I am getting the following error when I am trying to attach an IoT policy to an AWS Cognito pool. I try to attach the policy from the CLI. Can someone help me get rid of the following error?
An error occurred (InvalidRequestException) when calling the AttachPrincipalPolicy operation: Invalid principal type
I am getting this error after running the following command.
aws iot attach-principal-policy --policy-name 'myPolicy' --principal 'us-east-2_XXXXX' --region 'us-east-2'
Is there any way to attach the policy from the AWS GUI?
Thanks
I think the error is that you are passing the Pool Id; however, in that field you must pass the Identity Pool Id.
Identity pool Id example:
foo#bar:~$ aws iot attach-principal-policy --policy-name 'real-time-weather-iot-policy' --principal 'us-west-2:<identity_pool_id>' --region us-west-2
This seems so simple. I have ONE account, and I am getting a "Cross-account pass role is not allowed" error when trying to run a CloudFormation stack.
I am using this guide:
https://github.com/aws-samples/amazon-eks-refarch-cloudformation
I have made just a couple of tweaks to the custom.mk (network, EC2 types etc.).
To create the cluster, per the README, I am running this command in my terminal, and my IAM user account is in the "admin" group with full access to CloudFormation:
ASGAutoAssignPublicIp=no make create-eks-cluster
This is the error:
An error occurred (AccessDenied) when calling the CreateStack operation: Cross-account pass role is not allowed. make: *** [create-eks-cluster] Error 254
Looking at the Makefile, it is using this to get the account:
aws sts get-caller-identity --query 'Account' --output text
When I run that command from the same terminal it works fine; my account number is displayed.
Can anyone suggest what I might try here?
Verify that you are passing the ARN for the EKS Role (AmazonEKSAdminRole) that you created in the custom.mk.
You should not need to perform cross-account role passing at all, but the Makefile passes a default EKS_ADMIN_ROLE here.
The role used to deploy these stacks is that EKS_ADMIN_ROLE, so if you are trying to utilize the defaulted role (within the accountId 903779448426), that implicitly doesn't have access to your AWS account and thus cannot create stacks within your account.
I am trying to get permission for my IoT Analytics Pipeline to invoke my Lambda Function but I am unable to. It is giving me the error that User is not authorized to perform lambda:AddPermission on Resource. What is it? And how can I fix it? I am putting the command instruction in the AWS CLI which is given in the User Guide.
And second, is there any other way (especially through IAM) other than the AWS CLI to get permission for my Pipeline to invoke my Lambda functions?
I used this instruction in AWS CLI:
aws lambda add-permission --function-name myLambda1 --action lambda:InvokeFunction --statement-id iotanalytics --principal iotanalytics.amazonaws.com --source-account 123456789012 --source-arn arn:aws:iotanalytics:us-east-1:123456789012:pipeline/analytics_lambda1_pipeline
Make the user admin on AWS; that should resolve this issue.
I have my EC2 instance in the Dev account and my credentials are in the Security account of AWS.
I am trying to retrieve secrets from Secrets Manager in my Security account. The EC2 instance and the credentials are in different regions.
aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-2:2222222:secret:demo/democreds/secret_string --version-stage AWSCURRENT --region us-east-2
I am able to get the secrets by the above command, but when running terraform plan I am getting this error:
Error: error reading Secrets Manager Secret Version: AccessDeniedException: User: arn:aws:sts::1111111111:assumed-role/user_name/xxxxxxxxx is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-2:222222222:secret:demo/democreds/secret_string
status code: 400, request id: 123dcdaaaa-cdcd33-2bb0d-6dhbc-083gbd6622111
I have already attached a policy to the role which I am using for secretsmanager:GetSecretValue.
Solved this by replicating the secret in the Security account into the same region as the EC2 instance in the other account. Regions have to match if we are retrieving secrets from another account via Terraform.
The way it works is actually very tricky.
You can access a secret from "Account A and eu-central-1 region" that is created in "Account B and eu-west-1 region" using the AWS CLI by specifying the --region parameter to match the region of the source Account B (eu-west-1):
# Account A
# region: eu-central-1
$ aws secretsmanager get-secret-value --secret-id="arn:aws:secretsmanager:eu-west-1:1234567:secret:my-secret-smart9x" --region eu-west-1
# {valid result}
If you do not specify the --region eu-west-1, despite the fact that you indicate the ARN of the secret, which includes the region where the secret is located, the call to AWS Secrets Manager API is made to the region of the client (eu-central-1), resulting in the following error:
$ aws secretsmanager get-secret-value --secret-id="arn:aws:secretsmanager:eu-west-1:1234567:secret:my-secret-smart9x"
An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::7654321:assumed-role/my-role/my-session is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:eu-west-1:1234567:secret:my-secret-smart9x because no resource-based policy allows the secretsmanager:GetSecretValue action
This can be solved without Secret Replication to another region (no additional costs) by always specifying the --region parameter on the request when you use the AWS CLI or SDK. The same applies to Terraform, where you can probably use a different provider in some cases.
However, when it comes to Lambda Event Source or other AWS components (for example a resource needs to be created in region eu-west-1 and access a secret from region eu-central-1, https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping#amazon-mq-activemq) that make the call to AWS Secrets Manager by only specifying the ARN (the user has no possibility to specify the region where the secret is), you MUST replicate the secret to the same region where the consumer is calling from, which means extra costs (basically, $0.40 per secret, $0.40 per replica).
Can't AWS just detect that secret we try to get from Account A is in eu-west-1 region, based on the ARN? No? Yes?
ref: https://aws.amazon.com/blogs/security/how-to-replicate-secrets-aws-secrets-manager-multiple-regions/
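Two of the answers above come down to reading a field out of an ARN that the AWS API will not read for you: the Secrets Manager answer (the client must be created in the region named in the secret's ARN, otherwise the call goes to the caller's region and fails with AccessDeniedException), and the EKS answer (the role ARN passed to CloudFormation must belong to the caller's own account, since cross-account iam:PassRole is refused). The following is an added example, not code from any of the posts; the `boto3` call it makes (`boto3.client(..., region_name=...)` and `get_secret_value(SecretId=...)`) is the standard SDK call, the ARNs and account ids are constructed samples, and the helper names are my own.

```python
"""Added example (not from the original posts): parse AWS ARNs so the caller
uses the region and account embedded in them explicitly.

Two checks from the threads:
  * a Secrets Manager client must be created in the secret's own region,
    because the request is routed by the client's region, not by the ARN;
  * the role handed to CloudFormation/EKS must live in the caller's own
    account, because cross-account iam:PassRole is refused.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split 'arn:partition:service:region:account:resource'.

    The resource part may itself contain ':' (Secrets Manager uses
    'secret:<name>'), so split at most 5 times and keep the rest intact.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def secret_client_region(secret_id: str, default_region: str) -> str:
    """Region a Secrets Manager client must be created in for this secret.

    A full ARN always carries the secret's region; a bare secret name does
    not, so for names fall back to the caller's configured region.
    """
    if not secret_id.startswith("arn:"):
        return default_region
    arn = parse_arn(secret_id)
    if arn.service != "secretsmanager":
        raise ValueError(f"not a Secrets Manager ARN: {secret_id!r}")
    return arn.region


def get_secret_value(secret_id: str, default_region: str) -> str:
    """Fetch the secret from the region named in its ARN.

    Needs boto3 and real credentials, so it is not exercised offline; boto3 is
    imported lazily so the parsing helpers work without it installed.
    """
    import boto3

    region = secret_client_region(secret_id, default_region)
    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def pass_role_is_same_account(role_arn: str, caller_account: str) -> bool:
    """iam:PassRole is only allowed for roles in the caller's own account."""
    arn = parse_arn(role_arn)
    return arn.service == "iam" and arn.account == caller_account


# Constructed sample values (not real resources)
SAMPLE_SECRET_ARN = "arn:aws:secretsmanager:eu-west-1:111111111111:secret:my-secret-abc123"
SAMPLE_ROLE_ARN = "arn:aws:iam::333333333333:role/AmazonEKSAdminRole"

if __name__ == "__main__":
    # Caller configured for eu-central-1, secret lives in eu-west-1
    print(secret_client_region(SAMPLE_SECRET_ARN, "eu-central-1"))
    # Role is in account 333333333333, caller is 222222222222
    print(pass_role_is_same_account(SAMPLE_ROLE_ARN, "222222222222"))
```

In Terraform the same idea is a second `aws` provider block with `alias` and `region = "eu-west-1"` used only by the `aws_secretsmanager_secret_version` data source; the replication route is only needed where, as the answer notes, the consumer resolves the secret by ARN alone.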
Goal: Retrieve a secret from Secrets Manager on an AWS EC2 instance programmatically through the command line.
I have created an IAM role with policies that grant full access to AWS Secrets Manager and EC2, and also allow assuming the role and modifying the role of any EC2 instance.
I created an aws instance and attached the IAM role to it and executed the following steps:
- aws secretsmanager list-secrets
An error occurred (UnrecognizedClientException) when calling the ListSecrets operation: The security token included in the request is invalid.
I get an error. I am able to retrieve the security credentials using the metadata of the instance.
- Am I missing something here? I basically want to retrieve the secret in an AWS instance in a secure way.
- When I try to run the above command to list secrets, the CLI complains that it needs a region. My EC2 instance and secrets are all in us-east-2, so I use the same region, and it still does not work.
Any suggestions/pointers would be highly appreciated. Thanks!
Here is how I would troubleshoot.
Check whether the instance is aware of the IAM role attached to it:
aws sts get-caller-identity
Try passing the region to the command:
aws secretsmanager list-secrets --region us-east-2
I would check whether AWS_REGION or AWS_DEFAULT_REGION is set, but even if these values are set, passing --region should override it.
Hope this helps you get somewhere.
Have you run "aws configure" on the instance? Sounds like it might be using the token in there rather than the EC2 instance role. See the references below for the sequence it checks, but basically, the EC2 role is the last place it looks; if it gets credentials earlier, it will use them.
See here for the priority/sequence: https://docs.aws.amazon.com/amazonswf/latest/awsrbflowguide/set-up-creds.html
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html ("Using the Default Credential Provider Chain")
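The answer above hinges on precedence: a static key left behind by `aws configure` (environment variables or a profile in `~/.aws/credentials` or `~/.aws/config`) is picked up before the instance profile, so the CLI signs with the stale key and Secrets Manager rejects it as an invalid token. The following added example (mine, not from the post) models that ordering in a simplified form so you can see which source would win on a host before blaming the role; the inputs are passed in as strings so it runs offline against constructed data, and the function and label names are my own.

```python
"""Added example (not from the original posts): report which credential source
the CLI/SDK default chain will pick, so a leftover 'aws configure' key that
shadows the EC2 instance role is spotted.

Simplified model of the documented chain:
  1. environment variables AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
  2. the selected profile in the shared credentials file (~/.aws/credentials)
  3. the selected profile in the config file (~/.aws/config)
  4. the instance profile via the metadata service (last resort)
"""
import configparser
from typing import Mapping


def credential_source(env: Mapping[str, str],
                      credentials_ini: str = "",
                      config_ini: str = "") -> str:
    """Return a label for the first source that supplies static keys.

    Inputs are passed in rather than read from disk so the logic can be run
    against constructed data; on a real instance pass os.environ and the
    contents of ~/.aws/credentials and ~/.aws/config.
    """
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment"

    profile = env.get("AWS_PROFILE", "default")
    # The credentials file names every profile bare; the config file names
    # non-default profiles as "[profile <name>]".
    config_section = profile if profile == "default" else f"profile {profile}"
    for label, text, section in (
        ("shared credentials file", credentials_ini, profile),
        ("config file", config_ini, config_section),
    ):
        parser = configparser.ConfigParser()
        parser.read_string(text)
        if parser.has_option(section, "aws_access_key_id"):
            return label

    return "instance profile (IMDS)"


def shadows_instance_role(env: Mapping[str, str],
                          credentials_ini: str = "",
                          config_ini: str = "") -> bool:
    """True when something earlier in the chain would win over the instance role."""
    return credential_source(env, credentials_ini, config_ini) != "instance profile (IMDS)"


# Constructed sample files (placeholder keys, not real credentials)
LEFTOVER_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = EXAMPLE/SECRET/KEY/PLACEHOLDER
"""
CLEAN_CONFIG = """
[default]
region = us-east-2
"""

if __name__ == "__main__":
    # A host with a stale default profile: the stale key wins over the role.
    print(credential_source({}, LEFTOVER_CREDENTIALS, CLEAN_CONFIG))
    # A host with only a region configured: the instance profile is used.
    print(credential_source({}, "", CLEAN_CONFIG))
```

When the report says anything other than the instance profile, `aws sts get-caller-identity` will show the identity behind that stale key rather than the role; removing the key (or running with `AWS_PROFILE` pointed at a profile without one) lets the chain fall through to the role as intended.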
I am trying to create an Event Subscription for RDS via the AWS CLI.
I have successfully created an SNS topic and can confirm it in the AWS Console.
I am also able to create the Event Subscription via the AWS Console but not through the AWS CLI.
The command that I am running:
aws rds create-event-subscription --subscription-name rds-replica-events-subscription --sns-topic-arn arn:aws:sns:us-east-2:XXXXXXXX:RDS-replication-alarms --enabled
The error message:
An error occurred (SNSInvalidTopic) when calling the CreateEventSubscription operation: Failed to create Subscription because of Topic arn:aws:sns:us-east-2:XXXXXXXX:RDS-replication-alarms ARN Name Invalid.
Fixed. I had to add the region.
aws rds create-event-subscription --region us-east-2 --subscription-name rds-replica-events-subscription --sns-topic-arn arn:aws:sns:us-east-2:XXXXXXXX:RDS-replication-alarms --enabled