "aws:cloudformation:stack-name" }
          ],
          "HibernationOptions": {
            "Configured": false
          },
          "AmiLaunchIndex": 0
        }
      ],
      "ReservationId": "r-014c8f943e5ca3655",
      "RequesterId": "178953610797",
      "Groups": [],
      "OwnerId": "9887878787"
    }
  ]
}
```

KMS key access was the issue. Granting the permission resolved it.
This error can also occur when an extra encrypted volume is attached.

Hi, I have the same error message: Client.InternalError: Client error on launch
I tried to add permissions to the KMS key for EBS, but with the same result.
Here is one of my many configurations:
```yaml
KmsKeyEbs:
  Type: "AWS::KMS::Key"
  Properties:
    Description: "KMS Key to encrypt and decrypt EBS volumes."
    KeyPolicy:
      Version: '2012-10-17'
      Statement:
        - Sid: "Allow administration of the key"
          Effect: Allow
          Principal:
            AWS:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:root'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling'
          Action:
            - 'kms:*'
          Resource: '*'
        - Sid: "Allow usage of the key"
          Effect: Allow
          Principal:
            AWS: '*'
          Action:
            - 'kms:Encrypt'
            - 'kms:Decrypt'
            - 'kms:ReEncrypt*'
            - 'kms:GenerateDataKey*'
            - 'kms:CreateGrant'
            - 'kms:RevokeGrant'
            - 'kms:List*'
            - 'kms:Describe*'
            - 'kms:Get*'
          Resource: '*'
```
EDIT:
In case this solution doesn't work, please check your AMIs for changes. In my case the AMI was encrypted at some point without any notice from the AMI provider.
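Both answers above come down to whether the Auto Scaling service-linked role is named in the key policy. As an added check (not code from either answer), this Python script reads a key policy shaped like the one in the question and lists which of the actions that role needs are not granted to it; the sample account id, the two cut-down policies and the required-action list are assumptions (the list follows the AWS documentation for Auto Scaling with customer managed keys).

```python
import json
from fnmatch import fnmatchcase

# Actions the Auto Scaling service-linked role needs on a customer managed key
# that protects the EBS volumes (and encrypted AMI snapshots) it launches from.
# Taken from the AWS documentation for this case. Conditions such as
# kms:GrantIsForAWSResource on CreateGrant are fine and are not evaluated here.
ASG_REQUIRED_ACTIONS = (
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext",
    "kms:DescribeKey", "kms:CreateGrant",
)


def asg_service_role_arn(account_id):
    return (f"arn:aws:iam::{account_id}:role/aws-service-role/"
            "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _aws_principals(statement):
    """AWS principals of a statement; '*' means everyone."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    return set(_as_list(principal.get("AWS", [])))


def actions_granted_to(policy, principal_arn):
    """Required actions that an Allow statement grants this principal,
    either literally or through a wildcard (kms:*, kms:ReEncrypt*, ...)."""
    granted = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principals = _aws_principals(st)
        if principal_arn not in principals and "*" not in principals:
            continue
        for pattern in _as_list(st["Action"]):
            granted.update(a for a in ASG_REQUIRED_ACTIONS if fnmatchcase(a, pattern))
    return granted


def missing_asg_actions(policy, account_id):
    """Required actions the key policy does not grant the service-linked role.
    An account-root principal alone does not help: the service-linked role's
    own IAM policy carries no KMS permissions, so the key policy must name it."""
    granted = actions_granted_to(policy, asg_service_role_arn(account_id))
    return sorted(set(ASG_REQUIRED_ACTIONS) - granted)


ACCOUNT = "123456789012"  # constructed sample account id

# Constructed cut-down version of the question's key policy: only account
# principals are named, never the service-linked role.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::123456789012:role/core-CloudformationStackAdmin"]},
     "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"],
     "Resource": "*"}
  ]
}""")

# Same policy plus a statement naming the service-linked role. The second
# answer grants it kms:*; this one grants only the required actions.
FIXED_POLICY = json.loads(json.dumps(QUESTION_POLICY))
FIXED_POLICY["Statement"].append({
    "Sid": "Allow service-linked role use of the key",
    "Effect": "Allow",
    "Principal": {"AWS": asg_service_role_arn(ACCOUNT)},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
    "Resource": "*",
})

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "policy, missing for service-linked role:",
              missing_asg_actions(policy, ACCOUNT))
```

Run it against the real key policy from `aws kms get-key-policy` to see the same report; an empty list for the launch template's key (and for the key that encrypted the AMI's snapshots) is what an ASG launch needs.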

Related

AWS Config bucket policy

I am trying to deploy a template through CloudFormation: AWS Config with an S3 bucket, but I am getting an "incorrect policy, unable to write to bucket" error.
Does anyone know the proper template and code for this action I am trying to complete?
Please help.
Here is my code. I am getting the "incorrect bucket policy, can't write to bucket" error.
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Template for a startup company looking to move their services to the cloud",
  "Resources": {
    "ResumeConfigRecorder": {
      "Type": "AWS::Config::ConfigurationRecorder",
      "Properties": {
        "Name": "ResumeConfigRecorder",
        "RecordingGroup": {
          "AllSupported": true
        },
        "RoleARN": "arn:aws:iam::451750859333:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
      }
    },
    "ResumeConfigDeliveryChannel": {
      "Type": "AWS::Config::DeliveryChannel",
      "Properties": {
        "ConfigSnapshotDeliveryProperties": {
          "DeliveryFrequency": "Three_Hours"
        },
        "Name": "ResumeConfigDeliveryChannel",
        "S3BucketName": "config-resumematch",
        "S3KmsKeyArn": {
          "Fn::GetAtt": [
            "ConfigKey",
            "Arn"
          ]
        }
      }
    },
    "ConfigBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "AccessControl": "Private",
        "BucketName": "config-resumematch",
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {
              "BucketKeyEnabled": true,
              "ServerSideEncryptionByDefault": {
                "KMSMasterKeyID": {
                  "Ref": "ConfigKey"
                },
                "SSEAlgorithm": "aws:kms"
              }
            }
          ]
        },
        "Tags": [
          {
            "Key": "Name",
            "Value": "ConfigBucket"
          }
        ]
      }
    },
    "ConfigBucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {
          "Ref": "ConfigBucket"
        },
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AWSConfigBucketPermissionsCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": "config.amazonaws.com"
              },
              "Action": "s3:GetBucketAcl",
              "Resource": "arn:aws:s3:::config-resumematch",
              "Condition": {
                "StringEquals": {
                  "AWS:SourceAccount": "451750859333"
                }
              }
            },
            {
              "Sid": "AWSConfigBucketExistenceCheck",
              "Effect": "Allow",
              "Principal": {
                "Service": "config.amazonaws.com"
              },
              "Action": "s3:ListBucket",
              "Resource": "arn:aws:s3:::config-resumematch",
              "Condition": {
                "StringEquals": {
                  "AWS:SourceAccount": "451750859333"
                }
              }
            },
            {
              "Sid": "AWSConfigBucketDelivery",
              "Effect": "Allow",
              "Principal": {
                "Service": "config.amazonaws.com"
              },
              "Action": [
                "s3:PutObject*"
              ],
              "Resource": "arn:aws:s3:::config-resumematch/AWSLogs/451750859333/Config/*",
              "Condition": {
                "StringEquals": {
                  "s3:x-amz-acl": "bucket-owner-full-control",
                  "AWS:SourceAccount": "451750859333"
                }
              }
            }
          ]
        }
      }
    },
    "ConfigKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "Key to encrypt config records in S3",
        "Enabled": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Id": "config-key-1",
          "Statement": [
            {
              "Sid": "Enable IAM Permissions",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::451750859333:root"
              },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Sid": "Allow administration of the key",
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::451750859333:user/ecargle"
              },
              "Action": [
                "kms:Put*",
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Get*",
                "kms:Delete*"
              ],
              "Resource": "*"
            },
            {
              "Sid": "Allow config to use KMS key",
              "Effect": "Allow",
              "Principal": {
                "Service": "config.amazonaws.com"
              },
              "Action": [
                "kms:Encrypt*",
                "kms:Decrypt*"
              ],
              "Resource": "*"
            }
          ]
        },
        "KeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Tags": [
          {
            "Key": "Name",
            "Value": "ConfigKey"
          }
        ]
      }
    },
    "ConfigKeyAlias": {
      "Type": "AWS::KMS::Alias",
      "Properties": {
        "AliasName": "alias/configKey",
        "TargetKeyId": {
          "Ref": "ConfigKey"
        }
      }
    },
    "ResumeConfigRuleEC2": {
      "DependsOn": "ResumeConfigRecorder",
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "ResumeMatchConfigRuleEC2",
        "Description": "rule to monitor the configuration of AWS resources",
        "Scope": {
          "ComplianceResourceTypes": [
            "AWS::EC2::Volume"
          ]
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "EC2_EBS_ENCRYPTION_BY_DEFAULT"
        }
      }
    },
    "ResumeConfigRuleS3": {
      "DependsOn": "ResumeConfigRecorder",
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "ResumeMatchConfigRuleS3",
        "Description": "rule to monitor the configuration of AWS resources",
        "Scope": {
          "ComplianceResourceTypes": [
            "AWS::S3::Bucket"
          ]
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ELB_LOGGING_ENABLED"
        }
      }
    },
    "ResumeConfigRuleELB": {
      "DependsOn": "ResumeConfigRecorder",
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "ResumeMatchConfigRuleELB",
        "Description": "rule to monitor the configuration of AWS resources",
        "Scope": {
          "ComplianceResourceTypes": [
            "AWS::ElasticLoadBalancingV2::LoadBalancer"
          ]
        },
        "Source": {
          "Owner": "AWS",
          "SourceIdentifier": "ELB_LOGGING_ENABLED"
        }
      }
    }
  }
}
```

AWS Cross-account pass role is not allowed

I am trying to create an AWS CodePipeline that deploys code stored in a CodeCommit repository in Account B (the hub account) into Account A (the production account). The CodePipeline lives in Account A.
What has been done:
KMS key - Account A:
```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_A:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_A:role/Admin"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_A:role/service-role/code-build-glue-accountA-role",
          "arn:aws:iam::ACCOUNT_A:role/service-role/codepipeline-accountA-service-role",
          "arn:aws:iam::ACCOUNT_A:role/cloud-formation-role-accountA-role",
          "arn:aws:iam::ACCOUNT_A:role/service-role/code-build-glue-accountA-role",
          "arn:aws:iam::ACCOUNT_B:root",
          "arn:aws:iam::ACCOUNT_B:role/cloud-formation-accountB-role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_A:role/service-role/code-build-glue-accountA-role",
          "arn:aws:iam::ACCOUNT_A:role/service-role/codepipeline-accountA-service-role",
          "arn:aws:iam::ACCOUNT_A:role/cloud-formation-role-accountA-role",
          "arn:aws:iam::ACCOUNT_A:role/service-role/code-build-glue-accountA-role",
          "arn:aws:iam::ACCOUNT_B:root",
          "arn:aws:iam::ACCOUNT_B:role/cloud-formation-accountB-role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
```
S3 bucket policy - Account A:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT_A:role/codepipeline-service-role",
          "arn:aws:iam::ACCOUNT_B:role/cloud-formation-role",
          "arn:aws:iam::ACCOUNT_B:role/cross-account-role"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::codepipeline",
        "arn:aws:s3:::codepipeline*"
      ]
    }
  ]
}
```
CodePipeline service role - policy to assume the Account B role from Account A:
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": [
      "arn:aws:iam::ACCOUNT_B:role/cross-account-role"
    ]
  }
}
```
Cross-account role - trust relationship - Account B:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_A:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Cross-account policy - Account B:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codecommit:*",
        "codedeploy:*",
        "cloudformation:*",
        "codebuild:*",
        "s3:*",
        "iam:PassRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
```
Pipeline.json file - Account A:
Info: the pipeline has two actions in each of the build and deploy stages: build lambda, build glue and the corresponding deploy lambda, deploy glue.
```json
{
  "pipeline": {
    "name": "cross-account-deployment-code-pipeline",
    "roleArn": "arn:aws:iam::ACCOUNT_A:role/service-role/codepipeline-service-role",
    "artifactStore": {
      "type": "S3",
      "location": "codepipeline-eu-west-2",
      "encryptionKey": {
        "id": "arn:aws:kms:eu-west-2:ACCOUNT_A:key/keyid",
        "type": "KMS"
      }
    },
    "stages": [
      {
        "name": "Source",
        "actions": [
          {
            "name": "Source",
            "actionTypeId": {
              "category": "Source",
              "owner": "AWS",
              "provider": "CodeCommit",
              "version": "1"
            },
            "runOrder": 1,
            "roleArn": "arn:aws:iam::ACCOUNT_B:role/CrossAccountRole",
            "configuration": {
              "BranchName": "main",
              "OutputArtifactFormat": "CODE_ZIP",
              "PollForSourceChanges": "false",
              "RepositoryName": "repository-AccountB"
            },
            "outputArtifacts": [
              {
                "name": "SourceArtifact"
              }
            ],
            "inputArtifacts": [],
            "region": "eu-west-2",
            "namespace": "SourceVariables"
          }
        ]
      },
      {
        "name": "Archive",
        "actions": [
          {
            "name": "Archive",
            "actionTypeId": {
              "category": "Deploy",
              "owner": "AWS",
              "provider": "S3",
              "version": "1"
            },
            "runOrder": 1,
            "configuration": {
              "BucketName": "assets-codecommit",
              "Extract": "true"
            },
            "outputArtifacts": [],
            "inputArtifacts": [
              {
                "name": "SourceArtifact"
              }
            ],
            "region": "eu-west-2"
          }
        ]
      },
      {
        "name": "Build",
        "actions": [
          {
            "name": "Build-Glue-Jobs",
            "actionTypeId": {
              "category": "Build",
              "owner": "AWS",
              "provider": "CodeBuild",
              "version": "1"
            },
            "runOrder": 1,
            "configuration": {
              "ProjectName": "code-build-glue-project"
            },
            "outputArtifacts": [
              {
                "name": "BuildArtifact"
              }
            ],
            "inputArtifacts": [
              {
                "name": "SourceArtifact"
              }
            ],
            "region": "eu-west-2",
            "namespace": "BuildVariables"
          },
          {
            "name": "Build-Lambda",
            "actionTypeId": {
              "category": "Build",
              "owner": "AWS",
              "provider": "CodeBuild",
              "version": "1"
            },
            "runOrder": 1,
            "configuration": {
              "ProjectName": "code-build-lambda-project"
            },
            "outputArtifacts": [
              {
                "name": "BuildLambdaArtifact"
              }
            ],
            "inputArtifacts": [
              {
                "name": "SourceArtifact"
              }
            ],
            "region": "eu-west-2",
            "namespace": "BuildLambdaVariables"
          }
        ]
      },
      {
        "name": "Deploy",
        "actions": [
          {
            "name": "Deploy-Glue-Jobs",
            "actionTypeId": {
              "category": "Deploy",
              "owner": "AWS",
              "provider": "CloudFormation",
              "version": "1"
            },
            "runOrder": 1,
            "configuration": {
              "ActionMode": "REPLACE_ON_FAILURE",
              "Capabilities": "CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND",
              "OutputFileName": "create-glue-stack-output.json",
              "ParameterOverrides": "{\"Environments\":\"PROD\"}",
              "RoleArn": "arn:aws:iam::ACCOUNT_B:role/cloudformation-accountB-role",
              "StackName": "glue-stack",
              "TemplatePath": "BuildArtifact::output-glue-deploy.yaml"
            },
            "roleArn": "arn:aws:iam::ACCOUNT_B:role/CrossAccountRole",
            "outputArtifacts": [],
            "inputArtifacts": [
              {
                "name": "BuildArtifact"
              }
            ],
            "region": "eu-west-2",
            "namespace": "DeployVariables"
          },
          {
            "name": "Deploy-Lambda-Functions",
            "actionTypeId": {
              "category": "Deploy",
              "owner": "AWS",
              "provider": "CloudFormation",
              "version": "1"
            },
            "runOrder": 1,
            "configuration": {
              "ActionMode": "REPLACE_ON_FAILURE",
              "Capabilities": "CAPABILITY_IAM,CAPABILITY_AUTO_EXPAND",
              "OutputFileName": "create-lambda-stack-output.json",
              "ParameterOverrides": "{\"Environments\":\"PROD\"}",
              "RoleArn": "arn:aws:iam::ACCOUNT_B:role/cloudformation-accountB-role",
              "StackName": "lambda-stack",
              "TemplatePath": "BuildLambdaArtifact::output-lambda-deploy.yaml"
            },
            "roleArn": "arn:aws:iam::ACCOUNT_B:role/CrossAccountRole",
            "outputArtifacts": [],
            "inputArtifacts": [
              {
                "name": "BuildLambdaArtifact"
              }
            ],
            "region": "eu-west-2",
            "namespace": "DeployLambdaVariables"
          }
        ]
      }
    ],
    "version": 62
  }
}
```
When I release the changes in the pipeline, I get the error below:
Due to the fact that Cross-account pass role is not allowed.
What am I doing wrong?
I have checked multiple resources and I cannot find what I am missing.

Only allow launch/start/stop/terminate of EC2 instances of a particular Instance Type

While launching an on-demand instance from AWS I'm getting the following error:
An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation.
along with an encoded authorization failure message.
But I'm unable to work out the actual issue from the response, as the decoded JSON message has an empty failures object, although I'm able to launch a spot instance with the same IAM policy.
```json
{
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": {
    "items": []
  },
  "failures": {
    "items": []
  },
  "context": {
    "principal": {
      "id": "XXXXXXXXXXXXXXXXXXXX",
      "name": "user_name",
      "arn": "arn:aws:iam::account_id:user/user_name"
    },
    "action": "ec2:RunInstances",
    "resource": "arn:aws:ec2:us-east-1:account_id:instance/*",
    "conditions": {
      "items": [
        { "key": "ec2:InstanceMarketType", "values": { "items": [ { "value": "on-demand" } ] } },
        { "key": "aws:Resource", "values": { "items": [ { "value": "instance/*" } ] } },
        { "key": "aws:Account", "values": { "items": [ { "value": "account_id" } ] } },
        { "key": "ec2:AvailabilityZone", "values": { "items": [ { "value": "us-east-1a" } ] } },
        { "key": "ec2:ebsOptimized", "values": { "items": [ { "value": "false" } ] } },
        { "key": "ec2:IsLaunchTemplateResource", "values": { "items": [ { "value": "false" } ] } },
        { "key": "ec2:InstanceType", "values": { "items": [ { "value": "m1.medium" } ] } },
        { "key": "ec2:RootDeviceType", "values": { "items": [ { "value": "ebs" } ] } },
        { "key": "aws:Region", "values": { "items": [ { "value": "us-east-1" } ] } },
        { "key": "aws:Service", "values": { "items": [ { "value": "ec2" } ] } },
        { "key": "ec2:InstanceID", "values": { "items": [ { "value": "*" } ] } },
        { "key": "aws:Type", "values": { "items": [ { "value": "instance" } ] } },
        { "key": "ec2:Tenancy", "values": { "items": [ { "value": "default" } ] } },
        { "key": "ec2:Region", "values": { "items": [ { "value": "us-east-1" } ] } },
        { "key": "aws:ARN", "values": { "items": [ { "value": "arn:aws:ec2:us-east-1:account_id:instance/*" } ] } }
      ]
    }
  }
}
```
**Below is my IAM Policy**
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:us-east-1:account_id:instance/m*,t*",
      "Condition": {
        "StringLike": {
          "ec2:InstanceType": [
            "m*",
            "t*"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/ami-*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:us-east-1:account_id:instance/m*,t*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "StringLike": {
          "ec2:InstanceType": [
            "m*",
            "t*"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:account_id:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:InstanceType": [
            "m*",
            "t*"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:DescribeAvailabilityZones",
        "ec2:EnableEbsEncryptionByDefault",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeReservedInstances",
        "ec2:ModifyReservedInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyVolumeAttribute",
        "ec2:DescribeInstances",
        "ec2:GetEbsEncryptionByDefault",
        "ec2:ExportClientVpnClientConfiguration",
        "ec2:GetHostReservationPurchasePreview",
        "ec2:DeleteVolume",
        "ec2:GetLaunchTemplateData",
        "ec2:SearchTransitGatewayRoutes",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:GetEbsDefaultKmsKeyId",
        "ec2:DetachVolume",
        "ec2:ModifyVolume",
        "ec2:GetTransitGatewayAttachmentPropagations",
        "ec2:GetReservedInstancesExchangeQuote",
        "ec2:DescribeVolumeAttribute",
        "ec2:CreateVolume",
        "ec2:GetPasswordData",
        "ec2:GetTransitGatewayRouteTablePropagations",
        "ec2:AttachVolume",
        "ec2:PurchaseReservedInstancesOffering",
        "ec2:RequestSpotInstances",
        "ec2:GetCapacityReservationUsage",
        "ec2:ExportClientVpnClientCertificateRevocationList",
        "ec2:CreateSecurityGroup",
        "ec2:GetTransitGatewayRouteTableAssociations",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeTags",
        "ec2:ImportSnapshot",
        "sts:*",
        "ec2:Describe*",
        "ec2:GetConsole*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor5",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor6",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteTags",
        "ec2:CreateTags",
        "ec2:GetConsoleScreenshot"
      ],
      "Resource": "*"
    }
  ]
}
```
along with all IAM read-only permissions.
Here is a policy that grants permission to launch an instance in the M or T family:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InstanceType",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:StartInstances",
        "ec2:RunInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "ec2:InstanceType": [
            "t*",
            "m*"
          ]
        }
      }
    },
    {
      "Sid": "Any",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:placement-group/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*::image/*"
      ]
    }
  ]
}
```
It is based on the example from Example Policies for Working in the Amazon EC2 Console - Amazon Elastic Compute Cloud.
After a bit of playing around, it seems that the ec2:InstanceType parameter is only relevant for the instance/* resource type.
Here's a sample CLI command that I used to test it:
```bash
aws ec2 run-instances --image-id ami-abcd1234 --security-group-ids sg-abcd1234 --instance-type t2.nano
```
Please note that it does not grant permission to add tags or pass an IAM Role in the RunInstances command.
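To make the answer's point concrete, here is an added Python model (not code from the answer or from AWS) of how a RunInstances request is checked resource by resource: a statement matches only when action, resource pattern and every condition match, and a StringLike condition on a key that is absent from the request context evaluates to false. It assumes, in line with the decoded message above, that only the instance resource carries ec2:InstanceType; the per-resource ARNs and the two policies are constructed from the question and the answer.

```python
from fnmatch import fnmatchcase
import json


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _string_like(pattern, value):
    """IAM StringLike: '*' and '?' wildcards, case-sensitive."""
    return fnmatchcase(value, pattern)


def matched_statements(policy, action, resource, context):
    """Sids of Allow statements that match one (action, resource) check.
    A StringLike condition whose key is absent from the request context
    evaluates to false, as in IAM (only ...IfExists/Null treat it as true)."""
    matched = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(_string_like(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_string_like(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        conditions_hold = True
        for operator, keys in st.get("Condition", {}).items():
            if operator != "StringLike":
                raise NotImplementedError(f"operator {operator} is not modelled here")
            for key, patterns in keys.items():
                value = context.get(key)
                if value is None or not any(_string_like(p, value) for p in _as_list(patterns)):
                    conditions_hold = False
        if conditions_hold:
            matched.append(st.get("Sid", ""))
    return matched


# RunInstances is authorised once per resource it touches. Only the instance
# resource carries ec2:InstanceType in its context (assumption; the decoded
# message above lists that key for the instance/* resource).
RUN_INSTANCES_CHECKS = [
    ("arn:aws:ec2:us-east-1:account_id:instance/*", {"ec2:InstanceType": "m1.medium"}),
    ("arn:aws:ec2:us-east-1::image/ami-abcd1234", {}),
    ("arn:aws:ec2:us-east-1:account_id:subnet/subnet-abcd1234", {}),
    ("arn:aws:ec2:us-east-1:account_id:security-group/sg-abcd1234", {}),
    ("arn:aws:ec2:us-east-1:account_id:network-interface/*", {}),
    ("arn:aws:ec2:us-east-1:account_id:volume/*", {}),
]


def run_instances_denied_on(policy):
    """Resources for which no statement matches; empty means the launch is allowed."""
    return [res for res, ctx in RUN_INSTANCES_CHECKS
            if not matched_statements(policy, "ec2:RunInstances", res, ctx)]


# Constructed from the question's VisualEditor1 statement.
QUESTION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor1", "Effect": "Allow", "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:*::image/ami-*", "arn:aws:ec2:*:*:subnet/*",
                 "arn:aws:ec2:*:*:volume/*",
                 "arn:aws:ec2:us-east-1:account_id:instance/m*,t*",
                 "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:network-interface/*"],
    "Condition": {"StringLike": {"ec2:InstanceType": ["m*", "t*"]}}
  }]
}""")

# The answer's policy: the condition only on the instance resource, none on the rest.
ANSWER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "InstanceType", "Effect": "Allow",
     "Action": ["ec2:TerminateInstances", "ec2:StartInstances", "ec2:RunInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringLike": {"ec2:InstanceType": ["t*", "m*"]}}},
    {"Sid": "Any", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": ["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:volume/*",
                  "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:placement-group/*",
                  "arn:aws:ec2:*:*:network-interface/*", "arn:aws:ec2:*::image/*"]}
  ]
}""")

if __name__ == "__main__":
    print("question policy, denied on:", run_instances_denied_on(QUESTION_POLICY))
    print("answer policy, denied on:", run_instances_denied_on(ANSWER_POLICY))
```

Under these assumptions the question's policy matches no statement for any of the six resources (the image, subnet and similar checks fail because their context has no ec2:InstanceType, and the instance check fails because the `instance/m*,t*` pattern does not match the `instance/*` resource of the request), while the answer's policy matches one statement per resource.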

Cross-Account ECS Deployment

I am trying to deploy an image from ECR of one account (AccountA) to ECS Cluster of another (AccountB) using CodePipeline. I am getting a permissions related error in the deploy phase.
Here is my pipeline role in AccountA:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketVersioning"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::<bucketname>/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy",
        "ecr:DescribeRepositories",
        "ecr:ListImages",
        "ecr:DescribeImages",
        "ecr:BatchGetImage",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:InvalidateProjectCache",
        "codebuild:StartBuild",
        "codebuild:StopBuild",
        "codebuild:UpdateProject",
        "codebuild:UpdateWebhook"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::<AccountB>:role/taskexecutionrole",
      "Effect": "Allow"
    }
  ]
}
```
The arn:aws:iam::<AccountB>:role/taskexecutionrole role exists in AccountB and trusts AccountA. Here is the role in AccountB:
```json
{
  "Effect": "Allow",
  "Action": "ecs:*",
  "Resource": [
    "*"
  ]
}
```
The pipeline has an ECR source, the build stage generates an imagedefinitions.json file, and finally the deployment stage does the ECS deploy.
The error I am getting is:
Invalid action configuration
Identifier is for AccountB. Your accountId is AccountA
This answer helps only for manual CLI deployment and I have tried the solution from this answer.
Any pointers on what I'm missing?
Let's assume:
Account_A => CodePipeline & Source
Account_B => ECS
Here is what is required:
Account_A:
* AWSCodePipelineServiceRole
* Artifact_Store_S3_Bucket
* KMS_Key_for_Pipeline_Artifact (Customer Managed Key)
* Bucket Policy on Artifact_Store_S3_Bucket to Allow Account_B access
* Key Policy on KMS_Key_for_Pipeline_Artifact to Allow Access to Cross_Account_Role (from Account_B)
Account_B
* Cross_Account_Role (Trust relationship with Account_A and Full_ECS permissions)
* ECS with a running service that is to be replaced by the deployment
imagedefinitions.json (must be part of your source code)
```json
[
  {
    "name": "container_name",
    "imageUri": "nginx:latest"
  }
]
```
Bucket_Policy on Artifact_Store_S3_Bucket
```json
{
  "Version": "2012-10-17",
  "Id": "SSEAndSSLPolicy",
  "Statement": [
    {
      "Sid": "DenyUnEncryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::Artifact_Store_S3_Bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyInsecureConnections",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::Artifact_Store_S3_Bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account_B:root"
      },
      "Action": [
        "s3:Get*",
        "s3:Put*"
      ],
      "Resource": "arn:aws:s3:::Artifact_Store_S3_Bucket/*"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account_B:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::Artifact_Store_S3_Bucket"
    }
  ]
}
```
pipeline.json:
```json
{
  "pipeline": {
    "name": "test",
    "roleArn": "arn:aws:iam::Account_A:role/service-role/AWSCodePipelineServiceRole",
    "artifactStore": {
      "type": "S3",
      "location": "Artifact_Store_S3_Bucket",
      "encryptionKey": {
        "id": "arn:aws:kms:us-east-1:Account_A:key/KMS_Key_for_Pipeline_Artifact",
        "type": "KMS"
      }
    },
    "stages": [
      {
        "name": "Source",
        "actions": [
          {
            "name": "Source",
            "actionTypeId": {
              "category": "Source",
              "owner": "AWS",
              "provider": "CodeCommit",
              "version": "1"
            },
            "runOrder": 1,
            "configuration": {
              "BranchName": "master",
              "PollForSourceChanges": "false",
              "RepositoryName": "code"
            },
            "outputArtifacts": [
              {
                "name": "SourceArtifact"
              }
            ],
            "inputArtifacts": [],
            "region": "us-east-1"
          }
        ]
      },
      {
        "name": "Deploy",
        "actions": [
          {
            "name": "Deploy",
            "actionTypeId": {
              "category": "Deploy",
              "owner": "AWS",
              "provider": "ECS",
              "version": "1"
            },
            "runOrder": 1,
            "roleArn": "arn:aws:iam::Account_B:role/CrossAccount_Role",
            "configuration": {
              "ClusterName": "<Cluster>",
              "ServiceName": "<Service>"
            },
            "outputArtifacts": [],
            "inputArtifacts": [
              {
                "name": "SourceArtifact"
              }
            ],
            "region": "us-east-1"
          }
        ]
      }
    ],
    "version": 1
  }
}
```
To update the pipeline:
```bash
$ aws codepipeline update-pipeline --region us-east-1 --cli-input-json file://pipeline.json
```

cloudwatchevent_rule default to latest version of lambda function

I am trying to automate the creation of a lambda function and a cloudwatch rule for it. However, it seems that the cloudwatchevent_rule ansible task requires a version id to attach itself to my lambda function. This is causing an error:
No target to arn:aws:lambda:us-east-1:MYACCOUNTID:function:MYFUNCTIONNAME could be found on the rule MYFUNCTIONNAME.
How can I change this so that the cloudwatch rule will always attach itself to the latest version of my lambda function?
```yaml
- name: create cloudwatch rule
  cloudwatchevent_rule:
    name: 'name_for_rule'
    region: "{{region}}"
    description: 'trigger on new instance creation'
    state: present
    event_pattern: |-
      {
        "detail-type": [
          "AWS API Call via CloudTrail"
        ],
        "detail": {
          "eventSource": [
            "ec2.amazonaws.com"
          ],
          "eventName": [
            "RunInstances"
          ]
        }
      }
    targets:
      - id: "{{ lambda.configuration.version }}"
        arn: "{{ lambda.configuration.function_arn }}"
```
I've configured a Lambda Function with CloudWatch rule triggering it. The following SAM Template also contains permission, policy and roles I require. Please ignore those if not required.
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Transform": "AWS::Serverless-2016-10-31",
  "Description": "AWS SAM template configuring lambda functions written in test package.",
  "Resources": {
    "OrchestratorTestLambdaFunction": {
      "DependsOn": [
        "LambdaPolicy"
      ],
      "Type": "AWS::Lambda::Function",
      "Properties": {
        "Handler": "com.test.TestClass::orchestrateTestLambda",
        "FunctionName": "OrchestratorTestLambda",
        "Runtime": "java8",
        "MemorySize": 256,
        "Timeout": 60,
        "Code": {
          "S3Bucket": "BATS::SAM::CodeS3Bucket",
          "S3Key": "BATS::SAM::CodeS3Key"
        },
        "Role": {
          "Fn::GetAtt": [
            "LambdaRole",
            "Arn"
          ]
        },
        "Description": "Lambda reads from SQS provided in the cloud watch."
      }
    },
    "LambdaRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "LambdaRole",
        "AssumeRolePolicyDocument": {
          "Version": "2008-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Principal": {
                "Service": "lambda.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            }
          ]
        }
      }
    },
    "LambdaPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "lambda_policy",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "",
              "Effect": "Allow",
              "Action": [
                "sqs:DeleteMessage",
                "sqs:ReceiveMessage"
              ],
              "Resource": [
                {
                  "Fn::Sub": "arn:aws:sqs:eu-west-1:${AWS::AccountId}:TestUpdates"
                }
              ]
            },
            {
              "Sid": "",
              "Action": [
                "lambda:InvokeAsync"
              ],
              "Effect": "Allow",
              "Resource": "*"
            },
            {
              "Sid": "",
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": "arn:aws:logs:*:*:*"
            }
          ]
        },
        "Roles": [
          {
            "Ref": "LambdaRole"
          }
        ]
      }
    },
    "PermissionForEventsToInvokeLambda": {
      "Type": "AWS::Lambda::Permission",
      "Properties": {
        "FunctionName": {
          "Ref": "OrchestratorTestLambdaFunction"
        },
        "Action": "lambda:InvokeFunction",
        "Principal": "events.amazonaws.com",
        "SourceArn": {
          "Fn::GetAtt": [
            "TestRule",
            "Arn"
          ]
        }
      }
    },
    "TestRule": {
      "Type": "AWS::Events::Rule",
      "Properties": {
        "Name": "TestRule",
        "Description": "Rule to Trigger OrchestratorTestLambdaFunction",
        "ScheduleExpression": "rate(1 minute)",
        "State": "ENABLED",
        "Targets": [
          {
            "Arn": {
              "Fn::GetAtt": [
                "OrchestratorTestLambdaFunction",
                "Arn"
              ]
            },
            "Id": "TestRuleV1",
            "Input": {
              "Fn::Sub": "{\"queueUrl\":\"https://sqs.eu-west-1.amazonaws.com/${AWS::AccountId}/TestUpdates\"}"
            }
          }
        ]
      }
    }
  },
  "Outputs": {
    "StackArn": {
      "Value": {
        "Ref": "AWS::StackId"
      },
      "Description": "Use this as the stack_arn in your cloud_formation_deployment_stack override."
    }
  }
}
```
I've noticed that the function_arn registered from the lambda Ansible module output is not consistent.
Sometimes it is
"function_arn": "arn:aws:lambda:zone:account:function:name"
and other times it is:
"function_arn": "arn:aws:lambda:zone:account:function:name:version"
So I construct the ARN myself, always appending the $LATEST version:
```yaml
- cloudwatchevent_rule:
    profile: "{{ aws_profile }}"
    name: StartStop
    schedule_expression: cron(* * * * ? *)
    description: trigger my lambda
    targets:
      - id: StartStop
        arn: "arn:aws:lambda:{{aws_zone}}:{{aws_account_id}}:function:{{lambdadeploy.configuration.function_name}}:$LATEST"
```
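The answer above rebuilds the ARN from parts because the module sometimes returns it with a version suffix and sometimes without. As an added example (not code from the answer or from Ansible), the Python below parses both forms and produces an ARN with exactly one qualifier, so a rule target never ends up with `:7:$LATEST` or a bare name; the sample ARNs are constructed.

```python
import re

# Both forms seen in the lambda module output: with and without a trailing
# qualifier (a numeric version or an alias such as "prod").
_LAMBDA_ARN = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):lambda:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":function:(?P<name>[A-Za-z0-9_-]+)(?::(?P<qualifier>[A-Za-z0-9_$-]+))?$"
)


def parse_lambda_arn(arn):
    """Split a Lambda function ARN into its parts; qualifier is None when absent.
    Raises ValueError for anything that is not a Lambda function ARN."""
    m = _LAMBDA_ARN.match(arn)
    if not m:
        raise ValueError(f"not a Lambda function ARN: {arn}")
    return m.groupdict()


def lambda_target_arn(arn, qualifier="$LATEST"):
    """Return the ARN with exactly one qualifier, replacing any existing one.
    Pass qualifier=None for the unqualified function ARN."""
    p = parse_lambda_arn(arn)
    base = f"arn:{p['partition']}:lambda:{p['region']}:{p['account']}:function:{p['name']}"
    return f"{base}:{qualifier}" if qualifier else base


if __name__ == "__main__":
    for sample in ("arn:aws:lambda:eu-west-1:123456789012:function:StartStop",
                   "arn:aws:lambda:eu-west-1:123456789012:function:StartStop:7"):
        print(sample, "->", lambda_target_arn(sample))
```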