Version: 5.7.mysql_aurora.2.07.2
I am trying to link a Lambda function when my RDS gets inserted, using lambda_async, but was not able to reach it and got an error:
#63996 - Lambda API returned error: Missing IAM Credentials for specified aws_default_lambda_role
I have followed each and every step carefully but I am getting the above error. :(
I have followed the documentation at
https://docs.amazonaws.cn/en_us/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Integrating.Lambda.html
and
Call AWS Lambda from Aurora RDS Stored Procedure Permissions Issue.
Please help!!
Actually, I was placing the Lambda role in the parameter group value. Replacing it with the RDS IAM role solved my issue. Thanks!!
I found this answer: https://www.reddit.com/r/aws/comments/b2b9k4/new_rds_cluster_management_screen_missing_manage/ in which they suggest adding an IAM role for the cluster.
For that go to the RDS Cluster and under Connectivity & security tab, go to Manage IAM roles and add the desired role.
Note: You may also need to enable IAM DB authentication under the Configuration tab.
Note2: Reboot your DB instance to apply changes.
While creating an AWS EMR cluster, I always get the issue: Service role EMR_DefaultRole has insufficient EC2 permissions
And the cluster terminates automatically. I have even done the steps as per the AWS documentation for recreating the EMR-specific roles, but no progress. Please guide how to resolve the issue: Service role EMR_DefaultRole has insufficient EC2 permissions
EMR needs two roles to start the cluster: 1) the EC2 instance profile role and 2) the EMR service role. The service role should have enough permissions to provision the new resources needed to start the cluster: EC2 instances, their network, etc. There could be many reasons for this common error:
Verify the resources and their actions. Refer https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-iam-role.html.
Check if you are passing the tag that signifies if cluster needs to use emr managed policy.
{
"Key": "for-use-with-amazon-emr-managed-policies",
"Value": "true"
}
Finally, try to find out the exact reason from CloudTrail. Go to AWS > CloudTrail. From the event history configuration, enable the error code so that you can see the exact error. If you find an error code like 'You are not authorized to perform this operation. Encoded authorization failure message', then open the event history details, pick up the encrypted error message and decrypt it using the AWS CLI:
aws sts decode-authorization-message --encoded-message <encoded-message>
This will show you the complete role details, event, resources and action. Compare it with the AWS IAM permissions and you can find the missing permission or the parameter that you need to pass while creating the job flow.
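To read the decoded message described in the answer above, this added example (not part of the original answer) unpacks the doubly encoded JSON the CLI prints and pulls out principal, action, resource and condition keys. The sample output is constructed, and the tag check is a heuristic that assumes the tag surfaces as a condition key ending in the tag name.

```python
import json

# Constructed sample in the shape `aws sts decode-authorization-message` prints;
# the account ID, session name and subnet ID are placeholders.
SAMPLE_CLI_OUTPUT = json.dumps({"DecodedMessage": json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "failures": {"items": []},
    "context": {
        "principal": {
            "id": "AROAEXAMPLE:session",
            "arn": "arn:aws:sts::111122223333:assumed-role/EMR_DefaultRole/session"},
        "action": "ec2:RunInstances",
        "resource": "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-EXAMPLE",
        "conditions": {"items": [
            {"key": "ec2:Region", "values": {"items": [{"value": "us-east-1"}]}},
        ]},
    },
})})

EMR_TAG = "for-use-with-amazon-emr-managed-policies"


def summarize_denial(cli_output):
    """Flatten the doubly encoded JSON into the fields needed for triage."""
    decoded = json.loads(json.loads(cli_output)["DecodedMessage"])
    ctx = decoded.get("context", {})
    conditions = {
        item["key"]: [v["value"] for v in item.get("values", {}).get("items", [])]
        for item in ctx.get("conditions", {}).get("items", [])
    }
    return {
        "principal": ctx.get("principal", {}).get("arn"),
        "action": ctx.get("action"),
        "resource": ctx.get("resource"),
        # explicitDeny False means no Allow matched (implicit deny).
        "denial": "explicit" if decoded.get("explicitDeny") else "implicit",
        "conditions": conditions,
    }


def tag_in_request(summary, tag_key=EMR_TAG):
    """Heuristic (assumption): the tag shows up as a .../<tag_key> condition key."""
    return any(k.endswith("/" + tag_key) for k in summary["conditions"])
```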
I tried to detach one of my IAM role from my instance (still running) and got a response of successful detachment.
Afterwards I tried to attach a new IAM role to exactly the same instance; however, this message occurred: The association <AssociationId> is not the active association.
After using aws ec2 describe-iam-instance-profile-associations to check the IAM instance profile associations, I found that the state is disassociating. And I rechecked the associations the other day, it's still stuck at disassociating.
Then I tried aws ec2 associate-iam-instance-profile to associate my instance with a new role, but all I got is another instance association stuck at associating.
I also tried replace-iam-instance-profile-association and the same showed up: The association <AssociationId> is not the active association.
And rebooting instance did not work either.
Any solutions?
Thanks.
I've fixed this issue by launching a new instance based on the EBS snapshot of the problematic instance, which is the last thing I wanna do.
Anyway, this could be considered as a workaround. :(
It really sucks that you have to pay to create AWS technical support cases.
Found an easy solution for this!
Hope this helps some people finding this.
After getting stuck in the "disassociating" or "associating" state, use the AWS CLI to find the associations that cause the problem (they will be stuck in the state "disassociating" or "associating"):
aws ec2 describe-iam-instance-profile-associations
After finding them use:
aws ec2 disassociate-iam-instance-profile --association-id iip-assoc-xxxxxx
to remove them. Not quite intuitive, but you can actually remove the ones in the state "disassociating"; after that you can add a new role/instance-profile.
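The two steps from the answer above, as an added example that is not part of the original answer: it reads the JSON from `aws ec2 describe-iam-instance-profile-associations`, groups associations per instance, and builds the disassociate commands for one instance only. The sample output and all IDs in it are constructed placeholders.

```python
import json

# Constructed sample of `aws ec2 describe-iam-instance-profile-associations`
# output; instance IDs, association IDs and ARNs are placeholders.
SAMPLE_OUTPUT = json.loads("""
{"IamInstanceProfileAssociations": [
  {"AssociationId": "iip-assoc-aaaa", "InstanceId": "i-0001", "State": "disassociating",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/old-role"}},
  {"AssociationId": "iip-assoc-bbbb", "InstanceId": "i-0001", "State": "associating",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/new-role"}},
  {"AssociationId": "iip-assoc-cccc", "InstanceId": "i-0002", "State": "associated",
   "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/app-role"}}
]}
""")

STUCK_STATES = {"associating", "disassociating"}


def associations_by_instance(describe_output):
    """Group associations per instance into an active one and stuck ones."""
    report = {}
    for assoc in describe_output.get("IamInstanceProfileAssociations", []):
        entry = report.setdefault(assoc["InstanceId"], {"active": None, "stuck": []})
        if assoc["State"] == "associated":
            entry["active"] = assoc["AssociationId"]
        elif assoc["State"] in STUCK_STATES:
            entry["stuck"].append(assoc["AssociationId"])
    return report


def cleanup_commands(describe_output, instance_id):
    """Commands to review and run by hand for one instance; nothing is executed.

    Only associations of that instance in a transitional state are listed, so a
    healthy "associated" profile on it or on another instance is never touched.
    """
    entry = associations_by_instance(describe_output).get(instance_id)
    if entry is None:
        return []
    return [
        "aws ec2 disassociate-iam-instance-profile --association-id " + assoc_id
        for assoc_id in entry["stuck"]
    ]
```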
Error : Unable to detach, there are no existing instance profile associations.
While you are trying to add Role to EC2 instance
Debug and Verify:
run > aws iam list-instance-profiles
command output :
{
"InstanceProfiles": []
}
run > aws iam list-instance-profiles-for-role --role-name Your-Role-Name
command output :
{
"InstanceProfiles": []
}
Solution :
run > aws iam create-instance-profile --instance-profile-name profile-name-sameas-role-name
run > aws iam add-role-to-instance-profile --instance-profile-name profile-name-sameas-role-name --role-name role-name
Done !!
Go Back to EC2 dashboard and try to Add the IAM Role again. This time it should work.
I'm trying to get manual snapshots setup for my AWS Elasticsearch cluster. I'm not sure how to setup the correct IAM permissions on the S3 bucket though because there is already a service-role created and I'm unable to add additional policies.
What am I supposed to do here?
Thanks!
I was able to resolve this by creating a second IAM role using the CLI (it doesn't seem to be an option through the GUI)
When I try to launch an Elastic Beanstalk environment from the command line, I get this error during the process:
Environment health has transitioned from Pending to Warning. Access
denied while accessing Auto Scaling and Elastic Load Balancing using
role "arn:aws:iam::XXXXXXXXXX:role/aws-elasticbeanstalk-service-role".
Verify the role policy.
When I launch it from the console, I do not get this warning. I have tried to replicate the same AWS console configuration from the CLI, but I still get this error.
Any clue what's going on?
If anyone is still getting a similar error and is still unsure how to solve it:
Navigate to IAM in the AWS Console.
Navigate to the aws-elasticbeanstalk-service-role (under Access Management > Roles).
Attach the following policies:
AutoScalingFullAccess
ElasticLoadBalancingFullAccess
I then rebuilt the environment, no more errors!
The following article helped me understand this better: https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-service.html
You can go to your IAM console. You will see the "aws-elasticbeanstalk-service-role"; under the permission tab, you can grant the specific you want to give the policy on your behalf. Refresh and you should have "Ok". Make sure the permission you grant the role can manage this "Auto Scaling and Elastic Load Balancing using role".
Elastic Beanstalk now uses a Service Role to call other AWS services on your behalf. The IAM role is created in your account and you give permissions to launch
Service role is optional but recommended for new environments.
Especially for enhanced health monitoring (which is what you're using based on the error message), service role is mandatory. A misconfigured service role can lead to this error message.
The console experience makes it very easy for you to create/use the role with the correct permissions. This is because you just need to select the correct role from the dropdown (if the role already exists) when using the create environment wizard.
When using the CLI you need to pass the service role option setting. (namespace: aws:elasticbeanstalk:environment, option_name: ServiceRole). You can find the required permissions for a role configured in this documentation.
There are some more details about service role in my previous stack overflow answer here.
If anyone cannot solve the error with the previous actions, what I had to do is:
Add to aws-elasticbeanstalk-service-role the following policies AutoScalingFullAccess | ElasticLoadBalancingFullAccess
Not re-start but build the environment again
(after a while it kept launching the error)
Then I added:
AdministratorAccess-AWSElasticBeanstalk (again to aws-elasticbeanstalk-service-role)
Re-build the environment again
It is working at the moment.
I have created a few environments before so I know how the Amazon EBS works however lately I have been having the following issue while creating an environment:
The instance profile aws-elasticbeanstalk-ec2-role associated with the environment has no role. Please attach a role to the instance profile.
I follow the steps to create a new environment. When it gets to the Permissions page, I create a new role as there are no existing ones. Then I follow the rest of the steps and eventually it starts to launch. After a couple minutes, I get the error above. Any help towards this will be helpful.
To solve this issue, I created a new role from the IAM Manager console. I selected Amazon EC2 as my Service Role Type. I attached the AWSElasticBeanstalkFullAccess policy. Then when creating a new environment, I chose the new role I created.
Though I am a bit late in answering this issue, I am posting here in case someone faces this error now.
In case your user has all the required permissions to create a role and BS has already created "The instance profile aws-elasticbeanstalk-ec2-role".
The reason for this error is due to roles only: when we try to launch EC2 from AWS BS, it creates a role named "aws-elasticbeanstalk-ec2-role" with the required permissions.
But if there is already a role with Trusted entities "AWS service: ec2", BS will check permissions in that already existing older role.
So go to Roles > Search ec2 related roles and select the role which is active.
And just add AWSElasticBeanstalkFullAccess permission to that ec2 role, and this issue will be resolved.