I want to get the order list. When I call via Postman with the below information, I get an error in reply.
AMAZON_MARKETPLACE=A33AVAJ2PDY3EV
Orders are not coming.
I get the error "Access to the requested resource is denied"
Steps I did:
I have created the IAM user, IAM role, and IAM policies.
I have created the seller account and developer account as well.
I am using the role ARN in my seller central app.
I have set up an RDS proxy for an Aurora DB. I am able to connect to the RDS proxy endpoint but not able to perform any operations.
For example, if I run show processlist; I get the below error:
ERROR 1045 (28000): Database Access denied for user 'admin'@'ip-address' (using password: YES)
Note: I am able to access the RDS endpoint directly and perform all the operations.
Thanks in advance!
I encountered this same issue. Turns out it was related to the auto-generated IAM role permissions.
The secrets manager had 2 user accounts added to it (with verified correct credentials), and both were added to the RDS proxy. However, only the first user account worked. The second user account would get a permission denied error.
Checking the CloudWatch logs, I saw a message similar to:
Credentials couldn't be retrieved. The IAM role "arn:aws:iam::ACCOUNT:role/service-role/rds-proxy-role-TIMESTAMP" is not authorized to read the AWS Secrets Manager secret with the ARN "arn:aws:secretsmanager:REGION:ACCOUNT:secret:SECRET_NAME"
When I looked at the IAM policy for the rds-proxy-role-TIMESTAMP role, it had only been granted access to the secret for the first user. This appears to be an issue with the creation of the IAM role when the proxy is set up.
To resolve it, I modified the policy for the rds-proxy-role-TIMESTAMP role to give it access to the ARN for the second user's secret as well. After a few minutes, I was able to log in as the second user.
If you are getting a Database access denied error, please check the user permissions in RDS first.
If you can connect to RDS directly with these credentials, check that the credentials in Secrets Manager are the same.
Then check whether your RDS Proxy policy has permission to access all of your Secrets Manager records, as I mention here https://stackoverflow.com/a/73649818/4642536
I'm trying to provide cross-account Glue access to Account B from Account A.
I'm first getting an error that says,
User {my_arn} is not authorized to perform: glue:GetDatabases on resource: {catalog}
I researched and found that I can grant Data Catalog permissions through Lake Formation. I selected "External accounts" and added the catalog resources along with table permissions. However, I get another error that says:
You don't have IAM permissions to make cross-account grants.
The required permissions are in the AWS managed policy AWSLakeFormationCrossAccountManager.
So I go to the IAM Management Console, find the policy specified in this error message, and attach it to the role I'm using (the one in the top right corner of the AWS Management Console).
But the same error message keeps popping up and this doesn't seem to have solved the issue.
What am I doing wrong here? How can I bypass this issue?
I am using a service account credential to deploy a Cloud Function to GCP. I got a permission error:
Error: googleapi: Error 403: Missing necessary permission iam.serviceAccounts.actAs for $MEMBER on the service account
I opened the service account's permissions in GCP, but I can't find where I can add a role to the account.
Below is the screenshot of the service account. There is a GRANT ACCESS button, but it is used to grant members access to this account. How can I add roles to the role list?
Recapping what John said:
You do not need to grant permissions to the Service Account.
You need to grant permission to the user so that they can act as that Service Account.
TL;DR:
On the screen you provided, select Grant access, enter the username and pick the Service Account User role.
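The fix above is a read-modify-write of the service account's own IAM policy: the binding must name the deploying user as the member and grant a role that contains iam.serviceAccounts.actAs (Service Account User does; Service Account Token Creator does not). The following is an added example, not code from the question or the answer: it works offline on a policy document in the shape returned by `gcloud iam service-accounts get-iam-policy SA --format=json`, checks whether a member can act as the account, and applies the same idempotent binding change that `gcloud iam service-accounts add-iam-policy-binding` performs. The member, account and etag values are constructed, and ROLE_PERMISSIONS lists only a subset of each role's real permissions.

```python
"""Added example: inspect and fix a GCP service-account IAM policy offline.

Not part of the original question or answer. The policy shape follows
`gcloud iam service-accounts get-iam-policy ... --format=json`; member and
account names below are constructed placeholders.
"""
import copy

ACT_AS = "iam.serviceAccounts.actAs"   # the permission named in the 403 error

# Subset of the permissions carried by two predefined roles (assumption:
# reduced to the ones relevant here; the real roles include more).
ROLE_PERMISSIONS = {
    "roles/iam.serviceAccountUser": {
        ACT_AS, "iam.serviceAccounts.get", "iam.serviceAccounts.list",
    },
    "roles/iam.serviceAccountTokenCreator": {
        "iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.signBlob",
        "iam.serviceAccounts.signJwt", "iam.serviceAccounts.get",
        "iam.serviceAccounts.list",
    },
}


def permissions_for(policy, member):
    """Union of the modelled permissions that unconditional bindings grant member."""
    perms = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue  # conditional bindings are not modelled; treat as not granted
        if member in binding.get("members", []):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def can_act_as(policy, member):
    """True when member may deploy code that runs as this service account."""
    return ACT_AS in permissions_for(policy, member)


def grant_service_account_user(policy, member):
    """Return a copy of policy with member added to roles/iam.serviceAccountUser.

    Idempotent, keeps all other bindings, and preserves the etag so the
    caller's setIamPolicy call still detects concurrent modification.
    """
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        if binding.get("role") == "roles/iam.serviceAccountUser" and not binding.get("condition"):
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({"role": "roles/iam.serviceAccountUser", "members": [member]})
    return updated


# --- constructed sample policy ---------------------------------------------
DEPLOYER = "user:deployer@example.com"
SA = "serviceAccount:deploy-sa@my-project.iam.gserviceaccount.com"
BEFORE = {
    "etag": "BwXconstructedEtag=",
    "bindings": [
        # Token Creator alone reproduces the asker's error: no actAs.
        {"role": "roles/iam.serviceAccountTokenCreator", "members": [DEPLOYER]},
    ],
}

if __name__ == "__main__":
    print("before:", can_act_as(BEFORE, DEPLOYER))
    AFTER = grant_service_account_user(BEFORE, DEPLOYER)
    print("after: ", can_act_as(AFTER, DEPLOYER))
```

Granting a role to the service account itself (the member being the SA rather than the user) leaves can_act_as false for the deployer, which is exactly the mistake the answer warns about.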
I logged into the AWS console as DEV-OPS-ENGINEER and created ROLE-1 with an AWS managed policy attached. I attached this role to ECS tasks.
Now from my machine I logged into the AWS CLI as DEVELOPER and ran the aws ecs update-service command, but I am getting the below-mentioned error:
"An error occurred (AccessDeniedException) when calling the UpdateService operation: User: arn:aws:sts:::assumed-role/DEVELOPER is not authorized to perform: iam:PassRole on resource: arn:aws:iam:::role/ROLE-1"
My idea was that all logged-in users (with different roles) should be able to use ROLE-1.
Any idea why it is throwing this error and how I can resolve it?
To pass a role (and its permissions) to an AWS service, a user must have permissions to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user's IAM user, role, or group.
Find out more, including examples, in the AWS User Guide: Granting a user permissions to pass a role to an AWS service
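Both AccessDenied cases on this page come down to an identity policy that does not match the request: the auto-generated rds-proxy-role policy listed only the first user's secret ARN, and DEVELOPER's policy has no iam:PassRole statement for ROLE-1. The following is an added example, not code from either answer or from AWS: a small offline evaluator for the subset of IAM identity-policy logic involved (explicit Deny wins, otherwise a matching Allow is required; wildcards in Action and Resource; StringEquals and StringLike conditions such as iam:PassedToService). It checks a proxy role's policy against the secrets attached to the proxy, and builds the least-privilege PassRole grant the second answer calls for, scoped to ecs-tasks.amazonaws.com. Account id, role and secret ARNs are constructed placeholders; resource policies, SCPs and permission boundaries are not modelled.

```python
"""Added example: offline IAM identity-policy evaluator (subset).

Not from the original answers or from any AWS library. Models only:
Deny-overrides-Allow, wildcard Action/Resource matching, and
StringEquals/StringLike conditions. Resource policies, SCPs, permission
boundaries and NotAction/NotResource are out of scope. All ARNs are
constructed placeholders.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value):
    # IAM wildcards: '*' = any run of characters, '?' = one character.
    # fnmatch also treats '[' as a character class; IAM does not, so escape it.
    return fnmatchcase(value, pattern.replace("[", "[[]"))


def _condition_ok(condition, context):
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)       # missing key => condition fails
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringLike":
                if actual is None or not any(_iam_match(e, actual) for e in expected):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def _statement_matches(stmt, action, resource, context):
    if "NotAction" in stmt or "NotResource" in stmt:
        raise NotImplementedError("NotAction/NotResource not modelled")
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if not any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt.get("Action"))):
        return False
    if not any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource"))):
        return False
    return _condition_ok(stmt.get("Condition"), context)


def is_allowed(policy, action, resource, context=None):
    """Identity-policy decision: any matching Deny => False, else any matching Allow."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if _statement_matches(stmt, action, resource, context):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def secrets_not_readable(role_policy, secret_arns):
    """Secrets attached to the proxy that the proxy role cannot fetch (the CloudWatch error case)."""
    return [arn for arn in secret_arns
            if not is_allowed(role_policy, "secretsmanager:GetSecretValue", arn)]


def passrole_policy(role_arn, service):
    """Least-privilege grant for DEVELOPER: pass exactly role_arn, only to one service."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": service}},
        }],
    }


# --- constructed sample data ------------------------------------------------
ACCOUNT = "111122223333"
SECRET_USER1 = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:rds-proxy-user1-AbCdEf"
SECRET_USER2 = f"arn:aws:secretsmanager:us-east-1:{ACCOUNT}:secret:rds-proxy-user2-GhIjKl"
ROLE_1 = f"arn:aws:iam::{ACCOUNT}:role/ROLE-1"

# Shape of the policy the proxy wizard generated in the answer: only user 1's secret.
PROXY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": [SECRET_USER1],
    }],
}

if __name__ == "__main__":
    print("proxy role cannot read:", secrets_not_readable(PROXY_ROLE_POLICY, [SECRET_USER1, SECRET_USER2]))
    dev = passrole_policy(ROLE_1, "ecs-tasks.amazonaws.com")
    print("pass to ECS:", is_allowed(dev, "iam:PassRole", ROLE_1, {"iam:PassedToService": "ecs-tasks.amazonaws.com"}))
    print("pass to Lambda:", is_allowed(dev, "iam:PassRole", ROLE_1, {"iam:PassedToService": "lambda.amazonaws.com"}))
```

Adding SECRET_USER2 to the proxy role's Resource list (or a pattern such as `...:secret:rds-proxy-*` when the secrets share a prefix) empties the secrets_not_readable result, which is the change the first answer made by hand; the PassedToService condition keeps the DEVELOPER grant from also being usable to hand ROLE-1 to an unrelated service.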
I am trying to apply the role binding below to grant the Storage Admin Role to a GCP roleset in Vault.
resource "//cloudresourcemanager.googleapis.com/projects/{project_id_number}" {
  roles = [
    "roles/storage.admin"
  ]
}
I want to grant access to the project level, not a specific bucket so that the GCP roleset can access and read/write to the Google Container Registry.
When I try to create this roleset in Vault, I get this error:
Error writing data to gcp/roleset/my-roleset: Error making API request.
URL: PUT http://127.0.0.1:8200/v1/gcp/roleset/my-roleset
Code: 400. Errors:
* unable to set policy: googleapi: Error 403: The caller does not have permission
My Vault cluster is running in a GKE cluster which has OAuth Scopes for all Cloud APIs, I am the project owner, and the service account Vault is using has the following permissions:
Cloud KMS CryptoKey Encrypter/Decrypter
Service Account Actor
Service Account Admin
Service Account Key Admin
Service Account Token Creator
Logs Writer
Storage Admin
Storage Object Admin
I have tried giving the service account both Editor and Owner roles, and I still get the same error.
Firstly, am I using the correct resource to create a roleset for the Storage Admin Role at the project level?
Secondly, if so, what could be causing this permission error?
I had previously recreated the cluster and skipped this step:
vault write gcp/config credentials=@credentials.json
Adding the key file fixed this.
There is also a chance that following the steps to create a custom role here and adding that custom role played a part.