I am attempting to follow this example of setting up an AWS Pipeline for use across multiple accounts. I have the four different accounts set up. I've followed through on each step of the process successfully. No commands are generating any errors. The pipeline completes successfully. I can then connect to the pipeline and commit my code changes. In short, every single step up to the final one works as written in the documentation.
However, I'm then presented with an error on the initial trigger of the code commit:
Insufficient permissions
The service role or action role doesn’t have the permissions required
to access the AWS CodeCommit repository named dbmigration. Update the
IAM role permissions, and then try again. Error: User:
arn:aws:sts::12345678912:assumed-role/my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321
is not authorized to perform: codecommit:UploadArchive on resource:
arn:aws:codecommit:us-east-2:123456789:dbmigration
The AWS Account I used to create the pipeline is not the root account, but an IAM Administrator login with admin privileges across the account. I've tried adding AWSCodeCommitFullAccess and AWSCodePipelineFullAccess, which I would have thought would have been part of Administration anyway. However, that didn't change anything.
My assumption is I've done something horribly wrong, but I'm not able to identify what that is. Any suggestions for better troubleshooting, let alone suggestions on how to fix it would be most welcome.
The code used to create the pipeline, again, run using the IAM login, Administrator, from a fourth AWS account, is as follows:
aws cloudformation deploy --stack-name my-pipeline `
--template-file db-migration-master.yml `
--parameter-overrides ProjectName=dbmigration `
EmailAddress=grant#scarydba.com `
DevAccountId=98765432123 `
TestAccountId=123456789012 `
ProdAccountID=210987654321 --capabilities CAPABILITY_NAMED_IAM
All the templates are from the linked article and not modified or customized.
Based on the comments.
The error message indicated that the role my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321 was missing the permission codecommit:UploadArchive, which:
Grants permission to the service role for AWS CodePipeline to upload repository changes into a pipeline
The solution was to add the codecommit:UploadArchive to the role as an inline policy.
Related
I am trying to upload a new AWS GameLift Linux server using the AWS CLI but I get the following error:
An error occurred (AccessDeniedException) when calling the CreateBuild operation: User: arn:aws:iam::------:user/----- is not authorized to perform: gamelift:CreateBuild because no identity-based policy allows the gamelift:CreateBuild action
I added the arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy to my group permissions. I can see in the policy json that there isn't a CreateBuild action. It either needs to be added or you can't do it this way.
The AWS documentation is useless and on this page: https://docs.aws.amazon.com/gamelift/latest/developerguide/security_iam_troubleshoot.html#security_iam_troubleshoot-no-permissions
it helpfully advises: ... asks his administrator to update his policies
My user is the main root user for my AWS account but I have no idea how to resolve this. Any ideas?
I worked out how to create a new Policy and add the service permissions. You click on 'create policy' and then choose the 'GameLift' service. I added all the available actions. Seemed to do the trick.
Why did AWS miss this out of the documentation?
I have updated my CDK from version 1 to version 2. When I deploy locally using npm run cdk -- deploy --context awsEnv=dev --all --profile=dev, this works flawlessly.
However, when the Circle CI CI/CD pipeline tries to deploy to the same dev environment, it throws an error:
User: arn:aws:sts::xxxxxxxx:assumed-role/*******************************************************/jatinmehrotra is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:**************:xxxxx:parameter/cdk-bootstrap/xxxxxxxxx/version because no identity-based policy allows the ssm:GetParameter action
So basically the Circle CI CI/CD pipeline for deployment assumes the roles and creates temporary credentials using the aws sts assume-role command.
Note: after updating to CDK v2 I can see a new role which has the same name as the bootstrap SSM parameter. Does that have something to do with the error?
As of now, I think the assume role credentials (even though it has sufficient permissions) are not able to access the bootstrap parameter.
After some troubleshooting and carefully reading the error logs, I manually gave the role whose credentials are being used to deploy the resources full SSM parameter permissions.
This resolved the issue.
I linked a repo in CodeCommit to Sagemaker. However when I try to start an instance with that repo it fails and I get a message:
fatal: unable to access 'https://git-codecommit.us-east-1.amazonaws.com/v1/repos/MyRepo/': The requested URL returned error: 403
I think maybe it has something to do with the IAM role. Is there some policy I should add to the AmazonSageMaker-ExecutionRole. I am completely new to this so please excuse any incorrect usage of terms here.
This is presumably caused by your IAM role; if you used the UI to create a role, I think by default it creates a role requiring resources to have "sagemaker" in their ARN (CodeCommit repos, S3 buckets...). So you have 2 options:
Try renaming your repo, e.g. "myrepo-sagemaker"
Or edit (ask your admin if you don't have the ability) your SM IAM role to be allowed to access MyRepo
I cloned this solution azure-devops-on-aws and used dotnet lambda deploy-serverless ... to deploy the MyLizardApp to my personal AWS account.
During the learning curve, I created an S3 bucket my-lizard-test, IAM user group MyLizardGroup with user lizard-user and group policy MyLizardApp-Policy. Included in the policy are these services:
API Gateway (full access, all resources)
CloudFormation (full access, all resources)
Lambda (full access, all resources)
S3 (full access, all resources)
(Eventually) the deployment succeeded and I had a Lambda application serving the simple razor page showing the time.
I then copied the LambdaEntryPoint.cs, aws-lambda-tools-defaults.json and serverless.template files to my own dotnet core webapp (also a razor project) and attempted to deploy it to the same AWS account with the same command. The only changes made were the namespace of the LambdaEntryPoint class (reflected in the serverless.template file) and the .csproj file to include:
<AWSProjectType>Lambda</AWSProjectType>
and:
<PackageReference Include="Amazon.Lambda.AspNetCoreServer" Version="5.0.0" />
The dotnet lambda deploy-serverless ... command failed with the message:
User: arn:aws:iam::123456789120:user/lizard-user is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789120:role/MyLizardAppServiceRole (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 12345678-1234-1234-1234-123456789012; Proxy: null)
I got the command to succeed by adding the IAM service to the MyLizardApp-Policy with the PassRole (all resources).
Why was this necessary for my personal app and not the demo solution from github? If the answer is not clear, what should I be looking for as differences? My personal app is not significantly different from the demo solution and I don't think the functional differences (in C#) would matter.
Whenever an AWS Service assumes (uses) an IAM Role, the service must have iam:PassRole permission to grant permission to use the Role. This is required to prevent users from gaining too much permission.
For example, imagine a normal (non-Admin) user who launches an Amazon EC2 instance. When launching the instance, they can nominate an IAM Role to be assigned to the instance. If this user was permitted to select any IAM Role, they could select an Admin role and assign it to the EC2 instance. They could then login to the instance and use the credentials to make API calls as an Admin. This is an unwanted "privilege escalation".
Similarly, when an AWS Lambda function executes, it uses an IAM Role to obtain permissions. The iam:PassRole permission is used to control which roles a user can assign to the Lambda function.
So, there is something in that project that is trying to use an IAM Role and needs appropriate permissions.
First of all, we need to know what PassRole is:
iam:PassRole is the permission that controls which users can delegate an IAM role to an AWS resource.
As I can see in the repo, there is a file for CodeDeploy which already has credentials, so maybe you are using CodeDeploy.
But by the way, you are using an instance to deploy a Lambda function, and you need to pass the role to that Lambda, so that is what PassRole does.
AWS Services cannot directly assume service-linked roles. The role must be passed to the service by a user with the iam:PassRole permission.
The role-passing needs to be done only once, when a resource (e.g. EC2 instance) is created. After that the resource can assume the role repeatedly.
The EC2 instance profile is implemented this way. When a user launches an instance, they pass a role to the instance to act as an instance profile (in addition, iam:AddRoleToInstanceProfile is needed in this case).
Other service-linked roles are also passed in this way.
Do not confuse it with the iam:CreateRole permission. A user may freely create service-linked roles, but is unable to pass the role to a service when needed.
In the management console, and to some extent in the CLI commands, role-passing is implicit, so you may encounter it without clear error messages when using non-root accounts.
As for why sometimes you need this permission, and sometimes you don't, that is because when you use the root user, it will have AdministratorAccess which basically allows all actions on all resources.
If you create a new IAM user or account with blank permissions then you will need to add this permission manually.
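An added helper (not from any of the answers on this page) that takes one of the "is not authorized to perform" messages quoted here (the codecommit:UploadArchive error from the first question and the iam:PassRole error from this thread) and produces the single least-privilege inline-policy statement to attach, scoped to that one action and resource instead of a Full-Access managed policy or "PassRole (all resources)". Mapping "Service: AWSLambdaInternal" in the PassRole message to the lambda.amazonaws.com service principal for the iam:PassedToService condition is an assumption made here, as is the attach_target/statement_for naming.

```python
import json
import re

# Matches the AccessDenied wording quoted above; "on resource:" is optional (GameLift omits it).
_DENIED = re.compile(
    r"User:\s+(?P<principal>arn:aws:(?:iam|sts)::\S+)\s+is not authorized"
    r"\s+to perform:\s+(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?:\s+on resource:\s+(?P<resource>arn:aws:\S+))?"
)

def parse_denied(message: str) -> dict:
    """Extract principal, action and resource (resource is None when absent)."""
    m = _DENIED.search(message)
    if not m:
        raise ValueError("not an AWS 'is not authorized to perform' message")
    d = m.groupdict()
    d["resource"] = d["resource"].rstrip(".,") if d["resource"] else None
    return d

def attach_target(principal: str) -> tuple:
    """Entity to attach the statement to: ('role'|'user', name); a session ARN names the role."""
    parts = principal.split(":", 5)[5].split("/")   # e.g. assumed-role/ROLE/SESSION
    if parts[0] == "assumed-role":
        return "role", parts[1]
    if parts[0] in ("user", "role"):
        return parts[0], parts[-1]
    raise ValueError("unrecognised principal: " + principal)

def statement_for(denied: dict, passed_to_service=None) -> dict:
    """Allow exactly the denied action on the denied resource ("*" only when none is
    named; narrow by hand). For iam:PassRole, passed_to_service limits the receiver."""
    stmt = {"Effect": "Allow", "Action": denied["action"],
            "Resource": denied["resource"] or "*"}
    if denied["action"] == "iam:PassRole" and passed_to_service:
        stmt["Condition"] = {"StringEquals": {"iam:PassedToService": passed_to_service}}
    return stmt

def policy_document(statements) -> str:
    """Inline-policy JSON for `aws iam put-role-policy --policy-document`."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)}, indent=2)

CODECOMMIT_DENIED = (  # the error from the first question above, joined onto one line
    "User: arn:aws:sts::12345678912:assumed-role/my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321 "
    "is not authorized to perform: codecommit:UploadArchive on resource: "
    "arn:aws:codecommit:us-east-2:123456789:dbmigration"
)

def example_policy() -> str:
    """The inline policy for the first question's error: one action, one repository."""
    return policy_document([statement_for(parse_denied(CODECOMMIT_DENIED))])
```

attach_target tells you which role or user the statement belongs on (for an assumed-role session ARN that is the role, e.g. my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H), and statement_for(parsed, passed_to_service="lambda.amazonaws.com") gives the conditioned PassRole statement for the Lambda case.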
I am trying to set up a Continuous Integration pipeline for my simple AWS Lambda function. To confess, this is my very first time using AWS CodePipeline. I am having trouble with setting up the pipeline. The deploy stage in the pipeline is failing.
I created a CodeBuild
Then I created an application in CodeDeploy
Then I created a CodePipeline choosing the source as GitHub. Then I selected a repository and branch from GitHub. Then I linked the pipeline with the CodeDeploy application and CodeBuild I previously created.
After I save the pipeline and when the pipeline is built, I am getting this error.
When I check the error details, it says this
Unable to access the artifact with Amazon S3 object key 'the-goodyard-pipelin/BuildArtif/G12YurC' located in the Amazon S3 artifact bucket 'codepipeline-us-east-1-820116794245'. The provided role does not have sufficient permissions.
Basically, that Bucket does not exist as well. Isn't the Bucket created automatically? What went wrong with my set up?
The Bucket exists as well. It is just throwing an error.
In the bucket, I can see the zip file as well.
Well, the error message looks self-explanatory: the role you assigned to CodeBuild doesn't have enough access to go to S3.
Go to CodeBuild -> Build projects -> Choose your project -> Click on tab 'Build Details'.
You will see a 'Service Role' ARN, that if you click on it, it will send you to that IAM role (if you are not an admin for that account, you may not have enough permissions to see IAM, as it is a critical permission service, so check this with the admin.)
Check the policies for that role, and check if the policies have the action: s3:GetObject on resource: your bucket.
If it doesn't, then you need to add it. Use the visual editor, use S3 as service, add Get* as action, and your s3 bucket to it.