GlueJobRunnerSession is not authorized to perform: glue:GetJob on resource
It is difficult to determine the issue without having more details about your specific scenario. Either not all permissions are correctly set, or there is another policy in place that overrides the permissions.
In order to troubleshoot this yourself, you can use the AWS IAM Policy Simulator to test and find out if the permissions are set and if there are conflicting policies interfering.
Every time I try to create an environment from my CLI it pops up this error:
ERROR Unable to assign role. Please verify that you have permission to pass this role: aws-elasticbeanstalk-service-role.
and gives me "failed to launch environment",
even though I set up the AWS access key and secret access key and gave the user administrator permissions.
AWS has a strictly defined policy evaluation logic.
Deny evaluation – By default, all requests are denied. This is called an implicit deny. The AWS enforcement code evaluates all policies within the account that apply to the request. These include AWS Organizations SCPs, resource-based policies, identity-based policies, IAM permissions boundaries, and session policies. In all those policies, the enforcement code looks for a Deny statement that applies to the request. This is called an explicit deny. If the code finds even one explicit deny that applies, the code returns a final decision of Deny. If there is no explicit deny, the code continues.
As you can see, the first step checks for an explicit deny in all policies within the account that apply to the request. Although you have the admin permissions, there could be Organizations SCPs, resource-based policies, IAM permissions boundaries, or another IAM policy attached to your IAM account or group that explicitly denies passing a role. If you have access, just check them one by one, or ask your administrator to do that.
If a user in AWS has the AdministratorAccess policy attached, they have full AWS access for that account. But with a permissions boundary attached to that user, their access can be confined. For example, say the user has a permissions boundary set to AmazonDynamoDBFullAccess; then the full access is confined to just DynamoDB.
What is the real benefit of the above approach? One could have just removed the AdministratorAccess policy and attached AmazonDynamoDBFullAccess to the user to achieve the same restrictions/permissions.
Is there anything more to understand?
That is not the purpose of IAM Permission Boundaries, nor is it the way it operates.
From Permissions boundaries for IAM entities - AWS Identity and Access Management:
AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
To explain via an example, let's say that a developer needs permission to create an IAM Role in their software development duties. This can be a very dangerous permission to assign because they could create a Role that has full Admin permissions, thereby granting themselves even more permission than desired.
To limit their abilities, a permission boundary could be added to the developer such that they are only able to create an IAM Role if the role they define is attached to a permission boundary that limits the permissions of the Role (e.g. so it can only be used to access S3 and DynamoDB, but not other services). It can be a little confusing, but think of it as a set of rules that must be attached to any permissions they give, so that they can't grant full permissions. It's a way to grant them permissions, but it limits what permissions they can on-grant to other entities.
This concept is totally separate from assigning IAM managed policies that you mention in your question. In most circumstances, assigning an IAM managed policy is perfectly sufficient. Permissions boundaries only really apply when somebody has permission to create new IAM entities.
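The two answers above describe the same mechanism from two sides: the evaluation order (explicit Deny anywhere wins, then every applicable policy layer must Allow, otherwise implicit deny) and the fact that a permissions boundary caps, but never grants, what the identity policy allows. The following toy evaluator, added here as an illustration rather than code from AWS or from any answer above, models identity policies, a permissions boundary and SCPs with that order, and replays the scenarios from the questions: AdministratorAccess confined by an AmazonDynamoDBFullAccess-style boundary, an admin user still blocked from iam:PassRole by an explicit Deny, and an MFA-gated SCP. The policy documents are simplified stand-ins written for this example (the real managed policies are longer), resource-based and session policies are omitted, and only the Bool condition operator is modelled.

```python
"""Toy IAM policy evaluator (added example; not AWS's evaluation code).

Order implemented, following the documented logic:
  1. an explicit Deny in any applicable policy ends evaluation with Deny;
  2. every SCP must Allow;
  3. the permissions boundary, if set, must Allow;
  4. at least one identity-based policy must Allow; otherwise implicit deny.
Simplifications: no NotAction/NotResource, no resource-based or session
policies, only the 'Bool' condition operator.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM action names match case-insensitively; '*' and '?' are the wildcards.
    if case_insensitive:
        value = value.lower()
    return any(fnmatchcase(value, p.lower() if case_insensitive else p)
               for p in _as_list(patterns))


def _condition_ok(cond, context):
    for op, pairs in (cond or {}).items():
        if op != "Bool":
            raise NotImplementedError(f"condition operator {op} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                return False  # Bool on a missing key never matches (BoolIfExists would)
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def _decision(policy, action, resource, context):
    """'Deny', 'Allow' or None (no statement matched) for one policy document."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action, True):
            continue
        if not _matches(stmt.get("Resource", "*"), resource, False):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def evaluate(action, resource, identity_policies, boundary=None, scps=(), context=None):
    context = context or {}
    scps = list(scps)
    applicable = list(identity_policies) + ([boundary] if boundary else []) + scps
    if any(_decision(p, action, resource, context) == "Deny" for p in applicable):
        return "Deny (explicit)"
    if any(_decision(p, action, resource, context) != "Allow" for p in scps):
        return "Deny (implicit: SCP)"
    if boundary and _decision(boundary, action, resource, context) != "Allow":
        return "Deny (implicit: permissions boundary)"
    if not any(_decision(p, action, resource, context) == "Allow" for p in identity_policies):
        return "Deny (implicit: no Allow)"
    return "Allow"


# Constructed stand-ins for the managed policies discussed in the thread.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DYNAMODB_FULL = {"Statement": [{"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"}]}
DENY_PASSROLE = {"Statement": [{"Effect": "Deny", "Action": "iam:PassRole", "Resource": "*"}]}
MFA_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}


def demo():
    """Replays the thread's scenarios; returns a name -> decision mapping."""
    table = "arn:aws:dynamodb:us-east-1:111122223333:table/orders"  # constructed
    role = "arn:aws:iam::111122223333:role/aws-elasticbeanstalk-service-role"  # account id constructed
    return {
        "admin, dynamodb boundary, dynamodb:PutItem":
            evaluate("dynamodb:PutItem", table, [ADMIN], boundary=DYNAMODB_FULL),
        "admin, dynamodb boundary, s3:GetObject":
            evaluate("s3:GetObject", "arn:aws:s3:::bucket/key", [ADMIN], boundary=DYNAMODB_FULL),
        "admin plus explicit deny, iam:PassRole":
            evaluate("iam:PassRole", role, [ADMIN, DENY_PASSROLE]),
        "admin, MFA SCP, no MFA, iam:ListUsers":
            evaluate("iam:ListUsers", "*", [ADMIN], scps=[MFA_SCP],
                     context={"aws:MultiFactorAuthPresent": "false"}),
        "admin, MFA SCP, with MFA, iam:ListUsers":
            evaluate("iam:ListUsers", "*", [ADMIN], scps=[MFA_SCP],
                     context={"aws:MultiFactorAuthPresent": "true"}),
        "boundary only, no identity policy":
            evaluate("dynamodb:PutItem", table, [], boundary=DYNAMODB_FULL),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The last case is the one that answers the "what is the benefit" question: a boundary on its own grants nothing, so it only makes sense as a ceiling on permissions that some other policy (possibly one the user wrote for themselves) tries to grant.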
Can anyone help me with any solution to solve this error while creating an AWS Lambda application from IAM user account:
Error creating application: You are not authorized to perform: serverlessrepo:GetApplication.
My permissions are:
In the IAM console, first go into Policies to create a policy and choose the service name Serverless Application Repository. Then configure the actions and resources for your requirement (by default, the selected option for Resources is a specific repository).
After it is created, go to Users in the IAM console and attach the new policy to this user.
Now you should be able to perform serverlessrepo:GetApplication. If you find that refreshing the page does not take effect, please log out and log in again to apply the policy.
As the exception says
You are not authorized to perform: serverlessrepo:GetApplication
This means that your IAM user, or the role assumed by the deployment process, does not have an Allow effect for the serverlessrepo:GetApplication action.
To resolve this add a policy with an Allow effect for serverlessrepo:GetApplication to your IAM user, or the role being assumed by the deployment function.
I am following these instructions in order to send our EKS cluster logs to CloudWatch:
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-setup-logs.html
Since it wasn't working I ran the suggested command to tail the logs for one of the fluentd pods:
kubectl logs fluentd-cloudwatch-fc7vx -n amazon-cloudwatch
I am seeing this error:
error_class=Aws::CloudWatchLogs::Errors::AccessDeniedException
error="User:
arn:aws:sts::913xxxxx71:assumed-role/eksctl-prod-nodegroup-standard-wo-NodeInstanceRole-1ESBFXHSI966X/i-0937e3xxxx07ea6
is not authorized to perform: logs:DescribeLogGroups on resource:
arn:aws:logs:us-west-2:913617820371:log-group::log-stream:"
I have a role that has the right permissions, but how can I give the role to the arn:aws:sts::913xxxxx71:assumed-role/eksctl-prod-nodegroup-standard-wo-NodeInstanceRole-1ESBFXHSI966X/i-0937e3xxxx07ea6 user?
You need to perform the step of attaching the CloudWatchAgentServerPolicy policy to the cluster worker node role, as documented here: https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Container-Insights-prerequisites.html
To do this, you need to assume the role. This can be done a few different ways:
1. You can set up an AWS profile and use that to execute commands as a different role.
2. You can use a tool like awsudo.
One caveat is that the role you are assuming must have a trust relationship set up so that it permits others to assume it. There is an example of this trust relationship setup in the link for (1) above.
That being said, you probably shouldn't be doing any of this for your use case.
If your other role is in a state where it needs to be updated to allow assumption, it is going to be much easier and more secure for you to just update the eksctl-prod-nodegroup-standard-wo-NodeInstanceRole-1ESBFXHSI966X role directly with the permissions you need.
Ideally you can associate the role with the same policy that is attached to the other role with the desired permissions.
I am getting following error, when I try to access IAM dashboard on aws.
User: arn:aws:iam::9490xxxxxxxx:user/xyz is not authorized to perform: iam:ListUsers on resource: arn:aws:iam::9490xsxxxxxxx:user/
The fact is that I have the IAMFullPermission policy attached to my account, as shown below:
I don't know, still what permissions I need to provide.
Thanks in advance.
As Rajesh commented, logging into the console and opening the policy simulator will allow you to select your user, and the iam:ListUsers permission and simulate the evaluation to find the exact reason for the failure.
https://policysim.aws.amazon.com/home/index.jsp?#users
That screenshot of attached policies will give that user/role access to iam:ListUsers from multiple built-in AWS policies, and that error message suggests that the user does not have permission (i.e. a missing allow policy rather than an explicit deny).
When determining the cause of IAM errors I try the following:
Does the response appear cached? (Making changes to allow an action and then immediately attempting again does not always work. You can test this with the CLI by calling an API that will not be allowed. The first call will be slightly slower than subsequent calls. IAM changes can also take time to propagate.)
What does the policy simulator say? (especially useful when considering more complicated policies with conditions like MFA required or MFA age)
The Policy Simulator will narrow down scenarios like:
User does not actually have that policy attached
User is part of a group that has an explicit deny policy (doesn't look to be the case here)
Other conditions are not satisfied that are not immediately apparent. E.g. MFA required or resource restrictions to only allow access to manage own user details.
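Both the EKS fluentd error earlier in this thread and the IAM dashboard error above are instances of the same "User: <principal> is not authorized to perform: <action> on resource: <resource>" message, and the first troubleshooting step in each case is to read off which principal actually made the call. For an STS assumed-role ARN that is not the role itself but a session under it, so the policy has to be attached to the underlying role name, which is what the EKS answer recommends. The parser below is an added example, not code from the thread or from AWS; it handles both the single-line console form and the multi-line fluentd form, extracts the role or user name to fix, and builds the corresponding aws iam attach-*-policy command. The two sample messages are copied from the questions above (with the account ids masked as they were posted), and the policy ARN of CloudWatchAgentServerPolicy is the standard AWS-managed one.

```python
"""Parse AWS 'is not authorized to perform' errors (added example, not AWS tooling)."""
import re
from dataclasses import dataclass
from typing import Optional

# Handles 'User: <arn> is not authorized to perform: <action> on resource: <arn>'
# whether it is on one line (console) or split across lines (fluentd output).
_ERROR_RE = re.compile(
    r"User:\s*(?P<principal>arn:aws:(?:iam|sts)::[^:\s]*:\S+)\s+"
    r"is not authorized to perform:\s*(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r'(?:\s+on resource:\s*(?P<resource>[^\s"]+))?'
)
_PRINCIPAL_RE = re.compile(
    r"arn:aws:(?P<service>iam|sts)::(?P<account>[^:]*):(?P<kind>[^/]+)/(?P<rest>.+)"
)


@dataclass
class DeniedCall:
    principal_arn: str
    principal_kind: str            # 'user', 'role' or 'assumed-role'
    account: str
    action: str
    resource: Optional[str]
    role_name: Optional[str]       # IAM role to attach the policy to, if any
    user_name: Optional[str]       # IAM user to attach the policy to, if any


def parse_access_denied(message: str) -> Optional[DeniedCall]:
    m = _ERROR_RE.search(message)
    if not m:
        return None
    p = _PRINCIPAL_RE.match(m.group("principal"))
    if not p:
        return None
    kind, rest = p.group("kind"), p.group("rest")
    role_name = user_name = None
    if kind == "assumed-role":
        # arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION_NAME
        # (for an EC2 node the session name is the instance id)
        role_name = rest.split("/")[0]
    elif kind == "role":
        role_name = rest
    elif kind == "user":
        user_name = rest
    return DeniedCall(
        principal_arn=m.group("principal"), principal_kind=kind,
        account=p.group("account"), action=m.group("action"),
        resource=m.group("resource"), role_name=role_name, user_name=user_name,
    )


def attach_command(call: DeniedCall, policy_arn: str) -> str:
    """The AWS CLI call that attaches a managed policy to the denied principal."""
    if call.role_name:
        return f"aws iam attach-role-policy --role-name {call.role_name} --policy-arn {policy_arn}"
    if call.user_name:
        return f"aws iam attach-user-policy --user-name {call.user_name} --policy-arn {policy_arn}"
    raise ValueError(f"no attachable principal in {call.principal_arn}")


# Sample inputs taken from the questions in this thread (account ids masked as posted).
FLUENTD_MSG = (
    'error_class=Aws::CloudWatchLogs::Errors::AccessDeniedException error="User:\n'
    "arn:aws:sts::913xxxxx71:assumed-role/eksctl-prod-nodegroup-standard-wo-NodeInstanceRole-1ESBFXHSI966X/i-0937e3xxxx07ea6\n"
    "is not authorized to perform: logs:DescribeLogGroups on resource:\n"
    'arn:aws:logs:us-west-2:913617820371:log-group::log-stream:"'
)
CONSOLE_MSG = ("User: arn:aws:iam::9490xxxxxxxx:user/xyz is not authorized to perform: "
               "iam:ListUsers on resource: arn:aws:iam::9490xsxxxxxxx:user/")
CW_AGENT_POLICY = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"


if __name__ == "__main__":
    for msg in (FLUENTD_MSG, CONSOLE_MSG):
        call = parse_access_denied(msg)
        print(call)
        print("  fix:", attach_command(call, CW_AGENT_POLICY))
```

The role name it recovers from the fluentd error is the one the second EKS answer tells you to update directly; the instance id after the last slash is only the session name and is not something a policy can be attached to.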