I am trying to use the AWS SageMaker Studio > Get Started > Quick Start, as an IAM user with the AmazonSageMakerFullAccess policy attached, but I am getting the following error:
User: arn:aws:iam::<user-id>:user/<username> is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-west-1:<user-id>:domain/d-<domain-id>
I looked up some documentation on the CreateDomain command, and it looks like it involves EFS storage and VPC configuration, so I have also added the FullAccess policies for these services to my IAM user, but am still getting the same error.
I also tried adding a custom policy as shown here: https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-createdomain-perms which also seemed to have no effect.
What am I doing wrong here?
AmazonSageMakerFullAccess policy gives the user access to perform actions such as start training jobs, deploy endpoints, along with limited access on other services such as ECR, Glue etc. This is generally attached to a SageMaker notebook instance or Studio.
The user creating the SageMaker domain needs sagemaker:CreateDomain permission, i.e., to your IAM user, add:
{
"Sid": "AllowCreateDomain",
"Effect": "Allow",
"Action": "sagemaker:CreateDomain",
"Resource": "*"
}
I work at AWS and my opinions are my own.
Related
I want creat a connector for Debezium. I am unable to create a kafka connector using the AWSServiceRoleForKafkaConnect role. Here is the error I get when clicking Create Connector on the last page in the form:
Error creating connector There was a problem creating a connector. If the problem persists, contact AWS Support. API response Invalid parameter serviceExecutionRoleArn: A service linked role ARN cannot be provided as service execution role ARN.
Here is the document which I am following:
https://aws.amazon.com/tr/blogs/aws/introducing-amazon-msk-connect-stream-data-to-and-from-your-apache-kafka-clusters-using-managed-connectors/
How Can I fix this problem ? Thanks!
I'm having the same issue in the last few days. I have created Kafka connectors in early Jan and December with no issues using the provided AWSServiceRoleForKafkaConnect role.
I tried creating the new connectors with the same config on the same cluster using the same role that worked before and now I'm also getting the same error:
Invalid parameter serviceExecutionRoleArn: A service linked role ARN cannot be provided as service execution role ARN.
I think this may be due to an update on the AWS side.
Update from AWS****
Hi there, there were some recent changes made to the use of Service Linked Roles (SLR) as an execution role for Amazon MSK Connect Connectors. SLRs are no longer allowed to be used as the execution role. This may not affect Connectors which do not interact with Amazon MSK clusters or other resources using IAM authentication, but will affect any interaction with IAM controlled resources. It is recommend that all connector execution roles use customer managed roles with Trust Relationships including kafkaconnect.amazonaws.com. See the documentation on Service Execution Roles (1) for more details.
Currently the console allows the selection of an SLR (AWSServiceRoleForKafkaConnect) as the execution role, this will be removed in future updates and should not be used when creating connectors.
(1) https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect-service-execution-role.html
I had a similar problem while creating MSK Connector to S3 bucket. You can solve it using instructions from this tutorial:
https://docs.aws.amazon.com/msk/latest/developerguide/mkc-tutorial-setup.html
You have to create new IAM Role and edit Trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "kafkaconnect.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
We have just built a new Things Enterprise server hosted at AWS on an EC2 instance and created an application to use AWS IOT. We are getting the following error
“message”: “User: arn:aws:sts::446971925991:assumed-role/Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ/i-095895d605fab3fa4 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93”
I have been told
What is the execution role of the TTES instance that is trying to assume the role? The role TTES needs to be able to assume that role. That will give the right permissions.
But I'm not sure what that means, i'm presuming i need to add / alter some permissions within an IAM role. Can someone point me in the right direction Pls.
From the error message it seems that your IAM role for Amazon EC2 has no permissions to assume a role Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93.
To add such permissions manually you can do the following:
Go to IAM Console->Roles.
In the Roles window, you can use Search bar to locate Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ role.
Once you find the role, you click on Add inline policy.
Once Create policy window shows, you can go to JSON tab and add the following JSON policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93"
}
]
}
Then click Review Policy, name the policy (e.g. PolicyToAssumeRole) and Create policy
However, based on your policy names (e.g. Stack-Srv-StackIAMRole) it is possible that they have been create by CloudFormation. If this is the case, then manually changing the roles as described above is a bad practice and will lead to drift. Any changes to resources created by CloudFormation should be done using CloudFormation. Sadly, your question does not provide any details about CloudFormation templates used, therefore its difficult to comment on that more.
I am going to Update existing Api gateway through aws cli commands (https://docs.aws.amazon.com/cli/latest/reference/apigateway/put-rest-api.html) from AWS CodePipeline and meet problem that CodeBuild has
An error occurred (AccessDeniedException) when calling the GetRestApis operation: User: arn:aws:sts:<skipped_text> is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-west-2::/restapis
Is it possible to update Api gateway through code using CodePipeline and aws cli?
Or What do you use as a tool for updating apigateway?
Make sure to add following policy to the IAM user in order to allow admin access (CREATE, READ, UPDATE, DELETE) to API gateway,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": "arn:aws:apigateway:*::/*"
}
]
}
which also exists under amazon managed policies, AmazonAPIGatewayAdministrator,
1) Please check your credential working properly or not ,It appears that the credentials used in your AWS SDK do not have valid permissions on the API Gateway API.
You will need to define a policy for the user/role similar to below.
http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
2) When using CloudFormation with CodePipeline, need to create a role that can be assumed by CloudFormation,CodePipeline moves releases through a pipeline using the role you specify for a pipeline. CloudFormation needs permission to assume a separate role that you create for the CloudFormation action (it's not enough to create a role with permission to access other resources).
References
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-basic-walkthrough.html
https://s3.amazonaws.com/cloudformation-examples/user-guide/continuous-deployment/basic-pipeline.yml
aws forums
I am attempting to run a boto3 python script inside a docker container using AWS ECS. My script need access to SQS ( get & delete messages ) and Lambda ( permission to search and run ).
In order to get the docker container running on my local machine I was able to pass my aws credentials into the docker container using the following docker run command.
docker run -v ~/.aws:/root/.aws
Recently ECS has announced:
Amazon ECS now supports IAM roles for tasks. When you specify an IAM role for a task, its containers can then use the latest versions of the AWS CLI or SDKs to make API requests to authorized AWS services. Learn More
I attach a task IAM role to the task but upon running the task I get the following error:
Unable to run task
ECS was unable to assume the role that was provided for this task. Please verify that the role being passed has the proper trust relationship and permissions and that your IAM user has permissions to pass this role.
Any ideas would be appreciated.
It looks like IAM Task Roles are now supported in Boto, but regardless, that would be an issue when the Boto client was trying to make a request, not when trying to launch a task.
The issue here is defined in the error message. Either:
1) Your user does not have the iam:PassRole permission defined for the task role. This can be added by editing your user's policy to have a statement similar to the following:
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::<account>:role/<role name>"
}
2) The Task role you are trying to assign to the task does not have the proper trust relationship. Add the following trust policy to the ECS task role to make sure that it can be assumed by the task.
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Boto3 uses the botocore library for its API functions, and it allows a range of botocore versions for each Boto3 version, so even if you have the latest Boto3 version, you may not have the latest botocore.
Botocore supports ECS IAM roles for tasks as of version 1.4.37, so if you update the underlying botocore in your environment to at least that version, you should be able to use the ECS IAM roles for tasks feature.
I am exploring IAM. I want to give access to a single ec2 instance to a user. I have created a policy for this as:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1392113879000",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"arn:aws:ec2:us-east-1:account:instance/instance_id"
]
}
]
}
But I am getting this error:
I have referred to this link
Any lead is appriciated.
The Resource-Level Permissions for EC2 and RDS Resources you are referring to are not yet available for all API actions, but AWS in gradually adding more, see this note from Amazon Resource Names for Amazon EC2:
Important Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional
Amazon EC2 resources later. For information about which ARNs you can
use with which Amazon EC2 API actions, as well as supported condition
keys for each ARN, see Supported Resources and Conditions for Amazon
EC2 API Actions.
You will find that all ec2:Describe* actions are indeed absent still from Supported Resources and Conditions for Amazon EC2 API Actions at the time of this writing, and these are the ones required for listing resources e.g. in the AWS Management Console and triggering the errors you are seeing in turn ("You are not authorized to describe ...").
See also Granting IAM Users Required Permissions for Amazon EC2 Resources for a concise summary of the above and details on the ARNs and Amazon EC2 condition keys that you can use in an IAM policy statement to grant users permission to create or modify particular Amazon EC2 resources - this page also mentions that AWS will add support for additional actions, ARNs, and condition keys in 2014.