When I enter the example code from here https://docs.aws.amazon.com/de_de/translate/latest/dg/async.html
$ aws translate start-text-translation-job --job-name batch-test \
    --source-language-code en \
    --target-language-codes fr \
    --input-data-config S3Uri=s3://input-bucket-name/folder,ContentType=text/plain \
    --output-data-config S3Uri=s3://output-bucket-name/ \
    --data-access-role-arn arn:aws:iam::012345678901:role/service-role/AmazonTranslateInputOutputAccess
Then the following error is thrown:
An error occurred
(InvalidRequestException) when calling the StartTextTranslationJob
operation: Translate is not authorized to assume role:
arn:aws:iam::012345678901:role/service-role/AmazonTranslateInputOutputAccess.
Please update the role's trust policy.
The role AmazonTranslateInputOutputAccess is already created, but anyhow it is affected by the thrown error.
I could fix it by adding a trust policy of:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "translate.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Adding this will fix the issue.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTranslation",
            "Effect": "Allow",
            "Resource": "*",
            "Action": "translate:*"
        }
    ]
}
If you want to auto-detect the source language and translate the text, then you also have to add the Comprehend action to your IAM role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTranslation",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [ "translate:*", "comprehend:*" ]
        }
    ]
}
I have created a user and granted three permissions to it:
IAMFullAccess, AmazonSageMakerFullAccess and AmazonS3FullAccess
Now when I try to set up a SageMaker domain, it throws the following exceptions:
ValidationException
Access denied in getting/accepting the portfolio shared by SageMaker. Please call withservicecatalog:AcceptPortfolioShare & servicecatalog:ListAcceptedPortfolioShares permission.
AccessDeniedException
User: arn:aws:iam::117609614511:user/tac-sagemaker is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-east-1:117609614511:domain/d-bpq1nh2g5t9l because no identity-based policy allows the sagemaker:CreateDomain action
First, I do not understand why, though I granted full SageMaker access, it is not picking up the CreateDomain policy.
Second, I went to my role and manually added these policies.
Here are the policies for my SageMaker role:
AmazonSageMaker-ExecutionPolicy-20220813T004513
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::s34sagemaker"
            ]
        },
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::s34sagemaker/*"
            ]
        }
    ]
}
SagemakerCreateDomain
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sagemaker:CreateDomain",
            "Resource": "arn:aws:sagemaker:*:117609614511:domain/*"
        }
    ]
}
sagemakerportfolioservices
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "servicecatalog:AcceptPortfolioShare",
            "Resource": "arn:aws:catalog:*:117609614511:portfolio/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "servicecatalog:ListAcceptedPortfolioShares",
            "Resource": "*"
        }
    ]
}
But it is still giving me the same error.
Edit
I added two new policies to my user:
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
AWSServiceCatalogAdminFullAccess
Now the ValidationException is gone, but I am still getting the AccessDeniedException.
EDIT2:
I have attached a new custom policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "sagemaker:CreateDomain"
            ],
            "Resource": "*"
        }
    ]
}
But the error is still the same.
I would recommend using the CloudFormation template in this blog to help create the Domain and User Profile.
https://aws.amazon.com/blogs/machine-learning/automate-a-centralized-deployment-of-amazon-sagemaker-studio-with-aws-service-catalog/
I have tried setting up a permissions policy granting ssm:GetParameter and ssm:GetParameters to a role, but I get the error that "ssm:GetParameter is not allowed for this role". The only way I've found to eliminate the error is to grant ssm:*; however, I'd like to keep my permissions to a minimum. What am I missing here?
failing permission (account_id obscured):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:us-east-1:{redacted}:parameter/*"
        }
    ]
}
working permission:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:*",
            "Resource": "arn:aws:ssm:us-east-1:{redacted}:parameter/*"
        }
    ]
}
Try using:
"Action": [
    "ssm:GetParameter",
    "ssm:GetParameters",
    "ssm:GetParametersByPath"
]
If that does not help, allow "ssm:DescribeParameters".
I generated the below code using the S3 policy generator; when I paste the code in the AWS S3 edit policy console it shows an error. Please help.
{
    "Id": "Policy1611491895768",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1611491893687",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::aws-landing-zone-configuration-756692330110-ap-south-1",
            "Principal": {
                "AWS": [
                    "\"AWS\": \"arn:aws:iam::756692330110::user/aravindkumar.s#gmail.com\""
                ]
            }
        }
    ]
}
There are a few issues:
GetObject is applicable only to bucket objects, not the bucket, so Resource should end with /*.
Principal is not formatted right.
Here is the updated policy:
{
    "Version": "2012-10-17",
    "Id": "Policy1611491895768",
    "Statement": [
        {
            "Sid": "Stmt1611491893687",
            "Effect": "Allow",
            "Principal": {
                "AWS": ["arn:aws:iam::756692330110:user/aravindkumar.s#gmail.com"]
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::aws-landing-zone-configuration-756692330110-ap-south-1/*"
        }
    ]
}
I am trying to add trust relationships to allow CodeDeploy to work for my role.
I have the following JSON:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]
            },
            "Action": [
                "sts:AssumeRole",
                "codedeploy:GetApplication",
                "codedeploy:GetDeploymentGroup",
                "codedeploy:CreateDeployment",
                "codedeploy:GetDeployment"
            ]
        }
    ]
}
I keep getting the following error:
You are mixing two different concepts in the policy: trust relationship and IAM actions.
You need to have two different policies, one for the IAM role trust relationship like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
and another for the IAM permissions policy, which takes Action and Resource but no Principal:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "codedeploy:GetApplication",
                "codedeploy:GetDeploymentGroup",
                "codedeploy:CreateDeployment",
                "codedeploy:GetDeployment"
            ],
            "Resource": "*"
        }
    ]
}
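A small checker for the two policy shapes the threads above trip over: a trust policy carrying CodeDeploy actions (this question) and a bucket policy with a bucket-level Resource and a quoted, double-colon principal (the S3 question before it). This is an added example, not code from the original posts or from AWS; the principal-ARN regex and the object-action list are assumptions made for the check, and the two sample policies are constructed from the questions.

```python
import re

# Shape IAM accepts for a user/role principal ARN (assumption for this check: a
# 12-digit account id, a single colon before user/ or role/, no quotes or spaces).
PRINCIPAL_ARN = re.compile(r'^arn:aws:iam::\d{12}:(user|role)/[^\s:"]+$')
# S3 actions that apply to objects, so their Resource must be an object ARN.
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return findings for the policy mistakes discussed in the threads above."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        has_principal, has_resource = "Principal" in stmt, "Resource" in stmt
        sts_only = bool(actions) and all(a.startswith("sts:") for a in actions)
        if has_principal and not has_resource and not sts_only:
            findings.append(f"stmt {i}: Principal plus non-sts actions mixes a trust policy "
                            "with a permissions policy; split them")
        if not has_principal and not has_resource:
            findings.append(f"stmt {i}: identity-based statement has no Resource")
        for arn in _as_list(stmt.get("Resource", [])):
            path = arn[len("arn:aws:s3:::"):] if arn.startswith("arn:aws:s3:::") else "/"
            if "/" not in path and OBJECT_ACTIONS & set(actions):
                findings.append(f"stmt {i}: object-level S3 action on bucket ARN {arn}; append /*")
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            for arn in _as_list(principal.get("AWS", [])):
                if arn != "*" and not PRINCIPAL_ARN.match(arn):
                    findings.append(f"stmt {i}: malformed AWS principal {arn!r}")
    return findings

# Constructed samples, transcribed from the two questions above.
BROKEN_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::aws-landing-zone-configuration-756692330110-ap-south-1",
    "Principal": {"AWS": ['"AWS": "arn:aws:iam::756692330110::user/aravindkumar.s#gmail.com"']}}]}
MIXED_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]},
    "Action": ["sts:AssumeRole", "codedeploy:GetApplication", "codedeploy:CreateDeployment"]}]}

if __name__ == "__main__":
    for name, doc in [("bucket policy", BROKEN_BUCKET_POLICY), ("trust policy", MIXED_TRUST_POLICY)]:
        for finding in lint_policy(doc) or ["no findings"]:
            print(f"{name}: {finding}")
```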
I have a domain, domain1, and I am trying to allow user1 to access it. This is the policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::340539148951:user/user1"
            },
            "Action": "es:*",
            "Resource": "arn:aws:es:us-east-1:340539148951:domain/domain1/*"
        }
    ]
}
When user1 logs in to the Console and tries to go to the Elasticsearch content, he gets this error:
ListDomainNames: {"Message":"User:
arn:aws:iam::340539148951:user/user1 is not authorized to perform:
es:ListDomainNames on resource:
arn:aws:es:us-east-1:340539148951:domain/*"}
So the question is where do I set this? At the user level? What would the policy be?
Dima.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1504015454000",
            "Effect": "Allow",
            "Action": [
                "es:*"
            ],
            "Resource": [
                "arn:aws:es:us-east-1:340539148951:domain/*"
            ]
        }
    ]
}
Probably too much es:* - but it worked
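An added example, not from the original post, that evaluates the question's Resource pattern and the answer's pattern against the action and resource quoted in the error message, to show why domain/domain1/* does not cover es:ListDomainNames on domain/*. IAM's wildcard matching is reimplemented here in simplified form (Allow statements only; no Deny, Condition, NotAction or Principal handling), and the ARNs and action names are the ones from the question and answer.

```python
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob_to_regex(pattern):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one (assumption: no policy variables).
    return "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"

def arn_matches(pattern, arn):
    """Resource ARNs are matched case-sensitively, including a literal '*' in the requested ARN."""
    return re.match(_glob_to_regex(pattern), arn) is not None

def action_matches(pattern, action):
    """Action names are case-insensitive, so 'es:*' and 'ES:listdomainnames' compare equal."""
    return re.match(_glob_to_regex(pattern.lower()), action.lower()) is not None

def policy_allows(policy, action, resource):
    """True if any Allow statement matches both the action and the resource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if (any(action_matches(p, action) for p in _as_list(stmt.get("Action", [])))
                and any(arn_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))):
            return True
    return False

# Constructed from the question (NARROW) and the answer (WIDE) above.
NARROW = {"Statement": [{"Effect": "Allow", "Action": "es:*",
                         "Resource": "arn:aws:es:us-east-1:340539148951:domain/domain1/*"}]}
WIDE = {"Statement": [{"Effect": "Allow", "Action": ["es:*"],
                       "Resource": ["arn:aws:es:us-east-1:340539148951:domain/*"]}]}
# The action and resource quoted in the error message.
DENIED_ACTION = "es:ListDomainNames"
DENIED_RESOURCE = "arn:aws:es:us-east-1:340539148951:domain/*"

if __name__ == "__main__":
    for name, doc in [("narrow", NARROW), ("wide", WIDE)]:
        print(name, policy_allows(doc, DENIED_ACTION, DENIED_RESOURCE))
```

The narrow pattern also fails to match the domain ARN itself (domain/domain1 without a trailing slash), which is why a per-domain grant usually lists both domain/domain1 and domain/domain1/*.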