I want to do automatic user provisioning for AWS SSO and G-Suite; for this, I am using SSOSync. When I go to use the AWS Serverless Application Repository, it shows the following error:
You are not authorized to perform: serverlessrepo:GetApplication.
I gave full permissions to users, but it seems like this application is no longer maintained. Do we have another alternative option for doing auto user provisioning?
Try this: https://github.com/slashdevops/idp-scim-sync. The app you are requesting no longer exists.
Previously I had been able to deploy my Lambda functions without any problems on my own AWS account. Now, I need to deploy them to a different AWS account where my IAM user has the AdministratorAccess permission.
I've set up a role/policies for invoking Lambdas the same way I did for my account. Before I deployed my code with Terraform, I checked the console page for AWS Lambda, and this error pops up.
Any idea why I still don't have enough permissions to access Lambda even with my AdministratorAccess policy attached to my user? Do I still need to add more policies to my user in order to access Lambda?
I have faced the same issue. You need to contact AWS to unlock your access as your account has been locked due to potentially dangerous activity.
I recommend enabling MFA and using an IAM user to log in to the AWS console instead of the root user.
AdministratorAccess is definitely enough to view the Lambda console.
Do you have CLI access set up for this user? You could try running the list-functions CLI command to confirm that your user is set up as expected, as this uses the same API call that the web console is performing for you.
I have faced the same issue; after checking this post I checked my mailbox. AWS asked me to verify my account by sending a picture of utility bills and address information. I did it and everything is back to normal now.
I am following this tutorial for creating a React app in AWS.
In the step "Initialize the Amplify app" of section 3, I see the following error (i.e. "Setting up Admin UI failed.") in the Backend environments tab:
I know that I have a limited account from our administration side, but I don't know what role is missing such that I cannot create the backend for my app!
Does anyone have any idea how I can find out what role is missing that means I am not allowed to create the Amplify backend?
Also, no info is printed in the console tab.
I had the same problem when I tried to deploy from the Admin UI sandbox app, as a ROOT user on my AWS account. I fixed it after I went to Billing and completed the payment info requirements.
Before that I couldn't even access DynamoDB tables (which are used by AWS Amplify and Admin UI).
If this doesn't work, you can try having Amplify and maybe DynamoDB related roles enabled in IAM for your user.
You can start with these roles:
AdministratorAccess-Amplify
AmazonDynamoDBFullAccess
Is there a way to grant admin access to a third party in AWS without manually creating IAM role etc, purely via OAuth flow or similar?
Context: making an app that simplifies AWS account management, and want to make the UX to "connect to my account" as simple as possible. Failed to find anything like that in AWS docs. Want the app to be able to provision and manage resources, run terraform etc.
Check this out: Identity Providers and Federation. You will still have to create pre-defined IAM roles to define what permissions users will assume.
Yes, it's doable. You do need to create IAM roles; if you want to give your users access to everything, just create an admin role with permissions of *:* on all resources.
Then you should set up some type of SAML server; Active Directory Federation Services comes with everything out of the box. You can look for some open source SAML servers.
Then you have to set up SAML federation between your user account and your SAML backend.
We are attempting to use GCR's Container Analysis API to send notifications via Pub/Sub when an image vulnerability has been found. We were able to get this working fine with a full admin account but have been unable to get a service account working.
We've confirmed the service account has full access to the Container Analysis API in the dashboard; however, any request we make gets denied. Our error occurs specifically when we call containerClient.GetOccurrence in the Go library.
Is there a special permission that needs to be granted at the project level for this to work?
Managed to answer my own question.
The service account in question was missing the roles/containeranalysis.occurrences.viewer role in IAM.
I've been looking into getting the AWS (web) console hooked up to an AD or ADFS setup for managing users. It was reasonably easy to get working with a SAML Identity Provider in IAM and some existing ADFS infrastructure.
The problem is that users that authenticate that way, as opposed to normal AWS user accounts, don't have any way to have associated access keys so far as I can tell. Access keys are a key concept for authenticating stuff such as the AWS CLI, which needs to be tied to individual user accounts.
What are the workarounds to allow a user authenticated via a SAML identity provider to still be able to easily use the aws CLI? The only thing I've come up with so far is some hacky crap that would proxy the aws cli command, request temporary 1-hour credentials from the AWS STS service, put them in the aws credentials file, and forward the command to the normal AWS CLI. But, that makes me want to throw up a little bit; plus, I have no idea if it would work if a command took over an hour to complete (large S3 uploads, etc.).
Suggestions? I would try the official Directory Service AD connector, but my understanding is users still just assume IAM roles and would ultimately have the same problem.
https://github.com/Versent/saml2aws was created to address this, and has a vibrant open source community behind it.
I've had success with aws-adfs for the AWS CLI via ADFS.
The repo owner is currently adding support for DUO MFA as well.
It works by authenticating the user to the same page you'd use for console access, then scraping the roles available. You choose a role, and then aws-adfs sets the default user to the credential set needed for STS access.
After the default user is set you can use the CLI like normal: aws s3 ls
https://github.com/venth/aws-adfs
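As an added example (not code from any post in this thread, nor from saml2aws or aws-adfs), here is the workaround described above in Python: pull the role/provider ARN pairs out of the SAMLResponse the IdP posts, exchange the assertion for temporary keys with sts:AssumeRoleWithSAML (the boto3 call is assumed to be available), and write them to a named profile that the unmodified aws CLI can use; the sample response and ARNs are constructed.

```python
# Added example, not from any post above: the SAML -> STS -> credentials-file
# flow that saml2aws and aws-adfs automate. Sample SAMLResponse/ARNs are constructed.
import base64
import configparser
import os
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed minimal SAMLResponse (unsigned; a real IdP response is signed)
SAMPLE_RESPONSE = base64.b64encode(b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Assertion><saml:AttributeStatement>
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
   <saml:AttributeValue>arn:aws:iam::123456789012:role/Admin,arn:aws:iam::123456789012:saml-provider/ADFS</saml:AttributeValue>
   <saml:AttributeValue>arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ReadOnly</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>""").decode()

def parse_roles(saml_response_b64):
    """Return [(role_arn, provider_arn)]; AWS accepts either order in each pair, so normalise."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    roles = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != ROLE_ATTR:
            continue
        for val in attr.findall("{%s}AttributeValue" % SAML_NS):
            a, b = (s.strip() for s in val.text.split(","))
            roles.append((a, b) if ":role/" in a else (b, a))
    return roles

def assume_role_with_saml(role_arn, provider_arn, saml_response_b64, duration=3600):
    """Exchange the assertion for temporary keys. DurationSeconds may go up to the
    role's configured MaxSessionDuration, which covers commands longer than an hour."""
    import boto3  # assumed installed; imported lazily so parsing/writing need no network
    resp = boto3.client("sts").assume_role_with_saml(
        RoleArn=role_arn, PrincipalArn=provider_arn,
        SAMLAssertion=saml_response_b64, DurationSeconds=duration)
    return resp["Credentials"]

def write_profile(creds, profile="saml", path=None):
    """Store the keys as a named profile; then run `aws --profile saml s3 ls`."""
    path = path or os.path.expanduser("~/.aws/credentials")
    cfg = configparser.ConfigParser()
    cfg.read(path)  # keep any existing profiles
    cfg[profile] = {"aws_access_key_id": creds["AccessKeyId"],
                    "aws_secret_access_key": creds["SecretAccessKey"],
                    "aws_session_token": creds["SessionToken"]}
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    with open(path, "w") as fh:
        cfg.write(fh)
    os.chmod(path, 0o600)  # the file now holds secrets: owner read/write only
    return path
```

Pick a role from parse_roles(), pass it with the same base64 response to assume_role_with_saml(), and hand the result to write_profile(); re-run when the session expires.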