I am attempting to put a cloudwatch event rule using code:
await cloudwatchevents.putRule({
  Name: 'xxx-ec2-start',
  EventPattern: '{"source":["aws.ec2"],"detail-type":["EC2 Instance State-change Notification"],"detail":{"state":["running"]}}',
  State: 'ENABLED',
  RoleArn: `arn:aws:iam::${account.Id}:role/skynet-cloudwatch-eventbus`,
}).promise()
However, I am getting:
(node:29939) UnhandledPromiseRejectionWarning: ValidationException: Provided role 'arn:aws:iam::00000000000:role/xxx-cloudwatch-eventbus' cannot be assumed by principal 'events.amazonaws.com'.
The role already has the assume policy doc to allow events.amazonaws.com. Why does it still fail?
The reason you are getting this error is that "events.amazonaws.com" is not listed as a Trusted Entity for role theRole (in your case skynet-cloudwatch-eventbus).
One way to fix this is by going to https://console.aws.amazon.com/iam/home?region=us-east-1#roles/theRole (adapt this link to your region + real role name) > Trust Relationships tab > Edit Trust Relationships button > paste in "events.amazonaws.com" under services as in the example given below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com",
          "apigateway.amazonaws.com",
          "events.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
You've probably already found your answer by now, but you might be able to figure out what's wrong by looking for AssumeRole events in CloudTrail that have errors.
In my case, I set up the assume role policy correctly, but was receiving the same message you've specified. The CloudTrail AssumeRole event provided more meaningful details:
errorCode: RegionDisabledException
errorMessage: STS is not activated in this region for account:xyz. Your account administrator can activate STS in this region using the IAM Console.
Enabling STS in this region resolved the issue in this case.
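As an added example (not part of the answer above), a small Python filter that pulls failed AssumeRole calls out of CloudTrail records, which is the check this answer recommends. The records are constructed to mirror the RegionDisabledException from this answer and a trust-policy rejection like the one in the first answer; the account number and role ARNs are placeholders.

```python
import json

# Constructed CloudTrail records, not real log data: one AssumeRole that
# succeeded, one that failed with the RegionDisabledException from the
# answer above, and one rejected by the target role's trust policy.
RECORDS = json.loads("""{"Records": [
 {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
  "userIdentity": {"type": "AWSService", "invokedBy": "events.amazonaws.com"},
  "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/xxx-cloudwatch-eventbus"}},
 {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "eu-south-1",
  "userIdentity": {"type": "AWSService", "invokedBy": "events.amazonaws.com"},
  "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/xxx-cloudwatch-eventbus"},
  "errorCode": "RegionDisabledException",
  "errorMessage": "STS is not activated in this region for account:111111111111"},
 {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
  "userIdentity": {"type": "AWSService", "invokedBy": "ssm.amazonaws.com"},
  "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/MY_SSM_ROLE"},
  "errorCode": "AccessDenied",
  "errorMessage": "not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/MY_SSM_ROLE"}
]}""")

# Likely causes drawn from the answers on this page; other codes are reported with their raw message.
LIKELY_CAUSE = {
    "RegionDisabledException": "STS is not activated in that region for the account",
    "AccessDenied": "the role's trust policy does not allow this principal to assume it",
}

def failed_assume_roles(records, role_arn=None):
    """Summarise every failed AssumeRole call as
    (caller, region, error code, likely cause), optionally for one role."""
    hits = []
    for rec in records["Records"]:
        is_assume = (rec.get("eventSource") == "sts.amazonaws.com"
                     and rec.get("eventName") == "AssumeRole")
        if not is_assume or "errorCode" not in rec:
            continue
        target = rec.get("requestParameters", {}).get("roleArn")
        if role_arn and target != role_arn:
            continue  # a different role; not the one being debugged
        ident = rec.get("userIdentity", {})
        caller = ident.get("invokedBy") or ident.get("arn") or ident.get("type")
        code = rec["errorCode"]
        hits.append((caller, rec.get("awsRegion"), code,
                     LIKELY_CAUSE.get(code, rec.get("errorMessage", ""))))
    return hits
```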
This question has been answered here but it didn't solve my problem.
I get the An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: AssumeRole policy may only specify STS AssumeRole actions when I try to call aws iam create-role --role-name AutoscalingRole-Name --assume-role-policy-document file://./IAM_Trust_Policy.json
If my IAM_Trust_Policy.json contains only this code:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "Service": [
        "ec2.amazonaws.com"
      ]
    },
    "Action": "sts:AssumeRole"
  }
}
It's working like a charm. But I needed something more, I'm creating an autoscaling role and I have a policy with these requirements:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "Service": [
        "ec2.amazonaws.com",
        "autoscaling.amazonaws.com"
      ]
    },
    "Action": [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "ec2:DescribeLaunchTemplateVersions"
    ]
  }
}
And for some reason I get the An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: AssumeRole policy may only specify STS AssumeRole actions
Can anyone see where I'm wrong? Thanks
As #luk2302 commented, you are mixing up two policy types. Both are required for your Role to be useful:
Trust Policy: whom you allow to assume the role
This is your first policy document
Principal is required - this is whom you allow
Use this as the AssumeRolePolicyDocument parameter in CreateRole.
Access/Permissions Policies: the permissions the role will have
This is your second policy document
Principal is not allowed - makes no sense here
There are two ways to attach these permissions to your role (aka Identity-based Policies):
As a standalone Managed Policy with AttachRolePolicy
Or as an Inline Policy embedded in your role with PutRolePolicy
In other words, remove the Principal from your second policy document and call PutRolePolicy to embed it with your role.
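To make the split concrete, here is an added Python example (not from this answer or from AWS) that lints a document against each role it could play, separates a mixed document like the question's into a trust policy and a permissions policy, and lists which service principals a trust policy admits, which is the check the first question on this page needed for events.amazonaws.com. The MIXED document is constructed from the question's JSON, trimmed to two actions; the set of STS actions is an assumption drawn from IAM's documented trust-policy actions.

```python
import json

# STS actions IAM accepts in an AssumeRolePolicyDocument; any other action
# yields "AssumeRole policy may only specify STS AssumeRole actions".
TRUST_ACTIONS = {"sts:AssumeRole", "sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity",
                 "sts:TagSession", "sts:SetSourceIdentity"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statements(doc):
    return _as_list(doc.get("Statement", []))  # one object or a list

def lint_trust_policy(doc):
    """Problems that make a document invalid as a role's trust policy."""
    problems = []
    for i, st in enumerate(_statements(doc)):
        if "Principal" not in st:
            problems.append(f"statement {i}: trust policy needs a Principal")
        for action in _as_list(st.get("Action", [])):
            if action not in TRUST_ACTIONS:
                problems.append(f"statement {i}: {action} is not an STS action")
    return problems

def lint_permissions_policy(doc):
    """Problems that make a document invalid as an identity-based policy."""
    return [f"statement {i}: Principal is not allowed in a permissions policy"
            for i, st in enumerate(_statements(doc)) if "Principal" in st]

def trusted_services(doc):
    """Service principals that an Allow statement lets assume the role."""
    services = set()
    for st in _statements(doc):
        principal = st.get("Principal", {})
        if st.get("Effect") == "Allow" and isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return services

def split_policy(doc):
    """Separate a mixed document into (trust policy, permissions policy)."""
    trust, perms = [], []
    for st in _statements(doc):
        trust.append({"Effect": "Allow", "Principal": st["Principal"],
                      "Action": "sts:AssumeRole"})
        perms.append({"Effect": "Allow", "Action": st["Action"],
                      "Resource": st.get("Resource", "*")})
    return ({"Version": doc["Version"], "Statement": trust},
            {"Version": doc["Version"], "Statement": perms})

# Constructed input: the question's mixed document, trimmed to two actions.
MIXED = json.loads('{"Version": "2012-10-17", "Statement": {"Effect": "Allow", '
                   '"Principal": {"Service": ["ec2.amazonaws.com", "autoscaling.amazonaws.com"]}, '
                   '"Action": ["autoscaling:SetDesiredCapacity", "ec2:DescribeLaunchTemplateVersions"]}}')
```

Pass the first result of split_policy as the assume-role-policy-document to create-role and the second to put-role-policy.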
You cannot use a role policy as an assume-role policy.
I think you are trying to reinvent the wheel.
AWS already has a role for your autoscaling need: the AWSServiceRoleForAutoScaling managed role.
I am having great difficulties in getting OpenSearch to publish alerts to Amazon SNS. I have set up the SNS topic and permissions properly, and set up the role for the SNS destination in OpenSearch per this link which I called “test-OpenSearch-Role”, but when the trigger activates and tries to send an alert I get the following error in the alert:
“Error: Failed running action: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/cp-sts-grant-role/swift-us-west-2-prod-xxxxxxxxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/Test-OpenSearch-Role (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 78e679a3-7373-4fe8-b1c1-a9b5d0d9dcda; Proxy: null)”
I’m not sure what this “User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/cp-sts-grant-role/swift-us-west-2-prod-xxxxxxxxxxxx” is and I haven’t been able to get it to obtain the permissions in the “test-OpenSearch-Role” to publish to SNS. I’m not very experienced when it comes to AWS inline policies for roles but here is the JSON of the test-OpenSearch-Role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "*"
    }
  ]
}
What am I doing wrong? Any help or suggestions would be greatly appreciated.
I had the same error message when trying to send alerts from OpenSearch (and Elastic Search). As suggested above, I think the issue in your case may be the lack of a trust relationship.
I got it to work by setting the role used for alerts on OpenSearch / ElasticSearch (navigation: Kibana / Dashboard => alerting => destinations => edit) up with permissions (AWS => IAM => roles => find role => permissions) using this policy for publishing to SNS:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "*"
    }
  ]
}
(for resources on the sns:publish policy, you can be more specific by putting the SNS ARN instead of "*": e.g. arn:aws:sns:<region>:<accountnumber>:<name>)
I also had to add this policy to the same role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Then I needed "trust relationships" (next tab from permissions in IAM) like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Furthermore, make sure you copy the correct ARN from the role created into the OpenSearch (Elastic Search) alert settings: I wasted much time by mistakenly putting the "Instance profile ARN" from the top-right of the role summary instead of the "ARN" (in the middle). I.e. use arn:aws:iam::<accountnumber>:role/<rolename> and not arn:aws:iam::<accountnumber>:instance-profile/<rolename>.
My error message was something like this:
User: arn:aws:sts::444444143907:assumed-role/cp-sts-grant-role/swift-eu-central-1-prod-005555733555
is not authorized to perform: sts:AssumeRole on resource:
arn:aws:iam::005555733555:role/<myrolename>
(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx; Proxy: null)
...where 005555733555 is approximately my account number and 444444143907 some other account number. I didn't need to do anything particular with the other account number (such as explicitly allowing access from it).
I am using Service Catalog to execute the SSM Automation Document, so my Service Catalog has its own Role called "My_END_USER_Role", and I've created another role with permission to stop the EC2 for SSM Automation Document.
My_END_USER_Role has the AWSServiceCatalogEndUserFullAccess policy. The easy solution is to give this role directly the permission that I need, but I do not want the user outside of the Service Catalog to do any action like stopping EC2, so I want to assume MY_SSM_ROLE with extra permissions, but I get this error:
An error occurred (InvalidAutomationExecutionParametersException) when calling the StartAutomationExecution operation: The defined assume role is unable to be assumed.
Based on AWS Troubleshooting (section "Assume Role Can't Be Assumed"), either the role does not exist, which cannot be true for me, or the assume role doesn't have a trust relationship with the Systems Manager service. Now I am stuck here: how should I give it the trust relationship?
SSM Automation Document
description: Stop EC2 Instance
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  AutomationAssumeRole:
    type: String
    default: 'arn:aws:iam::ACCOUNTID:role/MY_SSM_ROLE'
    description: The ARN of the role that allows Automation to perform the actions on your behalf.
  InstanceId:
    type: 'AWS::EC2::Instance::Id'
mainSteps:
  - name: StopInstance
    action: 'aws:changeInstanceState'
    inputs:
      InstanceIds:
        - '{{ InstanceId }}'
      DesiredState: stopped
Just for a test I gave MY_SSM_ROLE the admin permission, and it also includes this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "iam:PassRole",
        "ssm:StartAutomationExecution"
      ],
      "Resource": "*"
    }
  ]
}
Found the solution: I had to add the proper services to the trust relationship for the MY_SSM_ROLE role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ssm.amazonaws.com",
          "iam.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Does anyone know what should be the minimum IAM permissions that would allow a user creating an EKS cluster?
I'm assuming a role to just create a cluster with Terraform and that role has got the following statements in its policy defined (nothing more than that):
{
  "Sid": "AllowEKSCreate",
  "Effect": "Allow",
  "Action": [
    "eks:List*",
    "eks:Describe*",
    "eks:CreateCluster",
    "ec2:Describe*"
  ],
  "Resource": "*"
},
{
  "Sid": "AllowEKSAll",
  "Effect": "Allow",
  "Action": "eks:*",
  "Resource": "arn:aws:eks:eu-west-1:XXXXXXXXXX:cluster/my-cluster"
}
In CloudTrail I'm only seeing:
AWS access key: XXXXXXXX
AWS region: eu-west-1
Error code: AccessDenied
Event ID: XXXXXXXX
Event name: CreateCluster
Event source: eks.amazonaws.com
Successful events:
sts:GetCallerIdentity
ec2:DescribeAccountAttributes
No other event is present in CloudTrail that would be unsuccessful.
Found it!
The missing permission was iam:PassRole on the Cluster IAM Role resource.
For some reason CloudTrail does not reveal that information :(
P.S.
I think I made my question very clear so am wondering why someone would give me -1.
I am attempting to auto-deploy DAX for DynamoDB, but keep getting the following error from both python and CLI:
An error occurred (InvalidParameterValueException) when calling the CreateCluster operation: No permission to assume role: arn:aws:iam::xxxxxxxxxxxx:role/service-role/230e772f-DAXServiceRole
The CLI command I use is:
aws dax create-cluster --region some.region --cluster-name some.dax_name --node-type some.node_type --replication-factor 1 --subnet-group-name some.subnet_group_name --security-group-ids some.security_group_id --iam-role-arn some.iam_role_arn
Running this directly from the cli, works fine, running it manually through console also works fine. Anyone else had this issue?
OK, looks like my script was attempting to create the DAX cluster too soon after it created the role. This caused it to not be able to find it. I added time between and it was able to find the role.
The IAM role needs to be created with a service principal, or else you will face the same error. For example, I created a role with the policy below and faced the same issue.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "some role arn"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Basically the above policy will add trust entities under Principal.
The DAX IAM role needs to be created with the policy below to avoid the above error.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "dax.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
For more details please check aws doc https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.create-cluster.cli.create-service-role.html