I am new to the AWS platform and am trying to do a project similar to what is described here: https://aws.amazon.com/blogs/machine-learning/build-a-serverless-twitter-reader-using-aws-fargate/
I am currently in Step 4: Store configuration information in AWS Systems Manager Parameter Store.
When I go to Parameter Store in AWS Systems Manager I get an error saying:
User: arn:aws:sts::413511889088:assumed-role/vocstartsoft/user292978=pdas#connect.ust.hk is not authorized to perform: resource-groups:ListGroups on resource: arn:aws:resource-groups:us-east-1:413511889088:/groups-list with an explicit deny
There is nothing else that displays here except the error. I am using an AWS Educate account to do this. Any advice would be helpful.
Related
I am trying to upload a new AWS GameLift Linux server using the AWS CLI but I get the following error:
An error occurred (AccessDeniedException) when calling the CreateBuild operation: User: arn:aws:iam::------:user/----- is not authorized to perform: gamelift:CreateBuild because no identity-based policy allows the gamelift:CreateBuild action
I added the arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy to my group permissions. I can see in the policy JSON that there isn't a CreateBuild action. It either needs to be added or you can't do it this way.
The AWS documentation is useless and on this page: https://docs.aws.amazon.com/gamelift/latest/developerguide/security_iam_troubleshoot.html#security_iam_troubleshoot-no-permissions
it helpfully advises: ... asks his administrator to update his policies
My user is the main root user for my AWS account but I have no idea how to resolve this. Any ideas?
I worked out how to create a new Policy and add the service permissions. You click on 'create policy' and then choose the 'GameLift' service. I added all the available actions. Seemed to do the trick.
Why did AWS miss this out of the documentation?
I have 2 AWS accounts, one personal and a client account.
Personal account:
account id: 789XXXXXX
Client account:
account id: 123XXXXXX
I'm working on the client and tried to run my Lambda function locally. When I do, I get the following error: AccessDeniedException: User: arn:aws:iam::789XXXXXX:user/amplify-pUDkX is not authorized to perform: secretsmanager:GetSecretValue on resource: postgres-secret because no identity-based policy allows the secretsmanager:GetSecretValue action.
I was a bit confused as this function had been working previously. Once I looked into the error message, I noticed that the user amplify-pUDkX didn't even exist on the client account and that the AWS account id along with the user actually matched up to my personal account. I've already run amplify configure and it's connected to the client account. I've also been making updates to the resources on the client account through the Amplify CLI, so I know I'm not signed into the wrong account.
Also just to note, when the function gets deployed it's able to function no problem so this is only happening on my local machine.
I'd appreciate any help, thanks.
This is due to saved AWS credentials in C:\Users\username\.aws. You can remove the ones not required. Also, while setting up the app using the CLI you get the option to choose a profile to avoid this issue.
I need to access a DynamoDB in AWS on my computer, where I have set up my credentials in AWS CLI. Although my provided user has the appropriate access authorization, I get this error message whenever I have to get an item from my database table:
User: arn:aws:iam::[user-number]:user/[username] is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:eu-west-1:[user-number]:table/data_table_1 with an explicit deny
As already said, this user is authorized by the administrator to perform this request.
Maybe I am overlooking something, or it has something to do with this "explicit deny".
I appreciate your help. Thanks
**For the Policies MFA must be present. So maybe I have to authorize myself with MFA device? How do I do that (if I am correct) via the AWS CLI?
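An added example (not part of the original post, and not the poster's actual policy) showing how an MFA condition turns into "with an explicit deny" for a user who also has an Allow. It is a simplified identity-policy evaluator that handles only `Bool` and `BoolIfExists`; the policy, the table ARN's account ID and the helper names are assumptions.

```python
from fnmatch import fnmatchcase

def _matches(patterns, value, fold=False):
    """IAM-style wildcard match; action names are case-insensitive (fold=True)."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Supports only Bool and BoolIfExists, which is all this example needs."""
    for operator, tests in (condition or {}).items():
        for key, expected in tests.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue      # key absent from the request: IfExists treats it as a match
                return False      # key absent: a plain operator does not match
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(statements, action, resource, context):
    """Simplified identity-policy evaluation: any matching Deny beats every Allow."""
    allowed = False
    for s in statements:
        if (_matches(s["Action"], action, fold=True) and _matches(s["Resource"], resource)
                and _condition_holds(s.get("Condition"), context)):
            if s["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"

# Constructed policy and ARN (placeholder account ID), not the poster's actual policy.
TABLE = "arn:aws:dynamodb:eu-west-1:111122223333:table/data_table_1"
def policy(operator):
    return [
        {"Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": TABLE},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}},
    ]

LONG_TERM_KEYS = {}                                      # access key: MFA key is absent
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}     # temporary credentials obtained with MFA

if __name__ == "__main__":
    for name, ctx in [("long-term keys", LONG_TERM_KEYS), ("MFA session", MFA_SESSION)]:
        for op in ("BoolIfExists", "Bool"):
            print(f"{name:15} {op:13} -> {evaluate(policy(op), 'dynamodb:GetItem', TABLE, ctx)}")
```

On the CLI, MFA-backed temporary credentials come from `aws sts get-session-token --serial-number <mfa-device-arn> --token-code <code>`; calls made with the returned access key, secret key and session token carry the MFA context.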
I made an AWS Educate account but SageMaker gives me an error while training a model:
ClientError: An error occurred (AccessDeniedException) when calling the CreateTrainingJob operation: User: arn:aws:sts::387322780008:assumed-role/AmazonSageMaker-ExecutionRole-20200830T040703/SageMaker is not authorized to perform: sagemaker:CreateTrainingJob on resource: arn:aws:sagemaker:us-east-1:387322780008:training-job/xgboost-2020-08-29-20-06-24-680 with an explicit deny
Does anyone know the solution?
The error you’re seeing is an explicit deny, which means that the IAM permissions attached are denying that action.
Looking at the availability of AWS Educate, ensure that you’re creating the resources in us-east-1 and that the instance type is one of the following:
ml.t2.medium
ml.t2.large
ml.t3.medium
ml.t3.large
If both of these conditions are met and you still cannot access then you should reach out to AWS support to validate why you do not have the necessary permissions for your classroom.
AWS Educate accounts are intentionally limited in their capabilities.
For any enquiries regarding AWS Education accounts, you will need to contact AWS Educate directly: AWS Educate | Contact Us
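An added triage helper (not from any of the posts above) that parses the AccessDenied message shapes quoted on this page and separates an explicit deny from a missing Allow and from a caller in an unexpected account. The sample messages are constructed with placeholder account IDs and names; `triage` and its verdict labels are assumptions of this example.

```python
import re

# Shapes of the AccessDenied messages quoted in the posts on this page.
DENIED = re.compile(
    r"User:\s*(?P<principal>arn:aws:(?:iam|sts)::(?P<account>[^:\s]*):\S+)"
    r"\s+is not authorized to perform:\s*(?P<action>[\w-]+:\w+)"
    r"(?:\s+on resource:\s*(?P<resource>\S+))?"
    r"(?:\s+(?P<reason>with an explicit deny|because no \S+ policy allows))?"
)

HINTS = {
    "wrong-credentials": "caller belongs to another account; check which profile or env vars were resolved",
    "explicit-deny": "a Deny statement matched (identity policy, boundary, SCP, ...); adding an Allow will not override it",
    "implicit-deny": "no Allow matched; attach a policy that grants the action",
    "unspecified": "message gives no reason; check for both a missing Allow and a Deny",
}

def triage(message, expected_account=None):
    """Parse one AccessDenied message and classify it. Returns None if it does not match."""
    m = DENIED.search(" ".join(message.split()))  # undo console line wrapping
    if m is None:
        return None
    f = m.groupdict()
    if expected_account and f["account"] != expected_account:
        f["verdict"] = "wrong-credentials"
    elif f["reason"] == "with an explicit deny":
        f["verdict"] = "explicit-deny"
    elif f["reason"]:
        f["verdict"] = "implicit-deny"
    else:
        f["verdict"] = "unspecified"
    f["hint"] = HINTS[f["verdict"]]
    return f

# Constructed samples modelled on the messages above (account IDs and names are placeholders).
WRAPPED = """User:
arn:aws:sts::111122223333:assumed-role/lab-role/student1
is not authorized to perform: resource-groups:ListGroups on resource:
arn:aws:resource-groups:us-east-1:111122223333:/groups-list with an
explicit deny"""
LOCAL = ("AccessDeniedException: User: arn:aws:iam::444455556666:user/dev-local is not "
         "authorized to perform: secretsmanager:GetSecretValue on resource: postgres-secret "
         "because no identity-based policy allows the secretsmanager:GetSecretValue action")
NO_RESOURCE = ("User: arn:aws:iam::111122223333:user/builder is not authorized to perform: "
               "gamelift:CreateBuild because no identity-based policy allows the gamelift:CreateBuild action")

if __name__ == "__main__":
    for msg, expected in [(WRAPPED, None), (LOCAL, "111122223333"), (LOCAL, None), (NO_RESOURCE, None)]:
        r = triage(msg, expected)
        print(f'{r["verdict"]:18} {r["action"]:32} {r["account"]}  {r["hint"]}')
```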
I've got an issue where a Cognito-authenticated user seems to have the correct permissions to interact with SSM, but all calls to SSM are being rejected. Here's what my policy looks like:
Cognito Role
Of course in a production environment we won't have open permissions like that and certainly won't have the Administrator policy attached, but this was to test as well as make the point that we really can't authenticate here.
I should add that we can access our DynamoDB resources using that policy with no issues, it's just SSM giving us trouble. We're getting error messages similar to this:
AccessDeniedException: User: arn:aws:sts::ACCOUNTID:assumed-role/COGNITOROLE is not authorized to perform: ssm:GetParametersByPath on resource: arn:aws:ssm:us-west-2:ACCOUNTID:parameter/
where I've replaced the account number and role name. Does anyone know what I'm doing wrong? Thanks a ton in advance.