I'm trying to auto-deploy my static websites Github changes to my s3 bucket and when I went to create the pipeline, it threw a "Could not create role AWSCodePipelineServiceRole" error.
My github has permissions setup correctly. The repo name, bucket name, and object key are correct.
Has anyone ever encountered this?
I resolved this issue by:
Step 1: adding the deployment user I was logged on as into a
Deployers Group, to which I granted the IAMFullAccess policy.
Step 2: I successfully created the pipeline by following the same
steps as indicated by the AWS tutorial.
Step 3: once create, I
reversed engineered the group and single policy attached to it that
the wizard created. It showed a really long policy that you can't
really invent. The IAM section being:
"Statement": [
{
"Action": [
"iam:PassRole"
],
"Resource": "*",
I am just concerned that the Deployers group I created now has IAMFullAccess...
Also, I found that if you are logged as an admin, and add privileges to an IAM user, that user may not immediately enjoy these new privileges. I decided to log out and log back in to commit them. Maybe there is a lighter way, but I couldn't find it.
The reason behind the issue was that your IAM user (the user you are logged in as) is restricted to create role with service role name 'AWSCodePipelineServiceRole'.
In order to provide IAM user permission to create role with service role name ‘AWSCodePipeline*’ e.g. ‘AWSCodePipelineServiceRole-us-east-1-test’, you need to attach the below policy to your IAM user:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:CreateRole",
"Resource": "arn:aws:iam::*:role/AWSCodePipeline*"
}
]
}
Try couple of things:
Try to create the IAM role with different name (e.g. AWSCodePipelineServiceRole2020).
Give the pipeline a different name and keep the role name as it is
(auto generated) by pipline.
I hope this will help.
I had to add these 4 policies to get the CodePipeline creation issue fixed.
"iam:CreateRole",
"iam:CreatePolicy",
"iam:AttachRolePolicy",
"iam:PassRole"
Related
According to the AWS CodeBuild documentation, the Create Project operation requires only the codebuild:CreateProject and iam:PassRole Actions to be granted. I have done this in my role's policy, and set the Resource to "*", but when I click on the Create Project button, I immediately get Access Denied with no further information. I have no problems doing the analogous operation in CodeArtifact, CodePipeline, and CodeCommit. If I set "s3:*", I do not get the error, so evidently it's an S3 permission I'm missing, but which one?
What I am trying to do is create a role with reduced permissions so that a user can run a build and manage CodeSuite resources (add and edit repositories, pipelines, etc.) without using Administrator privileges.
Here is my policy JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*Object",
"s3:*ObjectVersion",
"s3:*BucketAcl",
"s3:*BucketLocation",
"iam:*",
"codepipeline:*",
"codeartifact:*",
"codecommit:*",
"codebuild:*"
],
"Resource": "*"
}
]
}
(I am aware this configuration is inadvisable; I am trying to isolate the issue, and provide a minimum reproducible example)
With a little bit of educated trial and error, I narrowed it down to a List* Action, which is sufficiently specific for my purposes. I'm guessing it's ListObjects and ListObjectVersions, but I'm too lazy to confirm it.
Question
Please help understand the cause and solution for the problem.
Problem
SageMaker Studio domain creation fails due to KMS permissions. The IAM Role specified to the SageMaker arn:aws:iam::316725000538:role/SageMaker has the permissions for KMS required as specified in https://docs.aws.amazon.com/sagemaker/latest/dg/api-permissions-reference.html.
Domain creation failed
Unable to create Amazon EFS for domain 'd-1dq5c9rpkswy' because you don't have permissions to use the KMS key 'arn:aws:kms:us-east-2:316725000538:key/1e2dbf9d-daa0-408d-a290-1633b615c54f'. See https://docs.aws.amazon.com/sagemaker/latest/dg/api-permissions-reference.html for required permissions for CreateDomain action.
tells the IAM permissions
IAM Permission for CreateDomain action
Amazon SageMaker API Permissions: Actions, Permissions, and Resources Reference
The IAM permission required for the CreateDomain action have been attached to the IAM role.
I had the same problem when trying to use the aws/s3 key. I created my own Customer Managed Key (CMK) and it worked just fine.
I think it's related to the AWS assigned policy on the aws/s3 key.
This part:
"Condition": {
"StringEquals": {
"kms:CallerAccount": "120455730103",
"kms:ViaService": "s3.us-east-1.amazonaws.com"
}
I don't think SageMaker meets the kms:ViaService condition.
Apart from SageMakerFullAccess we need to create a new policy and attach that to your user.
Create a new policy with below json -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sagemaker:CreateUserProfile",
"sagemaker:CreateModel",
"sagemaker:CreateLabelingJob",
"sagemaker:CreateFlowDefinition",
"sagemaker:CreateDomain",
"sagemaker:CreateAutoMLJob",
"sagemaker:CreateProcessingJob",
"sagemaker:CreateTrainingJob",
"sagemaker:CreateNotebookInstance",
"sagemaker:CreateCompilationJob",
"sagemaker:CreateImage",
"sagemaker:CreateMonitoringSchedule",
"sagemaker:RenderUiTemplate",
"sagemaker:UpdateImage",
"sagemaker:CreateHyperParameterTuningJob"
],
"Resource": "*"
}
]
}
I am following the AWS tutorial on how to set up the new video streaming product IVC https://docs.aws.amazon.com/ivs/latest/userguide/GSIVS.html
I set up a IAM user with the following permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ivs:CreateChannel"
],
"Resource": "*"
}
]
}
But when I try to create a channel with logged in as the above mentioned IAM user I get the error
ivs.AccessDeniedException:
User: arn:aws:iam::532654645459:user/alex-iam is not authorized to perform:
ivs:CreateChannel on resource: *
Am I missing something? Here are is screenshots for the policy setup.
(OP here) The solution that worked for me was to change the policy to grant all permissions to IVS for IAM user as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ivs:*"
],
"Resource": "*"
}
]
}
Everything worked fine afterward (create channels, list channels, view channels details).
To deal with this issue, best is to reach out to AWS Support Center via “Account and billing support”. For details about the case, select “Account” for the Type and “Other Account Issues” for the Category. As for the subject and description, please provide as many details about the error as possible, such as the error code above.
What could also be helpful is to (especially on a fresh AWS account) is to spin up p/ launch an EC2 instance (Micro or whatever) and spin it back down. Try using IVS after that and see if that helped.
What type of account are you using ( free tier, educate account)?
In educate account IAM users do no have access to some services. This might be on of the issues.
I have solved the problem by add policy to the lambda function
Go to the AWS IAM page and navigate to Role.
And then find the role for your lambda function and click add permission button
and create inline policy
There, you can create and attach policy to role.
as you written on above.
After that, your functions will work well
I am trying to export data from a table in my Aurora database to a bucket I have created in my S3, using the "SELECT INTO OUTFILE S3" command that is promoted by Amazon here.
Select * from testauroradb.'table1' into outfile S3 's3://data-dump-bucket/Data';
When I try to run the above line I receive the following error:
Error Code: 1045. Access denied for user 'username'#'%' (using password: YES)
According to some forms this is due to the user not having permissions and that they need to be granted by the root user. However this is the root user and according to some documentation provided by Amazon, the root user has the ability to perform the "SELECT INTO S3" command. I have also checked and can verify that the user does have the ability to run the "SELECT INTO S3" command. (I know it is not good practice to use the root user but this is only a test database).
I also created an IAM role and policy to have access to the S3 and have linked it to the Aurora Database. Policy for access to S3:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListBucket",
"s3:DeleteObject",
"s3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::data-dump-bucket/Data"
]
}
]
}
I attached the policy to an IAM role. Then I added the Role ARN to the parameter aws_default_s3_role in the parameter group that is attached to the Aurora Cluster.
Following some forums only, some people had success changing the outbound rules for the security groups to "TYPE:SSH, Port:22, Destination:0.0.0.0/0". But this didn't work for me either. If anyone can tell me what to do or what I have done wrong I would appreciate it.
I was running into the same issue. I added AmazonS3FullAccess policy to my IAM role and it worked.
Run this command on you database
GRANT LOAD FROM S3 ON . TO 'user'#'domain-or-ip-address'
I want my AWS IAM users that belong to a specific group to be able to manage their own credentials, including the creation of their first access key. It is a requirement that they don't get other permissions such as listing the account's users.
It seems that console access is not an option as it needs permissions I don't want to grant (such as ListUsers).
Thus I tried the AWS CLI option and added the following policy, as advised in AWS documentation.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:*LoginProfile",
"iam:*AccessKey*",
"iam:*SSHPublicKey*"
],
"Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
}
}
This works well, except that it seems AWS CLI requires an access key to login (which my users don't have yet, I want them to create their access key themselves).
As a work around, I create the access key for them, and then ask them to change it, but it's quite cumbersome.
Is there a way to log into AWS CLI with the user name and password? Is there another way to achieve my use case?
I encountered a similar issue. I want my non root users to be able to change their password and change (create/make inactive/delete) their access key for CLI access. However, those users must not be able to list users or display/do anything with other users.
My attempt to achieve the minimal policy is this JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:DeleteAccessKey",
"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:ListAccessKeys"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "iam:GetAccountPasswordPolicy",
"Resource": "*"
}
]
}
Some explanation for AWS noobs like myself:
I created a custom policy in IAM > Policies > Create policy. I picked up the relevant permission, add the resources scope and then assign this permission to my user group.
iam:ChangePassword is obviously the password change permission which is restricted to the current user only by the resource = "arn:aws:iam::*:user/${aws:username}". Replace * with the account Id (without hyphens) if you need to restrict to a specific account.
As mentioned in AWS doc, iam:GetAccountPasswordPolicy is required
Sources:
AWS doc
SO: Refer to logged user in policies
iam:*AccessKey manage access key for the current user as well:
create allows the creation of a new key so that admin do not know the key
update allows make inactive action
delete allows access key deletion as there is a quota of two keys per account