Upload to S3 failed with the following error: Access Denied - CodeStarConnections - amazon-web-services

I am building a CI/CD pipeline using AWS CodePipeline. The repository source is on Bitbucket, and I used AWS CodeStar Connections to create a connection between the Bitbucket repository and the pipeline.
The pipeline details are below:
{
  "pipeline": {
    "name": "test_pipeline",
    "roleArn": "arn:aws:iam::<AccountId>:role/PipelineServiceRole",
    "artifactStore": {
      "type": "S3",
      "location": "tadadadada-artifact"
    },
    "stages": [
      {
        "name": "Source",
        "actions": [
          {
            "name": "Source",
            "actionTypeId": {
              "category": "Source",
              "owner": "AWS",
              "provider": "CodeStarSourceConnection",
              "version": "1"
            },
            "runOrder": 1,
            "configuration": {
              "BranchName": "dev",
              "ConnectionArn": "arn:aws:codestar-connections:us-east-2:<AccountId>:connection/4ca7b1cf-2917-4fda-b681-c5239944eb33",
              "FullRepositoryId": "<username>/repository_name",
              "OutputArtifactFormat": "CODE_ZIP"
            },
            "outputArtifacts": [
              {
                "name": "SourceArtifact"
              }
            ],
            "inputArtifacts": [],
            "region": "us-east-2",
            "namespace": "SourceVariables"
          }
        ]
      },
      {
        "name": "Build",
        "actions": [
          {
            ....
          }
        ]
      }
    ],
    "version": 1
  },
  "metadata": {
    "pipelineArn": "arn:aws:codepipeline:us-east-2:<AccountId>:test_pipeline",
    "created": 1611669087.267,
    "updated": 1611669087.267
  }
}
The PipelineServiceRole and the policy attached to it are:
Service Role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codepipeline.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IamPassRolePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "cloudformation.amazonaws.com",
            "ec2.amazonaws.com",
            "ecs-tasks.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CodeBuildPolicy",
      "Effect": "Allow",
      "Action": [
        "codebuild:BatchGetBuilds",
        "codebuild:StartBuild"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3AccessPolicy",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectVersion",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ECRAccessPolicy",
      "Effect": "Allow",
      "Action": [
        "ecr:DescribeImages"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CodeStarConnectionsAccessPolicy",
      "Effect": "Allow",
      "Action": [
        "codestar-connections:UseConnection"
      ],
      "Resource": "*"
    }
  ]
}
The source stage fails with an error:
[Bitbucket] Upload to S3 failed with the following error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 085999D90C19E650; S3 Extended Request ID: gJ6l08+cX3U6i2Vj0+fW7PiqA/UzM6ZGCfyECmWb+Jit4Knu+gi/L4y3F24uqkFWUfGy9tZo0VE=; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; S3 Extended Request ID: null; Proxy: null) (Service: null; Status Code: 0; Error Code: null; Request ID: null; S3 Extended Request ID: null; Proxy: null)
The error message lacks details. I am not sure which service is trying to access S3; shouldn't it be CodePipeline (which in this case has PutObject permission)?

Resolved this by changing the OutputArtifactFormat from "OutputArtifactFormat": "CODE_ZIP" to "OutputArtifactFormat": "CODEBUILD_CLONE_REF".
CODEBUILD_CLONE_REF, per the console description, is a full clone, in which case:
AWS CodePipeline passes metadata about the repository that allows subsequent actions to do a full git clone. Only supported for AWS CodeBuild actions.
The "CODE_ZIP" option does not include the git metadata about the repository.

This issue appears to be related to a recent change in the CDK's default IAM Role for the BitBucketSourceAction.
I found that by adding the "s3:PutObjectAcl" action to the list I was able to successfully integrate the BitBucketSourceAction (for GitHub version 2 connection). Note: this did not require:
Changing the OutputArtifactFormat from "OutputArtifactFormat": "CODE_ZIP" to "OutputArtifactFormat": "CODEBUILD_CLONE_REF", or,
S3-full-access "s3:*"
As detailed in this CDK issue, I was using the BitBucketSourceAction to integrate with a GitHub repository. I got the following error when the CodePipeline first attempted the GitHub (Version2) action:
[GitHub] Upload to S3 failed with the following error: Access Denied
On a previous pipeline I released with the BitBucketSourceAction the "s3:PutObject*" wildcarded action was included in the synthesized template. On reviewing the IAM role generated during my latest cdk deployment (using version 1.91.0) the BitBucketSourceAction only had the "s3:PutObject" action (i.e. not wildcarded). This excludes the "s3:PutObjectAcl" action which seems to be required to upload the source repository from GitHub to S3 and free it up for use further along in the pipeline.

Adding the s3:PutObjectAcl action permission to the role policy associated with the Pipeline Bucket Store worked for me.
I had to add the following permissions:
s3:GetObject
s3:GetObjectVersion
s3:PutObject
s3:GetBucketVersioning
s3:PutObjectAcl

I had the same problem using GitHub.
[GitHub] Upload to S3 failed with the following error: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: foo; S3 Extended Request ID: bar; Proxy: null)
But in the artifact store S3 bucket, the object was updated.
So I changed the S3 service policy to full access.
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetBucketVersioning",
↓
"s3:*",

I had this exact problem today and I don't know why this fixed it, but the policy attached to the PipelineGithubRole had 2 S3 statements: one contained just the List* action and the other contained all the Read & Put actions. I moved them into a single statement and it started working.
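Added example, not part of any post above: a small Python check that evaluates an IAM identity policy against the S3 actions the answers in this thread found the pipeline role needs on the artifact bucket. It uses the asker's S3 statement as sample input, shows that it lacks s3:PutObjectAcl and s3:GetBucketVersioning, and shows that the wildcarded s3:PutObject* form the CDK used to synthesize covers the ACL call. The required-action list is an assumption drawn from the answers above, not an official AWS list; the evaluator models Action, Resource and Effect only (no Conditions) and goes slightly beyond the thread by honouring an explicit Deny.

```python
"""Coarse check of an IAM identity policy against the S3 actions a CodePipeline
CodeStarSourceConnection source action needs on the artifact bucket.

Added example for this thread (not code from AWS, the CDK, or the posters).
The required action list is taken from the answers above, not from an official
AWS reference; the evaluator models only Action/Resource/Effect, no Conditions."""
import fnmatch

# Actions the answers above found necessary on the artifact bucket, with the
# resource each applies to: objects ("/*") or the bucket itself ("").
REQUIRED_S3_ACTIONS = [
    ("s3:GetObject", "/*"),
    ("s3:GetObjectVersion", "/*"),
    ("s3:PutObject", "/*"),
    ("s3:PutObjectAcl", "/*"),
    ("s3:GetBucketVersioning", ""),
]

# Artifact bucket from the asker's pipeline definition.
BUCKET_ARN = "arn:aws:s3:::tadadadada-artifact"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    """IAM-style wildcard match: '*' and '?' in the pattern, case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def action_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow statement grants access."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _matches(action, _as_list(stmt.get("Action", []))):
            continue
        if not _matches(resource, _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_s3_actions(policy, bucket_arn=BUCKET_ARN):
    """Return the required actions the policy does not grant, in checklist order."""
    return [
        action
        for action, suffix in REQUIRED_S3_ACTIONS
        if not action_allowed(policy, action, bucket_arn + suffix)
    ]


# The asker's S3 statement, as posted in the question.
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3AccessPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:GetObjectVersion",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
            ],
            "Resource": "*",
        }
    ],
}

# Variant using the wildcarded actions the second answer saw the CDK synthesize
# earlier, scoped to the artifact bucket instead of "*" (constructed here).
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject*", "s3:PutObject*", "s3:GetBucketVersioning"],
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        }
    ],
}

if __name__ == "__main__":
    print("asker's policy is missing:", missing_s3_actions(ASKER_POLICY))
    print("wildcard policy is missing:", missing_s3_actions(WILDCARD_POLICY))
```

Running the block prints the two missing actions for the asker's policy and an empty list for the wildcarded variant; scoping the Resource to the artifact bucket rather than "*" keeps the role from writing to every bucket in the account while still satisfying the source action.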

Unable to copy Elasticache backup

I have followed these instructions step by step: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-exporting.html
However, I have the following error:
An error occurred (InvalidParameterValue) when calling the CopySnapshot operation: Elasticache was unable to validate the authenticated user has access on the S3 bucket ...
The bucket is in the same region as the backup.
This is my bucket configuration:
{
  "LocationConstraint": "eu-central-1"
}
{
  "Version": "2012-10-17",
  "Id": "xxxxxxxx",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eu-central-1.elasticache-snapshot.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketAcl",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket-name/*",
        "arn:aws:s3:::my-bucket-name"
      ]
    }
  ]
}
This is the snapshot:
{
  "Snapshots": [
    {
      "SnapshotName": "my-snapshot-name",
      "CacheClusterId": "xxxxxxxx-xxx",
      "SnapshotStatus": "available",
      "SnapshotSource": "manual",
      "CacheNodeType": "cache.t2.micro",
      "Engine": "redis",
      "EngineVersion": "5.0.3",
      "NumCacheNodes": 1,
      "PreferredAvailabilityZone": "eu-central-1c",
      "CacheClusterCreateTime": "xxxxxxx",
      "PreferredMaintenanceWindow": "mon:02:30-mon:03:30",
      "Port": 6379,
      "CacheParameterGroupName": "default.redis5.0",
      "CacheSubnetGroupName": "internal",
      "VpcId": "xxxxx",
      "AutoMinorVersionUpgrade": true,
      "SnapshotRetentionLimit": 7,
      "SnapshotWindow": "00:00-02:00",
      "NodeSnapshots": [
        {
          "CacheNodeId": "0001",
          "CacheSize": "33 MB",
          "CacheNodeCreateTime": "xxxxxx",
          "SnapshotCreateTime": "xxxxxx"
        }
      ],
      "ARN": "arn:aws:elasticache:eu-central-1:000000000:snapshot:my-snapshot-name",
      "DataTiering": "disabled"
    }
  ]
}
UPDATE
Apparently AWS updated their docs by adding a crucial piece of information regarding the ACL; see the accepted answer for more info.
A very important step here is to add the ACL as mentioned in the doc:
Add grantee Canonical Id 540804c33a284a299d2547575ce1010f2312ef3da9b3a053c8bc45bf233e4353 with the following options:
Objects: List, Write
Bucket ACL: Read, Write
I added this ACL permission and it started working like a charm.
After adding this ACL my configuration looks as below.
Full reference document link: https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-exporting.html#backups-exporting-grant-access
Based on the article you linked, you also need additional S3 permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
Have you verified that your IAM user has this access?
When you create the S3 bucket, enable ACLs. Then you can continue with the Permissions section of the instructions.

Terraform-Cloudformation- aws instance provider: Provided Arn is not in correct format

I am creating a CloudFormation stack to generate the AWS Instance Scheduler in AWS GovCloud via Terraform. The goal is to start/stop EC2 based on tags. There are many ways to achieve it, but I have to use Terraform and CloudFormation. Here is the repo --> https://github.com/Vinod1908/TestTerraform/blob/master/instanceScheduler.tf
Below is the part of the code where I think I am blocked:
"InstanceSchedulerEncryptionKey": {
  "Type": "AWS::KMS::Key",
  "Properties": {
    "Description": "Key for SNS",
    "Enabled": true,
    "EnableKeyRotation": true,
    "KeyPolicy": {
      "Statement": [
        {
          "Sid": "default",
          "Effect": "Allow",
          "Principal": {
            "AWS": {
              "Fn::Sub": "arn:$${AWS::Partition}:iam::$${AWS::AccountId}:root"
            }
          },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allows use of key",
          "Effect": "Allow",
          "Principal": {
            "AWS": {
              "Fn::GetAtt": [
                "SchedulerRole",
                "Arn"
              ]
            }
          },
          "Action": [
            "kms:GenerateDataKey*",
            "kms:Decrypt"
          ],
          "Resource": "*"
        }
      ]
    }
  }
},
"Code": {
  "S3Bucket": {
    "Fn::Join": [
      "-",
      [
        "solutions",
        {
          "Ref": "AWS::Region"
        }
      ]
    ]
  },
  "S3Key": "aws-instance-scheduler/v1.3.1/instance-scheduler.zip"
The error:
Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [InstanceSchedulerEncryptionKey, SchedulerRule]. Rollback requested by user."
"Resource creation cancelled" "Parameter arn:aws:lambda:us-gov-west-1:###########..:function:Schedule-InstanceSchedulerMain is not valid. Reason: Provided Arn is not in correct format. (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: ValidationException; Request ID: 37adac0c-6758-4b4f-ac86-0d0140742c80; Proxy: null)"]
I am not sure if it's doable in GovCloud, but I am looking for potential solutions and found this https://github.com/awslabs/aws-instance-scheduler/issues/11. I am testing it but no success yet. Please help!
Adding a new line:
Thank you all for the response. My issue was the ARN; using the correct one (arn:aws-us-gov) fixed it.
I just applied the code and it's going through. Now I am getting the error below, and I am sure it's related to the policy/role on my S3 bucket. Please let me know what is wrong in my code below. Any thoughts?
The S3 code part:
"SchedulerPolicy": {
  "Type": "AWS::IAM::Policy",
  "Metadata": {
    "cfn_nag": {
      "rules_to_suppress": [
        {
          "id": "W12",
          "reason": "All policies have been scoped to be as restrictive as possible. This solution needs to access ec2/rds resources across all regions."
        }
      ]
    }
  },
  "Properties": {
    "PolicyName": "SchedulerPolicy",
    "Roles": [
      {
        "Ref": "SchedulerRole"
      }
    ],
    "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:PutRetentionPolicy"
          ],
          "Resource": [
            {
              "Fn::Join": [
                ":",
                [
                  "arn:aws-us-gov:logs",
                  {
                    "Ref": "AWS::Region"
                  },
                  {
                    "Ref": "AWS::AccountId"
                  },
                  "log-group",
                  {
                    "Ref": "SchedulerLogGroup"
                  },
                  "*"
                ]
              ]
            },
            {
              "Fn::Join": [
                ":",
                [
                  "arn:aws-us-gov:logs",
                  {
                    "Ref": "AWS::Region"
                  },
                  {
                    "Ref": "AWS::AccountId"
                  },
                  "log-group:/aws/lambda/*"
                ]
              ]
            }
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:*"
          ],
          "Resource": {
            "Fn::Join": [
              ":",
              [
                "arn:aws-us-gov:s3:::instanceschedulertest",
                "arn:aws-us-gov:s3:::instanceschedulertest/*"
              ]
            ]
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "rds:DeleteDBSnapshot",
            "rds:DescribeDBSnapshots",
            "rds:StopDBInstance"
          ],
          "Resource": {
            "Fn::Join": [
              ":",
              [
                "arn:aws-us-gov:rds:*",
                {
                  "Ref": "AWS::AccountId"
                },
                "snapshot:*"
              ]
            ]
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "rds:AddTagsToResource",
            "rds:RemoveTagsFromResource",
            "rds:DescribeDBSnapshots",
            "rds:StartDBInstance",
            "rds:StopDBInstance"
The error:
Error: error waiting for CloudFormation Stack creation: failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE): ["The following resource(s) failed to create: [Main]. Rollback requested by user." "Your access has been denied by S3, please make sure your request credentials have permission to GetObject for solutions-us-gov-west-1/aws-instance-scheduler/v1.3.1/instance-scheduler.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 95db6874-d4ad-4499-95f7-f73777a6d4db; Proxy: null)"]
Thank you all for all the pointers I really appreciate your input.
The reason it is failing is that you are forming the wrong ARN in your Terraform code.
In your repo,
link
Replace the following Lambda-related lines (1047, 1358, 1420) to use "arn:aws-us-gov:lambda" instead of "arn:aws:lambda".
As per the AWS documentation, the ARN should be in this format: arn:aws-us-gov:lambda:account-id:function:function-name.
The answer to your question is to update the above-mentioned lines. But I am sure you will get errors with respect to other resources, as all the resources you are creating are in the US region. So please update all the necessary Fn::Join ARN lines you are forming in your code. :)
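Added example for the partition problem in this thread (not code from the asker's repo or from the aws-instance-scheduler project): a Python scan of a parsed CloudFormation template for ARN literals hard-coded to the wrong partition, plus a rewriter that fixes them. The template fragment is constructed to mirror the Fn::Join and Fn::Sub shapes in the question; the region-to-partition mapping (aws, aws-us-gov, aws-cn) is an assumption. It generalises the answer's three-line fix to every ARN literal in a template, and leaves ${AWS::Partition} placeholders, the portable form the asker's key policy already uses, untouched.

```python
"""Find ARN literals in a CloudFormation template whose partition does not
match the target region, and rewrite them.

Added example for the GovCloud thread above; not code from the asker's repo or
from the aws-instance-scheduler project. The template below is constructed to
mirror the Fn::Join / Fn::Sub patterns in the question; the partition table is
an assumption (the three public AWS partitions)."""
import re

# "arn:<partition>:..." ; the partition field may also be a Fn::Sub placeholder.
ARN_PREFIX = re.compile(r"^arn:(?P<partition>[^:]*):")
# "${AWS::Partition}" or the Terraform-escaped "$${AWS::Partition}" form.
PLACEHOLDER = re.compile(r"^\$+\{")


def partition_for_region(region):
    """Assumed mapping from region name to ARN partition."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def _strings(node, path="$"):
    """Yield (json_path, value) for every string literal in the template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_partition_mismatches(template, region):
    """Return [(path, literal)] for hard-coded ARN prefixes of the wrong partition."""
    expected = partition_for_region(region)
    mismatches = []
    for path, literal in _strings(template):
        match = ARN_PREFIX.match(literal)
        if not match:
            continue
        partition = match.group("partition")
        if PLACEHOLDER.match(partition) or partition == expected:
            continue
        mismatches.append((path, literal))
    return mismatches


def rewrite_partition(node, region):
    """Return a deep copy with hard-coded ARN partitions set for `region`;
    placeholder partitions are left as they are."""
    expected = partition_for_region(region)
    if isinstance(node, dict):
        return {k: rewrite_partition(v, region) for k, v in node.items()}
    if isinstance(node, list):
        return [rewrite_partition(v, region) for v in node]
    if isinstance(node, str):
        match = ARN_PREFIX.match(node)
        if match and not PLACEHOLDER.match(match.group("partition")):
            return "arn:" + expected + node[match.end("partition"):]
    return node


# Constructed fragment mirroring the question: a commercial-partition Lambda ARN
# (the defect the answer points at), a GovCloud logs ARN, and a partition-agnostic Fn::Sub.
SAMPLE_TEMPLATE = {
    "Resources": {
        "SchedulerRule": {
            "Type": "AWS::Events::Rule",
            "Properties": {"Targets": [{
                "Id": "InstanceSchedulerMain",
                "Arn": {"Fn::Join": [":", [
                    "arn:aws:lambda",
                    {"Ref": "AWS::Region"},
                    {"Ref": "AWS::AccountId"},
                    "function:Schedule-InstanceSchedulerMain",
                ]]},
            }]},
        },
        "SchedulerPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {"PolicyDocument": {"Statement": [{
                "Effect": "Allow",
                "Action": ["logs:PutLogEvents"],
                "Resource": {"Fn::Join": [":", [
                    "arn:aws-us-gov:logs",
                    {"Ref": "AWS::Region"},
                    {"Ref": "AWS::AccountId"},
                    "log-group:/aws/lambda/*",
                ]]},
            }]}},
        },
        "KmsKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {"KeyPolicy": {"Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"}},
                "Action": "kms:*",
                "Resource": "*",
            }]}},
        },
    }
}

if __name__ == "__main__":
    for path, literal in find_partition_mismatches(SAMPLE_TEMPLATE, "us-gov-west-1"):
        print(f"{path}: {literal}")
```

Run against a template rendered for us-gov-west-1, the scan reports only the Lambda ARN prefix; the same template checked against a commercial region flags the logs prefix instead, which is why the answer's advice to fix every hard-coded Fn::Join ARN (or switch them to ${AWS::Partition}) is the durable fix.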

Cannot set S3 trigger for Lambda function in AWS

I've been all over the internet looking for a solution to this. I have been trying to set up an AWS Lambda function to send a message to SNS every time a file is uploaded to a particular S3 bucket, according to this tutorial. At this point, I have the function set up and I can invoke it successfully. However, when I attempt to connect the function to S3, I get an error stating An error occurred (InvalidArgument) when calling the PutBucketNotification operation: Unable to validate the following destination configurations. According to this article, I should be able to add a permission that will let S3 invoke the Lambda function, like this:
aws lambda add-permission \
--function-name my-file-upload \
--principal s3.amazonaws.com \
--statement-id AcceptFromImport \
--action "lambda:InvokeFunction" \
--source-arn arn:aws:s3:::file-import \
--source-account my_account_id
I did this, and noticed that the policy associated with the Lambda function updated and appeared to be correct. However, the error persists. I've looked at a similar question, here, but none of the solutions here worked.
Execution Role ARN: arn:aws:iam::my_account_id:role/lambda-upload-stream
Execution Role (lambda-upload-stream) trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Execution Role policy (my-file-upload):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessObject",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::file-import/*"
    },
    {
      "Sid": "SendUpdate",
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:ap-northeast-1:my_account_id:comm-in"
    }
  ]
}
Lambda function ARN: arn:aws:lambda:ap-northeast-1:my_account_id:function:my-file-upload
Lambda function role document:
{
  "roleName": "lambda-upload-stream",
  "policies": [
    {
      "name": "my-file-upload",
      "id": "AWS_ACCESS_KEY_ID",
      "type": "managed",
      "arn": "arn:aws:iam::my_account_id:policy/my-file-upload",
      "document": {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "AccessObject",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::file-import/*"
          },
          {
            "Sid": "SendUpdate",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:ap-northeast-1:my_account_id:comm-in"
          }
        ]
      }
    }
  ],
  "resources": {
    "s3": {
      "service": {
        "name": "Amazon S3",
        "icon": "data:image/svg+xml;base64,very_long_base64_string1"
      },
      "statements": [
        {
          "resource": "arn:aws:s3:::file-import/*",
          "service": "s3",
          "effect": "Allow",
          "action": "s3:GetObject",
          "source": {
            "index": "AccessObject",
            "policyName": "my-file-upload",
            "policyType": "managed"
          }
        }
      ]
    },
    "sns": {
      "service": {
        "name": "Amazon SNS",
        "icon": "data:image/svg+xml;base64,very_long_base64_string2"
      },
      "statements": [
        {
          "resource": "arn:aws:sns:ap-northeast-1:my_account_id:comm-in",
          "service": "sns",
          "effect": "Allow",
          "action": "sns:Publish",
          "source": {
            "index": "SendUpdate",
            "policyName": "my-file-upload",
            "policyType": "managed"
          }
        }
      ]
    }
  },
  "trustedEntities": [
    "lambda.amazonaws.com"
  ]
}
Lambda function resource policy:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:ap-northeast-1:my_account_id:function:my-file-upload",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "my_account_id"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::file-import"
        }
      }
    }
  ]
}
My question is: what am I doing wrong here and how do I fix it?
The thing you need to create is called a "Resource-based policy", and is what should be created by aws lambda add-permission.
A Resource-based policy gives S3 permission to invoke your lambda. This is a property on your lambda itself, and is not part of your lambda's IAM role (your lambda's IAM role controls what your lambda can do; a Resource-based policy controls who can do what to your lambda). You can view this resource in the UI on the AWS console by going to your lambda, clicking "Permissions" and scrolling down to "Resource-based policy". The keyword you want to look out for is lambda:InvokeFunction, which is what gives other things permission to call your lambda, including other AWS accounts, and other AWS services on your account (like S3).
That being said, the command you ran should have created this policy. Did you make sure to replace my_account_id with your actual account id when you ran the command?
In addition, make sure you replace --source-arn arn:aws:s3:::file-import with the actual ARN of your bucket (I assume you had to create a bucket with a different name because S3 buckets must have globally unique names, and file-import is almost surely already taken).
I figured out what the problem was. My initial command was:
aws s3api put-bucket-notification --bucket azure-erp-import \
--notification-configuration "CloudFunctionConfiguration={Id=file-uploaded,Events=[],Event=s3:ObjectCreated:*,CloudFunction=arn:aws:lambda:ap-northeast-1:my_account_id:function:my-file-upload,InvocationRole=arn:aws:iam::my_account_id:role/lambda-upload-stream}"
This failed because the arn:aws:iam::my_account_id:role/lambda-upload-stream role doesn't have permissions to call lambda:InvokeFunction on the lambda function. Removing this value fixed the error.

Error Updating Stack to Add S3 Trigger

I successfully created a lambda function and S3 bucket using a cloudformation stack. I then ran an update to the stack to add a trigger to the S3 bucket to invoke a lambda function.
When I run the update it's giving the following error:
Unable to validate the following destination configurations (Service: Amazon S3; Status Code: 400; Error Code: InvalidArgument; Request ID: XXXXX; S3 Extended Request ID: XXXXX
This is the update JSON I'm using to add the trigger to the S3 bucket:
"MyBucket": {
  "Type": "AWS::S3::Bucket",
  "Properties": {
    "BucketName": "my-bucket",
    "NotificationConfiguration": {
      "LambdaConfigurations": [
        {
          "Event": "s3:ObjectCreated:*",
          "Function": "arn:aws:lambda:ap-southeast-2:my-lambda-arn"
        }
      ]
    }
I then added an IAM role to give the S3 bucket access to invoke a lambda function:
"ResourceAccess": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com"
            ]
          },
          "Action": [
            "sts:AssumeRole"
          ]
        }
      ]
    },
    "Path": "/",
    "Policies": [
      {
        "PolicyName": "giveaccesstodeltas3",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "s3.amazonaws.com"
              },
              "Action": "lambda:InvokeFunction",
              "Resource": "arn:aws:lambda:ap-southeast-2:my-lambda-arn",
              "Condition": {
                "StringEquals": {
                  "AWS:SourceAccount": "123456"
                },
                "ArnLike": {
                  "AWS:SourceArn": "arn:aws:s3:::my-bucket"
                }
              }
            }
          ]
        }
      }
    ]
  }
It's giving an error saying:
Policy document should not specify a principal. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: XXXXXX)
In order to add this trigger, you must give your S3 bucket permission to invoke the lambda function. In addition, your lambda must have permission to invoke whatever services it affects. My guess is you are missing the first of these:
permission for your S3 bucket to invoke your lambda function.
You can create a policy similar to the following to give the appropriate permissions to your S3 bucket:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "<optional>",
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "<ArnToYourFunction>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "<YourAccountId>"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:s3:::<YourBucketName>"
        }
      }
    }
  ]
}
See this AWS documentation for more info.

Security token service exception while restoring snapshot from S3 to AWS managed elasticsearch

I have an AWS managed Elasticsearch Service (say smallES) which has a properly working S3 bucket attached to it, containing day-wise rolling indices for the last year. I've created another AWS managed ES cluster (say bigES) for some business reason. I want to restore the last year's data from the bucket into bigES. It's guaranteed that smallES, bigES and the bucket are all in the same region and the same VPC.
So, I created a policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Resource": [
        "arn:aws:s3:::bucket"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": [
        "arn:aws:s3:::bucket/*"
      ]
    }
  ]
}
And attached the policy to a role. The trust relationship of that role is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Now, when I create a snapshot by HTTP request within the same VPC, it can create a snapshot repo for bigES, and I can query for that too:
curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_snapshot'
Output:
{
  "snapshot-repo": {
    "type": "s3",
    "settings": {
      "bucket": "bucket",
      "region": "region",
      "role_arn": "role_arn"
    }
  }
}
But when I try to see the snapshots in this snapshot repo I get an error (described below):
curl -XGET 'http://bigESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'
I get the following error:
{
  "error": {
    "root_cause": [
      {
        "type": "a_w_s_security_token_service_exception",
        "reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
      }
    ],
    "type": "a_w_s_security_token_service_exception",
    "reason": "User: arn:aws:sts::acountid:assumed-role/cp-sts-grant-role/swift-region-prod-365021432299 is not authorized to perform: sts:AssumeRole on resource: role-arn (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: some-id)"
  },
  "status": 500
}
I've given my role full S3 access, but no luck. I've posted all the HTTP requests from an EC2 machine inside the VPC.
Also, to mention, if I query like the following, I see the expected result:
curl -XGET 'http://smallESid.region.es.amazonaws.com:80/_cat/snapshots/snapshot-repo'
I don't know why, but I tried making a role which has a trust relationship like the following. Still no luck.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Thanks in advance for any kind of help/suggestions.
I had the same issue, and it was because I'd not allowed the Elasticsearch service to assume the role. I had to update my trust relationship policy document to include es.amazonaws.com.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "es.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I solved this problem using the following policy:
{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-name"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::bucket-name/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}
Then I attached the policy to the role. I think "iam:PassRole" has done the work.
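Added example covering the two Lambda/S3 trigger threads above and this Elasticsearch snapshot thread (not code from AWS or from any of the posters): a Python check that flags a Principal inside an identity-based policy (the MalformedPolicyDocument error in the CloudFormation thread) and evaluates whether a resource-based policy, either a Lambda function policy or a role trust policy, allows a given service principal to perform an action. The sample documents are constructed to mirror those posted; the account id is a placeholder, and only Service principals and the aws:SourceArn / aws:SourceAccount condition keys are modelled.

```python
"""Tell identity-based and resource-based policy documents apart, and check
whether a resource-based policy (a Lambda function policy or an IAM role trust
policy) lets a given AWS service principal perform an action.

Added example covering the two Lambda/S3-trigger threads and the Elasticsearch
snapshot thread above; not code from AWS or from the posters. The documents
below are constructed to mirror the ones in those threads; the account id and
ARNs are placeholders. Only the Service principal form and the aws:SourceArn /
aws:SourceAccount condition keys are modelled."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def identity_policy_problems(policy):
    """An identity-based policy (attached to a role or user) must not name a
    Principal; IAM rejects one with MalformedPolicyDocument, which is what the
    AWS::IAM::Policy in the CloudFormation thread ran into."""
    return [
        f"statement {i}: identity-based policies must not specify Principal"
        for i, stmt in enumerate(_as_list(policy["Statement"]))
        if "Principal" in stmt or "NotPrincipal" in stmt
    ]


def _service_principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [s.lower() for s in _as_list(principal.get("Service", []))]


def _conditions_hold(condition, source_arn, source_account):
    """Evaluate the SourceArn/SourceAccount conditions; any other key is treated
    as unsatisfied so the check stays conservative."""
    for operator_values in condition.values():
        for key, wanted in operator_values.items():
            wanted = _as_list(wanted)
            if key.lower() == "aws:sourcearn":
                if source_arn is None or not any(
                    fnmatch.fnmatchcase(source_arn, w) for w in wanted
                ):
                    return False
            elif key.lower() == "aws:sourceaccount":
                if source_account not in wanted:
                    return False
            else:
                return False
    return True


def service_can(policy, service, action, resource="*", source_arn=None, source_account=None):
    """True if some Allow statement names `service` as a principal for `action`
    on `resource` and its conditions are satisfied by the caller context."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _service_principals(stmt)
        if service.lower() not in principals and "*" not in principals:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        # Trust policies carry no Resource; treat that as the role itself ("*").
        resources = _as_list(stmt.get("Resource", "*"))
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if _conditions_hold(stmt.get("Condition", {}), source_arn, source_account):
            return True
    return False


ACCOUNT = "111111111111"  # constructed placeholder account id
FUNCTION_ARN = f"arn:aws:lambda:ap-northeast-1:{ACCOUNT}:function:my-file-upload"
BUCKET_ARN = "arn:aws:s3:::file-import"

# Lambda resource-based policy of the shape `aws lambda add-permission` writes.
LAMBDA_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "s3.amazonaws.com"},
        "Action": "lambda:InvokeFunction",
        "Resource": FUNCTION_ARN,
        "Condition": {
            "StringEquals": {"AWS:SourceAccount": ACCOUNT},
            "ArnLike": {"AWS:SourceArn": BUCKET_ARN},
        },
    }],
}

# The same statement wrongly placed in an IAM role's inline policy.
MISPLACED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": LAMBDA_RESOURCE_POLICY["Statement"]}

# Role trust policies from the Elasticsearch thread: before and after the fix.
TRUST_S3_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"}, "Action": "sts:AssumeRole"}],
}
TRUST_WITH_ES = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": ["es.amazonaws.com", "ec2.amazonaws.com"]}, "Action": "sts:AssumeRole"}],
}
```

The SourceArn/SourceAccount conditions are what keep a bucket with the same name in another account from invoking the function, so a reviewer should expect both on any S3-to-Lambda grant; for the Elasticsearch case the check only passes once es.amazonaws.com appears in the trust policy, which is exactly the error the snapshot listing returned.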