I am creating an IAM user using CloudFormation but getting the error mentioned below:
"API: iam:CreateUser User: arn:aws:sts::11111111111:assumed-role/MyCloudFormationRole/AWSCloudFormation is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::11111111111:user/username1 with an explicit deny"
I have created MyCloudFormationRole and have given it full IAM access (iam:*), and I am running the CloudFormation command using this role.
create stack command:
aws cloudformation create-stack --stack-name my-users --template-body file://C:/template.yml --parameters file://C:/parameters.json --role-arn arn:aws:iam::11111111111:role/MyCloudFormationRole --capabilities CAPABILITY_NAMED_IAM
Is there anything missing here?
When you are not allowed to do something it is either because you lack permissions or someone explicitly forbids it. In your case the "explicit deny" suggests the latter is the case. The policies can be in various locations:
identity policy
resource policy
session policy
permission boundary
SCP
You would simply need to check which one denies the request.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
I am following the AWS tutorial on how to create thumbnails using Lambda. I run this command to create a function:
aws lambda create-function --function-name CreateThumbnailDev --zip-file fileb://lambda-dev.zip --handler index.handler --runtime nodejs12.x --timeout 10 --memory-size 1024 --role arn:aws:iam::XXXXXXXXXXXXX:role/<MY_ROLE>
MY_ROLE is a role I created for executing Lambda. The above command returns this error:
An error occurred (AccessDeniedException) when calling the CreateFunction operation: User: arn:aws:iam::XXXXXXXXXXXXX:user/MY_USER is not authorized to perform: lambda:CreateFunction .....
The problem is that XXXXXXXXXXXXX is my account id (as the tutorial says to use it), but user/MY_USER is the user I configured my AWS CLI with locally; it exists but it doesn't have the necessary policy attached.
How should I configure the client to execute this command?
Here we have two different principals:
Role associated to the lambda function: permissions that the lambda function itself will have
Policies associated to your IAM user: what you can do
Looks like your IAM user named MY_USER, the one you're using for creating the Lambda, is missing permissions for that. You'll need to grant them, either by attaching a policy directly to the user or by adding the user to a group that has the policies.
You can check the official documentation for that.
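Both answers above come down to the same evaluation logic: the CloudFormation answer is about an explicit Deny that beats an iam:* Allow, and the Lambda answer is about an identity policy that simply contains no matching Allow (an implicit deny). The following is an added example, not code from either answer or from AWS, that models the evaluation-logic page linked above in a few lines of Python and runs the two threads' requests through it. All policy documents, the account id 111122223333, the region and the role name CreateThumbnailRole are constructed sample values; the iam:PassRole statement reflects the fact that creating a function with --role also requires permission to pass that role to Lambda.

```python
"""Simplified model of the IAM policy evaluation logic. Added illustration for
this thread, not AWS's code; every policy, ARN and account id is a constructed
sample."""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(stmt, action, resource):
    """True when a statement's Action and Resource patterns cover the request.
    IAM action names are case-insensitive; ARNs are matched case-sensitively."""
    action_ok = any(fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatchcase(resource, r)
                      for r in _as_list(stmt.get("Resource", "*")))
    return action_ok and resource_ok


def evaluate(request, policies):
    """policies maps a policy type (identity, resource, session,
    permission_boundary, scp) to a list of policy documents.
    Step 1: an explicit Deny in any type ends evaluation with a denial.
    Step 2: every type that is present must contain a matching Allow; an
    absent boundary, SCP or session policy imposes no restriction, but an
    absent identity policy means an implicit deny.
    Simplification: a resource policy can only Deny here; the same-account
    resource-policy Allow shortcut is not modelled."""
    action, resource = request["action"], request["resource"]
    for ptype, docs in policies.items():
        for doc in docs:
            for stmt in doc["Statement"]:
                if stmt["Effect"] == "Deny" and _matches(stmt, action, resource):
                    return "DENY (explicit deny in %s policy)" % ptype
    for ptype in ("scp", "permission_boundary", "session", "identity"):
        docs = policies.get(ptype, [])
        if not docs and ptype != "identity":
            continue  # nothing of this type attached, so nothing to restrict
        if not any(stmt["Effect"] == "Allow" and _matches(stmt, action, resource)
                   for doc in docs for stmt in doc["Statement"]):
            return "DENY (no Allow in %s policy)" % ptype
    return "ALLOW"


ACCOUNT = "111122223333"  # constructed sample account id

# CloudFormation thread: the role holds iam:*, but a constructed SCP denies
# user creation, which is exactly the "with an explicit deny" error text.
CFN_ROLE_IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
SAMPLE_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateAccessKey"],
     "Resource": "*"}]}
CFN_REQUEST = {"action": "iam:CreateUser",
               "resource": "arn:aws:iam::%s:user/username1" % ACCOUNT}

# Lambda thread: the CLI user has only S3 rights (implicit deny), then gets a
# policy granting the Lambda actions plus PassRole on the execution role.
LAMBDA_REQUEST = {"action": "lambda:CreateFunction",
                  "resource": "arn:aws:lambda:eu-west-1:%s:function:CreateThumbnailDev" % ACCOUNT}
CLI_USER_BEFORE = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
CLI_USER_AFTER = {"Statement": [
    {"Effect": "Allow",
     "Action": ["lambda:CreateFunction", "lambda:UpdateFunctionCode"],
     "Resource": "*"},
    # --role <arn> only works if the caller may pass that role to Lambda.
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::%s:role/CreateThumbnailRole" % ACCOUNT}]}


if __name__ == "__main__":
    print(evaluate(CFN_REQUEST, {"identity": [CFN_ROLE_IDENTITY], "scp": [SAMPLE_SCP]}))
    print(evaluate(CFN_REQUEST, {"identity": [CFN_ROLE_IDENTITY]}))
    print(evaluate(LAMBDA_REQUEST, {"identity": [CLI_USER_BEFORE]}))
    print(evaluate(LAMBDA_REQUEST, {"identity": [CLI_USER_AFTER]}))
```

The useful distinction the model makes visible is in the wording of the denial: a real "explicit deny" message means an Allow elsewhere is irrelevant and the Deny statement has to be found (SCP, boundary, session policy, resource policy), whereas "no identity-based policy allows" means an Allow has to be added to the calling principal.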
I faced a problem concerning the creation of a Lambda function using Terraform. I tried to follow the standard Terraform documentation to configure it, but in my case it doesn't work. When Terraform tries to create an IAM role for the Lambda function I get an error:
"Error: failed creating IAM role ... AccessDenied: User: ... is not authorized to perform: iam:CreateRole on resource: ... because no identity-based policy allows iam:CretaeRole action ..."
Actually, if I understood correctly, it requires an additional policy for my account or root privileges; I don't have either, and I need to use an already existing IAM role. Is there a way to configure it in Terraform?
Yes, you can use an IAM role with Terraform as explained in the TF docs:
Using AWS AssumeRole with the AWS Terraform Provider
In AWS CloudFormation, why do we have to edit IAM roles in the template only? Then why is the option given in the console? When trying to update the IAM role it says there is nothing to update.
The role in question is used to grant CloudFormation the permissions to deploy specific resources as part of the stack. By default, if you don't specify what role the stack should use, it will use the permissions assigned to the user that's creating the CFN stack. So, for example, in case you don't have permissions to deploy IAM resources and you try to deploy a CFN stack containing an IAM Role, it will fail due to lack of permissions. This is where the CloudFormation IAM Roles come in handy. You can have a CloudFormation role deployed that has more permissions than the role you're using to deploy the stack itself, and by assigning it to the CFN stack you're now able to provision those resources.
To update the IAM Role that the stack uses without making any changes to the stack resources you can go to Update -> Use current template -> Change IAM role (in Permissions), pick the role you want the stack to use and click Update stack. Once completed you can check the Stack info and in Overview the new IAM Role ARN should be listed.
When deploying the resources from the pipeline or the AWS CLI you can also specify the role you want your stack to use to provision the resources.
aws cloudformation deploy \
--template-file package.yaml \
--stack-name YOUR-STACK-NAME \
--role-arn arn:aws:iam::123456789012:role/YOUR-IAM-ROLE
Your screenshot shows the AWS CloudFormation (CFN) service role. This is a totally different role from those in your templates. Namely, CFN will use that role to create/update your stack. By default CFN uses your own IAM user permissions, but you can tell CFN to use the given CFN service role instead.
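The two answers above describe a setup with two separate documents: the service role's trust policy, which must let CloudFormation assume it, and the deploying principal's own policy, which must grant iam:PassRole on that role (otherwise --role-arn is rejected as a permission error on the caller, not on the stack). As an added example, not code from either answer or from AWS, here is a small Python check for the way this pair is usually misconfigured: a trust policy that trusts more than cloudformation.amazonaws.com, or a PassRole grant on a wildcard resource without an iam:PassedToService condition. The account id 123456789012 is taken from the command above; the role name CfnDeployRole and both policy documents are constructed samples.

```python
"""Linter for a CloudFormation service-role setup: trust policy of the role
plus iam:PassRole in the caller's policy. Added example for this thread, not
AWS's code; role name and policy documents are constructed samples."""
from fnmatch import fnmatchcase

CFN_SERVICE = "cloudformation.amazonaws.com"
ROLE_ARN = "arn:aws:iam::123456789012:role/CfnDeployRole"  # constructed


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def check_trust_policy(trust_policy):
    """Return findings (empty list = acceptable) for the service role's
    trust policy: only CloudFormation should be able to assume the role."""
    findings = []
    trusted_services = set()
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy lets any principal assume the role")
            continue
        trusted_services.update(_as_list(principal.get("Service", [])))
    if CFN_SERVICE not in trusted_services:
        findings.append("trust policy does not allow %s to assume the role" % CFN_SERVICE)
    extra = sorted(trusted_services - {CFN_SERVICE})
    if extra:
        findings.append("trust policy also trusts unrelated services: %s" % ", ".join(extra))
    return findings


def check_passrole(caller_policy, role_arn=ROLE_ARN):
    """Return findings for the deploying principal's policy: iam:PassRole must
    cover the service role, should not be a wildcard, and should be pinned to
    CloudFormation via the iam:PassedToService condition key."""
    stmts = [s for s in caller_policy["Statement"]
             if s["Effect"] == "Allow"
             and any(fnmatchcase("iam:passrole", a.lower()) for a in _as_list(s["Action"]))]
    if not stmts:
        return ["caller policy grants no iam:PassRole, so --role-arn will be rejected"]
    findings = []
    if not any(fnmatchcase(role_arn, r) for s in stmts for r in _as_list(s.get("Resource", "*"))):
        findings.append("iam:PassRole does not cover %s" % role_arn)
    for s in stmts:
        if any(r == "*" or r.endswith(":role/*") for r in _as_list(s.get("Resource", "*"))):
            findings.append("iam:PassRole resource is a wildcard; scope it to the service role")
        passed_to = s.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if passed_to is None or CFN_SERVICE not in _as_list(passed_to):
            findings.append("iam:PassRole lacks an iam:PassedToService condition for %s" % CFN_SERVICE)
    return findings


# Constructed sample documents.
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                             "Principal": {"Service": CFN_SERVICE}}]}
BROAD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                              "Principal": {"Service": [CFN_SERVICE, "ec2.amazonaws.com"]}}]}
GOOD_CALLER = {"Statement": [
    {"Effect": "Allow", "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN,
     "Condition": {"StringEquals": {"iam:PassedToService": CFN_SERVICE}}}]}
BROAD_CALLER = {"Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}
NO_PASSROLE_CALLER = {"Statement": [
    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"}]}


if __name__ == "__main__":
    for name, result in [("trust/good", check_trust_policy(GOOD_TRUST)),
                         ("trust/broad", check_trust_policy(BROAD_TRUST)),
                         ("caller/good", check_passrole(GOOD_CALLER)),
                         ("caller/broad", check_passrole(BROAD_CALLER)),
                         ("caller/none", check_passrole(NO_PASSROLE_CALLER))]:
        print(name, result or "ok")
```

The "no iam:PassRole" finding is the case that surprises people most: the stack role can hold far more permissions than the deploying user, but the user still needs one narrow grant, the right to hand that role to CloudFormation, before the --role-arn flag works.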
aws deploy register-on-premises-instance --instance-name XXXXX --iam-user-arn arn:aws:iam::XXXXXXXXXXXX:user/LightSailCodeDeployUser --region ap-south-1
An error occurred (AccessDeniedException) when calling the RegisterOnPremisesInstance operation: User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AmazonLightsailInstanceRole/i-XXXXXXXXXXXXXX is not authorized to perform: codedeploy:RegisterOnPremisesInstance on resource: arn:aws:codedeploy:ap-south-1:XXXXXXXXXX:instance:XXXXXXXXXXXX
I didn't even create the role AmazonLightsailInstanceRole, so how did it come into the picture? My user has all permissions on CodeDeploy though. I am following this link to set up: https://aws.amazon.com/blogs/compute/using-aws-codedeploy-and-aws-codepipeline-to-deploy-applications-to-amazon-lightsail/
I made the same mistake and then realized that command is meant to be run on your local machine and not the instance!
AmazonLightsailInstanceRole is a service-linked role automatically created by AWS:
Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
The error you are getting is not about you not having the codedeploy:RegisterOnPremisesInstance permission.
The error is about the AmazonLightsailInstanceRole not having it. It does not matter if you (i.e. your IAM user) have all CodeDeploy permissions.
Normally you would add the missing permissions to the role. How to work with the AmazonLightsailInstanceRole is described in the following AWS documentation:
Using Service-Linked Roles for Amazon Lightsail
Editing a Service-Linked Role
However, I'm not sure if you can modify the AmazonLightsailInstanceRole and add the missing permissions. Some service-linked roles can be modified, some not.
The documentation is a bit confusing. Create a new user in IAM with the admin role (full privileges) and use the credentials of that user to run the command on your local machine.
The SFProSetup stack was deleted by mistake. This deleted an IAM role needed for serverless deploy.
So I redeployed the template under a new name but the following error message still occurs when deploying my service.
Error: {"errorMessage":"Your AWS credential for deployment profile default is configured to use the IAM role arn:aws:iam::730609332320:role/SFProRole, but access to that role was denied by IAM. - Please contact support and provide this identifier to reference this issue - NVB2DG9Q46SQ"}
I have one aws profile and have been deploying successfully before this.
I redeployed the template with the following command
aws cloudformation deploy --template-file ~/Desktop/serverless_setup.yml --stack-name SFProSetup --region us-east-1 --profile default --parameter-overrides OrgId=xyz123 ProfileName=default --capabilities CAPABILITY_NAMED_IAM
A series of steps led me to find that the stack must be deployed in us-east-1 because that's the only region the Reporter component can talk to. --capabilities CAPABILITY_NAMED_IAM was necessary because the template creates an AWS role with a capability. And finally, I noticed a parameter for OrgId was used in the original stack creation, so I added it to the parameter overrides in the command. I'm guessing this is my id in serverless: OrgId=xyz123