I have a problem when creating a Role I am getting an error that says “Cannot attach a Service Role Policy to a Customer Role”
In fact, there is something called Customer Managed Role, which the above error seems to display as 'Customer Role'.
From AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role)
A role that a service assumes to perform actions in your account on your behalf. When you set up some AWS service environments, you must define a role for the service to assume. This service role must include all the permissions required for the service to access the AWS resources that it needs.
Now if you create a role, which isn't a service role, and attach permissions yourself, it appears under what AWS shows as Customer Managed Role (Screenshot below). If you look carefully, the service roles in AWS show the AWS box icon and the Customer Managed ones don't.
Reason: I was facing the above error as well and the reason was that my Role had custom inlined policies attached. If a Role has custom attached policies (inlined), AWS doesn't let you attach the Service Roles to it. You can filter the roles and find out what's causing the issue.
I hope this is documented somewhere as I was scratching my head for quite some time on this.
Related
I'm working on an AWS account managed by another team which use it only for S3 storage. We have authorization to use sagemaker, and administartor said “AmazonSageMakerFullAccess” have been given to me.
I'm trying to access sagemaker studio, for that I'm ask to "Setup SageMaker Domain" by aws.
I then need a "Default execution role"
If I try to create one, I got error "User ... is not authorized to perform: iam:CreateRole on resource: ..."
There is an option to use a custom exiting one with the format
"arn:aws:iam::YourAccountID:role/yourRole"
but while I have an account Id, I don't know what role to use.
I don't have permission to create role, and the ones I see in IAM service doesn't seem to be related to sagemaker (also I don't have permission to see the details of those roles).
Should the sagemaker setup be done by the administrator who can create a new role ? Or is there a way for me to do it, and if so where can I find the role I need ?
If you don't attach any role to AWS SageMaker, and when you try to create SageMaker resource the very first time it will create a default execution role for the service. Either get the permission to create a role or ask your administrator to create a execution role for your SageMaker so that next time when you create one you can use the same role.
I'm deploying a service to amazon ecs through docker. I need to assign an IAM role to the cluster that allows it to communicate with secrets manager, as that's where some of the important configuration comes from. However, when trying to select the iam role, I get this error message:
Error message
So I tried following the amazon documentation and going to the account settings tab signed in as the root account, only to find that the settings were already enabled by default. So now I'm sort of stuck as to what to do at this point. Is there something I'm missing here?
resources already enabled
From your screenshot what I understand is that the IAM role you are using to deploy the container does not have "ecsInstanceRole" in your IAM roles. You could use the following steps to create it.
Open the IAM console at https://console.aws.amazon.com/iam/
In the navigation pane, choose Roles and then choose Create role.
Choose the AWS service role type, and then choose Elastic Container Service.
Choose the EC2 Role for Elastic Container Service use case and then Next: Permissions.
In the Attached permissions policy section, select AmazonEC2ContainerServiceforEC2Role and then choose Next: Review.
Important
The AmazonEC2ContainerServiceforEC2Role managed policy should be attached to the container instance IAM role, otherwise you will receive an error using the AWS Management Console to create clusters.
For Role name, type ecsInstanceRole and optionally you can enter a description.
Review your role information and then choose Create role to finish.
or you can follow the below document:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
I cloned this solution azure-devops-on-aws and used dotnet lambda deploy-serverless ... to deploy the MyLizardApp to my personal AWS account.
During the learning curve, I created an S3 bucket my-lizard-test, IAM user group MyLizardGroup with user lizard-user and group policy MyLizardApp-Policy. Included in the policy are these services:
API Gateway (full access, all resources)
CloudFormation (full access, all resources)
Lambda (full access, all resources)
S3 (full access, all resources)
(Eventually) the deployment succeeded and I had a Lambda application serving the simple razor page showing the time.
I then copied the LambdaEntryPoint.cs, aws-lambda-tools-defaults.json and serverless.template files to my own dotnet core webapp (also a razor project) and attempted to deploy it to the same AWS account with the same command. The only changes made were the namespace of the LambdaEntryPoint class (reflected in the serverless.template file) and the .csproj file to include:
<AWSProjectType>Lambda</AWSProjectType>
and:
<PackageReference Include="Amazon.Lambda.AspNetCoreServer" Version="5.0.0" />
The dotnet lambda deploy-serverless ... command failed with the message:
User: arn:aws:iam::123456789120:user/lizard-user is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789120:role/MyLizardAppServiceRole (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 12345678-1234-1234-1234-123456789012; Proxy: null)
I got the command to succeed by adding the IAM service to the MyLizardApp-Policy with the PassRole (all resources).
Why was this necessary for my personal app and not the demo solution from github? If the answer is not clear, what should I be looking for as differences? My personal app is not significantly different from the demo solution and I don't think the functional differences (in C#) would matter.
Whenever an AWS Service assumes (uses) an IAM Role, the service must have iam:PassRole permission to grant permission to use the Role. This required to prevent users from gaining too much permission.
For example, imagine a normal (non-Admin) user who launches an Amazon EC2 instance. When launching the instance, they can nominate an IAM Role to be assigned to the instance. If this user was permitted to select any IAM Role, they could select an Admin role and assign it to the EC2 instance. They could then login to the instance and use the credentials to make API calls as an Admin. This is an unwanted "privilege escalation".
Similarly, when an AWS Lambda function executes, it uses an IAM Role to obtain permissions. The iam:PassRole permission is used to control which roles a user can assign to the Lambda function.
So, there is something in that project that is trying to use an IAM Role and needs appropriate permissions.
First of all, we need to know what PassRole is:
iam:PassRole is the permission that controls which users can delegate an IAM role to an AWS resource.
As I can see in the repo, there is a file for CodeDeploy which already have credentials so maybe you are using CodeDeploy.
But btw, you are using an instances to deploy a Lambda function, and you need to pass the role to that Lambda so that is what PassRole do
AWS Services cannot directly assume service-linked roles. The role must be passed to the service by a user with the iam::PassRole permission.
The role-passing needs to be done only once, when a resource (e.g. EC2 instance) is created. After that the resource can assume the role repeatedly.
EC2 Instance profile is implemented this way. When a user launches an instance, it passes a role to the instance to act as an instance profile (it in addition needs iam:AddRoleToInstanceProfile for this case).
Other service-linked roles are also passed in this way.
Do not confuse it with the iam::CreateRole permission. A user may freely create service-linked roles, but is unable to pass the role to a service when needed.
In the management console, and to some extent in the CLI commands, role-passing is implicit, so you may encounter it without clear error messages when using non-root accounts.
As for why sometimes you need this permission, ands sometimes you don't, that is because when you use the root user, it will have AdministratorAccess which basically allows all actions on all resources.
If you create a new IAM user or account with blank permissions then you will need to add this permission manually.
I'm trying to replicate this lab :https://github.com/aws-samples/ec2-spot-montecarlo-workshop, But keep getting an error The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances. seems like when it tries to create instance it fails, does anyone have an idea why ? I made sure to give it all permission role but didn't work ...
Seems that credentials which you use (IAM user or role) do not have permissions to execute an action iam:CreateServiceLinkedRole. The action:
Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf
Please double check the IAM user and credentials which you use.
When lodging a spot request – there is a service-linked role that needs to be created (if it does not exist) in IAM called AWSServiceRoleForEC2Spot.
Check that the IAM user has the permission:
iam:CreateServiceLinkedRole
More in the docs:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-requests.html#service-linked-roles-spot-instance-requests
What difference between policies under the paths "aws:policy/service-role" and "aws:policy/aws-service-role"?
Is there any the logic behind this design?
The AWS managed policies within the aws-service-role path are policies that be attached to a service-linked role only.
If you go to AWS Console -> IAM -> Policies, filter by AWS Managed Polices and start clicking on them, you'll notice the ones with the aws-servive-role path have a help label at the top that reads "This policy is linked to a service and used only with a service-linked role for that service. You cannot attach, detach, modify, or delete this policy.". There might be a way to filter down to the service-linked policies in the AWS Console or CLI when desribing policies other than inspecting the paths, but it alludes me right now.
You can see their usage described here
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html.
Here also is the blog post that describes what a service-linked role is https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/. Basically these are roles that can only be assumed by a specific service type.
The AWS managed policies in the service-role path are policies that can be attached to any role including "normal/basic" roles. These types of roles can be assumed by users, EC2 instances, or anywhere else roles are assumed.
For example you could give someone permission to attach a linked-service role that has the policy arn:aws:iam::aws:policy/aws-service-role/AWSLambdaReplicator attached which is only attachable to a linked-role linked to the Lambda service. They would be able to use this role in the Lambda execution role, but they would not be able to use this role with another service like EC2 or an IAM user. This supports an admin allowing users to assign out permissions to new resources that users spins up (a new Lambda) that that the admin trusts the linked AWS service to use, but don't want to allow that user to access directly through their user account or give them to other custom applications running in AWS.