AWS Elasticsearch Snapshots - IAM issue because of service-linked role - amazon-web-services

I'm trying to get manual snapshots set up for my AWS Elasticsearch cluster. I'm not sure how to set up the correct IAM permissions on the S3 bucket, though, because there is already a service role created and I'm unable to add additional policies.
What am I supposed to do here?
Thanks!

I was able to resolve this by creating a second IAM role using the CLI (it doesn't seem to be an option through the GUI).
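As an added illustration (not the answerer's code), the policy documents such a second role needs: a trust policy so the Elasticsearch service can assume it, S3 permissions scoped to one bucket, and the PassRole/ESHttpPut permissions the identity registering the repository needs. Bucket, role and domain names are placeholders.

```python
import json

def snapshot_role_trust_policy() -> dict:
    # The Elasticsearch service assumes this role when it reads/writes the snapshot
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "es.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}

def snapshot_role_permissions(bucket: str) -> dict:
    # Least privilege: list the bucket, and touch objects only inside it
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [bucket_arn]},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [f"{bucket_arn}/*"]}]}

def register_repository_policy(role_arn: str, domain_arn: str) -> dict:
    # Whoever registers the snapshot repository passes the role to the domain
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role_arn},
        {"Effect": "Allow", "Action": "es:ESHttpPut", "Resource": domain_arn}]}

def scoped_to_bucket(policy: dict, bucket: str) -> bool:
    # Review check: every S3 resource is exactly this bucket or its objects,
    # so a stray "*" or another bucket name is caught before the role is created.
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed = {bucket_arn, f"{bucket_arn}/*"}
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        if any(res not in allowed for res in resources):
            return False
    return True

if __name__ == "__main__":
    # Placeholder names; feed these files to "aws iam create-role" and
    # "aws iam put-role-policy" for the snapshot role.
    perms = snapshot_role_permissions("my-es-snapshots")
    assert scoped_to_bucket(perms, "my-es-snapshots")
    print(json.dumps(snapshot_role_trust_policy(), indent=2))
    print(json.dumps(perms, indent=2))
```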

Related

Can I use existing AWS IAM role to create S3 bucket via Cloudformation template?

I want to create an S3 bucket via a CloudFormation template. I found there is a way to do it for an EC2 instance on this link.
Do we have a way to create an S3 bucket using an existing IAM role via CloudFormation?
It looks like what you're looking for is a service role. From AWS:
A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses a temporary session that it generates from your user credentials for stack operations. If you specify a service role, AWS CloudFormation uses the role's credentials.
For more information, you might want to take a look at this, specifically the permissions part, to find out how to use an existing IAM role for creating a CloudFormation stack.
By the way: Unfortunately the link that you've provided doesn't seem to be accessible anymore.
When deploying infrastructure using a CloudFormation template, there are two ways to do it:
CloudFormation can deploy resources using the permissions of the current user who deploys the CF template. This is the default way.
Secondly (optional), you can choose an existing role that can be attached to the CF template. The CloudFormation service will use the permissions of that attached role to deploy all the required services. Given that the attached role has permissions to S3, you can create an S3 bucket, as can be seen in the attached screenshot.

IAM role is not assigned an instance profile

I'm trying to export my table from DynamoDB to S3. Following the documentation here I created the two roles needed for the pipeline, DataPipelineDefaultRole and DataPipelineDefaultResourceRole. After trying to execute the pipeline, I discovered that my DataPipelineDefaultRole was not created with an instance profile.
I've been looking through forums and Amazon says that people receive errors like this when they create their IAM roles through the CLI. Their recommendation is to create the roles through the console, and then the instance profile will be attached to the role automatically. I'm creating the role through the console, but for the DataPipelineDefaultRole there is no instance profile attached?
Is there a way to manually attach an instance profile? Or am I missing something that is causing this to not auto-generate?
This might help:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
It highlights info about instance profiles and namely how to create one if you already have existing roles etc. I think this might be what you're looking for.
i.e.
aws iam create-instance-profile --instance-profile-name DataPipelineDefaultRole
then
aws iam add-role-to-instance-profile --role-name DataPipelineDefaultRole --instance-profile-name DataPipelineDefaultRole
I have tested the solution by Liam and it's working fine.
aws iam create-instance-profile --instance-profile-name DataPipelineDefaultRole
aws iam add-role-to-instance-profile --role-name DataPipelineDefaultRole --instance-profile-name DataPipelineDefaultRole
And there is a typo in the command provided: it should not repeat aws iam again.
reference: https://docs.aws.amazon.com/cli/latest/reference/iam/add-role-to-instance-profile.html

How can I use AssumeRole from another AWS account in a CloudFormation template?

I am trying to work out the logic flow for an AWS CloudFormation template that will assume an IAM role that can pull files from an S3 bucket in another AWS account.
What I have so far is:
accountA has a roleA
roleA has a policy that allows sts:AssumeRole for a role in accountB: arn:aws:iam::11122233444:role/AllowPullS3
accountB has a role (AllowPullS3) with
a policy allowing s3:ListBucket + get, put, delete
a trust relationship for accountA with Action: "sts:AssumeRole"
If I create an EC2 instance manually with the IAM role roleA and then use the CLI to get the assume-role credentials, I can then pull the files from the other account's S3 bucket as expected.
But what do I need to put where in my accountA CF template that will allow the EC2 instance to assume roleB and pull the file from the accountB S3 bucket as part of the formation?
I have tried following a lot of tutorials, such as this cfn-iam:init tutorial, but still cannot fully grasp what goes where.
Thanks for your advice.
Art
It is not possible to tell CloudFormation to assume another role.
However, if you have a CLI script/command that works on the Amazon EC2 instance, then just pass that script as User Data. The script will run when your instance starts. User Data can be passed in your CloudFormation template where the EC2 instance is defined.
See: Running Commands on Your Linux Instance at Launch
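As an added worked example (not the answerer's code), the pieces the answer describes, generated from Python so they can be checked before use: accountB's trust policy scoped to roleA's ARN rather than the whole account (an assumption tighter than the question's wording), the User Data script that assumes AllowPullS3 and copies the object, and the EC2 resource carrying it in JSON template form. The accountA account id, AMI, bucket and key are placeholders.

```python
import base64

ROLE_B_ARN = "arn:aws:iam::11122233444:role/AllowPullS3"  # from the question
ROLE_A_ARN = "arn:aws:iam::ACCOUNT_A_ID:role/roleA"        # placeholder

def role_b_trust_policy(role_a_arn: str) -> dict:
    # Trust only roleA; a bare account root principal would let any principal
    # in accountA that has sts:AssumeRole take this role.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": role_a_arn},
        "Action": "sts:AssumeRole"}]}

def user_data_script(role_b_arn: str, bucket: str, key: str, dest: str) -> str:
    # Runs once at first boot. The instance profile (roleA) supplies the base
    # credentials; the assumed-role credentials live only in this shell's env.
    return f"""#!/bin/bash
set -euo pipefail
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN < <(
  aws sts assume-role --role-arn {role_b_arn} --role-session-name cfn-pull \\
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
aws s3 cp s3://{bucket}/{key} {dest}
"""

def ec2_resource(instance_profile_logical_id: str, script: str) -> dict:
    # JSON-form CloudFormation resource; IamInstanceProfile refers to the
    # AWS::IAM::InstanceProfile wrapping roleA elsewhere in the template.
    return {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-PLACEHOLDER",
        "InstanceType": "t3.micro",
        "IamInstanceProfile": {"Ref": instance_profile_logical_id},
        "UserData": base64.b64encode(script.encode()).decode()}}

def decode_user_data(resource: dict) -> str:
    # Review helper: recover the script from a resource to inspect what it runs
    return base64.b64decode(resource["Properties"]["UserData"]).decode()

if __name__ == "__main__":
    script = user_data_script(ROLE_B_ARN, "accountb-bucket", "input.csv", "/opt/input.csv")
    print(decode_user_data(ec2_resource("RoleAInstanceProfile", script)))
```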

Using IAM roles transitively

I have a question on using IAM roles with EC2 and EMR. Here's my current setup:
I have an EC2 machine launched with a particular IAM role (let's call this role 'admin'). My workflow is to upload a file to S3 from this machine and then create an EMR cluster with a particular IAM role (a 'runner' role). The EMR cluster works on the file uploaded to S3 from the admin machine.
Admin is a role with privileges to all APIs in all AWS services. Runner has access to all APIs in EMR, EC2 and S3.
For some reason, the EMR cluster is unable to access the input file loaded in S3. It keeps getting an 'access denied' exception from S3.
I guess writing to S3 from one IAM role and reading it from a different IAM role is what is causing the issue.
Any ideas on what is going wrong here, or whether this is even a supported use case, are appreciated.
Thanks!
http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc
S3 objects are protected in three ways as seen in the post I linked to.
Your IAM role will need the permission to read S3 objects.
The S3 bucket policy must allow your IAM role access to the object.
The S3 ACL for the specific object must also allow your IAM role access to the object.

How can I use Jenkins to support S3 IAM roles?

I'm very new to Jenkins. I installed the S3 plugin. I wish to use AWS IAM S3 roles to make the plugin work.
However, I can't find any way to configure IAM roles within this plugin. I can see only setting up the access key and secret key.
Has anyone used IAM roles with this plugin?
Kindly help.
Thanks in advance.
IAM roles are assigned to EC2 instances at launch. There's nothing else to configure, thus your S3 plugin should just automatically work. This is dependent on the plugin supporting IAM roles, which it looks like it does according to your link. You will have to assign the correct bucket policy, though, using the instructions also found at the link.