I am trying to setup eksctl for eks but it throwing
"Error: unable to determine AMI to use: error getting AMI from SSM Parameter Store: AccessDeniedException: User: arn:aws:iam:::user/cnc is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1::parameter/aws/service/eks/optimized-ami/1.18/amazon-linux-2/recommended/image_id".
The IAM Permission Policy I am using is
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:::parameter/*"
}
]
I also tried using policy simulation for check the permissions , it is giving me "Implicitly Denied (No matching statement)"
I had the same issue. The way I resolved it was by adding the region to the ssm resource. And also added a ssm:GetParameter like this:
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action":[
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action":[
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:ca-central-1::parameter/*"
}
]
If you notice I've added the region ca-central-1 and you should change it to your current region.
For me, I was using --with-decryption for a SecureString. My Instance Profile also needed to have KMS rights to the alias/parameter-store-key
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter*"
],
"Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ITParameters/*"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
]
}
Mine was in the other direction. I had ssm:GetParameter, and the error message was AccessDeniedException: User is not authorized to perform: ssm:GetParameter on resource because no identity-based policy allows the ssm:GetParameter action, but implicitly the missing ssm:GetParameters was causing the request to be denied with a misleading error message.
I think you might need to authorize the "ssm:GetParameter" action as well.
I had the same error message as #plantbeard
but mine was related to capitalisation
I was using Serverless and taking the param name from the stage enviroment eg dev
but my parameter was called /Dev/param
renaming to /dev/param fixed it for me
For anyone else who still has issues, I was receiving the same error for my Lambda function:
"AccessDeniedException: User: arn:aws:sts::xxxxxx:assumed-role/[role-name]-role-xxxxxx/[lambda-function-name] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:xxxxxx:parameter/[parameter_path1]/[parameter_pathx] because no identity-based policy allows the ssm:GetParameter action",
I found that on the policies page
https://us-east-1.console.aws.amazon.com/iamv2/home#/policies
I needed to add the rule to a "Customer managed" Type Policy Named
AWSLambdaBasicExecutionRole-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (I think someone else created this though and I just added on to it)
That looked like this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:us-east-1:xxxxxxxxxx:parameter/[parameter_path1]/[parameter_pathx]"
}
]
}
Related
When I try to deploy terraform script using gitlab runner I am getting the following error
Error: Error finding Route 53 Hosted Zone: AccessDenied: User: arn:aws:sts::12345678:assumed-role/dev-runner/i-01b2f123f1e1a127c is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the route53:ListHostedZones action
The IAM role that is attached to the runner has the following policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "*",
"Resource": [
"arn:aws:route53:::*",
"arn:aws:acm:us-east-1:12345678:certificate/*",
]
}
]
}
What I am missing here? All the actions are allowed on arn:aws:route53:::* resource.
Try to check role with AWS Policy Simulator
Here is
This action does not support resource-level permissions. Policies granting access must specify "*" in the resource element.
error is raising with your role.
Resource should be "Resource": * to be able run ListHostedZones. However, in this case the permissions will be totally insecure, so I recommend to separate the statements:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"route53:ListHostedZones",
... any other specific permissions for R53 ...
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "*",
"Resource": [
"arn:aws:acm:us-east-1:12345678:certificate/*"
]
}
]
}
And just a personal opinion: using wildcard * actions without specifying at least services (route53:*) is not looking like a good idea
I have tried setting up a permissions policy granting ssm:GetParameter and ssm:GetParameters to a role, but I get that error that "ssm:GetParameter is not allowed for this role". The only way I've found to eliminate the error is to grant ssm:* however I'd like to keep my permissions to a minimum. What am I missing here?
failing permission (account_id obscured):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:us-east-1:{redacted}:parameter/*"
}
]
}
working permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:*",
"Resource": "arn:aws:ssm:us-east-1:{redacted}:parameter/*"
}
]
}
Try using
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath"
]
If that does not help, allow "ssm:DescribeParameters".
I'm issuing an STS token for a user interface that includes the following statement for lambda permissions:
{
"Sid" : "AllowUserInvokeLambda",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:us-east-2:*:function:CreateThumbnail",
"arn:aws:lambda:us-east-2:*:function:ImageScanner"
]
},
When I try to invoke the function from the aws-sdk.js in the browser, I get back an error with the message:
"User: arn:aws:sts::123456789012:assumed-role/test_sts_role/user-12345 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-2:198765432109:function:ImageScanner"
Am I missing something in that policy?
I found the issue, your policy is missing the account number. so it should be,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserInvokeLambda",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:ap-southeast-2:012345678901:function:*"
]
}
]
}
Note: Also You should assign this policy to the role you are assuming, not to the user who is assuming. can you confirm that part.
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
I need to create policy that would allow user to create spot requests, but with specific subnet and security group only. This is what I did:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RequestSpotInstances",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:image/ami-*",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-af016c92",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-12a34d3c",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-f0e844cd",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-026ae728",
"arn:aws:ec2:us-east-1:123456789012:key-pair/*",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-b5dd94cd",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-3bda8c42"
]
}
]
}
But my spot request creation still fails:
botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RequestSpotInstances operation: You are not authorized to perform this operation.
What is the minimum subset of permissions for RequestSpotInstances action?
Is there some possibility to debug this?
I know this is an old issue, but I just ran across the same issue in my environment. The solution for me was adding an IAM permission for "PassRole"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1479335761363",
"Action": [
"ec2:DescribeInstances",
"ec2:RequestSpotInstances",
"ec2:RunInstances",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "*"
}]
}
According to the EC2 docs (here), ec2:RequestSpotInstances is an action which falls into the category of "Unsupported Resource-Level Permissions." Unfortunately, you will have to set the resource tag to all resources, like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RequestSpotInstances",
"Resource": [ "*" ]
}
]
}
As far as debugging goes, don't forget about the IAM policy simulator, which can be accessed from the AWS Console => IAM => User page.
What I Want To Achieve
I am trying to grant an IAM user with a REST API token permission to described environment health on a specific elastic beanstalk application via the AWS CLI.
The Problem
When I run with the CLI command:
aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile
I get the error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation: User: arn:aws:iam::myaccountid:user/myuser is not authorized to perform: elasticbeanstalk:DescribeEnvironmentHealth
with the --debug flag I can see a HTTP 403 response.
Extra Details
The IAM policy has the action "elasticbeanstalk:DescribeEnvironmentHealth" on the resource:
"arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"
I have double checked the account id, app and env name.
I can perform other actions just fine such as DescribeEnvironments when I add this action instead.
I have verified on the particular resource ARN with this policy using the IAM simulator when selecting the user and it says access is granted.
The version of the CLI is aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
As a test I temporarily relaxed the policy to have the action elasticbeanstalk:* and it still doesn't work.
Questions
How can I further debug this issue?
Why does the IAM policy simulator say the policy does grant access but access is denied viu the CLI?
Full Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1455880772092",
"Action": [
"ec2:*",
"s3:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*",
"rds:*",
"cloudformation:*",
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
"arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
]
},
{
"Sid": "Stmt1455891876139",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucket",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:Get*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
}
]
}
For some reason elasticbeanstalk:DescribeEnvironmentHealth worked for me only with "Resource": "*".
So I've separated write/read permissions, allowing "Resource": "*" only for read. Here is my full policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:UpdateEnvironment"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
"arn:aws:elasticbeanstalk:*:*:environment/*/*",
"arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:ListPlatformVersions",
"elasticbeanstalk:DescribeEnvironmentManagedActions",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:DescribeInstancesHealth",
"elasticbeanstalk:DescribeEnvironmentHealth",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:RetrieveEnvironmentInfo"
],
"Resource": "*"
}
]
}