How to set correct SES Identity Policy for a tomcat beanstalk? - amazon-web-services

I want to send emails from a Tomcat Beanstalk but I receive the following error message:
User 'arn:aws:sts::123:assumed-role/aws-elasticbeanstalk-ec2-role/i-123' is not authorized to perform 'ses:SendEmail' on resource 'arn:aws:ses:eu-central-1:123:identity/example.com'
(Service: Ses, Status Code: 403, Request ID: 2a82693d-3344-4b53-8c8c-ef347c23cd29, Extended Request ID: null)
I have declared the following identity policy in the SES console on example.com:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "stmt1624645438239",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::123:assumed-role/aws-elasticbeanstalk-ec2-role/i-123"
      },
      "Action": "ses:SendEmail",
      "Resource": "arn:aws:ses:eu-central-1:123:identity/example.com"
    }
  ]
}
but I still get the error message. Why?

I found the solution for this is to create a policy in Identity and Access Management (IAM):
Go to the Identity and Access Management (IAM) dashboard > Customer managed policies
Create a policy for the SES service (in the resource I gave access to all my ARNs)
Attach it to the EC2 role

Related

AWS IAM user credential always authenticated as anonymous

I am creating a simple API Gateway and trying to apply its auth. I created an IAM user (called postman-user) and created its credential (as AccessKeyId and SecretAccessKey).
My IAM user policy is like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "execute-api:*",
      "Resource": "*"
    }
  ]
}
and in my API Gateway I applied the resource policy as below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<my account id>:root",
          "arn:aws:iam::<my account id>:user/postman-user"
        ]
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-west-2:<my account id>:<my api g id>/*"
    }
  ]
}
I applied the key ID and secret key in Postman.
Then the problem comes: no matter how I call the API endpoint using the AWS credentials of this IAM user, I always get this error:
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******
I thought it was Postman failing to sign this AWS SigV4, so I tried this in Python:
import requests
from aws_requests_auth.aws_auth import AWSRequestsAuth

url = 'https://<apig id>.execute-api.us-west-2.amazonaws.com/beta/query/'
auth = AWSRequestsAuth(aws_access_key='<my key id>',
                       aws_secret_access_key='<my secret key>',
                       # host and service must be the ones the request is signed for:
                       # the API's execute-api hostname and the execute-api service,
                       # not ec2.amazonaws.com / 'api'
                       aws_host='<apig id>.execute-api.us-west-2.amazonaws.com',
                       aws_region='us-west-2',
                       aws_service='execute-api')
response = requests.get(url, auth=auth)
This error just persists for me:
User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:******
Can anyone tell me what I missed? I clicked on Deploy API in Resources to stage beta 100 times...
Tried Python, tried Postman, nothing works.
It sounds like there is something missing on the API plane. It may be that you haven't configured IAM auth right on the HTTP method you try to use. It may also be that the resource policy is not attached to the API Gateway. Note that if the policy is updated and reattached you need to redeploy the API Gateway.
Link:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-create-attach.html
This is an API Gateway config issue:
Resources -> click on the method -> Method Request -> Authorization: it used to be None; changing it to AWS IAM made this work.
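The two answers above point at the gateway configuration; the Python attempt in the question also signs for the wrong host and service, which is a second, independent reason a signature cannot verify. The following is an added example, not code from the question or the answers: a standard-library Signature Version 4 signer for an API Gateway request. It shows the scoping rule in full: the Host header must be the API's execute-api hostname and the credential scope must end in <region>/execute-api/aws4_request. The access key, secret, API id and stage are made-up placeholders.

```python
# Added example (not code from the question or the answers above): sign a GET
# to an API Gateway stage with AWS Signature Version 4 using only the standard
# library. Host must be the execute-api hostname and the credential scope must
# end in <region>/execute-api/aws4_request; a signature scoped to another host
# or service does not verify at the gateway. Key, secret, API id and stage are
# made-up placeholders.
import datetime as dt
import hashlib
import hmac
from urllib.parse import urlparse, parse_qsl, quote

SERVICE = "execute-api"  # the service name API Gateway requests are signed for


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: HMAC chain over date, region and service."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sigv4_headers(method, url, access_key, secret_key, region,
                  now=None, service=SERVICE, body=b""):
    """Return the Host, X-Amz-Date and Authorization headers for a signed request."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    parsed = urlparse(url)
    host = parsed.netloc
    # canonical request: method, URI, sorted query, signed headers, payload hash
    canonical_uri = quote(parsed.path or "/", safe="/")
    params = sorted(parse_qsl(parsed.query, keep_blank_values=True))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in params)
    payload_hash = hashlib.sha256(body).hexdigest()
    signed_headers = "host;x-amz-date"
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    canonical_request = "\n".join([method.upper(), canonical_uri, canonical_query,
                                   canonical_headers, signed_headers, payload_hash])
    # credential scope ties the signature to date, region and service
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"Host": host, "X-Amz-Date": amz_date, "Authorization": authorization}


if __name__ == "__main__":
    # Placeholder values; replace with real credentials and your own API id/stage.
    headers = sigv4_headers(
        "GET", "https://abc123.execute-api.us-west-2.amazonaws.com/beta/query/",
        "AKIAEXAMPLE", "wJalrEXAMPLESECRET", "us-west-2")
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Pass the returned headers to requests.get(url, headers=headers). The signature is only checked when the method's Authorization is set to AWS_IAM; with None the gateway never looks at it and evaluates the resource policy for an anonymous caller, which is the error in the question.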

Allow elastic beanstalk role in resource based policy in cross account

I have deployed Elastic Beanstalk, which has a role MyEBSRole in Account A. I would like to give this role access to EventBridge in another account (Account B) (cross account). In Account B's EventBridge, I have added the following resource-based policy:
{
  "Sid": "mysid",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<Account-A-ID>:role/MyEBSRole"
  },
  "Action": ["events:PutRule", "events:ListRules", "events:DeleteRule", "events:DescribeRule", "events:DisableRule", "events:EnableRule", "events:PutTargets", "events:RemoveTargets"],
  "Resource": "arn:aws:events:<Region>:<Account-B-ID>:rule/*",
  "Condition": {
    "StringEqualsIfExists": {
      "events:creatorAccount": "${aws:PrincipalAccount}"
    }
  }
}
But I am getting the following exception:
An error occurred (AccessDeniedException) when calling the ListRules operation: User: arn:aws:sts::<Account-A-ID>:assumed-role/MyEBSRole/i-0b68xxxxxxx is not authorized to perform: events:ListRules on resource: arn:aws:events:<Region>:<Account-B-ID>:rule/*
If I replace the principal in the resource-based policy with this:
"Principal": {
  "AWS": "arn:aws:iam::<Account-A-ID>:root"
}
then I am able to get the result via CloudShell, but with Elastic Beanstalk it is still not working.
I also tried with arn:aws:sts::<Account-A-ID>:assumed-role/MyEBSRole/i-0b68xxxxxxx in the principal but it also does not work.
Could anyone please indicate what is wrong or missing there? Thank you.
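This question carries no answer on the page. An added example follows; it is not code from the question or from AWS. Cross-account access is granted only when both sides allow it: the resource-based policy in Account B (what the question shows) and an identity-based policy attached to the calling role in Account A. The block builds both policies, uses the IAM role ARN rather than the assumed-role session ARN as the principal (the session segment, the instance id, changes with every instance), and ends with a deliberately simplified evaluator (Allow statements only, no Deny, no conditions) that makes the "both must allow" rule checkable offline. Account ids, region and names are placeholders.

```python
# Added example, not part of the original question: the two policies that
# cross-account access needs at once, plus a simplified model of the rule.
# The evaluator ignores Deny statements and Condition blocks on purpose; it
# exists to show why a resource policy alone is not enough, not to replace
# IAM. Account ids, region and role names are placeholders.
import fnmatch
import json

EVENTS_ACTIONS = ["events:PutRule", "events:ListRules", "events:DeleteRule",
                  "events:DescribeRule", "events:DisableRule", "events:EnableRule",
                  "events:PutTargets", "events:RemoveTargets"]


def role_arn(account_id: str, role_name: str) -> str:
    # The IAM role ARN is the stable principal; the sts assumed-role session ARN
    # (.../assumed-role/MyEBSRole/i-0b68...) changes with every instance.
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def account_b_resource_policy(account_a, account_b, region, role_name):
    """Resource-based policy on the event bus in Account B (the trusting side)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAccountARole",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn(account_a, role_name)},
            "Action": EVENTS_ACTIONS,
            "Resource": f"arn:aws:events:{region}:{account_b}:rule/*",
            # limit the caller to rules created by its own account, on the APIs
            # that carry the events:creatorAccount key (hence ...IfExists)
            "Condition": {"StringEqualsIfExists": {
                "events:creatorAccount": "${aws:PrincipalAccount}"}},
        }],
    }


def account_a_identity_policy(account_b, region):
    """Policy to attach to MyEBSRole in Account A (the trusted side)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowEventsInAccountB",
            "Effect": "Allow",
            "Action": EVENTS_ACTIONS,
            "Resource": f"arn:aws:events:{region}:{account_b}:rule/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows(policy, action, resource, principal=None):
    """Simplified: does some Allow statement cover action, resource (and principal)?"""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if principal is not None:
            if principal not in _as_list(st.get("Principal", {}).get("AWS", [])):
                continue
        return True
    return False


def cross_account_allowed(identity_policy, resource_policy, principal, action, resource):
    """Cross-account rule: the caller's identity policy AND the resource policy must allow."""
    return (_allows(identity_policy, action, resource)
            and _allows(resource_policy, action, resource, principal))


if __name__ == "__main__":
    a, b, region = "111111111111", "222222222222", "eu-central-1"
    print(json.dumps(account_b_resource_policy(a, b, region, "MyEBSRole"), indent=2))
    print(json.dumps(account_a_identity_policy(b, region), indent=2))
```

The identity policy is attached to MyEBSRole in Account A (for example with aws iam put-role-policy); the resource policy goes on the event bus in Account B. This also explains the CloudShell observation in the question: a CloudShell user with broad IAM permissions already satisfies the identity-policy half, the instance role does not.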

How to connect to AWS Elasticsearch from EC2 using IAM?

I am trying to connect my EC2 instance to my ES domain and keep getting the following error:
AuthorizationException(403, 'security_exception', 'no permissions for [indices:data/read/search] and User [name=arn:aws:iam::ACCOUNT_ID:role/my-role, backend_roles=[arn:aws:iam::ACCOUNT_ID:role/my-role], requestedTenant=null]')
Elasticsearch configuration:
public domain
fine-grained access control via IAM
access policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:role/my-role"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:REGION:ACCOUNT_ID:domain/test/*"
    }
  ]
}
EC2 Configuration:
using IAM role my-role
with permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "es:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
All HTTP requests sent from EC2 to ES are being signed. I have already verified signing works: if I use the security credentials of the IAM user that I also set as the IAM ARN master user when setting up my ES domain, the requests between EC2 and ES work as expected.
The issue might be with fine-grained access control in ES. The same issue is mentioned here.
If you want to connect to the same ES cluster with FGAC from an EC2 instance then you need to map the EC2 IAM role to the backend Kibana roles. First you need to log in to Kibana with the master user and then follow the steps from the doc to map the EC2 IAM role to the Kibana 'all_access' role.
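The mapping step in the answer above can also be done through the security plugin's REST API, which is what the Kibana/Dashboards screen calls underneath. Below is an added example, not code from the answer or from AWS: it builds the request that maps the instance role's ARN as a backend role, and a second request defining a narrower role, because all_access makes the instance a cluster administrator and a workload that only searches needs far less. The requests must be sent as the master user. The path is the OpenSearch one (/_plugins/_security); it is assumed here that legacy Elasticsearch domains use /_opendistro/_security instead. Role names, index pattern, endpoint and ARN are placeholders, and the curl rendering assumes a curl build with --aws-sigv4 support.

```python
# Added example (not from the answer above): map the EC2 instance role to a
# fine-grained access control role via the security plugin REST API, and
# define a read-only role as the least-privilege alternative to all_access.
# Path, role names, index pattern, endpoint and ARN are placeholders.
import json

SECURITY_API = "/_plugins/_security/api"  # legacy ES domains: /_opendistro/_security/api


def role_mapping_request(role: str, backend_role_arn: str):
    """(method, path, body) that replaces the mapping of `role` with one backend role."""
    body = {"backend_roles": [backend_role_arn], "hosts": [], "users": []}
    return "PUT", f"{SECURITY_API}/rolesmapping/{role}", body


def read_only_role_request(role: str, index_pattern: str):
    """(method, path, body) defining a role that can only search `index_pattern`."""
    body = {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [{
            "index_patterns": [index_pattern],
            "allowed_actions": ["read"],  # built-in action group: get/search only
        }],
    }
    return "PUT", f"{SECURITY_API}/roles/{role}", body


def as_curl(domain_endpoint: str, request, region: str) -> str:
    """Render a request as a curl command signed with the master user's credentials.
    Assumes curl >= 7.75 (--aws-sigv4); add -H "x-amz-security-token: ..." for temporary keys."""
    method, path, body = request
    return (f"curl -X {method} 'https://{domain_endpoint}{path}' "
            f"--aws-sigv4 'aws:amz:{region}:es' "
            f"--user \"$AWS_ACCESS_KEY_ID:$AWS_SECRET_ACCESS_KEY\" "
            f"-H 'Content-Type: application/json' -d '{json.dumps(body)}'")


if __name__ == "__main__":
    endpoint = "search-test-abcdefg.eu-central-1.es.amazonaws.com"  # placeholder
    instance_role = "arn:aws:iam::123456789012:role/my-role"       # placeholder
    # least privilege: a custom role over one index pattern, mapped to the instance role
    print(as_curl(endpoint, read_only_role_request("ec2_search_only", "logs-*"), "eu-central-1"))
    print(as_curl(endpoint, role_mapping_request("ec2_search_only", instance_role), "eu-central-1"))
    # what the answer describes, for comparison: cluster-wide admin for the instance
    print(as_curl(endpoint, role_mapping_request("all_access", instance_role), "eu-central-1"))
```

PUT replaces the whole mapping for the role, so include any backend roles, users or hosts that are already mapped, or use a PATCH on the same path if you only want to add one entry.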

Amazon SES: User is not authorized to perform `ses:SendEmail' on resource

I've recently set up AWS SES and continue to run into the following error when sending email from a local application.
User `arn:aws:iam::REDACTED:user/mail_user' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-east-1:REDACTED:identity/mail@REDACTED.COM'
I've set up the below policy for the email mail@REDACTED.COM
{
  "Version": "2012-10-17",
  "Id": "SampleAuthorizationPolicy",
  "Statement": [
    {
      "Sid": "AuthorizeEmail",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::REDACTED:user/mail_user"
      },
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn:aws:ses:us-east-1:REDACTED:identity/mail@REDACTED.COM"
    }
  ]
}
Any suggestions as to why I'm continuing to receive the unauthorized error?
To resolve this issue I created an inline policy for the user via IAM (the permissions tab under the User).
I granted the following permissions to resource arn:aws:ses:us-east-1:REDACTED:identity/mail@REDACTED.COM
SendEmail
SendRawEmail
I did not need to create an identity policy via the SES management panel.
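Both SES threads on this page (the Tomcat Beanstalk one near the top and this one) end the same way: the permission that fixed the 403 was an identity-based policy on the IAM principal that actually calls SendEmail (the instance role or the IAM user). The following is an added example, not code from either post: it builds that policy with the resource scoped to one verified identity and the From address pinned through the ses:FromAddress condition key, so a compromised instance or leaked user key cannot send as any other identity in the account, and a helper that asks IAM's policy simulator whether a given principal is allowed, which confirms the decision without sending mail. Account id, region, identity, addresses and role name are placeholders; the simulator call needs AWS credentials and boto3 and is only invoked under the guard.

```python
# Added example serving both SES questions on this page; not code from either
# post. Builds a least-privilege identity-based policy for the sending
# principal and, optionally, checks the decision with IAM's policy simulator.
# Account id, region, identity, addresses and role name are placeholders.
import json


def ses_sender_policy(account_id, region, identity, from_addresses):
    """Identity-based policy: SendEmail/SendRawEmail from one identity, fixed From addresses."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SendFromVerifiedIdentity",
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            # the identity ARN from the error message, not "*"
            "Resource": f"arn:aws:ses:{region}:{account_id}:identity/{identity}",
            # ses:FromAddress is the SES condition key for the envelope From
            "Condition": {"StringLike": {"ses:FromAddress": list(from_addresses)}},
        }],
    }


def is_principal_arn(arn: str) -> bool:
    """The simulator wants the IAM user or role ARN, not an sts assumed-role session ARN."""
    return arn.startswith("arn:aws:iam::") and (":user/" in arn or ":role/" in arn)


def check_with_simulator(principal_arn, account_id, region, identity, from_address):
    """Ask IAM whether principal_arn may ses:SendEmail on the identity (needs credentials)."""
    if not is_principal_arn(principal_arn):
        raise ValueError(f"use the IAM user/role ARN, got {principal_arn}")
    import boto3  # imported here so the policy builder stays dependency-free
    iam = boto3.client("iam")
    resp = iam.simulate_principal_policy(
        PolicySourceArn=principal_arn,
        ActionNames=["ses:SendEmail"],
        ResourceArns=[f"arn:aws:ses:{region}:{account_id}:identity/{identity}"],
        ContextEntries=[{"ContextKeyName": "ses:FromAddress",
                         "ContextKeyValues": [from_address],
                         "ContextKeyType": "string"}],
    )
    return resp["EvaluationResults"][0]["EvalDecision"]  # "allowed" or a deny reason


if __name__ == "__main__":
    policy = ses_sender_policy("123456789012", "eu-central-1", "example.com",
                               ["noreply@example.com", "alerts@example.com"])
    print(json.dumps(policy, indent=2))
    # Attach to the Beanstalk instance role, for example:
    #   aws iam put-role-policy --role-name aws-elasticbeanstalk-ec2-role \
    #     --policy-name ses-send --policy-document file://policy.json
    # then confirm:
    #   check_with_simulator("arn:aws:iam::123456789012:role/aws-elasticbeanstalk-ec2-role",
    #                        "123456789012", "eu-central-1", "example.com", "noreply@example.com")
```

For the IAM-user case in this question the same document goes on the user as an inline policy; the only change is the principal you attach it to.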

Why is this s3 Bucket policy invalid?

{
  "Version": "2012-10-17",
  "Id": "Policy1612574490300",
  "Statement": [
    {
      "Sid": "Stmt1612574488073",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:ec2:us-east-1:258977512672:instance/i-041123c1993c370ba"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my_bucket",
        "arn:aws:s3:::my_bucket/*"
      ]
    }
  ]
}
The response is Invalid Principal. I don't see why it's invalid.
An EC2 instance isn't a valid principal. I think what you actually need to do here is use the ARN of the IAM role assigned to the EC2 instance.
You can specify the following principals in a policy:
AWS account and root user
IAM users
Federated users (using web identity or SAML federation)
IAM roles
Assumed-role sessions
AWS services
Anonymous users (not recommended)
S3 Documentation Principal
AWS JSON policy elements: Principal
If you want to give that instance access to the bucket then you can use instance profiles.
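As an added example, not code from either answer above: a small checker for the principal types the second answer lists, a helper that turns the assumed-role session ARN an instance presents (arn:aws:sts::...:assumed-role/Name/i-...) into the stable IAM role ARN, and a bucket-policy builder that rejects the instance ARN from the question. It also narrows the question's s3:* to the two actions a reader would typically need. Account id, bucket and role names are placeholders.

```python
# Added example (not from the answers above): validate what may appear in a
# Principal element, normalise an assumed-role session ARN to its role ARN,
# and build a bucket policy for the instance role. Ids and names are placeholders.
import re

_PRINCIPAL_PATTERNS = {
    "account": re.compile(r"^(\d{12}|arn:aws:iam::\d{12}:root)$"),
    "user": re.compile(r"^arn:aws:iam::\d{12}:user/.+$"),
    "role": re.compile(r"^arn:aws:iam::\d{12}:role/.+$"),
    "assumed-role session": re.compile(r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/[^/]+$"),
    "federated user": re.compile(r"^arn:aws:sts::\d{12}:federated-user/.+$"),
    "service": re.compile(r"^[a-z0-9.-]+\.amazonaws\.com$"),   # goes under Principal.Service
    "anonymous": re.compile(r"^\*$"),
}
_AWS_KEY_KINDS = {"account", "user", "role", "assumed-role session", "federated user"}


def principal_kind(value: str):
    """Name of the principal type, or None if the value cannot be a principal at all."""
    for kind, pattern in _PRINCIPAL_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def role_arn_from_session(session_arn: str) -> str:
    """arn:aws:sts::A:assumed-role/Name/session -> arn:aws:iam::A:role/Name.
    The role ARN is the stable principal; the session id changes per instance."""
    m = re.match(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$", session_arn)
    if not m:
        raise ValueError(f"not an assumed-role session ARN: {session_arn}")
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"


def bucket_policy(bucket: str, principal: str, actions=("s3:GetObject", "s3:ListBucket")):
    """Bucket policy for one IAM principal; refuses invalid, service or anonymous principals."""
    kind = principal_kind(principal)
    if kind is None:
        raise ValueError(f"invalid principal {principal!r}: an EC2 instance ARN is not "
                         f"a principal, use the instance's IAM role ARN")
    if kind not in _AWS_KEY_KINDS:
        raise ValueError(f"{kind} principals do not belong under Principal.AWS here")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InstanceRoleAccess",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": list(actions),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


if __name__ == "__main__":
    import json
    session = "arn:aws:sts::258977512672:assumed-role/my-instance-role/i-041123c1993c370ba"
    print(json.dumps(bucket_policy("my_bucket", role_arn_from_session(session)), indent=2))
```

The session ARN is what aws sts get-caller-identity prints on the instance; feeding it through role_arn_from_session gives the principal to put in the bucket policy.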