Permission problem accessing CodeCommit repository during build phase - amazon-iam

I am struggling to create my first React app. I have connected the app to the CodeCommit repository, but the build on the Amplify console fails with this message:
2020-12-14T09:25:04.155Z [ERROR]: !!! Unable to assume specified IAM Role. Please ensure the selected IAM Role has sufficient permissions and the Trust Relationship is configured correctly.
The provision phase works perfectly:
I have created the service role AmplifyConsoleServiceRole-AmplifyRole as suggested in this guide, and I am logged in as a user with AdministratorAccess authorization. Git commits to the repository from my PC console work perfectly.
It is not clear to me which IAM role the AWS Amplify Console is unable to assume. I think it is the AmplifyConsoleServiceRole-AmplifyRole, which I selected as the service role during app creation. The permissions of this role are AdministratorAccess as well. How can I check if the Trust Relationship is configured correctly?

I've contacted Amazon support. They answered that something is not working on their side using eu-south-1.
I've just tried on eu-central-1 and the build process worked as expected. So there were no permission problems, simply a bug. They told me that it will be addressed soon.
Edit: the Amazon support team found the problem in the trust relationship to be used with the eu-south-1 region. It must be defined in the following way:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["amplify.eu-south-1.amazonaws.com", "amplify.amazonaws.com"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Related

AWS Toolkit for Visual Studio 2022 failing on deploy lambda

I'm trying to update one lambda to the AWS Cloud, but suddenly this error started to appear:
Error attempting to fix the trust policy for IAM Role...
Checking the "Trust Relationships" tab on the AWS Web Console, as demanded by the error message, everything looks OK:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Some idea about how to fix it?
You can define multiple profiles within the credentials files that live in the .aws folder under your user home folder. Information about these files can be found at https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/credentials.html
If your credentials are simple access key - secret key pairings, you can use the AWS Toolkit to create new profiles. In Visual Studio, go to the View menu and select AWS Explorer. From the AWS Explorer, there will be buttons that allow you to add/edit/delete credentials profiles. Using these will allow you to create or modify a profile's access key and secret key. More details about this workflow can be found at https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/keys-profiles-credentials.html
I figured out that my credentials are wrong.
The AWS Toolkit uses the credentials configured in the terminal and saves them under the ".aws" folder in the user home folder.
As I use more than one account, sometimes I change these credentials (I know that it is possible to configure profiles).

AccessDeniedException on sagemaker:CreateDomain in AWS SageMaker Studio, despite having SageMakerFullAccess

I am trying to use the AWS SageMaker Studio > Get Started > Quick Start, as an IAM user with the AmazonSageMakerFullAccess policy attached, but I am getting the following error:
User: arn:aws:iam::<user-id>:user/<username> is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-west-1:<user-id>:domain/d-<domain-id>
I looked up some documentation on the CreateDomain command, and it looks like it involves EFS storage and VPC configuration, so I have also added the FullAccess policies for these services to my IAM user, but am still getting the same error.
I also tried adding a custom policy as shown here: https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-createdomain-perms which also seemed to have no effect.
What am I doing wrong here?
The AmazonSageMakerFullAccess policy gives the user access to perform actions such as starting training jobs and deploying endpoints, along with limited access to other services such as ECR, Glue, etc. This is generally attached to a SageMaker notebook instance or Studio.
The user creating the SageMaker domain needs the sagemaker:CreateDomain permission, i.e., to your IAM user, add:
{
  "Sid": "AllowCreateDomain",
  "Effect": "Allow",
  "Action": "sagemaker:CreateDomain",
  "Resource": "*"
}
I work at AWS and my opinions are my own.

The requested URL returned error: 403, AWS Serverless: Amplify app to CodeCommit

Trying to host a web application (HTML) using a serverless approach on AWS Amplify, connecting to the AWS CodeCommit repository (where the HTML code version history is maintained). Save and Deploy of the app on Amplify is failing in the 'Build' step and returns the following error:
2020-08-17T01:32:37.631Z [INFO]: Cloning into 'Test'...
2020-08-17T01:32:42.406Z [INFO]: fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/Test/': The requested URL returned error: 403
2020-08-17T01:32:42.409Z [ERROR]: !!! Unable to clone repository
Steps followed: https://aws.amazon.com/getting-started/hands-on/build-serverless-web-app-lambda-apigateway-s3-dynamodb-cognito/module-1/
Step 1 (Host a static website, in the above link) only works if I give the repo name as 'wildrydes-site' exactly. If I just change the name to something else with all the same files, it doesn't work. Am I missing something here?
If you are getting a 403 error, you could check the policy associated with the service role in IAM. You need to specify the CodeCommit repository within the policy that uses the service role you specified in Amplify.
Amplify App Detail
Service Role Policy
You need to set a service role for your app.
If you don't have a service role for Amplify backend deployment, you have to create one.
The Amplify Console requires permissions to deploy backend resources with your front end. You use a service role to accomplish this.
The following would be helpful.
Adding a service role to the Amplify Console when you connect an app
Create a role for an AWS service. Select the use case "Amplify", then "Backend Deployment".
Go to the Amplify console. Open App settings, General. Set this role as your app's service role.
The Amplify app is missing permissions to your Git repository. Make sure you connect your AWS Amplify app to your repository in AWS CodeCommit.
Here's an image excerpt:
Please check the auto-generated policy "AWSAmplifyExecutionPolicy" created by AWS Amplify in the IAM console. The auto-generated AWSAmplifyExecutionPolicy specifies permission to access your repository in CodeCommit. The Resource in the CodeCommit statement should be the ARN of your repository.
Add an inline policy to give access on CodeCommit to clone the repository, and check the build output for any further errors.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "codecommit:*",
      "Resource": "*"
    }
  ]
}
Check your role's policy JSON and verify that the statement granting codecommit:GitPull lists your repository ARN under Resource; if it is not present, add it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:ap-south-1:<accountid>:log-group:/aws/amplify/xxxxxx",
        "arn:aws:logs:ap-south-1:<accountid>:log-group:/aws/amplify/xxxxxx:*"
      ],
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:codecommit:ap-south-1:<accountid>:<repo_name>"
      ],
      "Action": [
        "codecommit:GitPull"
      ]
    }
  ]
}
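To see why the service-role policy above grants the clone only for the repository named in Resource (and why the SageMaker answer's missing sagemaker:CreateDomain statement matters), here is an added example, not code from any of the answers, that evaluates an identity policy the way IAM does at the Action/Resource level. The account id and repository names are constructed stand-ins for the page's placeholders; Condition blocks are assumed absent.

```python
"""Added example: does an IAM identity policy allow an action on a resource?

Implements the basic IAM rule: an explicit Deny wins, otherwise any matching
Allow grants. Action and Resource accept IAM's '*' and '?' wildcards.
Condition blocks are ignored (assumption: the policies on this page have none).
"""
import fnmatch


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """Wildcard match; action names are case-insensitive, resource ARNs are not."""
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def policy_allows(policy, action, resource):
    """Return True if `policy` lets `action` be performed on `resource`."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


# Constructed sample values standing in for <accountid> and <repo_name>.
ACCOUNT = "123456789012"
REPO_ARN = f"arn:aws:codecommit:ap-south-1:{ACCOUNT}:my-site"
OTHER_REPO_ARN = f"arn:aws:codecommit:ap-south-1:{ACCOUNT}:other-repo"

# Shape of the auto-generated Amplify service-role policy: GitPull on one repo.
SERVICE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["codecommit:GitPull"],
                   "Resource": [REPO_ARN]}],
}

if __name__ == "__main__":
    # Cloning any other repository with this role fails: no matching Allow.
    print(policy_allows(SERVICE_ROLE_POLICY, "codecommit:GitPull", REPO_ARN))
    print(policy_allows(SERVICE_ROLE_POLICY, "codecommit:GitPull", OTHER_REPO_ARN))
```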
I encountered the same issue. As another answer mentioned, a role is needed.
I want to give my detailed steps:
Go to the Amplify console;
choose the application;
click "General" in "App settings" in the left menu;
click "Edit" at the top right;
click "Create new role";
on the next page, some items will be chosen automatically, including "AWS service", "Amplify", "Amplify - Backend Deployment";
next and next;
If this procedure fails, try to get more authority or log in as admin.

Is it possible to restrict access to S3 data from EMR (zeppelin) by IAM roles?

I have set up an EMR cluster with Zeppelin installed on it. I configured Zeppelin with Active Directory authentication and I have associated those AD users with IAM roles. I was hoping to restrict access to specific resources on S3 after logging into Zeppelin using the AD credentials. However, it doesn't seem to be respecting the permissions the IAM role has defined. The EMR role has S3 access, so I am wondering if that is overriding the permissions or if that is actually the only role it cares about in this scenario.
Does anyone have any idea?
I'm actually about to try to tackle this problem this week. I will try to post updates as I have some. I know that this is an old post, but I've found so many helpful things on this site that I figured it might help someone else even if doesn't help the original poster.
The question was if anyone has any ideas, and I do have an idea. So even though I'm not sure if it will work yet, I'm still posting my idea as a response to the question.
So far, what I've found isn't ideal for large organizations because it requires some per user modifications on the master node, but I haven't run into any blockers yet for a cluster at the scale that I need it to be. At least nothing that can't be fixed with a few configuration management tool scripts.
The idea is to:
Create a vanilla Amazon EMR cluster
Configure SSL
Configure authentication via Active Directory
(this step is what I am currently on) Configure Zeppelin to use impersonation (i.e. run the actual notebook processes as the authenticated user), which so far seems to require creating a local OS (Linux) user (with a username matching the AD username) for each user that will be authenticating to the Zeppelin UI. Employing one of the impersonation configurations can then cause Zeppelin to run the notebooks as that OS user (there are a couple of different impersonation configurations possible).
Once impersonation is working, manually configure my own OS account's ~/.aws/credentials and ~/.aws/config files.
Write a Notebook that will test various access combinations based on different policies that will be temporarily attached to my account.
The idea is to have the Zeppelin notebook processes kick off as the OS user that is named the same as the AD-authenticated user, and then have ~/.aws/credentials and ~/.aws/config files in each user's home directory, hoping that this might cause the connection to S3 to follow the rules that are attached to the AWS account associated with the keys in each user's credentials file.
I'm crossing my fingers that this will work, because if it doesn't, my idea for how to potentially accomplish this will become significantly more complex. I'm planning on continuing to work on this problem tomorrow afternoon. I'll try to post an update when I have made some more progress.
One way to allow access to S3 by IAM user/role is to meet these 2 conditions:
Create S3 bucket policy matching S3 resources with IAM user/role. This should be done in S3/your bucket/Permissions/Bucket Policy.
Example:
{
  "Version": "2012-10-17",
  "Id": "Policy...843",
  "Statement": [
    {
      "Sid": "Stmt...434",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account-id>:user/your-s3-user",
          "arn:aws:iam::<account-id>:role/your-s3-role"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::target-bucket/*",
        "arn:aws:s3:::other-bucket/specific-resource"
      ]
    }
  ]
}
Allow S3 actions for your IAM user/role. This should be done in IAM/Users/your user/Permissions/Add inline policy. Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:HeadBucket",
        "s3:ListObjects"
      ],
      "Resource": "*"
    }
  ]
}
Please note this might not be the only and/or best way, but it worked for me.

What permission am I missing for AWS Glue and Development Endpoint?

I'm getting the following error when I try to create a development endpoint for AWS Glue.
{
  "service": "AWSGlue",
  "statusCode": 400,
  "errorCode": "ValidationException",
  "requestId": "<here goes an UUID>",
  "errorMessage": "Role arn:aws:iam::<IAM ID>:role/AWSGlueServiceRole-DefaultRole should be given assume role permissions for Glue Service.\n",
  "type": "AwsServiceError"
}
And my role has the following permissions.
AmazonS3FullAccess
AWSGlueServiceNotebookRole
AmazonAthenaFullAccess
AWSGlueServiceRole
CloudWatchLogsReadOnlyAccess
AWSGlueConsoleFullAccess
AWSCloudFormationReadOnlyAccess
Any clues on what I am missing?
In your trust relationship, the trust should be established with glue.amazonaws.com. Your role (AWSGlueServiceRole-DefaultRole) may not have this. To confirm, go to the IAM roles console, select the IAM role: AWSGlueServiceRole-DefaultRole and click on the Trust Relationship tab.
The JSON for this should look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "glue.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Example screenshot for the Trust relationship:
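Both this Glue answer and the Amplify eu-south-1 answer at the top of the page come down to the same check: does the role's trust policy allow the right service principal to call sts:AssumeRole? The following is an added example, not code from the answers, that reads a trust policy document and reports which required service principals are missing, covering both the single-string and list forms of "Principal": {"Service": ...}. The sample policies are constructed from the JSON shown in those answers.

```python
"""Added example: which service principals does an IAM role trust policy allow?

Reads a trust policy (the JSON on the role's Trust Relationships tab) and
reports required service principals that are missing. Handles both the
single-string and list forms of "Principal": {"Service": ...} and of "Action".
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Service principals allowed by the policy to call sts:AssumeRole."""
    services = set()
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):  # {"Service": "x"} or {"Service": [...]}
            services.update(s.lower() for s in _as_list(principal.get("Service", [])))
    return services


def missing_services(trust_policy, required):
    """Required principals the role does not trust (empty set means it is fine)."""
    have = trusted_services(trust_policy)
    return {s for s in required if s.lower() not in have}


def assume_role_statement(*services):
    """Build the Allow statement the answers show, for any list of principals."""
    return {"Effect": "Allow", "Principal": {"Service": list(services)},
            "Action": "sts:AssumeRole"}


# Constructed samples: the eu-south-1 trust policy from the Amplify answer, a
# role trusting only the global Amplify principal, and the Glue answer's policy.
AMPLIFY_EU_SOUTH_1 = {"Version": "2012-10-17", "Statement": [assume_role_statement(
    "amplify.eu-south-1.amazonaws.com", "amplify.amazonaws.com")]}
AMPLIFY_GLOBAL_ONLY = {"Version": "2012-10-17",
                       "Statement": [assume_role_statement("amplify.amazonaws.com")]}
GLUE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                 "Principal": {"Service": "glue.amazonaws.com"}}]}
AMPLIFY_EU_SOUTH_1_NEEDS = ["amplify.eu-south-1.amazonaws.com", "amplify.amazonaws.com"]

if __name__ == "__main__":
    print(missing_services(AMPLIFY_GLOBAL_ONLY, AMPLIFY_EU_SOUTH_1_NEEDS))
    print(missing_services(GLUE, ["glue.amazonaws.com"]))
```

Run against a policy fetched with `aws iam get-role`, a non-empty result names the principal to add under "Service".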
I was tripped up by this as well; the problem is that when you use the console to create a default glue service role it ends up creating the IAM role like this:
arn:aws:iam:::role/service-role/AWSGlueServiceRole-DefaultRole
Make note of the "service-role" in the path.
But then when choosing that role as the role you want to use in the console wizard for setting up a new dev endpoint it doesn't include the "service-role" in the path and looks for a role named like this:
arn:aws:iam:::role/AWSGlueServiceRole-DefaultRole
I think this is just a bug in the console wizard for creating dev endpoints. I got around it by creating a new role that doesn't have "service-role" in the path and then chose that role in the console wizard and was able to successfully create a dev endpoint.
The problem was somehow related to an old role that I had already messed with. I created a brand new role just for development following this link and this link, and it worked like a charm.