I have been working with GCP IAM and during writing a script that creates and deleted custom roles on demand I (accidentally) created 300 roles which are the max quotas of roles allowed in GCP, and now I can't create new roles.
I have tried to delete them but it only changes their status to deleted and doesn't really delete the role.
Is there a way to completely delete the roles I have created so I will be able to release the quotas?
the best solution I'm looking for is using GCP API in python because I still need to create a script that creates and deleted custom roles on demand.
If the status of the custom roles that you want to be deleted is already "deleted", the quotas it consumes will be released after 7 days. The reason that it is still showing is because there is an option for undelete. Here is what shows on the official GCP documentation:
When a role is deleted, its bindings remain, but are inactive. You can undelete a role within 7 days. During this 7-day period, the role will show as Deleted in the Cloud Console, and will not appear in programmatic list commands (unless showDeleted is set in the request).
After 7 days, the role is scheduled for permanent deletion. At this point, the role no longer counts towards the limit of 300 custom roles per organization or 300 custom roles per project.
You can check this link for a better explanation with regards to the topic and the code needed for it.
You don't need any script. just go to the console IAM --> Roles and from there use the filter and choose Type: Custom. After that click on the primary checkbox to select all the results and remove them
Related
We are not able to enable AWS inspector in our account in us-west-2. Our observation is that we are able to enable it in the other regions.
We use cloudformation to setup the infrastructure. Looking at the error we thought that this might be due to some conflicting stacks/stacksets in our account. So, we went ahead and deleted all those. However, even after a day, the issue still persists.
We are getting following error message -
Two state changes cannot be made at the same time. Wait till current status change completes.
Has anyone faced this issue? Is there a way to resolve this?
amazon inspector need some policies to be enabled , first
go to IAM policy
choose create new policy
choose inspector2 as the service
choose the action BatchGetAccountStatus the next
attach the new policy to your user account
if not enabled see the needed permission in inspector landing page and make this steps for add this permission
We are in process of improving the IAM roles in our project and we need to enable dev team to only resize their cluster to save the cost.
We are struggling to get the exact set of permissions needed to enable user to only scale up and scale down cluster nodes (i.e. resizing). We referred below GCP IAM documentation but it didn't help either to get this information.
https://cloud.google.com/iam/docs/permissions-reference
Currently, we have given below set of permissions(some of them may not required) however we are not able to do cluster resizing with this. And one more issue is GKE does not give any permission error, we see the "Node Pool Resized Successfully" notification but nodepool size doesn't change.
Is there any documentation or link which has the mapping of set of permissions vs user activity type of mapping for GCP IAM.
The GKE cluster will be created with the permissions that is set on the 'Access scopes' section in the 'Advanced edit' tab. So only the APIs with the access enabled in this section will be shown as enabled. These permissions denote the type and level of API access granted to the VM in the node pool. Scopes inform the access level your cluster nodes will have to specific GCP services as a whole. Please see this link for more information about accesss scopes.
In the tab of 'Create a Kubernetes cluster', click 'Advanced edit'. Then you will see another tab called 'Edit node pool' pops up with more options. If you click 'Set access for each API', you will see the option to set these permissions.
'Permissions' are defined when the cluster is created. You can not edit it directly on the cluster after the creation. You may want to create a new cluster with appropriate permissions or create a new Node Pool with the new scopes you need and then delete your old 'default' Node Pool as specified in this link .
When you add or remove nodes in your cluster, Google Kubernetes Engine (GKE) adds or removes the associated virtual machine (VM) instances from the underlying Compute Engine Managed Instance Groups (MIGs) provisioned for your node pools.
Please see this link for more information about resizing the cluster.
I am getting the following error:
Cannot open this file because of an error: must
reference a valid S3 object to which you have access
Let me lay out some context that will prevent incorrect responses.
I am using an account I have had for several years.
I have tried using both the root and AdministratorAccess enabled IAM role.
I have created an account managed by this account as a parent and tried there.
I am using a CloudFormation template from AWS Well Architected Labs.
I log in to console, go to CloudFormation, select create stack and that is when I hit the blocker. Despite the error, CloudFormation CREATES the bucket and object.
Here is the really strange parts:
My colleague tried to recreate. He did not encounter same issue.
I set up a brand new account, completely separate from this one (i.e. not managed in the organization) and I could not recreate.
That is correct, when I set up a new account, completely separate, the stack would create just fine.
I thought maybe over the years, I had accumulated some bad policies or roles that were causing me issues - so I cleaned up shop right down to bare essentials. STILL getting the error.
Right now, I can just use my brand spanking new account and I don't need to worry about this. However, I am completely stumped by what is causing this issue. I cannot see any reason why this error is appearing. And I would really like to continue to use my main account which I have held for several years and has all my domains registered.
I am using Admin IAM roles and even Root accounts. I am experiencing same issue in child accounts to my parent accounts but NOT in completely separate accounts. I see no policy, role or any other restriction listed anywhere on AWS that restricts CloudFormation in any way. It is even creating buckets and objects when I click "Create Stack".
I am completely stumped and I guess I would like to be ale to understand what has corrupted my account and its ability to use this feature?
Please how can get the list of all services I am using.
I have gone to Service Quotas at
https://ap-east-1.console.aws.amazon.com/servicequotas/home?region=ap-east-1
on the dashboard. I could see a list of Items e.g. EC2, VPC, RDS, Dynamo etc but I did not understand what is there.
As I did not request for some of the services I am seeing I even went into budget at
https://console.aws.amazon.com/billing/home?region=ap-east-1#/budgets
and also credits. Maybe I can get the services I have been given credits to use
https://console.aws.amazon.com/billing/home?region=ap-east-1#/budgets?
Also, how can I stop any service which I do not want?
The Billing service is not giving me tangible information also. I do not want the bill to pile up before I start taking needed steps.
Is there a location where I can see all services I am using or maybe there is a code I can enter somewhere which would produce such result?
You can use AWS Config Resource Inventory feature.
AWS Config will discover resources that exist in your account, record their current configuration, and capture any changes to these configurations. Config will also retain configuration details for resources that have been deleted. A comprehensive snapshot of all resources and their configuration attributes provides a complete inventory of resources in your account.
https://aws.amazon.com/config/
There is not an easy answer on this one, as there is not an AWS service that you can use to do this out of the box (yet).
There are some AWS services that you can use to get you close, like:
AWS Config (as suggested by #kepils)
Another option is to use Resource Groups and Tagging to list all resources within a region within account (as described in this answer).
In both cases however, the issue is that both Config and Resource Groups come with the same limitation - they can't see all AWS services on their own.
Another option would be to use a third party tool to do this, if your end goal is to find what do you currently have running in your account like aws-inventory or cloudmapper
On the second part of your question on how to stop any services which you don't want you can do the following:
Don't grant excessive permissions to your users. If someone needs to work on EC2 instances, then their IAM role and respective policy should allow only that instead of for example full access.
You can limit the scope and services permitted for use within account by creating Service Control Policies which are allowing only the specific resources you plan to use.
Set-up an AWS Budget Notifications and potentially AWS Budget Actions.
I'm trying to set up my first SageMaker Studio so my team and myself can run some post processing scripts in a shared environment but I'm having issues.
I've followed the steps in this video(https://www.youtube.com/watch?v=wiDHCWVrjCU&ab_channel=AmazonWebServices) which are:
Select Standard setup
Select AWS Identity and Access Management (IAM)
Under permissions - Create and select new execution role
Under Network and storage - Select VPC, Subnet and Security group
Hit the submit button at the bottom of the page.
In the video, he clicks submit and is taken to the control panel where he starts the next phase of adding users, however I'm greeted with this error.
Resource limit Error
I've checked my Registered domains under route 53 and it says No domains to display, I've also checked my S2 and I have no instances so I have no idea where the 2 domains being utilized are.
My dashboard, image and Notebooks are all empty so as far as I know there's nothing setup on this Sage Maker account.
Could anyone tell me how to resolve this error?
AWS Sagemaker now supports multi-domain <announced in the Re-Invent 2022, Tested in US-EAST-1 >
enter image description here
You can have maximum 1 studio domain per region, by the default limits. Though, it seems like you have two domains already provisioned. Try to delete all the domains through the AWS cli and recreate with the AWS Management Console.
Unfortunately, AWS Management Console cannot visualize more than one Studio domain.