AWS CDK access Denied when trying to create connection AWS glue - amazon-web-services

I have written CDK code to create a connection, but I am getting an error while creating it:
User: arn:aws:iam::XXXXXXX:root is not authorized to perform: glue:CreateConnection on resource: arn:aws:glue:us-east-2:Connectionnew:catalog (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException; Request ID: a8702efb-4467-4ffb-8fe0-18468f336299)
Below is my simple code:
glue_connection = glue.CfnConnection(self, "Connectionnew",
    catalog_id = "Connectionnew",
    connection_input = {
        "connectionType": "JDBC",
        "Name": "JDBCConnection",
        "connectionProperties": {
            "JDBC_CONNECTION_URL": "jdbc:redshift://non-prod-royalties2.xxxxxxx.us-east-1.redshift.amazonaws.com:xxx/xxxxx",
            "USERNAME": "xxxxxx",
            "Password": "xxxxxxxx"
        }
    }
)
Please help me with this.

Being that you are using the root account (which is not advisable), it's not an issue of your active AWS user having the incorrect permissions.
Likely, the connection details you are providing are incorrect. The username/password might be correct but the formatting of the JSON is questionable. I'd check to see if the JDBC keys are case-sensitive because that could be your issue.

I was able to get this issue resolved by putting the AWS account number as below:
glue_connection = glue.CfnConnection(self, "Connectionnew",
    catalog_id = "AWSAccountNumber",
    connection_input = {
        "connectionType": "JDBC",
        "Name": "JDBCConnection",
        "connectionProperties": {
            "JDBC_CONNECTION_URL": "jdbcredshiftlink",
            "USERNAME": "xxxxxx",
            "PASSWORD": "xxxxxxxx"
        }
    }
)
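The two things that changed between the failing and the working version above are the `catalog_id` (the construct id was used where the 12-digit account id belongs) and the spelling of the `PASSWORD` property key. The following pre-synth lint, added here as an example and not code from the thread or from the CDK project, checks both before the dictionary reaches `glue.CfnConnection`, and additionally flags a literal password so the template can carry a Secrets Manager dynamic reference instead. The account id, hostnames and secret name are constructed placeholders; the top-level struct key names are looked up case-insensitively because the thread does not settle which spelling CDK accepts there.

```python
import re

# Added example (not from the thread or the CDK project): a pre-synth lint for the
# arguments handed to glue.CfnConnection, encoding what the thread found:
#   - catalog_id must be the 12-digit AWS account id, not the construct id;
#   - Glue connection property keys are uppercase (JDBC_CONNECTION_URL, USERNAME,
#     PASSWORD), so a mixed-case key such as "Password" is not the same property.
# It also flags a literal password so the stack can reference Secrets Manager
# instead of embedding the credential in the synthesized template.

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
JDBC_REQUIRED_PROPS = ("JDBC_CONNECTION_URL", "USERNAME", "PASSWORD")
JDBC_URL_RE = re.compile(r"^jdbc:[a-z0-9]+://[^/:\s]+:\d+/\S+$", re.IGNORECASE)
# CloudFormation dynamic reference form the stack should use instead of a literal
SECRET_REF_RE = re.compile(r"^\{\{resolve:secretsmanager:")


def _get_ci(mapping, wanted):
    """Case-insensitive key lookup; returns (actual_key, value) or (None, None)."""
    for key, value in mapping.items():
        if key.lower() == wanted.lower():
            return key, value
    return None, None


def lint_glue_connection(catalog_id, connection_input):
    """Return a list of findings; an empty list means the input looks deployable."""
    findings = []
    if not ACCOUNT_ID_RE.match(str(catalog_id)):
        findings.append(f"catalog_id {catalog_id!r} must be the 12-digit account id")

    _, conn_type = _get_ci(connection_input, "connectionType")
    _, props = _get_ci(connection_input, "connectionProperties")
    props = props or {}

    if conn_type == "JDBC":
        for wanted in JDBC_REQUIRED_PROPS:
            actual, _ = _get_ci(props, wanted)
            if actual is None:
                findings.append(f"missing connection property {wanted}")
            elif actual != wanted:
                findings.append(f"property key {actual!r} must be spelled {wanted}")
        url = _get_ci(props, "JDBC_CONNECTION_URL")[1]
        if url is not None and not JDBC_URL_RE.match(str(url)):
            findings.append("JDBC_CONNECTION_URL is not of the form jdbc:<engine>://host:port/db")
        pwd = _get_ci(props, "PASSWORD")[1]
        if pwd is not None and not SECRET_REF_RE.match(str(pwd)):
            findings.append("PASSWORD is a literal; use a Secrets Manager dynamic reference")
    return findings


# Constructed sample: the shape of the failing input from the question (values redacted)
ORIGINAL = dict(
    catalog_id="Connectionnew",
    connection_input={
        "connectionType": "JDBC",
        "Name": "JDBCConnection",
        "connectionProperties": {
            "JDBC_CONNECTION_URL": "jdbc:redshift://example-cluster.redshift.amazonaws.com:5439/dev",
            "USERNAME": "etl_user",
            "Password": "hunter2",
        },
    },
)

# Constructed sample: the corrected input (account id and secret name are placeholders)
FIXED = dict(
    catalog_id="123456789012",
    connection_input={
        "connectionType": "JDBC",
        "Name": "JDBCConnection",
        "connectionProperties": {
            "JDBC_CONNECTION_URL": "jdbc:redshift://example-cluster.redshift.amazonaws.com:5439/dev",
            "USERNAME": "etl_user",
            "PASSWORD": "{{resolve:secretsmanager:glue/redshift/etl:SecretString:password}}",
        },
    },
)

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, lint_glue_connection(**sample))
```

Run it before `cdk synth`; the original input yields three findings (wrong `catalog_id`, the `Password` key, and a literal secret), the corrected one yields none.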

Related

SavingsPlans: Credential should be scoped to a valid region

I am trying to list all available savings plans in my account using
var savingsPlans = new AWS.SavingsPlans({endpoint: 'savingsplans.amazonaws.com', region: region});
const listResponse: AWS.SavingsPlans.DescribeSavingsPlansResponse = await savingsPlans.describeSavingsPlans().promise();
But I am getting the following error in some scenarios. In other scenarios it works fine. What could be the issue? Please help.
"error": {
    "message": "Credential should be scoped to a valid region, not 'us-west-2'. ",
    "code": "InvalidSignatureException",
    "time": "2022-03-04T09:47:56.535Z",
    "statusCode": 403,
    "retryable": false,
    "retryDelay": 97.23145392059766
}
I am running the above code for all regions in my account. For some regions I am not getting any error, but for some regions I am getting the error. For example, I get the error for region ap-northeast-1 but not for region us-east-1.
When I run the same code with the Go SDK, it works for both regions. Not sure what is wrong here.
This issue is solved when we use the v3 aws-sdk version.
import { SavingsplansClient, DescribeSavingsPlansCommand } from "@aws-sdk/client-savingsplans";
const savingsPlans = new SavingsplansClient();
const command = new DescribeSavingsPlansCommand({});
const listResponse = await savingsPlans.send(command);
Seems there are some issues in v2 for savings plans.
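The error text is about the SigV4 "credential scope": the date/region/service string that is both embedded in the `Credential=` part of the `Authorization` header and fed into the signing-key derivation. A signature produced for one region therefore cannot be accepted by an endpoint that requires another, which is what the v2 client ran into when it was handed a per-region `region` for a single-endpoint service. The block below, added as an example and not taken from the thread or from any AWS SDK, implements the derivation and a toy endpoint-side check that produces the same message shape. The access key, secret, canonical request and the assumption that the endpoint requires `us-east-1` and the signing name `savingsplans` are all constructed for the example.

```python
import hashlib
import hmac

# Added example (not from the thread or the AWS SDKs): SigV4 signing-key
# derivation and a toy server-side check of the credential scope. The scope is
# "<date>/<region>/<service>/aws4_request"; the signing key is derived from its
# components, so signing for the wrong region yields both a scope the endpoint
# rejects and a key it could not verify. All credentials below are placeholders.

ALGORITHM = "AWS4-HMAC-SHA256"
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"                 # constructed placeholder
SECRET_KEY = "example-secret-not-a-real-key"       # constructed placeholder
AMZ_DATE = "20220304T094756Z"                      # matches the timestamp in the question
# Constructed canonical request for a POST to the service endpoint with an empty body
CANONICAL_REQUEST = "\n".join([
    "POST", "/", "",
    "host:savingsplans.amazonaws.com",
    f"x-amz-date:{AMZ_DATE}", "",
    "host;x-amz-date",
    hashlib.sha256(b"{}").hexdigest(),
])


def credential_scope(date_stamp, region, service):
    return f"{date_stamp}/{region}/{service}/aws4_request"


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key, date_stamp, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4'+secret, date), region), service), 'aws4_request')."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def _string_to_sign(amz_date, scope, canonical_request):
    hashed_request = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "\n".join([ALGORITHM, amz_date, scope, hashed_request])


def build_authorization(access_key, secret_key, amz_date, region, service, canonical_request):
    """Client side: sign the request for the given region and emit the Authorization header."""
    date_stamp = amz_date[:8]
    scope = credential_scope(date_stamp, region, service)
    key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, _string_to_sign(amz_date, scope, canonical_request).encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders=host;x-amz-date, Signature={signature}")


def verify_authorization(header, secret_key, amz_date, canonical_request, valid_region):
    """Toy endpoint side: reject a scope for the wrong region, then recompute and compare the signature."""
    fields = dict(part.strip().split("=", 1) for part in header[len(ALGORITHM) + 1:].split(","))
    _access_key, date_stamp, region, service, _terminator = fields["Credential"].split("/")
    if region != valid_region:
        return f"Credential should be scoped to a valid region, not '{region}'."
    scope = credential_scope(date_stamp, region, service)
    key = derive_signing_key(secret_key, date_stamp, region, service)
    expected = hmac.new(key, _string_to_sign(amz_date, scope, canonical_request).encode("utf-8"),
                        hashlib.sha256).hexdigest()
    return "ok" if hmac.compare_digest(expected, fields["Signature"]) else "InvalidSignatureException"


if __name__ == "__main__":
    for region in ("us-east-1", "ap-northeast-1"):
        header = build_authorization(ACCESS_KEY, SECRET_KEY, AMZ_DATE, region, "savingsplans", CANONICAL_REQUEST)
        print(region, "->", verify_authorization(header, SECRET_KEY, AMZ_DATE, CANONICAL_REQUEST, "us-east-1"))
```

The per-region loop in the question does exactly what the second iteration does here: it signs with a scope the endpoint does not accept, and the endpoint names the offending region in its error. The v3 client is constructed without a region argument in the fix above, so the scope matches what the endpoint expects.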

VPN Using AWS CDK

I've been working on creating a VPN using AWS's CDK. I had to use Cloudformation lower level resources, as there doesn't seem to be any constructs yet. I believe I have the code set up correctly, as cdk diff doesn't show any errors. However, when running cdk deploy I get the following error:
CREATE_FAILED | AWS::EC2::ClientVpnEndpoint | ClientVpnEndpoint2
Mutual authentication is required but is missing in the request (Service: AmazonEC2; Status Code: 400; Error Code: MissingParameter; Request ID: 5384a1d9-ff60-4ac4-a1bc-df3a4db9146b; Proxy: null)
Which is odd... because I wouldn't think I'd need mutual authentication in order to create a VPN that uses mutual authentication. And if that is the case, then how do I get the aws cdk stack to use mutual authentication on deployment? Here is the relevant code I have:
client_cert = certificate_manager.Certificate.from_certificate_arn(
    self,
    "ServerCertificate",
    self.cert_arn,
)
server_cert = certificate_manager.Certificate.from_certificate_arn(
    self,
    "ClientCertificate",
    self.client_arn,
)
log_group = logs.LogGroup(
    self,
    "ClientVpnLogGroup",
    retention=logs.RetentionDays.ONE_MONTH
)
log_stream = log_group.add_stream("ClientVpnLogStream")
endpoint = ec2.CfnClientVpnEndpoint(
    self,
    "ClientVpnEndpoint2",
    description="VPN",
    authentication_options=[{
        "type": "certificate-authentication",
        "mutual_authentication": {
            "client_root_certificate_chain_arn": client_cert.certificate_arn
        }
    }],
    tag_specifications=[{
        "resourceType": "client-vpn-endpoint",
        "tags": [{
            "key": "Name",
            "value": "Swyp VPN CDK created"
        }]
    }],
    client_cidr_block="10.27.0.0/20",
    connection_log_options={
        "enabled": True,
        "cloudwatch_log_group": log_group.log_group_name,
        "cloudwatch_log_stream": log_stream.log_stream_name,
    },
    server_certificate_arn=server_cert.certificate_arn,
    split_tunnel=False,
    vpc_id=vpc.vpc_id,
    dns_servers=["8.8.8.8", "8.8.4.4"],
)
dependables = core.ConcreteDependable()
for i, subnet in enumerate(vpc.isolated_subnets):
    network_asc = ec2.CfnClientVpnTargetNetworkAssociation(
        self,
        "ClientVpnNetworkAssociation-" + str(i),
        client_vpn_endpoint_id=endpoint.ref,
        subnet_id=subnet.subnet_id,
    )
    dependables.add(network_asc)
auth_rule = ec2.CfnClientVpnAuthorizationRule(
    self,
    "ClientVpnAuthRule",
    client_vpn_endpoint_id=endpoint.ref,
    target_network_cidr="0.0.0.0/0",
    authorize_all_groups=True,
    description="Allow all"
)
# add routes for subnets in order to surf the internet (useful while splitTunnel is off)
for i, subnet in enumerate(vpc.isolated_subnets):
    ec2.CfnClientVpnRoute(
        self,
        "CfnClientVpnRoute" + str(i),
        client_vpn_endpoint_id=endpoint.ref,
        destination_cidr_block="0.0.0.0/0",
        description="Route to all",
        target_vpc_subnet_id=subnet.subnet_id,
    ).node.add_dependency(dependables)
Maybe this is something simple like needing to update IAM policies? I'm fairly new to AWS, AWS CDK/CloudFormation, and DevOps in general, so any insight would be much appreciated!

Terraform "primary workGroup could not be created"

I'm trying to execute a query on my table in Amazon Athena, but I can't execute any query; I get this error message:
Before you run your first query, you need to set up a query result location in Amazon S3.
Your query has the following error(s):
No output location provided. An output location is required either through the Workgroup result configuration setting or as an API input. (Service: AmazonAthena; Status Code: 400; Error Code: InvalidRequestException; Request ID: b6b9aa41-20af-4f4d-91f6-db997e226936)
So I'm trying to add a workgroup, but I have this problem:
Error: error creating Athena WorkGroup: InvalidRequestException: primary workGroup could not be created
{
    RespMetadata: {
        StatusCode: 400,
        RequestID: "c20801a0-3c13-48ba-b969-4e28aa5cbf86"
    },
    AthenaErrorCode: "INVALID_INPUT",
    Message_: "primary workGroup could not be created"
}
My code:
resource "aws_s3_bucket" "tony" {
  bucket = "tfouh"
}
resource "aws_athena_workgroup" "primary" {
  name       = "primary"
  depends_on = [aws_s3_bucket.tony]
  configuration {
    enforce_workgroup_configuration    = false
    publish_cloudwatch_metrics_enabled = true
    result_configuration {
      output_location = "s3://${aws_s3_bucket.tony.bucket}/"
      encryption_configuration {
        encryption_option = "SSE_S3"
      }
    }
  }
}
Please, is there a solution?
This probably happens because you already have a primary workgroup. Thus, you can't create a new one with the same name. Just create a workgroup with a different name if you want:
name = "primary2"
@Marcin suggested a valid approach, but what may be closer to what you are looking for would be to import the existing workgroup into the state:
terraform import aws_athena_workgroup.primary primary
Once the state knows about the already existing resource it can do the plan and apply possible changes.

PreSignedUrl could not be authenticated. (Service: AmazonRDS; Status Code: 400; Error Code - while copy RDS Snapshot to different region

I have a lambda function which copies the RDS Snapshot from Eu-West-3 to Eu-Central-1 region.
Here is my code:
package fr.aws.rds;

import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.List;

import com.amazonaws.regions.Regions;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.rds.AmazonRDS;
import com.amazonaws.services.rds.AmazonRDSClientBuilder;
import com.amazonaws.services.rds.model.CopyDBSnapshotRequest;
import com.amazonaws.services.rds.model.DBSnapshot;
import com.amazonaws.services.rds.model.DescribeDBSnapshotsRequest;
import com.amazonaws.services.rds.model.DescribeDBSnapshotsResult;

public class CopySnapshot implements RequestHandler<String, String> {
    public String handleRequest(String input, Context context) {
        // Client in the Lambda's own region (the source region of the snapshot)
        AmazonRDS client = AmazonRDSClientBuilder.standard().build();
        DescribeDBSnapshotsRequest request = new DescribeDBSnapshotsRequest()
                .withDBInstanceIdentifier(System.getenv("DB_IDENTIFIER"))
                .withSnapshotType(System.getenv("SNAPSHOT_TYPE"))
                .withIncludeShared(true)
                .withIncludePublic(false);
        DescribeDBSnapshotsResult response = client.describeDBSnapshots(request);
        System.out.println("Found the snapshot " + response);
        // Get the latest snapshot
        List<DBSnapshot> list = response.getDBSnapshots();
        if (list.size() > 0) {
            DBSnapshot d = list.get(list.size() - 1);
            String snapshotArn = d.getDBSnapshotArn();
            System.out.println(snapshotArn);
            // Client in the destination region; the copy request is issued there
            AmazonRDS client_dr_region = AmazonRDSClientBuilder
                    .standard()
                    .withRegion(Regions.EU_CENTRAL_1)
                    .build();
            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("yy-MM-dd-HH-mm");
            CopyDBSnapshotRequest copyDbSnapshotRequest = new CopyDBSnapshotRequest()
                    .withSourceDBSnapshotIdentifier(snapshotArn)
                    .withSourceRegion("eu-west-3")
                    .withKmsKeyId(System.getenv("OTHER_KMS_KEY_ID"))
                    .withTargetDBSnapshotIdentifier("dr-snapshot-copy" + "-" + simpleDateFormat.format(new Date()));
            // The chained setters below act on the returned DBSnapshot object, not on the request
            DBSnapshot response_snapshot_copy = client_dr_region
                    .copyDBSnapshot(copyDbSnapshotRequest)
                    .withKmsKeyId(System.getenv("OTHER_KMS_KEY_ID"))
                    .withSourceRegion("eu-west-3");
            System.out.println("Snapshot request submitted successfully " + response_snapshot_copy);
            return "Snapshot copy request successfully submitted";
        } else {
            return "No Snapshot found";
        }
    }
}
While executing the code, it shows the error below:
{
    "errorMessage": "PreSignedUrl could not be authenticated. (Service: AmazonRDS; Status Code: 400; Error Code: InvalidParameterValue; Request ID: 7f794176-a21f-448e-acb6-8a5832925cab)",
    "errorType": "com.amazonaws.services.rds.model.AmazonRDSException",
    "stackTrace": [
        "com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1726)",
        "com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1381)",
        "com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1127)",
        "com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:784)",
        "com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:745)",
        "com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)",
        "com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)",
        "com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)",
        "com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)",
        "com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)",
        "com.amazonaws.services.rds.AmazonRDSClient.doInvoke(AmazonRDSClient.java:9286)",
        "com.amazonaws.services.rds.AmazonRDSClient.invoke(AmazonRDSClient.java:9253)",
        "com.amazonaws.services.rds.AmazonRDSClient.invoke(AmazonRDSClient.java:9242)",
        "com.amazonaws.services.rds.AmazonRDSClient.executeCopyDBSnapshot(AmazonRDSClient.java:1262)",
        "com.amazonaws.services.rds.AmazonRDSClient.copyDBSnapshot(AmazonRDSClient.java:1234)",
        "fr.aws.rds.CopySnapshot.handleRequest(CopySnapshot.java:59)",
        "fr.aws.rds.CopySnapshot.handleRequest(CopySnapshot.java:19)"
    ]
}
From an env variable I am fetching the KMS key ID of EU-Central-1, which is the destination region for copying the snapshot.
The Lambda has full permission (for trial purposes) on KMS, but it does not work.
I added an inline policy to the specific Lambda role with describe and create-grant on the key (full ARN mentioned), but it still shows the same error.
The key is enabled, but I am not sure why I get such an error.
Many thanks for your valuable feedback.
I have resolved it by adding one more attribute: sourceRegion.
CopyDBSnapshotRequest copyDbSnapshotRequest = new CopyDBSnapshotRequest()
        .withSourceDBSnapshotIdentifier(snapshotArn)
        .withSourceRegion(System.getenv("SOURCE_REGION"))
        .withKmsKeyId(System.getenv("OTHER_KMS_KEY_ID"))
        .withTargetDBSnapshotIdentifier("dr-snapshot-copy" + "-" + simpleDateFormat.format(new Date()));
DBSnapshot response_snapshot_copy = client_dr_region
        .copyDBSnapshot(copyDbSnapshotRequest)
        .withKmsKeyId(System.getenv("OTHER_KMS_KEY_ID"))
        .withSourceRegion(System.getenv("SOURCE_REGION"));
And voila, it worked.

How to use AWS Video Rekognition with an unauthenticated identity?

I have followed the steps of the documentation, but I received:
User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/CognitoRkUnauth_Role/CognitoIdentityCredentials is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxxxx:role/CognitoRkUnauth_Role
The code fails on NotificationChannel. Without it I receive the jobId correctly.
var params = {
    Video: {
        S3Object: {
            Bucket: 'mybucket',
            Name: 'myvideoa1.mp4'
        }
    },
    ClientRequestToken: 'LabelDetectionToken',
    MinConfidence: 70,
    NotificationChannel: {
        SNSTopicArn: 'arn:aws:sns:us-east-1:xxxxxxxx:RekognitionVideo',
        RoleArn: 'arn:aws:iam::xxxxxx:role/CognitoRkUnauth_Role'
    },
    JobTag: "DetectingLabels"
}
I set the configuration to CognitoRkUnauth_Role instead of an IAM user. Translation worked doing this.
In RoleArn I created another role, but it fails too.
I am not the root user.
I know I need to give more information, but if someone can guide me, I will start the configuration again.
I am a beginner in AWS and I don't understand several things at all.
(English is not my first language.)
Well, I had to create a new user. I think there is no reason for doing what I wanted to do :p
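The error in this thread is an `iam:PassRole` denial: passing `RoleArn` in `NotificationChannel` asks Rekognition to assume that role, and the caller must hold `iam:PassRole` on the role ARN for that to be allowed. The evaluator below, added here as an example and not code from the thread or from AWS, answers "does this policy allow this action on this resource?" using the IAM ordering (explicit Deny, then a matching Allow, otherwise implicit deny), and uses it to contrast the unauthenticated role's policy with a narrowly scoped PassRole grant and an over-broad one. It models only `Action`/`NotAction`, `Resource` and a `StringEquals` condition; the policy documents, account id and role names are constructed for the example.

```python
import fnmatch

# Added example (not from the thread or AWS): a minimal IAM identity-policy
# evaluator. Explicit Deny wins, then any matching Allow, otherwise implicit deny.
# Action matching is case-insensitive, resource matching is not; '*' and '?'
# wildcards follow IAM semantics via fnmatch. Only the StringEquals condition
# operator is modelled, which is enough to express iam:PassedToService.

ACCOUNT = "123456789012"  # placeholder account id
UNAUTH_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CognitoRkUnauth_Role"
ADMIN_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"  # placeholder, shows what over-broad grants expose


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    for key, values in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(values):
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Return True if the policy allows `action` on `resource` under `context`."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "NotAction" in stmt:
            action_hit = not _matches(stmt["NotAction"], action, fold_case=True)
        else:
            action_hit = _matches(stmt.get("Action", []), action, fold_case=True)
        resource_hit = _matches(stmt.get("Resource", []), resource)
        if not (action_hit and resource_hit and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def passrole_check(policy, role_arn, service="rekognition.amazonaws.com"):
    """Can a principal holding `policy` pass `role_arn` to `service`?"""
    return is_allowed(policy, "iam:PassRole", role_arn, {"iam:PassedToService": service})


# Constructed: what an unauthenticated identity-pool role typically carries (no PassRole)
UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["rekognition:StartLabelDetection", "rekognition:GetLabelDetection"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mybucket/*"},
    ],
}

# Constructed: the same policy plus a PassRole grant limited to one role and one service
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": UNAUTH_POLICY["Statement"] + [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": UNAUTH_ROLE_ARN,
         "Condition": {"StringEquals": {"iam:PassedToService": "rekognition.amazonaws.com"}}},
    ],
}

# Constructed: the grant to avoid on an unauthenticated role; it lets any role be passed anywhere
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}],
}

if __name__ == "__main__":
    print("unauth role can pass itself:", passrole_check(UNAUTH_POLICY, UNAUTH_ROLE_ARN))
    print("scoped grant, own role:", passrole_check(SCOPED_POLICY, UNAUTH_ROLE_ARN))
    print("scoped grant, admin role:", passrole_check(SCOPED_POLICY, ADMIN_ROLE_ARN))
    print("overbroad grant, admin role:", passrole_check(OVERBROAD_POLICY, ADMIN_ROLE_ARN))
```

The first line reproduces the thread's denial; the scoped statement is the smallest change that would have let the original call through, and the last line shows why `Resource: "*"` on `iam:PassRole` is the wrong fix for an identity that anyone can obtain without signing in.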