How can I view cloudwatch permission? - amazon-web-services

I use this command to add an invoke-Lambda permission for CloudWatch:
aws lambda add-permission --function-name lambdaName \
--statement-id test --action lambda:InvokeFunction \
--principal logs.ap-southeast-2.amazonaws.com
What I don't understand is how I can view this permission in the AWS console. I looked in CloudWatch but couldn't find anything about permissions. And how can I convert it to CloudFormation?

In the console, you have to go to Permissions and look at the Resource-based policy.
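For the CloudFormation half of the question, here is an added example (not from the answer above) that expresses the same add-permission call as an AWS::Lambda::Permission resource and flags grants to a service principal that set neither SourceArn nor SourceAccount; the log-group ARN and account id used for the scoped variant are constructed placeholders.

```python
"""Added example: the question's `aws lambda add-permission` call as a
CloudFormation AWS::Lambda::Permission resource, plus a scoping check."""
import json
import re


def permission_resource(logical_id, function_name, action, principal,
                        source_arn=None, source_account=None):
    """Return {logical_id: resource}. CloudFormation generates the statement
    id itself, so the CLI's --statement-id is only reused as the logical id
    (letters and digits only)."""
    props = {"FunctionName": function_name, "Action": action,
             "Principal": principal}
    if source_arn:
        props["SourceArn"] = source_arn
    if source_account:
        props["SourceAccount"] = source_account
    lid = re.sub(r"[^A-Za-z0-9]", "", logical_id)
    return {lid: {"Type": "AWS::Lambda::Permission", "Properties": props}}


def build_template(*resources):
    template = {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {}}
    for r in resources:
        template["Resources"].update(r)
    return template


def unscoped_service_grants(template):
    """Logical ids of Lambda permissions whose Principal is an AWS service
    but which set neither SourceArn nor SourceAccount: without those, any
    resource of that service, in any account, may invoke the function."""
    hits = []
    for lid, res in template["Resources"].items():
        if res.get("Type") != "AWS::Lambda::Permission":
            continue
        p = res.get("Properties", {})
        if str(p.get("Principal", "")).endswith(".amazonaws.com") and not (
                p.get("SourceArn") or p.get("SourceAccount")):
            hits.append(lid)
    return hits


if __name__ == "__main__":
    # The question's command as given: principal only, no source scoping.
    as_asked = build_template(permission_resource(
        "test", "lambdaName", "lambda:InvokeFunction",
        "logs.ap-southeast-2.amazonaws.com"))
    print(json.dumps(as_asked, indent=2))
    print("unscoped:", unscoped_service_grants(as_asked))  # ['test']
    # Constructed log-group ARN (placeholder account id) scoping the grant.
    scoped = build_template(permission_resource(
        "test", "lambdaName", "lambda:InvokeFunction",
        "logs.ap-southeast-2.amazonaws.com",
        source_arn="arn:aws:logs:ap-southeast-2:111122223333:log-group:my-log-group:*"))
    print("unscoped:", unscoped_service_grants(scoped))  # []
```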

Related

Amplify Backend gives error The user does not have permissions to create triggers

Hi, I get this error when I try to create an Amplify Backend.
It seems to be related to not being able to create Lambda functions:
aws lambda --profile haniq-main create-function --function-name my-function --zip-file fileb://function.zip --handler index.handler --runtime nodejs18.x --role arn:aws:iam::640766513655:role/lambda-ex
An error occurred (AccessDeniedException) when calling the CreateFunction operation: None
Well my account was blocked internally :)

AWS - LAMBDA - CLI - update-function-code - not reachable in this region

When I try to trigger update-function-code through the command line, I'm getting the error "not reachable in this region".
I believe that my current config profile being in the eu-west-2 region is conflicting with the function deployment to us-east-1. Without having to change my profile and/or region, what is the best way to allow my user to access/write to this region's Lambda function?
aws lambda update-function-code \
--function-name arn:aws:lambda:us-east-1:xxxxxxxx:function:xxxxxx \
--zip-file fileb://lambda_bundle.zip
ERROR:
An error occurred (ResourceNotFoundException) when calling the UpdateFunctionCode operation: Functions from 'us-east-1' are not reachable in this region ('eu-west-2')
Usually you would just add --region to your command:
aws lambda update-function-code \
--function-name arn:aws:lambda:us-east-1:xxxxxxxx:function:xxxxxx \
--zip-file fileb://lambda_bundle.zip \
--region us-east-1

Which policy to grant to IAM user to create lambda deployment package in Python?

I want to create a Lambda deployment package in Python (with dependencies) using the Amazon tutorial.
When I push the .zip package with
aws lambda update-function-code --function-name my-function --zip-file fileb://function.zip
I get the following error:
An error occurred (AccessDeniedException) when calling the UpdateFunctionCode operation:
User: arn:aws:iam::<ACCOUNT-ID>:user/jeanclaude is not authorized to perform: lambda:UpdateFunctionCode
on resource: arn:aws:lambda:eu-west-3:<ACCOUNT-ID>:function:my-function
Which policy should I grant to jeanclaude to give him the correct access?
The User created in AWS IAM which is configured with your AWS CLI using access_key and secret_key should have enough privileges to interact with AWS Lambda.
I would prefer the AWSLambdaFullAccess policy attached to your User/Role. This is just for testing purposes, and later you can reduce the privileges if you want.
Once you have done the above then if you run the command
aws lambda update-function-code --function-name "helloworld" --zip-file "fileb://./helloworld.zip" --region "eu-west-2"
it should work. Note that for update-function-code the only mandatory field is --function-name; the other fields are optional (see the AWS CLI docs for update-function-code).
Also please note that the create-function command has just the following fields as mandatory; all others are optional (see the AWS CLI docs):
create-function
--function-name <value>
--runtime <value>
--role <value>
--handler <value>
The --role here is the role required by the Lambda function while executing to interact with other services (not to be confused with the user above).
The user needs permission to UpdateFunctionCode for that ARN. More specific information is here.
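As an added example (not from either answer), the following turns the AccessDenied message quoted in the question into the scoped policy the second answer describes, rather than attaching AWSLambdaFullAccess; the messages are the two quoted on this page, joined onto one line as the CLI prints them, and <ACCOUNT-ID> is the question's own placeholder.

```python
"""Added example: derive a least-privilege IAM policy from AccessDenied
messages, one Allow statement per resource."""
import json
import re

# Shape of IAM's explicit-denial text; "on resource:" is absent for some APIs.
DENIED_RE = re.compile(
    r"User:\s+(?P<principal>\S+)\s+is not authorized to perform:\s+"
    r"(?P<action>[\w-]+:[\w*]+)(?:\s+on resource:\s+(?P<resource>\S+))?")


def parse_access_denied(message):
    """Return {'principal', 'action', 'resource'} or None when the message
    names no action (e.g. 'CreateFunction operation: None')."""
    m = DENIED_RE.search(message)
    return m.groupdict() if m else None


def least_privilege_policy(denials):
    """Group actions by resource; a denial with no resource falls back to '*'."""
    by_resource = {}
    for d in denials:
        by_resource.setdefault(d["resource"] or "*", set()).add(d["action"])
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(acts),
                           "Resource": res}
                          for res, acts in sorted(by_resource.items())]}


def policy_for(messages):
    denials = [d for d in map(parse_access_denied, messages) if d]
    return least_privilege_policy(denials)


# The two error messages quoted on this page, as the CLI prints them.
MESSAGES = [
    "An error occurred (AccessDeniedException) when calling the "
    "UpdateFunctionCode operation: User: arn:aws:iam::<ACCOUNT-ID>:user/jeanclaude "
    "is not authorized to perform: lambda:UpdateFunctionCode on resource: "
    "arn:aws:lambda:eu-west-3:<ACCOUNT-ID>:function:my-function",
    "An error occurred (AccessDeniedException) when calling the "
    "CreateFunction operation: None",
]

if __name__ == "__main__":
    print(json.dumps(policy_for(MESSAGES), indent=2))
```

The second message carries no action or resource, so it contributes nothing; a policy for it still has to come from the CreateFunction docs, not from the error text.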

AWS CLI retrieve the ARN of the newly created policy

I want to create an IAM policy and attach it to some IAM role using AWS command-line interface.
Creating policy is quite simple:
aws iam create-policy --policy-name "${policy_name}" --policy-document file://policy.json
But to attach the newly created policy to the target role I must know the ARN of the policy:
aws iam attach-role-policy --role-name "${role_name}" --policy-arn "${policy_arn}"
What is the correct way to retrieve ARN of the newly created policy?
Right now I'm constructing policy_arn myself using policy_name and the account_id:
policy_arn=arn:aws:iam::"${account_id}":policy/"${policy_name}"
This is how I retrieve the account_id:
account_id=$(aws ec2 describe-security-groups --query 'SecurityGroups[0].OwnerId' --output text)
However this feels quite hacky.
Is there a better way to find out ARN of the created policy?
If you add --output text to your create-policy, it will print the ARN.
aws iam create-policy --policy-name "${policy_name}" --policy-document file://policy.json --output text
You can get the policies and their ARN:
aws iam list-policies --query 'Policies[*].[PolicyName, Arn]' --output text
To get the ARN for just one policy:
aws iam list-policies --query 'Policies[?PolicyName==`FullAccess`].Arn' --output text
Output:
arn:aws:iam::aws:policy/FullAccess
You may also try this:
POLICY_ARN=$(aws iam create-policy --policy-name xxx --policy-document file://xxx.json --output text --query Policy.Arn)

Error when creating aws emr default-roles

I'm trying to create a cluster using the aws cli emr command. However, I can't seem to be able to run create-default-roles, which is needed before calling aws emr create-cluster:
$ aws emr create-default-roles
A client error (NoSuchEntity) occurred when calling the GetRole operation: Unknown
I have made sure that my user has the following permissions:
IAMFullAccess - AWS Managed policy
AmazonElasticMapReduceforEC2Role - AWS Managed policy
AmazonElasticMapReduceFullAccess - AWS Managed policy
Any tips? Is there a place where I can just copy the roles json and create them manually?
The reason I started to do this is that when I run aws emr create-cluster it returns a cluster-id, but when that cluster-id is queried its state is set to terminated with the error: EMR service role arn:aws:iam::141703095098:role/EMR_DefaultRole is invalid
I DID manage to add these roles using the console by going to:
My Security Credentials > Roles > Create New Role
First Role with the following properties:
name: EMR_DefaultRole
policy: AmazonElasticMapReduceRole
Second Role with the following properties:
name: EMR_EC2_DefaultRole
policy: AmazonElasticMapReduceforEC2Role
Unfortunately I didn't get the command line to work, but I suspect it might be something to do with my local setup.
I had issues with the console. With the client this worked:
# upgrade aws cli (can't hurt)
pip install --upgrade --user awscli
# aws configure process if you haven't (look it up)
# delete all the defunct shizzles
aws iam remove-role-from-instance-profile --instance-profile-name EMR_EC2_DefaultRole \
--role-name EMR_EC2_DefaultRole
aws iam delete-instance-profile \
--instance-profile-name EMR_EC2_DefaultRole
aws iam detach-role-policy \
--role-name EMR_EC2_DefaultRole \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role
aws iam delete-role --role-name EMR_EC2_DefaultRole
aws iam detach-role-policy --role-name EMR_DefaultRole \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole
aws iam delete-role --role-name EMR_DefaultRole
# now re-create them
aws emr create-default-roles
Note if you have attached policies, you might have to go into the console and delete them or find the appropriate aws cli command.
Source (our product is buggy and our role system is cumbersome, but if you buy premium support we'll tell you the workarounds):
https://aws.amazon.com/premiumsupport/knowledge-center/emr-default-role-invalid/