Error in deploying SAM script from AWS Educate account Cloud9 console - amazon-web-services

I am new to using AWS and the Serverless Application Model (SAM). While following the GitHub repository of one of the recent AWS Virtual Workshops, I am facing a problem with SAM deployment.
In particular, while following module 1, these are the steps they provide (all of them are run from the Cloud9 terminal):
1. Find the Account Id.
   accountId=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .accountId)
2. Name the S3 bucket, appending the Account Id.
   s3_deploy_bucket="theme-park-sam-deploys-${accountId}"
3. Create the S3 bucket with that name.
   aws s3 mb s3://$s3_deploy_bucket
4. Go to the appropriate directory with the SAM YAML file.
5. Package:
   sam package --output-template-file packaged.yaml --s3-bucket $s3_deploy_bucket
6. Deploy:
   sam deploy --template-file packaged.yaml --stack-name theme-park-ride-times --capabilities CAPABILITY_IAM
All the steps work well up to step 5. On executing step 6, after a few resources are created successfully, I get an error on one particular resource and it fails. This results in a rollback, and all the created resources are deleted as well.
ResourceStatus: CREATE_FAILED
ResourceType: AWS::Events::Rule
LogicalResourceId: UpdateRidesUpdateRidesEvent
ResourceStatusReason: User: arn:aws:sts::969009900039:assumed-role/vocstartsoft/user810955=ameya.181co205#nitk.edu.in is not authorized to perform: events:PutRule on resource:arn:aws:events:us-east-1:969009900039:rule/theme-park-ride-times-UpdateRidesUpdateRidesEvent-1C6BYBO984UL7 with an explicit deny (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: AccessDeniedException; Request ID: c6d8162d-a3f1-405f-b6e8-2fd5437c4392)
Please let me know the solution to this problem. Thanks in advance.

Since you are using an AWS Educate Starter Account, you have a lot of limitations imposed on what you can and can't do in your sandbox account.
The general list of what is allowed is here:
AWS Services Supported with AWS Educate Starter Account
Also note that this is not an exhaustive list:
Some services may have additional restrictions as described in the table below.
The error message you got is an explicit deny. This means that you aren't allowed to do what you are attempting due to limitations of the starter account.
An alternative to using the Starter Account is using your own account (an option only for educators on AWS Educate). This way, if you are an educator, AWS Educate can provide you with credits for your classes, but since you use your own account, you have full control over it.
If the error you are facing is part of a classroom or tutorial they provide, you may contact their customer support. If this deny prohibits you from completing their own tutorials or classrooms, they should be able to fix that.
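The six steps from the question, written up as one script with the checks a practitioner would want around them. This is an added example, not the workshop's code: it takes the account id from the credentials the SAM CLI will actually use (aws sts get-caller-identity) instead of the IMDSv1 instance-identity document, validates the derived bucket name before creating anything, and on a failed create pulls only the CREATE_FAILED stack events so the denied action and resource ARN are visible without scrolling back through the rollback. It assumes a configured AWS CLI and SAM CLI, that it is run from the directory containing the SAM template (step 4), and it only deploys when RUN_DEPLOY=1 is set; the bucket prefix and stack name are the ones from the question.

```shell
#!/bin/sh
# Added example, not from the workshop: the six module-1 steps as one script
# with validation up front and a focused failure report at the end.
# Assumes a configured AWS CLI and SAM CLI. Set RUN_DEPLOY=1 to really deploy.
set -eu
export LC_ALL=C   # so [a-z] below means ASCII a-z regardless of locale

BUCKET_PREFIX="theme-park-sam-deploys"
STACK_NAME="theme-park-ride-times"

# Step 1: resolve the account id from the credentials SAM will use, rather
# than from the IMDSv1 instance-identity document. Works outside EC2 too, and
# names the identity that any AccessDenied message will refer to.
account_id() {
    aws sts get-caller-identity --query Account --output text
}

# Step 2 with validation: build "<prefix>-<account id>" and refuse anything
# S3 would reject (3-63 chars, lowercase letters/digits/dots/hyphens,
# starting and ending with a letter or digit).
bucket_name_for() {
    prefix="$1"; acct="$2"
    case "$acct" in
        ""|*[!0-9]*) echo "account id must be numeric: '$acct'" >&2; return 1 ;;
    esac
    [ "${#acct}" -eq 12 ] || { echo "account id must be 12 digits: $acct" >&2; return 1; }
    name="${prefix}-${acct}"
    case "$name" in
        *[!a-z0-9.-]*|[!a-z0-9]*|*[!a-z0-9])
            echo "not a valid S3 bucket name: $name" >&2; return 1 ;;
    esac
    if [ "${#name}" -lt 3 ] || [ "${#name}" -gt 63 ]; then
        echo "bucket name length out of range: $name" >&2; return 1
    fi
    echo "$name"
}

# Steps 3, 5 and 6. head-bucket makes the bucket creation idempotent, so the
# script can be re-run after a fix without "mb" failing on the existing bucket.
package_and_deploy() {
    bucket="$1"; stack="$2"
    aws s3api head-bucket --bucket "$bucket" 2>/dev/null || aws s3 mb "s3://$bucket"
    sam package --output-template-file packaged.yaml --s3-bucket "$bucket"
    sam deploy --template-file packaged.yaml --stack-name "$stack" --capabilities CAPABILITY_IAM
}

# After a failed create, show only the CREATE_FAILED events with their reason;
# that reason is where the denied action and resource ARN are reported.
failed_events() {
    aws cloudformation describe-stack-events --stack-name "$1" \
        --query "StackEvents[?ResourceStatus=='CREATE_FAILED'].[LogicalResourceId,ResourceType,ResourceStatusReason]" \
        --output table
}

main() {
    acct=$(account_id)
    bucket=$(bucket_name_for "$BUCKET_PREFIX" "$acct")
    echo "deploying $STACK_NAME from account $acct via s3://$bucket"
    package_and_deploy "$bucket" "$STACK_NAME" || { failed_events "$STACK_NAME"; exit 1; }
}

if [ "${RUN_DEPLOY:-0}" = "1" ]; then main; fi
```

For the failure in the question, failed_events prints the same ResourceStatusReason quoted above. An explicit deny in that field is not something the template or the deploying user can grant around, which is the point of the answer: the Deny is attached to the sandbox's role, so the only fixes are the ones the answer lists.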

Related

AWS IAM role does not exist or is not attachable

I encountered the following error when launching an AWS VPC from the command line interface following a quickstart guide here.
Commands used:
git clone https://github.com/aws-quickstart/quickstart-aws-biotech-blueprint-cdk.git
cd quickstart-aws-biotech-blueprint-cdk
npm install
npm run build
cdk bootstrap
npm run build && cdk deploy
Error message:
AwsBiotechBlueprint: creating CloudFormation changeset...
11:38:13 AM | CREATE_FAILED | AWS::IAM::Role | ConfigEnabledPromi...corderRoleFC6F886B
Policy arn:aws:iam::aws:policy/service-role/AWSConfigRole does not exist or is not attachable. (Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: f03b794e-7aa5-4f24-899e-2aefaa6e8fb3; Proxy: null)
I am using an IAM user (not Root), and the error appears to indicate that the "AWSConfigRole" policy is not associated with my user. To correct this error I added the "AWSConfigRole" permissions through the IAM management console via my web browser.
Unfortunately when I rerun the steps in the quickstart I still encounter the exact same error.
How can I ensure the updated permissions from the IAM management console are being properly communicated to the command line interface?
I still encounter the exact same error.
Because this policy is meant to be attached to the IAM role that the Config service assumes, not to your IAM user. Also, the AWSConfigRole policy has long been deprecated; you should be using AWS_ConfigRole instead, which explains why it can't be used anymore.
It seems that the template you are deploying is old and not up to date. It's better to open an issue about this with the devs of the template, as they should update it.
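An added check, not part of the quickstart or the answer: before running cdk deploy, list every AWS-managed policy ARN the synthesized template references and ask IAM whether each one still exists, so a retired policy such as AWSConfigRole fails in seconds instead of after CloudFormation has started creating the stack. The sample template is constructed for this example; with a real CDK app, run cdk synth and point check_template at the files under cdk.out (the *.template.json files). It assumes a configured AWS CLI, and only calls IAM when RUN_CHECK=1 is set.

```shell
#!/bin/sh
# Added example: pre-flight check that every AWS-managed policy a template
# attaches still exists in IAM. Not the quickstart's code.
set -eu

# Pull every arn:aws:iam::aws:policy/... string out of a template (JSON or
# YAML; the ARN is a plain string in both) and de-duplicate.
managed_policy_arns() {
    grep -o 'arn:aws:iam::aws:policy/[A-Za-z0-9_+=,.@/-]*' "$1" | sort -u
}

# Does IAM still know this managed policy? Prints "ok" or "missing".
# IAM is a global service, so no region is involved. Assumes a configured CLI.
policy_status() {
    if aws iam get-policy --policy-arn "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo missing
    fi
}

# Report every referenced policy; non-zero exit if any is gone.
check_template() {
    rc=0
    for arn in $(managed_policy_arns "$1"); do
        status=$(policy_status "$arn")
        echo "$status  $arn"
        [ "$status" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample (not the quickstart's template): a Config recorder role
# referencing the retired AWSConfigRole policy and its AWS_ConfigRole successor.
SAMPLE_TEMPLATE=$(mktemp)
cat >"$SAMPLE_TEMPLATE" <<'EOF'
{
  "Resources": {
    "ConfigRecorderRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/service-role/AWSConfigRole",
          "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
        ]
      }
    }
  }
}
EOF

if [ "${RUN_CHECK:-0}" = "1" ]; then check_template "$SAMPLE_TEMPLATE"; fi
```

Run against the sample with RUN_CHECK=1, the first ARN reports missing and the second ok, which is exactly the 404 NoSuchEntity the stack hit, surfaced before any resource is created.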

How to switch and do cdk deploy to a different account?

I created a project and deployed it to my personal account (678999999999).
My friend David asked me if I can deploy it to his account(123455555555) too.
So I set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN on my terminal as temporary env variables, and I gave them the values of David's AWS account.
When I do cdk deploy to David account I get the following error:
❌ Building assets failed: Error: Building Assets Failed:
Error: Could not assume role in target account
using current credentials (which are for account 123455555555) User: arn:aws:sts::123455555555:assumed-role/
AWSReservedSSO_PowerUserAccess_999999999ed47109/moyshe.zuchmir#gmail.com is not authorized
to perform: sts:AssumeRole on resource: arn:aws:iam::678999999999:role/cdk-hnb659fds-deploy-role-678999999999-eu-west-2.
Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap
the environment with the right '--trust', using the latest version of the CDK CLI.
At this point I tried to do cdk bootstrap for the project under David's account (as I still have the credentials for David's account in my env variables). The bootstrap seemed to work, but when I did cdk deploy later on I got the same error again.
Any help?
Thank you!
You can set up multiple AWS profiles.
https://kuchbhilearning.blogspot.com/2022/09/configure-aws-profile.html
For example:
aws s3 ls --profile david
You can use: yarn cdk deploy --profile david
Any command that you execute should be followed by --profile, otherwise it will use the default account/profile.

AWS SAM Deployment: Failed to create managed resources

When I try to deploy the hello world SAM application using sam deploy --guided, I get the following error.
Configuring SAM deploy
======================
Looking for config file [samconfig.toml] : Not found
Setting default arguments for 'sam deploy'
=========================================
Stack Name [sam-app]: sam-app
AWS Region [eu-west-1]: eu-west-1
#Shows you resources changes to be deployed and require a 'Y' to initiate deploy
Confirm changes before deploy [y/N]: y
#SAM needs permission to be able to create roles to connect to the resources in your template
Allow SAM CLI IAM role creation [Y/n]: y
#Preserves the state of previously provisioned resources when an operation fails
Disable rollback [y/N]: y
HelloWorldFunction may not have authorization defined, Is this okay? [y/N]: y
Save arguments to configuration file [Y/n]: y
SAM configuration file [samconfig.toml]:
SAM configuration environment [default]:
Looking for resources needed for deployment:
Creating the required resources...
Error: Failed to create managed resources: An error occurred (AccessDenied) when calling the CreateChangeSet operation: User: arn:aws:iam::899719272550:user/xxxxxxxx#xxxxxxxxxxxxxxxxxxxxxxxx is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:eu-west-1:899719272550:stack/aws-sam-cli-managed-default/* because no identity-based policy allows the cloudformation:CreateChangeSet action
Could you please help me to fix it?
Thanks in advance
Better late than never. The answer to your problem is in your question itself.
The SAM CLI uses the AWS credentials/role that you set up while configuring your AWS CLI with the aws configure command. If you don't know what I'm talking about, check Setting up AWS credentials here.
Needless to say, this role needs at least the following set of permissions to create/update CloudFormation stacks successfully.
cloudformation:CreateChangeSet
cloudformation:CreateStack
cloudformation:DeleteStack
cloudformation:DescribeChangeSet
cloudformation:DescribeStackEvents
cloudformation:DescribeStacks
cloudformation:ExecuteChangeSet
cloudformation:GetTemplateSummary
cloudformation:ListStackResources
cloudformation:UpdateStack
The role you are using is currently missing the cloudformation:CreateChangeSet permission and hence it's failing. Try adding all of the permissions mentioned above to your role and re-deploy the app.
Reference:
AWS Serverless Application Model - Permissions
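The permission list above, turned into an inline policy the way a practitioner would actually write it: scoped to the two stacks that sam deploy --guided touches (the aws-sam-cli-managed-default stack from the error and the sam-app stack chosen in the prompts) instead of Resource "*". This is an added example, not the answer's or the SAM project's code. Two details the list does not mention: CreateChangeSet on a template that uses the AWS::Serverless transform also needs to be allowed on the transform ARN in the "aws" pseudo-account, and GetTemplateSummary is called with a template body rather than a stack, so it has no stack ARN to scope to. The account id, region and stack names are the ones from the question; the user name "deployer" is a placeholder. Assumes a configured AWS CLI with permission to write the user's inline policies; it only calls IAM when RUN_ATTACH=1 is set.

```shell
#!/bin/sh
# Added example: generate a least-privilege CloudFormation policy for the
# identity that runs "sam deploy", then attach it as an inline user policy.
set -eu

# Print a policy document granting the CloudFormation actions from the answer
# on the given stack names only. Usage: sam_deploy_policy REGION ACCOUNT STACK...
sam_deploy_policy() {
    region="$1"; account="$2"; shift 2
    resources=""
    for stack in "$@"; do
        arn="\"arn:aws:cloudformation:${region}:${account}:stack/${stack}/*\""
        resources="${resources:+$resources, }$arn"
    done
cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SamStacks",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ListStackResources",
        "cloudformation:UpdateStack"
      ],
      "Resource": [ ${resources} ]
    },
    {
      "Sid": "ServerlessTransform",
      "Effect": "Allow",
      "Action": "cloudformation:CreateChangeSet",
      "Resource": "arn:aws:cloudformation:${region}:aws:transform/Serverless-2016-10-31"
    },
    {
      "Sid": "TemplateSummary",
      "Effect": "Allow",
      "Action": "cloudformation:GetTemplateSummary",
      "Resource": "*"
    }
  ]
}
EOF
}

# Write the document to a file and attach it to the IAM user as an inline policy.
# Usage: attach_policy USER REGION ACCOUNT STACK...
attach_policy() {
    user="$1"; shift
    doc=$(mktemp)
    sam_deploy_policy "$@" >"$doc"
    aws iam put-user-policy --user-name "$user" --policy-name SamDeployCloudFormation \
        --policy-document "file://$doc"
    rm -f "$doc"
}

# Values from the question; "deployer" is a placeholder user name.
if [ "${RUN_ATTACH:-0}" = "1" ]; then
    attach_policy deployer eu-west-1 899719272550 aws-sam-cli-managed-default sam-app
fi
```

This covers only the CloudFormation calls the SAM CLI makes on the deployer's behalf. The same identity also needs access to the managed deployment bucket (SAM creates and writes to it) and permission to create every resource in the template (for the hello world app: the Lambda function, its execution role, and the API), because CloudFormation acts with the caller's permissions unless a service role is passed to the stack.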

AWS CodeCommit Permissions Errors in CodePipeline

I am attempting to follow this example of setting up an AWS Pipeline for use across multiple accounts. I have the four different accounts set up. I've followed through on each step of the process successfully. No commands are generating any errors. The pipeline completes successfully. I can then connect to the pipeline and commit my code changes. In short, every single step up to the final one works as written in the documentation.
However, I'm then presented with an error on the initial trigger of the code commit:
Insufficient permissions
The service role or action role doesn’t have the permissions required
to access the AWS CodeCommit repository named dbmigration. Update the
IAM role permissions, and then try again. Error: User:
arn:aws:sts::12345678912:assumed-role/my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321
is not authorized to perform: codecommit:UploadArchive on resource:
arn:aws:codecommit:us-east-2:123456789:dbmigration
The AWS Account I used to create the pipeline is not the root account, but an IAM Administrator login with admin privileges across the account. I've tried adding AWSCodeCommitFullAccess and AWSCodePipelineFullAccess, which I would have thought would have been part of Administration anyway. However, that didn't change anything.
My assumption is I've done something horribly wrong, but I'm not able to identify what that is. Any suggestions for better troubleshooting, let alone suggestions on how to fix it would be most welcome.
The code used to create the pipeline, again, run using the IAM login, Administrator, from a fourth AWS account, is as follows:
aws cloudformation deploy --stack-name my-pipeline `
--template-file db-migration-master.yml `
--parameter-overrides ProjectName=dbmigration `
EmailAddress=grant#scarydba.com `
DevAccountId=98765432123 `
TestAccountId=123456789012 `
ProdAccountID=210987654321 --capabilities CAPABILITY_NAMED_IAM
All the templates are from the linked article and not modified or customized.
Based on the comments.
The error message indicated that the role my-pipeline-CodePipelineRole-1UPXOXOXO1WD0H/987654321 was missing permission codecommit:UploadArchive which:
Grants permission to the service role for AWS CodePipeline to upload repository changes into a pipeline
The solution was to add the codecommit:UploadArchive to the role as an inline policy.
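The authorization failures quoted on this page (the events:PutRule explicit deny from the Educate sandbox, the cloudformation:CreateChangeSet failure with "no identity-based policy allows", the sts:AssumeRole failure from the CDK cross-account deploy, and the codecommit:UploadArchive one above) all share one message shape, and the right fix depends on two things the message already contains: the reason clause IAM appends, and whether the resource ARN's account matches the principal's. An added example, not from any of the answers, that pulls the principal, action and resource out of such a message and classifies it. The sample messages are constructed from the ones quoted in the questions, with the user parts of the principal ARNs shortened.

```shell
#!/bin/sh
# Added example: triage an AWS "is not authorized to perform" message.
set -eu

# The three fields every such message carries. Principal and action never
# contain spaces; "on resource:arn..." (no space) and a trailing full stop
# both occur in practice, so both are tolerated.
deny_principal() { printf '%s\n' "$1" | sed -n 's/.*User: \([^ ]*\) is not authorized.*/\1/p'; }
deny_action()    { printf '%s\n' "$1" | sed -n 's/.*not authorized to perform: \([^ ]*\) on resource.*/\1/p'; }
deny_resource()  { printf '%s\n' "$1" | sed -n 's/.*on resource: *\([^ ]*\).*/\1/p' | sed 's/\.$//'; }

# The account id is the fifth colon-separated field of an ARN.
arn_account()    { printf '%s\n' "$1" | cut -d: -f5; }

# IAM says why it denied when it can; these are the phrases it uses.
deny_kind() {
    case "$1" in
        *"with an explicit deny"*)            echo explicit ;;
        *"no identity-based policy allows"*)  echo no-identity-policy ;;
        *"no resource-based policy allows"*)  echo no-resource-policy ;;
        *"no service control policy allows"*) echo no-scp ;;
        *"no permissions boundary allows"*)   echo no-boundary ;;
        *)                                    echo unspecified ;;
    esac
}

# Is the resource in the same account as the caller?
deny_scope() {
    pa=$(arn_account "$(deny_principal "$1")")
    ra=$(arn_account "$(deny_resource "$1")")
    if [ -z "$ra" ]; then echo unknown
    elif [ "$pa" = "$ra" ]; then echo same-account
    else echo cross-account
    fi
}

triage_denial() {
    msg="$1"
    p=$(deny_principal "$msg"); a=$(deny_action "$msg"); r=$(deny_resource "$msg")
    if [ -z "$p" ] || [ -z "$a" ]; then echo "not an IAM authorization failure"; return 1; fi
    echo "principal: $p"
    echo "action:    $a"
    echo "resource:  $r"
    if [ "$(deny_scope "$msg")" = cross-account ]; then
        echo "=> resource is in account $(arn_account "$r") but credentials are for $(arn_account "$p"):"
        echo "   fix the target account/profile or the role's trust policy, not the caller's permissions"
    fi
    case "$(deny_kind "$msg")" in
        explicit)           echo "=> a Deny statement matched: adding an Allow will not help; find the Deny (SCP, boundary or identity policy)" ;;
        no-identity-policy) echo "=> nothing grants $a to this identity: attach a policy allowing it on $r" ;;
        no-resource-policy) echo "=> the resource's own policy must grant $a to this principal" ;;
        no-scp)             echo "=> an organization SCP blocks $a; the org admin owns that, not the user" ;;
        no-boundary)        echo "=> the permissions boundary on this principal must allow $a" ;;
        unspecified)        echo "=> no reason given: check identity policies first, then the trust or resource policy" ;;
    esac
}

# Constructed from the messages quoted on this page (user parts shortened).
MSG_EDU='User: arn:aws:sts::969009900039:assumed-role/vocstartsoft/user810955 is not authorized to perform: events:PutRule on resource:arn:aws:events:us-east-1:969009900039:rule/theme-park-ride-times-UpdateRidesUpdateRidesEvent-1C6BYBO984UL7 with an explicit deny (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: AccessDeniedException)'
MSG_SAM='User: arn:aws:iam::899719272550:user/deployer is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:eu-west-1:899719272550:stack/aws-sam-cli-managed-default/* because no identity-based policy allows the cloudformation:CreateChangeSet action'
MSG_CDK='Could not assume role in target account using current credentials (which are for account 123455555555) User: arn:aws:sts::123455555555:assumed-role/AWSReservedSSO_PowerUserAccess_999999999ed47109/moyshe is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::678999999999:role/cdk-hnb659fds-deploy-role-678999999999-eu-west-2.'

for m in "$MSG_EDU" "$MSG_SAM" "$MSG_CDK"; do triage_denial "$m"; echo; done
```

For the CDK message the classification is cross-account: the credentials belong to 123455555555 (David's account) while the deploy role lives in 678999999999 (the original account), which is what the CDK CLI's own hint about re-bootstrapping with the right --trust is pointing at. The quickest confirmation before a deploy is aws sts get-caller-identity --profile david, compared against the account the stack's environment targets.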

Serverless access to SFProRole is denied by IAM

The SFProSetup stack was deleted by mistake. This deleted an IAM role needed for serverless deploy.
So I redeployed the template under a new name but the following error message still occurs when deploying my service.
Error: {"errorMessage":"Your AWS credential for deployment profile default is configured to use the IAM role arn:aws:iam::730609332320:role/SFProRole, but access to that role was denied by IAM. - Please contact support and provide this identifier to reference this issue - NVB2DG9Q46SQ"}
I have one aws profile and have been deploying successfully before this.
I redeployed the template with the following command
aws cloudformation deploy --template-file ~/Desktop/serverless_setup.yml --stack-name SFProSetup --region us-east-1 --profile default --parameter-overrides OrgId=xyz123 ProfileName=default --capabilities CAPABILITY_NAMED_IAM
A series of steps led me to find that the stack must be deployed in us-east-1 because that's the only region the Reporter component can talk to. --capabilities CAPABILITY_NAMED_IAM was necessary because the template creates an AWS role with a capability. And finally, I noticed a parameter for OrgId was used in the original stack creation, so I added it to the parameter overrides in the command. I'm guessing this is my id in serverless: OrgId=xyz123.