AWS GraphQL Appsync - unable to assume role - amazon-web-services

I'm running a tech stack of react -> graphQL -> appsync -> lambda -> go
When I run my graphQL query from the client I receive this error back:
Unable to assume role arn:aws:iam::<SOMENUMBER>:role/service-role/MyRoleForMyLambda.
In fact this was all running fine until I accidentally changed the function ARN and roles on my Datasource to other ones. I changed them back but now Appsync seems to be unable to find the role and function ARN. I tried creating a completely new Datasource but I have the same issue. Often the function ARN and/or roles don't appear in the dropdown and I enter them manually. Sometimes it lets me save without errors - other times when attempting to save the Datasource I get the helpful error message "Error". Sometimes after saving when I go to look at them again the function ARN field is blank unless I click on the 'not in drop down' link.
I don't think the problem is with my role itself as it appears that appsync can't even assume the role to start with. I've read about trust policies as a solution but I don't know where to put them.
Any help much appreciated.

In your IAM console, you need to add the AppSync service as a trusted entity to the role you are trying to assume.
Click edit trust relationship and enter the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Related

Adding wildcard cert to Lightsail instance fails (IAM issue)

I'm following this guide (Method 1, step 5) in order to configure Let's Encrypt wildcard certification to my domain, which is controlled by Lightsail DNS.
Making sure all the previous steps have been successfully completed, I am still facing an issue with the fifth step, where generating the certificates apparently lacks authorization. I created the user in the AWS IAM service, as was guided, with a custom permission rule that should suffice, according to the docs:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lightsail:DeleteDomainEntry",
        "lightsail:CreateDomainEntry"
      ],
      "Resource": "<Lightsail DNS zone ARN>"
    }
  ]
}
The error message I get bounced with reads as follows:
Message_: User: arn:aws:iam::MY_USER_ID:user/Certbot is not authorized to perform: lightsail:CreateDomainEntry on resource: arn:aws:lightsail:us-east-1:MY_USER_ID:* because no identity-based policy allows the lightsail:CreateDomainEntry action
Note: I have tried to use the full arn path pointing to my domain directly, but decided to give the wildcard selection a go - no luck there, though.
I also tried to simulate these user roles within IAM, but the actions are denied there as well (Implicitly denied, no matching statements).
Any idea why this is, and what I could do to make this pass? I didn't manage to find any answers related to this issue either, so now I'm here. I have tried this process with a different IAM user, with full administrative privileges, and no issues whatsoever. But as this is very risky and not ideal at all, I would like to get this to work with the so-called "minimum privileges".
Any help is greatly appreciated!

AWS service-role unauthorized, until opened in the console and saved

I'm trying to set up a CodeBuild project through the nodejs AWS-SDK. I'm able to create a new IAM role with policies attached, but when I use it in the .createProject() it gives me an error:
CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::[account]:role/service-role/[role-name]
The weird thing is that, when I open the trusted relationships JSON of the role and save it (without any changes) it suddenly works.
The AssumeRole JSON file:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I'm using a federated user. I don't know if that makes a difference (the process of requesting a regular account takes a few days, so I haven't tried that yet).
I tried to copy the before and after save to see what was going on, but when I store it in a file it has the exact same bytes. I'm really confused, I've been trying to fix this for almost half a day now.
I figured out what the problem was. Apparently, when you create a role and immediately start using it you'll get a "not authorized" error. But you also get this when the role doesn't even exist.
I added a manual wait of 10 seconds; now it works.
The SDK has a function for this called "waitfor", which can be used on roles and policies.

AWS IoT Rule - Update multiple columns in DynamoDB

I have been able to use the AWS documentation to insert an mqtt message into a single column in a table. I would like to be able to update (not insert) multiple columns in the table. I used the DynamoDbv2 action in my IoT Rule, and I changed the IAM role to UpdateItem, but nothing is happening.
Is there a way to see where/when these errors are occurring?
Should I create a Lambda function to handle this instead? Is there an example of this?
Thanks.
First of all, please keep in mind that DynamoDbV2 is using PutItem internally, so you are not able to only update attributes; the whole object will be overwritten.
If you want to update an item, you need to implement a Lambda function and manually implement the data update.
For IAM role, your trust relationship should contain:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "iot.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
You can use the DynamoDbV2 rule action to update multiple attributes (or columns, if you will) in your DynamoDB table. The role you provide to the IoT Rule needs to allow dynamodb:PutItem on the table in question. The role of course needs to have the IoT service in its trust policy (also known as the assume role policy document in some places).
To help troubleshoot any issues you have, turn on IoT logging and set the level to Debug. Then you can view any errors in AWS CloudWatch Logs.
https://docs.aws.amazon.com/iot/latest/developerguide/iot-rule-actions.html

AWS Lambda Create Function Role Error

Going through some tutorials on AWS Lambda Functions. I keep receiving the error, "It seems there was an error during your role template creation, please double check if the role name is already existing and try again."
I've tried many different scenarios, new roles, existing roles, editing the roles in IAM, give more access and then trying them. I tried creating a lambda function "Authored from Scratch" and "Blueprints". I also logged into my root account to see if my user account had an issue.
Frustrated... can't create anything in Lambda because I receive this error 100% of the time.
I encountered this and it drove me nuts. In the end I wondered if the GUI was giving me incorrect info, and the role was in fact NOT 'already existing'. I went off and did something else for a couple of minutes, and when I came back everything worked fine with no problems. I suspect it's an AWS console bug.
This is still an issue in 2020!
I choose an existing role or try to create a new one, and I get "An error occurred during the creation of your role template. Double-check whether the role name already exists and try again." no matter what I choose.
The only option is to wait for 10 minutes and try again.
Jan 26, 2021 - Still an issue. So this is essentially a role-based issue and definitely seems to be a bug in the Lambda console. What worked for me is to first go to the IAM console, create a role, attach a policy with 'AdministratorAccess', and in the 'Trust Relationships' tab add 'lambda.amazonaws.com' as a trusted entity. After this, while creating a Lambda function, use this existing role (instead of creating a new one), and it should work.
What a terrible bug!
I was trying to create Java 8 Lambda function with "Create a new role with basic Lambda permissions" and it took me 30 minutes to stop getting this error.
The only solution seems to be to wait.
I had the same issue, but only after adding a condition to the trust policy of the role.
My working role trust policy was:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
But when I added a condition to restrict assumption to a specific resource, like below (I don't know whether it would work or not), it gave me the error "It seems there was an error during your role template creation, please double check if the role name is already existing and try again."
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:lambda:us-east-1:1234567890:function:project-developers-*"
        }
      }
    }
  ]
}
So after changing it back to the first one, it works fine.

What permission am I missing for AWS Glue and Development Endpoint?

I'm getting the following error when I try to create a development endpoint for AWS Glue.
{
  "service": "AWSGlue",
  "statusCode": 400,
  "errorCode": "ValidationException",
  "requestId": "<here goes an UUID>",
  "errorMessage": "Role arn:aws:iam::<IAM ID>:role/AWSGlueServiceRole-DefaultRole should be given assume role permissions for Glue Service.\n",
  "type": "AwsServiceError"
}
And my role has the following permissions.
AmazonS3FullAccess
AWSGlueServiceNotebookRole
AmazonAthenaFullAccess
AWSGlueServiceRole
CloudWatchLogsReadOnlyAccess
AWSGlueConsoleFullAccess
AWSCloudFormationReadOnlyAccess
Any clues on what I am missing?
In your trust relationship, the trust should be established with glue.amazonaws.com. Your role (AWSGlueServiceRole-DefaultRole) may not have this. To confirm, go to the IAM roles console, select the IAM role: AWSGlueServiceRole-DefaultRole and click on the Trust Relationship tab.
The JSON for this should look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "glue.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
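Every "unable to assume role" error on this page (AppSync, CodeBuild, IoT, Lambda, Glue) comes down to the same question: does the role's trust policy let that service principal call sts:AssumeRole? The following is an added example, not code from any of the answers here: an offline check of a trust policy document (as returned by `aws iam get-role`) against a service principal, which also flags Allow statements carrying a Condition, the change the Lambda answer above shows breaking role creation. The sample policy is constructed.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the trust policy the AppSync answer above tells you to set.
SAMPLE_APPSYNC_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "appsync.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

def _as_list(value):
    """IAM accepts a single string or a list for Statement, Principal.Service and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _names_service(principal, service):
    """True if the Principal element covers `service` ('*' trusts everyone)."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False  # e.g. Principal.AWS only: an account or user, not a service
    services = [s.lower() for s in _as_list(principal.get("Service"))]
    return "*" in services or service.lower() in services

def check_trust_policy(policy, service):
    """Report which statement indexes let `service` (e.g. 'glue.amazonaws.com')
    call sts:AssumeRole. 'conditions' lists Allow statements that only apply under
    a Condition; a service trust policy normally has none (see the Lambda answer)."""
    report = {"trusted": False, "allow": [], "deny": [], "conditions": []}
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not _names_service(stmt.get("Principal"), service):
            continue
        # IAM action names are case-insensitive and may use '*' / '?' wildcards.
        if not any(fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            report["deny"].append(idx)
        elif stmt.get("Effect") == "Allow":
            report["allow"].append(idx)
            if stmt.get("Condition"):
                report["conditions"].append(idx)
    # An explicit Deny wins over any Allow, exactly as in IAM evaluation.
    report["trusted"] = bool(report["allow"]) and not report["deny"]
    return report

def check_trust_policy_text(document, service):
    """Same check on JSON text, e.g. from
    `aws iam get-role --role-name NAME --query Role.AssumeRolePolicyDocument`."""
    return check_trust_policy(json.loads(document), service)
```

A policy that fails the check (or the JSON itself failing to parse, as the first Lambda policy above would with its trailing comma and stray brace) is the thing to fix before chasing the console.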
I was tripped up by this as well; the problem is that when you use the console to create a default glue service role it ends up creating the IAM role like this:
arn:aws:iam:::role/service-role/AWSGlueServiceRole-DefaultRole
Make note of the "service-role" in the path.
But then when choosing that role as the role you want to use in the console wizard for setting up a new dev endpoint it doesn't include the "service-role" in the path and looks for a role named like this:
arn:aws:iam:::role/AWSGlueServiceRole-DefaultRole
I think this is just a bug in the console wizard for creating dev endpoints. I got around it by creating a new role that doesn't have "service-role" in the path and then chose that role in the console wizard and was able to successfully create a dev endpoint.
The problem was somehow related to an old role that I had already messed up. I created a brand new role just for development following this link and this link, and it worked like a charm.