This has happened to me on multiple occasions and I can't for the life of me figure out why. Examples:
Boto3 script: If I create a role and then try to assume it, I will get an error. BUT if the role is already created, the service can assume it fine.
Ansible playbook: If I run a playbook which first creates the roles and then I try to assign them, I will get an error. BUT if I first run a different playbook and then the one that assigns the roles, everything is fine.
I have tried waiting to make sure the role is created, but I still got the error. The error is:
"An error occurred (InvalidInputException) when calling the CreateCrawler operation: Service is unable to assume role arn:aws:iam::<acc_id>:role/GlueReadS3. Please verify role's TrustPolicy"
The weird thing is, the same role can be assumed by CloudFormation just fine.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Service": "glue.amazonaws.com"
},
"Action": "sts:AssumeRole"
}]
}
I should mention that the boto3 error also returned the Role ARN (so I'm assuming that it was created), and also that I made a get_role call beforehand to get the ARN; it also did not work.
Maybe you can check the role in IAM. In my case, I thought I had created a role like
arn:aws:iam::<acc_id>:role/GlueReadS3, but when I went to IAM and checked, it was actually arn:aws:iam::<acc_id>:role/service-role/GlueReadS3.
I am experimenting with the AWS SDK for Python to access Timestream. I tried their in-house example code from the repository and I wrote my own code to create a database:
import boto3
from botocore.config import Config
client = boto3.client('timestream-write')
response = client.create_database(DatabaseName='test')
Both sample code and my own code got the following error:
AccessDeniedException: An error occurred (AccessDeniedException) when
calling the DescribeEndpoints operation: This operation is not
allowed.
I googled a bit, but I could not find any information about it. Thanks!
Timestream is currently only available in a handful of regions. Make sure the boto3 region configuration is set to one of those eligible regions.
The credentials that you are using to interact with Timestream should use an IAM role that has either an AWS managed policy or a custom policy that allows you to call timestream:DescribeEndpoints. See this page for an example: https://docs.aws.amazon.com/timestream/latest/developerguide/security_iam_id-based-policy-examples.html
Assuming you configured your environment to use the AWS CLI and ran aws configure, the IAM User that is tied to those credentials should be granted timestream:DescribeEndpoints. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html
You may have gotten this permissions error because you are missing TableName, which is a required parameter.
https://docs.aws.amazon.com/timestream/latest/developerguide/API_CreateTable.html
In your IAM role add this permission policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"timestream:DescribeEndpoints"
],
"Resource": "*"
}
]
}
DescribeEndpoints is called by the SDK in case you defined an endpoint interface like this in your VPC:
query-cell2.timestream..amazonaws.com.
I created a rotation function manually and linked it to Secrets Manager. I've managed to enable the rotation, but when I checked the logs in CloudWatch for this rotation Lambda, it is showing me this error:
[ERROR] ClientError: An error occurred (AccessDeniedException)
when calling the DescribeSecret operation:
User: arn:awsxxxxxxx:assumed-role/xxxxx-lambda-exec-role/
MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret
on resource: MysecretARN
I know something is wrong with my execution role, so I checked the policy attached to this role; it has:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"lambda:InvokeFunction",
"secretsmanager:PutSecretValue",
"secretsmanager:UpdateSecretVersionStage",
"secretsmanager:RotateSecret"
],
"Resource": [
"arn:aws:secretsmanager:us-east-1:xxx",
"arn:aws:lambda:us-east-1:xxx"
]
}
]
}
I also attached 'AWSLambdaBasicExecutionRole' to my exec role. Am I missing something else? Why do I keep getting that error? I've been messing around with this whole rotation thing, exhausted! Please help.
I also tried to add a few KMS actions but I'm still getting the same error... I've been working on this for a couple of days now and the AWS documents are very confusing and some are even misleading me in a completely different direction... Why is it so complicated to configure a bloody rotation... (crying)
Make sure that the secret ARN is present in the Resources section of the policy. The error message mentions 'MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret on resource: MysecretARN',
but I don't see MysecretARN in the list of resources you allow the Lambda to access.
All secrets in Secrets Manager are encrypted with a key (AWS KMS). Please ensure that your Lambda has permission to read the needed key.
UPD: I mean that the logic is the following: the
Lambda must have permission to read the Secret and to use the key (KMS) to decrypt the value of the Secret.
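The two answers above (the Timestream one and this Secrets Manager one) both come down to the same question: does the identity policy actually grant the action on the resource the error names? The following is an added example of my own, not code from any of the posters, that evaluates a single identity policy the way IAM does for Action/Resource matching (explicit Deny wins, wildcards in actions are case-insensitive, resource ARNs are case-sensitive; Condition, NotAction and NotResource are deliberately not modelled). The sample policies are the ones posted above with constructed placeholder ARNs; `SECRET_ARN`, `ROTATION_ACTIONS`, `evaluate`, `rotation_gaps` and `with_secret_resource` are my names. Run against the policy as posted it reproduces the gap: the Resource list contains no ARN that matches the secret, so every secretsmanager call is an implicit deny.

```python
import fnmatch
import json

# Constructed sample inputs (placeholder account id, not a real secret): the
# execution-role policy posted in the Secrets Manager question above, and the
# Timestream policy from the earlier answer.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:MyDbCreds-AbCdEf"

ROTATION_POLICY_AS_POSTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret",
            "lambda:InvokeFunction",
            "secretsmanager:PutSecretValue",
            "secretsmanager:UpdateSecretVersionStage",
            "secretsmanager:RotateSecret",
        ],
        # Neither entry matches the real secret ARN, so every secretsmanager
        # call on the secret is an implicit deny: the AccessDeniedException seen.
        "Resource": ["arn:aws:secretsmanager:us-east-1:xxx", "arn:aws:lambda:us-east-1:xxx"],
    }],
}

TIMESTREAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["timestream:DescribeEndpoints"], "Resource": "*"}],
}

# Actions the rotation Lambda calls on the secret (from the rotation error and
# the posted policy). KMS access to the secret's key is a separate check.
ROTATION_ACTIONS = (
    "secretsmanager:DescribeSecret",
    "secretsmanager:GetSecretValue",
    "secretsmanager:PutSecretValue",
    "secretsmanager:UpdateSecretVersionStage",
)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and accept '*' / '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, arn):
    # Resource ARNs are case-sensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(arn, pattern)


def evaluate(policy, action, resource):
    """Decide one (action, resource) pair under a single identity policy.

    Returns "Allow", "Deny" or "ImplicitDeny". An explicit Deny wins over any
    Allow; Condition, NotAction and NotResource are not modelled here.
    """
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(_action_matches(p, action) for p in _as_list(stmt.get("Action")))
        resource_hit = any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def missing_grants(policy, required):
    """Return the (action, resource) pairs in `required` that the policy does not allow."""
    return [(a, r) for a, r in required if evaluate(policy, a, r) != "Allow"]


def rotation_gaps(policy, secret_arn):
    """The rotation permissions still missing for one secret."""
    return missing_grants(policy, [(a, secret_arn) for a in ROTATION_ACTIONS])


def with_secret_resource(policy, secret_arn):
    """Return a copy of the policy whose Allow statements also name the secret ARN."""
    fixed = json.loads(json.dumps(policy))  # cheap deep copy
    for stmt in _as_list(fixed.get("Statement")):
        if stmt.get("Effect") == "Allow" and secret_arn not in _as_list(stmt.get("Resource")):
            stmt["Resource"] = _as_list(stmt.get("Resource")) + [secret_arn]
    return fixed


if __name__ == "__main__":
    print("gaps as posted:", rotation_gaps(ROTATION_POLICY_AS_POSTED, SECRET_ARN))
    fixed_policy = with_secret_resource(ROTATION_POLICY_AS_POSTED, SECRET_ARN)
    print("gaps after adding the secret ARN:", rotation_gaps(fixed_policy, SECRET_ARN))
    print("timestream:DescribeEndpoints:", evaluate(TIMESTREAM_POLICY, "timestream:DescribeEndpoints", "*"))
```

`with_secret_resource` only shows the minimal change that makes the posted policy match the error message; in a real deployment the rotation role should name just the secrets it rotates rather than `*`, and a KMS `kms:Decrypt`/`kms:GenerateDataKey` grant on the secret's key (the point of the UPD above) has to be checked separately, since this evaluator only looks at one policy document.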
I'm trying to set up a CodeBuild project through the Node.js AWS SDK. I'm able to create a new IAM role with policies attached, but when I use it in .createProject() it gives me an error:
CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::[account]:role/service-role/[role-name]
The weird thing is that, when I open the trusted relationships JSON of the role and save it (without any changes) it suddenly works.
The AssumeRole JSON file:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I'm using a federated user. I don't know if that makes a difference (the process of requesting a regular account takes a few days, so I haven't tried that yet).
I tried to copy the before and after save to see what was going on, but when I store it in a file it has the exact same bytes. I'm really confused, I've been trying to fix this for almost half a day now.
I figured out what the problem was. Apparently, when you create a role and immediately start using it, you'll get a "not authorized" error. But you also get this when the role doesn't even exist.
I added a manual wait of 10 seconds; now it works.
The SDK has a function for this called "waitfor", which can be used on roles and policies.
I am running a Lambda which will automatically trigger a Comprehend job through the use of boto3.
However, for some reason my IAM is not working! I have the following permissions on my role for this job:
IAMFullAccess
AmazonS3FullAccess
ComprehendFullAccess
AWSLambdaExecute
But, when the job is created in Comprehend, it instantly fails with the following error message:
NO_WRITE_ACCESS_TO_OUTPUT: The provided data access role does not have write access to the output S3 URI.
Any ideas on how to fix this? I have given the role full S3 permissions.
Can you check your role's trust policy and see if Comprehend is trusted?
An example trust policy from here: https://docs.aws.amazon.com/comprehend/latest/dg/access-control-managing-permissions.html
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "comprehend.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
All IAM API calls are asynchronous. So, if you are creating roles and policies via boto3 and immediately assuming them and running comprehend, they might not work. You can either wait by sleeping for a few seconds or have a retry mechanism. That's how I solved this issue.
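The "wait and retry" advice that recurs in this thread (the first question's Glue crawler failing right after the role is created, the CodeBuild answer's 10-second sleep and SDK waiter, and the retry mechanism in the answer just above) as an added example of my own, not code from any of the posters. It wraps the downstream call (the one that makes the service assume the role) in a bounded exponential backoff that only retries when the error looks like IAM eventual consistency, and re-raises anything else immediately so a genuine trust-policy or role-path mistake (the `service-role/` path issue from the first answer) still surfaces instead of hanging. `AwsApiError` is a constructed stand-in with the same `response['Error']` shape as botocore's `ClientError`, and `FakeGlueClient` is a constructed stand-in for the boto3 Glue client, so the block runs offline; with boto3, `call_with_propagation_retry` wraps the real `create_crawler` call unchanged. The error strings are the ones quoted in the posts; the account id is a placeholder.

```python
import time


class AwsApiError(Exception):
    """Constructed stand-in for botocore.exceptions.ClientError.

    It carries the same response['Error'] dict, so looks_like_propagation_delay()
    works unchanged on the real exception.
    """

    def __init__(self, code, message, operation):
        super().__init__(f"An error occurred ({code}) when calling the {operation} operation: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}
        self.operation_name = operation


# Error code + message fragments the posts above show while a freshly created
# role is still propagating. Matching on both keeps a real AccessDenied on some
# other action (e.g. secretsmanager:DescribeSecret) from being retried.
PROPAGATION_SIGNATURES = {
    "InvalidInputException": ("unable to assume role",),
    "AccessDeniedException": ("not authorized to perform: sts:assumerole",),
}


def looks_like_propagation_delay(err):
    """True if the error matches one of the role-propagation signatures."""
    error = (getattr(err, "response", None) or {}).get("Error", {})
    code = error.get("Code", "")
    message = error.get("Message", "").lower()
    return any(fragment in message for fragment in PROPAGATION_SIGNATURES.get(code, ()))


def call_with_propagation_retry(fn, *, max_wait=60.0, base_delay=1.0, sleep=time.sleep):
    """Call fn(); retry with capped exponential backoff while the failure looks
    like IAM eventual consistency. Total sleep is bounded by max_wait seconds so
    a genuine misconfiguration surfaces as the original error."""
    waited = 0.0
    attempt = 0
    while True:
        try:
            return fn()
        except Exception as err:  # with boto3 this is botocore.exceptions.ClientError
            if not looks_like_propagation_delay(err):
                raise
            delay = min(base_delay * 2 ** attempt, 16.0)
            if waited + delay > max_wait:
                raise
            sleep(delay)
            waited += delay
            attempt += 1


class FakeGlueClient:
    """Constructed stand-in for boto3.client('glue'): the first `failures` calls
    fail exactly as the first question describes, then the crawler is created."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = 0

    def create_crawler(self, **kwargs):
        self.calls += 1
        if self.calls <= self.failures:
            raise AwsApiError(
                "InvalidInputException",
                "Service is unable to assume role arn:aws:iam::111122223333:role/GlueReadS3. "
                "Please verify role's TrustPolicy",
                "CreateCrawler",
            )
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


def create_crawler_when_ready(client, role_arn, sleep=time.sleep):
    """Create the crawler once the service can assume role_arn; returns the attempt count."""
    attempts = []

    def attempt():
        attempts.append(1)
        return client.create_crawler(
            Name="s3-crawler",
            Role=role_arn,
            Targets={"S3Targets": [{"Path": "s3://example-bucket/data/"}]},  # constructed
        )

    call_with_propagation_retry(attempt, sleep=sleep)
    return len(attempts)


if __name__ == "__main__":
    client = FakeGlueClient(failures=3)
    n = create_crawler_when_ready(client, "arn:aws:iam::111122223333:role/GlueReadS3", sleep=lambda d: None)
    print(f"crawler created after {n} attempts")
```

boto3 also ships an IAM waiter (`boto3.client("iam").get_waiter("role_exists").wait(RoleName=...)`), but it only confirms the role is visible to the IAM API, not that a consuming service such as Glue, CodeBuild or Comprehend can already assume it; that is why the retry here wraps the downstream call rather than `get_role`. The `max_wait` bound is the part worth keeping: an unbounded retry on AccessDenied would mask a real permissions mistake as "still propagating".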
Going through some tutorials on AWS Lambda Functions. I keep receiving the error, "It seems there was an error during your role template creation, please double check if the role name is already existing and try again."
I've tried many different scenarios, new roles, existing roles, editing the roles in IAM, give more access and then trying them. I tried creating a lambda function "Authored from Scratch" and "Blueprints". I also logged into my root account to see if my user account had an issue.
Frustrated... can't create anything in Lambda because I receive this error 100% of the time.
AWS Lambda Error Blueprint Screenshot
AWS Lambda Error Scratch New Role Screenshot
I encountered this and it drove me nuts. In the end I wondered if the GUI was giving me incorrect info, and the role was in fact NOT 'already existing'. I went off and did something else for a couple of minutes, and when I came back everything worked fine with no problems. I suspect it's an AWS console bug.
This is still an issue in 2020!
I choose an existing role or try to create a new one, and I get the "An error occurred during the creation of your role template. Double-check whether the role name already exists and try again." error no matter what I choose.
The only option is to wait for 10 minutes and try again.
Jan 26, 2021 - Still an issue. So this is essentially a role-based issue and definitely seems to be a bug in the Lambda console. What worked for me is to first go to the IAM console, create a role, attach a policy with 'AdministratorAccess', and in the 'Trust Relationships' tab add 'lambda.amazonaws.com' as a trusted entity. After this, while creating a Lambda function, use this existing role (instead of creating a new one), and it should work.
What a terrible bug!
I was trying to create Java 8 Lambda function with "Create a new role with basic Lambda permissions" and it took me 30 minutes to stop getting this error.
The only solution seems to be to wait.
I had the same issue, but only after adding a condition to the trust policy of the role.
My working role trust policy was:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
But when I added a condition for assumption by a specific resource like below (I don't know whether it will work or not), it gave me the error "It seems there was an error during your role template creation, please double check if the role name is already existing and try again."
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:lambda:us-east-1:1234567890:function:project-developers-*"
}
}
}
]
}
So after changing it back to the first one, it works fine.
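Every question in this thread ends up at the trust policy, so here is a small checker for them, written by me as an added example and not taken from any of the posts. It parses a trust policy document (a trailing comma, as in a hand-edited policy, is reported instead of silently accepted), reports whether a given service principal is granted `sts:AssumeRole`, and flags any Condition key other than `aws:SourceArn` / `aws:SourceAccount`, which are the keys AWS documents for scoping a service principal to a particular resource (confused-deputy protection); the `aws:PrincipalArn` condition from the last post is flagged this way. The check points at such a condition, it does not prove that it is what produced the console error. The sample policies are constructed from the ones posted above with placeholder account ids; `check_trust_policy` and `SERVICE_SCOPING_KEYS` are my names.

```python
import fnmatch
import json

# Condition keys AWS documents for restricting which resource a *service*
# principal may be acting for when it assumes the role.
SERVICE_SCOPING_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

# Constructed samples (placeholder account id), modelled on the posted policies.
GLUE_TRUST = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}"""

LAMBDA_TRUST_PRINCIPAL_ARN = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                 "Action": "sts:AssumeRole",
                 "Condition": {"StringLike": {"aws:PrincipalArn":
                   "arn:aws:lambda:us-east-1:123456789012:function:project-developers-*"}}}]
}"""

LAMBDA_TRUST_SOURCE_ARN = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                 "Action": "sts:AssumeRole",
                 "Condition": {"ArnLike": {"aws:SourceArn":
                   "arn:aws:lambda:us-east-1:123456789012:function:project-developers-*"}}}]
}"""

# Same shape as the "working" policy in the post above as it was first pasted:
# a trailing comma makes it invalid JSON.
BROKEN_TRUST = """{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
                 "Action": "sts:AssumeRole",}]
}"""


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _trusting_statements(policy, service):
    """Allow statements whose Principal.Service names `service` (or '*') for sts:AssumeRole."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            services = ["*"]
        elif isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
        else:
            services = []  # "AWS" or "Federated" principals only; not a service trust
        if not any(s == "*" or s.lower() == service.lower() for s in services):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
            hits.append(stmt)
    return hits


def check_trust_policy(policy_json, service):
    """Return (trusted, findings) for a trust policy document and a service principal."""
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return False, [f"trust policy is not valid JSON: {exc.msg} at line {exc.lineno}"]
    stmts = _trusting_statements(policy, service)
    if not stmts:
        return False, [f"no Allow statement grants sts:AssumeRole to {service}"]
    findings = []
    for stmt in stmts:
        for operator, pairs in (stmt.get("Condition") or {}).items():
            for key in pairs:
                if key.lower() not in SERVICE_SCOPING_KEYS:
                    findings.append(
                        f"{operator} on {key}: not a documented service-principal scoping key; "
                        "scope the service with aws:SourceArn or aws:SourceAccount instead")
    return True, findings


if __name__ == "__main__":
    for name, doc in [("glue", GLUE_TRUST), ("lambda/PrincipalArn", LAMBDA_TRUST_PRINCIPAL_ARN),
                      ("lambda/SourceArn", LAMBDA_TRUST_SOURCE_ARN), ("broken", BROKEN_TRUST)]:
        service = "glue.amazonaws.com" if name == "glue" else "lambda.amazonaws.com"
        print(name, check_trust_policy(doc, service))
```

Running the checker against the first question's role is also a quick way to separate the two failure modes the thread mixes up: a policy that does not trust the service at all (`trusted` is False, fix the policy) versus one that does (`trusted` is True) and simply has not propagated yet, where waiting and retrying the downstream call is the right move.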