Unable to create Device Fleet - amazon-web-services

I am following these docs https://docs.aws.amazon.com/sagemaker/latest/dg/edge-device-fleet-create.html#edge-device-fleet-create-console to create a device fleet. In the console, Role ARN is optional, but it throws "RoleARN is required". If I provide a proper RoleArn it throws "Failed to create/modify RoleAlias. Check your IAM role permission."
I have no idea what is going wrong. Any hint would be appreciated.

Mohamed, this means that Sagemaker Edge Manager was unable to use the RoleAlias you provided to take the necessary actions when creating a DeviceFleet. It needs to have the AmazonSageMakerEdgeDeviceFleetPolicy attached (or have similar permissions granted) and it needs to trust both SageMaker and IoT Core.
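A quick offline check of a candidate role against the two things the answer above lists, as an added example (not code from the original thread or from AWS). It assumes the two service principals the AWS device fleet docs name, sagemaker.amazonaws.com and credentials.iot.amazonaws.com (the IoT credentials provider that hands the role-alias credentials to devices), and runs on trust-policy and attached-policy data you fetch yourself, e.g. with `aws iam get-role` and `aws iam list-attached-role-policies`; the trust documents and the policy ARN in the block are constructed samples.

```python
import json

# Assumption taken from the AWS docs for device fleet roles: SageMaker itself
# and the IoT credentials provider must both be allowed to assume the role.
REQUIRED_TRUSTED_SERVICES = {"sagemaker.amazonaws.com", "credentials.iot.amazonaws.com"}
REQUIRED_MANAGED_POLICY = "AmazonSageMakerEdgeDeviceFleetPolicy"


def _as_list(value):
    """IAM allows a single string or object wherever a list is valid."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def trusted_services(trust_policy: dict) -> set:
    """Return every service principal an Allow statement lets call sts:AssumeRole."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            found.update(_as_list(principal.get("Service")))
    return found


def check_fleet_role(trust_policy: dict, attached_policy_arns: list) -> list:
    """List what is wrong with a candidate device fleet role; [] means it looks usable."""
    problems = []
    for svc in sorted(REQUIRED_TRUSTED_SERVICES - trusted_services(trust_policy)):
        problems.append(f"trust policy does not let {svc} assume the role")
    # Match on the policy name so that either ARN path (with or without
    # service-role/) is accepted.
    if not any(arn.endswith("/" + REQUIRED_MANAGED_POLICY) for arn in attached_policy_arns):
        problems.append(f"{REQUIRED_MANAGED_POLICY} is not attached")
    return problems


# Constructed sample: a role that only trusts SageMaker, which is what a plain
# execution role usually looks like and why the RoleAlias step fails.
SAGEMAKER_ONLY_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "sagemaker.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Constructed sample: the same role with the trust policy widened to both services.
FLEET_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["sagemaker.amazonaws.com", "credentials.iot.amazonaws.com"]},
    "Action": "sts:AssumeRole"
  }]
}""")

# Constructed sample ARN; only the trailing policy name matters to the check.
FLEET_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonSageMakerEdgeDeviceFleetPolicy"

if __name__ == "__main__":
    for name, trust in [("sagemaker-only", SAGEMAKER_ONLY_TRUST), ("fleet", FLEET_TRUST)]:
        print(name, check_fleet_role(trust, [FLEET_POLICY_ARN]) or "ok")
```

Feed it the `Role.AssumeRolePolicyDocument` from `aws iam get-role` and the `PolicyArn` values from `aws iam list-attached-role-policies`; an empty result means the two conditions the answer names are met, not that every permission inside the managed policy is sufficient for your account's resource restrictions.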

Related

How to get AWS policy needed to run a specific CLI command?

I am new to AWS. I am trying to import an OVA to an AMI and use it for an EC2 instance as described here:
One of the commands it asks you to run is
aws ec2 describe-import-image-tasks --import-task-ids import-ami-1234567890abcdef0
When I do this I get
An error occurred (UnauthorizedOperation) when calling the DescribeImportImageTasks operation: You are not authorized to perform this operation.
I believe this means I need to add the appropriate Role (with a policy to be able to describe-import-image-tasks) to my cli user.
In the IAM console, I see a search feature to filter policies for a role which I will assign to my user. However, it doesn't seem to have any results for describe-import-image-tasks.
Is there an easy way to determine which policies are needed to run an AWS Cli command?
There is not an easy way. The CLI commands usually (but not always) map to a single IAM action that you need permission to perform. In your case, it appears you need the ec2:DescribeImportImageTasks permission, as listed here.

Handle execution role to Setup SageMaker Domain (not root user)

I'm working on an AWS account managed by another team which uses it only for S3 storage. We have authorization to use SageMaker, and the administrator said "AmazonSageMakerFullAccess" has been given to me.
I'm trying to access SageMaker Studio, and for that I'm asked by AWS to "Setup SageMaker Domain".
I then need a "Default execution role"
If I try to create one, I got error "User ... is not authorized to perform: iam:CreateRole on resource: ..."
There is an option to use a custom existing one with the format
"arn:aws:iam::YourAccountID:role/yourRole"
but while I have an account Id, I don't know what role to use.
I don't have permission to create a role, and the ones I see in the IAM service don't seem to be related to SageMaker (also I don't have permission to see the details of those roles).
Should the SageMaker setup be done by the administrator who can create a new role? Or is there a way for me to do it, and if so, where can I find the role I need?
If you don't attach any role to AWS SageMaker, then when you try to create a SageMaker resource for the very first time it will create a default execution role for the service. Either get permission to create a role or ask your administrator to create an execution role for SageMaker, so that next time you create one you can use the same role.

Cannot attach a Service Role Policy to a Customer Role

I have a problem when creating a Role: I am getting an error that says "Cannot attach a Service Role Policy to a Customer Role".
In fact, there is something called Customer Managed Role, which the above error seems to display as 'Customer Role'.
From AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role)
A role that a service assumes to perform actions in your account on your behalf. When you set up some AWS service environments, you must define a role for the service to assume. This service role must include all the permissions required for the service to access the AWS resources that it needs.
Now if you create a role, which isn't a service role, and attach permissions yourself, it appears under what AWS shows as Customer Managed Role (Screenshot below). If you look carefully, the service roles in AWS show the AWS box icon and the Customer Managed ones don't.
Reason: I was facing the above error as well and the reason was that my Role had custom inlined policies attached. If a Role has custom attached policies (inlined), AWS doesn't let you attach the Service Roles to it. You can filter the roles and find out what's causing the issue.
I hope this is documented somewhere as I was scratching my head for quite some time on this.

Terraform to create ec2 instance error even though instance is created

I am having trouble creating ec2 instances with my IAM role.
The permissions I gave are
List: DescribeInstances, DescribeKeyPairs
Read: DescribeTags
Tagging: CreateTags
Write: CreateKeyPair, DeleteKeyPair, ImportKeyPair, RunInstances, TerminateInstances
The error is
error while describing instance(...) attribute (instanceInitiatedShutdownBehaviour): UnauthorizedOperation: You are not authorized to perform this operation.
However, on the AWS console, the EC2 instance is created. I am unable to terraform destroy it due to the same error.
It works if I give full ec2 access (ec2:*) so it has nothing to do with my terraform code.
Thank you.
I went through the same error and it is because of a lack of permissions. In the error:
error while describing instance(...) attribute (instanceInitiatedShutdownBehaviour): UnauthorizedOperation: You are not authorized to perform this operation.
the UnauthorizedOperation is trying to describe an instance attribute, since you do not have the ec2:DescribeInstanceAttribute permission.
Depending on what your Terraform config for the instances looks like, you may require more permissions. You can enable debug logs in your apply command to get more information:
TF_LOG=DEBUG terraform apply
Use the visual policy editor to add permissions to your IAM role and look out for Action Warnings. It will tell you if you are missing any permissions required by the existing permissions.
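Both this answer and the earlier one about ec2:DescribeImportImageTasks come down to the same question: which of the actions a tool needs are absent from the policy attached to the caller? The following is an added example (not code from the thread) that answers it offline for the Action element of a policy document, with IAM-style `*`/`?` wildcards and case-insensitive matching. The policy in the block is a constructed reconstruction of the permission list in the question; the list of required actions is also constructed (the actions named in the question plus the one the error message names) and is not the full set an aws_instance resource needs.

```python
import re


def _as_list(value):
    """IAM allows a single string or object wherever a list is valid."""
    if value is None:
        return []
    if isinstance(value, (str, dict)):
        return [value]
    return list(value)


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def missing_actions(policy: dict, required: list) -> list:
    """Return the required actions that no Allow statement grants.

    Only the Action element is modelled. Deny statements, Resource and
    Condition restrictions, permission boundaries and SCPs can still block
    an action this function reports as covered.
    """
    allow_patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            allow_patterns.extend(_as_list(stmt.get("Action")))
    return [a for a in required
            if not any(_action_matches(p, a) for p in allow_patterns)]


# Constructed sample: the permission set listed in the question above.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeTags",
            "ec2:CreateTags", "ec2:CreateKeyPair", "ec2:DeleteKeyPair",
            "ec2:ImportKeyPair", "ec2:RunInstances", "ec2:TerminateInstances",
        ],
        "Resource": "*",
    }],
}

# Constructed sample: what the question's policy already grants plus the
# action the error message names. A real aws_instance run needs more.
TERRAFORM_INSTANCE_ACTIONS = [
    "ec2:RunInstances", "ec2:DescribeInstances", "ec2:CreateTags",
    "ec2:DescribeInstanceAttribute", "ec2:TerminateInstances",
]

if __name__ == "__main__":
    print("missing for terraform:", missing_actions(QUESTION_POLICY, TERRAFORM_INSTANCE_ACTIONS))
    print("missing for import task:", missing_actions(QUESTION_POLICY, ["ec2:DescribeImportImageTasks"]))
```

Because only Action is modelled, use this to narrow the list of candidates from a debug log, then confirm with the real evaluator, `aws iam simulate-principal-policy --policy-source-arn <role arn> --action-names <actions>`, which does account for Deny, conditions and boundaries.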

Service role EMR_DefaultRole has insufficient EC2 permissions

While creating an AWS EMR cluster, I always get the issue: Service role EMR_DefaultRole has insufficient EC2 permissions.
And the cluster terminates automatically. I have even done the steps in the AWS documentation for recreating the EMR-specific roles, but no progress. Please guide me on how to resolve the issue: Service role EMR_DefaultRole has insufficient EC2 permissions.
EMR needs two roles to start the cluster: 1) the EC2 instance profile role and 2) the EMR service role. The service role should have enough permissions to provision the new resources needed to start the cluster: EC2 instances, their network, etc. There could be many reasons for this common error:
Verify the resources and their actions. Refer https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-iam-role.html.
Check if you are passing the tag that signifies if cluster needs to use emr managed policy.
{
"Key": "for-use-with-amazon-emr-managed-policies",
"Value": "true"
}
Finally, try to find out the exact reason from CloudTrail. Go to AWS > CloudTrail. In the event history configuration, enable the error code column so that you can see the exact error. If you find an error code like 'You are not authorized to perform this operation. Encoded authorization failure message', then open the event history details, pick up the encrypted error message and decrypt it using the AWS CLI:
aws sts decode-authorization-message --encoded-message <message>
This will show you the complete role details, event, resources and action. Compare it with the AWS IAM permissions and you can find out the missing permission or parameter that you need to pass while creating the job flow.
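As an added example (not part of the answer above), the two parsing steps in that procedure: pulling the encoded token out of a CloudTrail errorMessage, and reading the JSON that `aws sts decode-authorization-message` returns in its DecodedMessage field. The field layout used here (allowed, explicitDeny, context.principal/action/resource/conditions) is what STS returns as I have seen it; treat it as this example's assumption. All sample strings are constructed, including the EMR_DefaultRole principal and the condition values.

```python
import json
import re

# CloudTrail puts the opaque token after a fixed prefix in errorMessage.
ENCODED_MSG_RE = re.compile(r"Encoded authorization failure message:\s*(\S+)")


def extract_encoded_message(error_message: str):
    """Return the token to pass to --encoded-message, or None if the event has none."""
    m = ENCODED_MSG_RE.search(error_message)
    return m.group(1) if m else None


def summarise_decoded(decoded_message: str) -> dict:
    """Flatten the DecodedMessage JSON into the fields worth comparing against IAM.

    Assumed layout: top-level allowed/explicitDeny, and a context object with
    principal{arn}, action, resource and conditions{items[{key, values{items[{value}]}}]}.
    """
    doc = json.loads(decoded_message)
    ctx = doc.get("context", {})
    conditions = {}
    for item in ctx.get("conditions", {}).get("items", []):
        conditions[item["key"]] = [v.get("value") for v in item.get("values", {}).get("items", [])]
    return {
        "allowed": doc.get("allowed"),
        "explicit_deny": doc.get("explicitDeny"),
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        "conditions": conditions,
    }


# Constructed sample of a CloudTrail errorMessage (the token is made up).
SAMPLE_CLOUDTRAIL_ERROR = (
    "You are not authorized to perform this operation. "
    "Encoded authorization failure message: AbCdEf0123"
)

# Constructed sample of a DecodedMessage for a RunInstances call made by the
# EMR service role; the condition keys are the kind a managed policy keys on.
SAMPLE_DECODED = json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {
            "id": "AROAEXAMPLEID",
            "name": "EMR_DefaultRole",
            "arn": "arn:aws:iam::123456789012:role/EMR_DefaultRole",
        },
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "conditions": {"items": [
            {"key": "ec2:InstanceType", "values": {"items": [{"value": "m5.xlarge"}]}},
            {"key": "aws:RequestTag/for-use-with-amazon-emr-managed-policies",
             "values": {"items": [{"value": "false"}]}},
        ]},
    },
})

if __name__ == "__main__":
    print("token:", extract_encoded_message(SAMPLE_CLOUDTRAIL_ERROR))
    print(json.dumps(summarise_decoded(SAMPLE_DECODED), indent=2))
```

To get the raw JSON string for summarise_decoded, run `aws sts decode-authorization-message --encoded-message <token> --query DecodedMessage --output text`; the caller needs sts:DecodeAuthorizationMessage. Compare the reported action, resource and condition values against the service role's policy: a condition value such as a request tag that the policy expects but the call did not supply is exactly the "missing parameter" case the answer describes.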