The SFProSetup stack was deleted by mistake. This deleted an IAM role needed for serverless deploy.
So I redeployed the template under a new name but the following error message still occurs when deploying my service.
Error: {"errorMessage":"Your AWS credential for deployment profile default is configured to use the IAM role arn:aws:iam::730609332320:role/SFProRole, but access to that role was denied by IAM. - Please contact support and provide this identifier to reference this issue - NVB2DG9Q46SQ"}
I have one aws profile and have been deploying successfully before this.
I redeployed the template with the following command
aws cloudformation deploy --template-file ~/Desktop/serverless_setup.yml --stack-name SFProSetup --region us-east-1 --profile default --parameter-overrides OrgId=xyz123 ProfileName=default --capabilities CAPABILITY_NAMED_IAM
A series of steps led me to find that the stack must be deployed in us-east-1 because that's the only region the Reporter component can talk to. --capabilities CAPABILITY_NAMED_IAM was necessary because the template creates an AWS role with a capability. And finally, I noticed a parameter for OrgId was used in the original stack creation, so I added it to the parameter overrides in the command. I'm guessing this is my id in serverless (OrgId=xyz123).
In AWS CloudFormation, why do we have to edit IAM roles in the template only? Then why is the option given in the console? When trying to update the IAM role, it says there is nothing to update.
The role in question is used to grant CloudFormation the permissions to deploy specific resources as part of the stack. By default, if you don't specify what role the stack should use, it will use the permissions assigned to the user that's creating the CFN stack. So, for example, if you don't have permissions to deploy IAM resources and you try to deploy a CFN stack containing an IAM Role, it will fail due to lack of permissions. This is where CloudFormation IAM Roles come in handy. You can have a CloudFormation role deployed that has more permissions than the role you're using to deploy the stack itself, and by assigning it to the CFN stack you're now able to provision those resources.
To update the IAM Role that the stack uses without making any changes to the stack resources, you can go to Update -> Use current template -> Change IAM role (in Permissions), pick the role you want the stack to use and click Update stack. Once completed, you can check the Stack info; in Overview the new IAM Role ARN should be listed.
When deploying the resources from a pipeline or the AWS CLI, you can also specify the role you want your stack to use to provision the resources:
aws cloudformation deploy \
--template-file package.yaml \
--stack-name YOUR-STACK-NAME \
--role-arn arn:aws:iam::123456789012:role/YOUR-IAM-ROLE
Your screenshot shows the AWS CloudFormation (CFN) service role. This is a totally different role from those in your templates. Namely, CFN will use that role to create/update your stack. By default CFN uses your own IAM user permissions, but you can tell CFN to use the given CFN service role instead.
I am creating an IAM user using CloudFormation but getting the error mentioned below:
"API: iam:CreateUser User: arn:aws:sts::11111111111:assumed-role/MyCloudFormationRole/AWSCloudFormation is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::11111111111:user/username1 with an explicit deny"
I have created MyCloudFormationRole and have given it full IAM access (iam:*), and I am running the CloudFormation command using this role.
create stack command:
aws cloudformation create-stack --stack-name my-users --template-body file://C:/template.yml --parameters file://C:/parameters.json --role-arn arn:aws:iam::11111111111:role/MyCloudFormationRole --capabilities CAPABILITY_NAMED_IAM
Is there anything missing here?
When you are not allowed to do something, it is either because you lack permissions or because someone explicitly forbids it. In your case the "explicit deny" suggests the latter. The policies can be in various locations:
identity policy
resource policy
session policy
permission boundary
SCP
You would simply need to check which one denies the request.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
I am new to using AWS and the Serverless Application Model (SAM). While following the GitHub repo of one of the recent AWS Virtual Workshops, I am facing a problem in SAM deployment.
In particular, while following module 1, these are the steps they provide (all these steps are performed from the Cloud9 terminal):
1. Find the Account Id.
   accountId=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r .accountId)
2. Name the S3 bucket, appending the Account Id.
   s3_deploy_bucket="theme-park-sam-deploys-${accountId}"
3. Create the S3 bucket with that name.
   aws s3 mb s3://$s3_deploy_bucket
4. Go to the appropriate directory with the SAM YAML file.
5. Package:
   sam package --output-template-file packaged.yaml --s3-bucket $s3_deploy_bucket
6. Deploy:
   sam deploy --template-file packaged.yaml --stack-name theme-park-ride-times --capabilities CAPABILITY_IAM
All the steps work well until step 5. On executing step 6, after the successful creation of a few resources, the creation of one particular resource fails. This results in a rollback, and all created resources are also deleted.
ResourceStatus: CREATE_FAILED
ResourceType: AWS::Events::Rule
LogicalResourceId: UpdateRidesUpdateRidesEvent
ResourceStatusReason: User: arn:aws:sts::969009900039:assumed-role/vocstartsoft/user810955=ameya.181co205#nitk.edu.in is not authorized to perform: events:PutRule on resource:arn:aws:events:us-east-1:969009900039:rule/theme-park-ride-times-UpdateRidesUpdateRidesEvent-1C6BYBO984UL7 with an explicit deny (Service: AmazonCloudWatchEvents; Status Code: 400; Error Code: AccessDeniedException; Request ID: c6d8162d-a3f1-405f-b6e8-2fd5437c4392)
Please let me know the solution to this problem. Thanks in advance.
Since you are using an AWS Educate Starter Account, you have a lot of limitations imposed on what you can and can't do in your sandbox account.
The general list of what is allowed is:
AWS Services Supported with AWS Educate Starter Account
Also note that this is not an exhaustive list:
Some services may have additional restrictions as described in the table below.
The error message you got is an explicit deny. This means that you aren't allowed to do what you are attempting due to limitations of the starter account.
An alternative to using the starter account is having your own account (an option only for educators on AWS Educate). This way, if you are an educator, AWS Educate could provide you credits towards your classes, but since you use your own account, you would have full control over it.
If the error you are facing is part of a classroom or tutorial they provide, you may contact their customer support. If this deny prohibits you from completing their own tutorials or classrooms, they should be able to fix that.
I am new to AWS and I am following this link. I couldn't find the difference between ECS_SERVICE_ROLE_ARN and ECS_TASK_ROLE_ARN. Also I wanted to know how I could find them. I used this command
aws sts get-caller-identity
But this gives a common field "arn", and I don't know which one it is.
The service role ARN is the ARN of the role that is interacting with the ECS service. The task role ARN is the role under which the individual task is executing.
To find the service role ARN, you should be able to look in IAM Roles for the ECS service role.
To find a task role ARN for a given task, you should be able to use:
aws ecs describe-tasks
You can find the ExecutionRoleArn and TaskRoleArn in the JSON file 'cloudformation-core-output.json', which is generated at "Step 1 Deploy CloudFormation Templates" after you ran the following command:
aws cloudformation describe-stacks --stack-name MythicalMysfitsCoreStack > ~/environment/cloudformation-core-output.json
I am creating a Node.js application and deploying it as a Lambda function on AWS. I am following the link:
http://docs.aws.amazon.com/lambda/latest/dg/with-on-demand-https-example-create-iam-role.html
I am now stuck at steps 2.2-2.3. Step 2.2 has the JSON with the policy that needs to be attached to the role. When I use the command below (step 2.3) to create the Lambda function:
aws lambda create-function --region us-east-1 --function-name LambdaFunctionOverHttps --zip-file fileb://LambdaFunctionOverHttps.zip --role execution-role-arn --handler LambdaFunctionOverHttps.handler --runtime nodejs4.3
Then I get the error below:
An error occurred (ValidationException) when calling the
CreateFunction operation: 1 validation error detected: Value
'execution-role-arn' at 'role' failed to satisfy constraint: Member
must satisfy regular expression pattern:
arn:aws:iam::\d{12}:role/?[a-zA-Z_0-9+=,.#-_/]+
I even created the file "execution-role-arn" containing the JSON from step 2.2. How can I resolve this error and create the Lambda function?
I faced the same error; it turns out you have to specify the Role ARN, not the Role name. So instead of --role roleName, put --role arn:aws:iam::1234567891:role/service-role/roleName. You can find your role ARN by clicking on the role name in the Roles tab; the role ARN is shown at the top.
AWS really needs to fix their documentation for almost all of their services.
Update: The role needs to be replaced with the actual ARN of the role for the Lambda function instead of a separate file. This can be found on the role you just created in step 2.2. So, the proper way to do this is as follows:
aws lambda create-function \
  --region us-east-1 \
  --function-name LambdaFunctionOverHttps \
  --zip-file fileb://LambdaFunctionOverHttps.zip \
  --role arn:aws:iam::9999999999999:role/lambda-gateway-execution-role \
  --handler LambdaFunctionOverHttps.handler \
  --runtime nodejs4.3
This worked out fine and the Lambda function got created. Note that I had pointed the default profile to admin with the aws configure command.