IAM Policy not working for AWS MediaPackage - amazon-web-services

I am trying to work with AWS Elemental MediaPackage and AWS Elemental MediaLive. I have a good amount of experience with AWS and IAM Roles. I've attached a Full Access policy for both services but somehow I still do not have access. I'm trying to figure out what I am missing.

The error is not about your IAM user permissions, which you've posted in the question. The error is about some IAM role which does not have the necessary permissions.
Since you removed the name of the role from the first screenshot, I can't say which role it is exactly. So you have to go to that role in the IAM console and add the missing permissions, which are also listed in the error message.

Related

Subnet flowlogs not allowed to be uploaded? but have followed instructions?

I am attempting to publish one of my AWS VPC subnets' flow logs to CloudWatch... however it states some permission issue.
I've checked and rechecked... it says to set up an IAM Role (which I have) with permissions as follows.
Here's the trust policy on the IAM Role
As well as its permissions setup
Citations:
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-flow-logs.html
Okay, so the answer was... while I had set the permissions for the IAM Role properly within my AWS Organization, the org itself did NOT have ANY permissions enabled to push flow logs. So I had to go to my root account, edit the organization's permissions, and wipe out and redeploy the flow log. I can now confirm everything is working fine.
TL;DR: If you're using AWS Orgs, don't forget your global permissions!

AWS IAM is failing with missing permissions that are unrecognized by AWS

A developer on our team is trying to view AWS CloudFront caching stats (https://console.aws.amazon.com/cloudfront/v3/home?#/popular_urls and https://console.aws.amazon.com/cloudfront/v3/home?#/cache) and is getting IAM permissions errors saying that he doesn't have cloudfront:GetPopularURLs and cloudfront:ListCacheStatsDataPointSeries permissions. I'm trying to give him access, but these IAM permissions don't exist in the IAM UI (see screenshots below). How can that be?
Please try adding the below to your policy file.
"cloudfront:Get*",
"cloudfront:List*",
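An added Python example (not code from the answer above) showing why the wildcard actions work: IAM matches `cloudfront:Get*` against any action name, including ones the console's policy editor does not list. It evaluates the action element only (Resource and Condition are ignored) and also shows the explicit-Deny precedence that the wildcard does not override; the policy document is constructed for this example.

```python
import fnmatch
import json

# Constructed sample policy: the two wildcard actions from the answer, plus an
# explicit Deny to show that a wildcard Allow never beats a matching Deny.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["cloudfront:Get*", "cloudfront:List*"], "Resource": "*"},
    {"Effect": "Deny",  "Action": "cloudfront:GetDistribution", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """IAM allows Statement and Action to be a single item or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def is_action_allowed(policy, action):
    """Action-only evaluation of an identity policy: an explicit Deny on a
    matching statement wins, any matching Allow grants, otherwise the
    implicit default is Deny. NotAction, Resource and Condition are not
    modelled here."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = _as_list(stmt.get("Action", []))
        if not any(_matches(p, action) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed

def allowed_actions(policy, actions):
    """Filter a list of action names down to those the policy permits."""
    return [a for a in actions if is_action_allowed(policy, a)]
```

Note that the same wildcard also grants every current and future `cloudfront:Get*`/`cloudfront:List*` action, so once the exact action names are known it is worth narrowing the policy to just those.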

Cannot attach a Service Role Policy to a Customer Role

I have a problem when creating a Role: I am getting an error that says “Cannot attach a Service Role Policy to a Customer Role”.
In fact, there is something called Customer Managed Role, which the above error seems to display as 'Customer Role'.
From AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role)
A role that a service assumes to perform actions in your account on your behalf. When you set up some AWS service environments, you must define a role for the service to assume. This service role must include all the permissions required for the service to access the AWS resources that it needs.
Now if you create a role, which isn't a service role, and attach permissions yourself, it appears under what AWS shows as Customer Managed Role (Screenshot below). If you look carefully, the service roles in AWS show the AWS box icon and the Customer Managed ones don't.
Reason: I was facing the above error as well, and the reason was that my Role had custom inline policies attached. If a Role has custom attached policies (inline), AWS doesn't let you attach the Service Roles to it. You can filter the roles and find out what's causing the issue.
I hope this is documented somewhere as I was scratching my head for quite some time on this.

AWS IAM find a role that has a specific policy?

Kind of a newbie still with AWS IAM. Is there a way to find all of the available Roles in a given account that have a specific Policy attached? i.e. if you only know the Policy, and you don't know the roles it's attached to, how do you find all of the roles that a given policy is attached to?
If you're using API/CLI, you can make use of the ListEntitiesForPolicy call. A CLI command that you could run would be:
$ aws iam list-entities-for-policy --policy-arn <arn_of_policy> --entity-filter Role
Go to Identity and Access Management (IAM) -> Policies -> Choose a specific policy. The info you are looking for is under the Policy usage tab.
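An added Python example (not from the answers above) that does the same lookup through boto3's ListEntitiesForPolicy paginator, so roles past the first page are not silently missed. The `FakeIamClient`, `SAMPLE_PAGES` and the placeholder policy ARN are constructed for this example; the `roles_for_policy` function takes any client with the boto3 IAM interface.

```python
def roles_for_policy(policy_arn, iam_client):
    """Return the names of every IAM role the managed policy is attached to.
    Uses the list_entities_for_policy paginator because the raw call returns
    at most 100 entities per page by default and sets IsTruncated/Marker."""
    paginator = iam_client.get_paginator("list_entities_for_policy")
    roles = []
    for page in paginator.paginate(PolicyArn=policy_arn, EntityFilter="Role"):
        roles.extend(entry["RoleName"] for entry in page.get("PolicyRoles", []))
    return sorted(roles)

class FakeIamClient:
    """Constructed stand-in for boto3.client('iam') that replays canned pages,
    so the function can be exercised offline."""
    def __init__(self, pages):
        self._pages = pages
    def get_paginator(self, operation_name):
        assert operation_name == "list_entities_for_policy"
        pages = self._pages
        class _Paginator:
            def paginate(self, **kwargs):
                return iter(pages)
        return _Paginator()

# Constructed two-page response: the second role would be lost by a caller
# that read only the first page of list_entities_for_policy.
SAMPLE_PAGES = [
    {"PolicyRoles": [{"RoleName": "ci-deploy"}, {"RoleName": "lambda-exec"}],
     "IsTruncated": True, "Marker": "constructed-marker"},
    {"PolicyRoles": [{"RoleName": "dms-s3-target"}], "IsTruncated": False},
]

if __name__ == "__main__":
    import sys
    import boto3  # only needed for the live run, not for the offline sample
    # Placeholder ARN; pass the real policy ARN as the first argument.
    arn = sys.argv[1] if len(sys.argv) > 1 else "arn:aws:iam::123456789012:policy/PLACEHOLDER"
    print(roles_for_policy(arn, boto3.client("iam")))
```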

AWS DMS - Error - "AWS Account owning the Role must match the caller of the API"

I am trying to create a destination in AWS DMS for S3 and I am getting this message: "AWS Account owning the Role must match the caller of the API". I searched for this error and could not find what it refers to. Any idea what I have to do?
Double-check if you have the correct service_access_role_arn set.
I got this error too, and the mistake I made was to add the S3 bucket ARN into the Service Role ARN field rather than the IAM role ARN. See the AWS docs below to create a policy, attach it to a role, and use the role ARN. This worked for me.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-dms-target/#:~:text=1.%20Open%20the%20AWS%20DMS%20console%2C%20and%20then,copied%20into%20the%20Service%20Access%20Role%20ARN%20field