AWS service-role unauthorized, until opened in the console and saved - amazon-web-services

I'm trying to set up a CodeBuild project through the Node.js AWS SDK. I'm able to create a new IAM role with policies attached, but when I use it in .createProject() it gives me an error:
CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::[account]:role/service-role/[role-name]
The weird thing is that, when I open the trusted relationships JSON of the role and save it (without any changes) it suddenly works.
The AssumeRole JSON file:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I'm using a federated user. I don't know if that makes a difference (the process of requesting a regular account takes a few days, so I haven't tried that yet).
I tried to copy the before and after save to see what was going on, but when I store it in a file it has the exact same bytes. I'm really confused; I've been trying to fix this for almost half a day now.

I figured out what the problem was. Apparently, when you create a role and immediately start using it, you'll get a "not authorized" error. But you also get this when the role doesn't even exist.
I added a manual wait of 10 seconds; now it works.
The SDK has a function for this called "waitFor", which can be used on roles and policies.
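The wait the answer describes is IAM eventual consistency: a newly created role (or a freshly saved trust policy) is not immediately visible to every service, and AWS returns the same "not authorized to perform: sts:AssumeRole" text it would return for a role that does not exist at all. A waiter (waitFor in the JavaScript SDK, get_waiter('role_exists') in boto3) only confirms that GetRole succeeds, and the Glue post further down this page shows that get_role returning the ARN is not the same as the consuming service being able to assume the role. The example below is added here and is not code from the question or from the AWS SDK: a bounded retry around the consuming call that treats only AssumeRole-style failures as transient and raises anything else on the first attempt, run against a constructed fake CodeBuild client so it executes offline. AwsCallError, FakeCodeBuildClient and the account number are all constructed for the example.

```python
import time
from typing import Any, Callable

# Substrings of the messages AWS returns while a freshly created IAM role has not yet
# propagated.  The same text comes back when the role genuinely does not exist or its
# trust policy names the wrong service, which is why the retry window is bounded.
TRANSIENT_ASSUME_ROLE_MARKERS = (
    "not authorized to perform: sts:assumerole",
    "unable to assume role",
)


class AwsCallError(Exception):
    """Constructed stand-in for an SDK error object: an error code plus the message."""

    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.code = code
        self.message = message


def is_transient_assume_role_error(err: BaseException) -> bool:
    """True only for the AssumeRole failures that IAM propagation delay can explain."""
    if not isinstance(err, AwsCallError):
        return False
    text = err.message.lower()
    return any(marker in text for marker in TRANSIENT_ASSUME_ROLE_MARKERS)


def call_with_propagation_retry(operation: Callable[[], Any], *, max_wait_s: float = 30.0,
                                initial_delay_s: float = 1.0, max_delay_s: float = 8.0,
                                sleep: Callable[[float], None] = time.sleep) -> Any:
    """Run `operation`.  On an AssumeRole error that looks like propagation delay, back
    off exponentially and retry until `max_wait_s` of waiting has accumulated, then
    re-raise.  Any other error (missing iam:PassRole, wrong principal, ...) is raised
    on the first attempt so a real misconfiguration is not hidden behind a long wait."""
    delay, waited = initial_delay_s, 0.0
    while True:
        try:
            return operation()
        except AwsCallError as err:
            if not is_transient_assume_role_error(err) or waited >= max_wait_s:
                raise
            sleep(delay)
            waited += delay
            delay = min(delay * 2, max_delay_s)


class FakeCodeBuildClient:
    """Constructed fake of the CodeBuild client: rejects the first `failures` calls the
    way the service does before a new role is visible to it, then succeeds."""

    def __init__(self, failures: int, code: str = "InvalidInputException",
                 message: str = "CodeBuild is not authorized to perform: sts:AssumeRole on "
                                "arn:aws:iam::123456789012:role/service-role/example-role"):
        self.failures, self.code, self.message, self.calls = failures, code, message, 0

    def create_project(self) -> dict:
        self.calls += 1
        if self.calls <= self.failures:
            raise AwsCallError(self.code, self.message)
        return {"project": {"name": "example-project"}}


def demo(failures: int = 2) -> tuple:
    """Create the project against the fake and report (result, attempts, sleeps taken)."""
    client = FakeCodeBuildClient(failures)
    sleeps: list = []
    result = call_with_propagation_retry(client.create_project, sleep=sleeps.append)
    return result, client.calls, sleeps


if __name__ == "__main__":
    print(demo())
```

The important design choice is the narrow transient filter: a PassRole denial or a trust policy that names the wrong service produces a different message and fails immediately, so the retry only ever masks propagation delay, and the cap means a role that never becomes assumable still surfaces the original error within a known time.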

Related

Access Denied in attempt to Create Project in AWS CodeBuild

According to the AWS CodeBuild documentation, the Create Project operation requires only the codebuild:CreateProject and iam:PassRole Actions to be granted. I have done this in my role's policy, and set the Resource to "*", but when I click on the Create Project button, I immediately get Access Denied with no further information. I have no problems doing the analogous operation in CodeArtifact, CodePipeline, and CodeCommit. If I set "s3:*", I do not get the error, so evidently it's an S3 permission I'm missing, but which one?
What I am trying to do is create a role with reduced permissions so that a user can run a build and manage CodeSuite resources (add and edit repositories, pipelines, etc.) without using Administrator privileges.
Here is my policy JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*Object",
        "s3:*ObjectVersion",
        "s3:*BucketAcl",
        "s3:*BucketLocation",
        "iam:*",
        "codepipeline:*",
        "codeartifact:*",
        "codecommit:*",
        "codebuild:*"
      ],
      "Resource": "*"
    }
  ]
}
(I am aware this configuration is inadvisable; I am trying to isolate the issue, and provide a minimum reproducible example)
With a little bit of educated trial and error, I narrowed it down to a List* Action, which is sufficiently specific for my purposes. I'm guessing it's ListObjects and ListObjectVersions, but I'm too lazy to confirm it.

AWS GraphQL Appsync - unable to assume role

I'm running a tech stack of react -> graphQL -> appsync -> lambda -> go
When I run my graphQL query from the client I receive this error back:
Unable to assume role arn:aws:iam::<SOMENUMBER>:role/service-role/MyRoleForMyLambda.
In fact this was all running fine until I accidentally changed the function ARN and roles on my Datasource to other ones. I changed them back but now Appsync seems to be unable to find the role and function ARN. I tried creating a completely new Datasource but I have the same issue. Often the function ARN and/or roles don't appear in the dropdown and I enter them manually. Sometimes it lets me save without errors - other times when attempting to save the Datasource I get the helpful error message "Error". Sometimes after saving when I go to look at them again the function ARN field is blank unless I click on the 'not in drop down' link.
I don't think the problem is with my role itself as it appears that appsync can't even assume the role to start with. I've read about trust policies as a solution but I don't know where to put them.
Any help much appreciated.
In your IAM console, you need to add the AppSync service as a trusted entity to the role you are trying to assume.
Click edit trust relationship and enter the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "appsync.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

AWS IAM | Cannot Assume Role created on the same "session" (InvalidInputException)

This has happened to me on multiple occasions and I can't for the life of me figure out why. Examples:
Boto3 script: If I create a role and then try to assume it, I will get an error. BUT if the role is already created, the service can assume it fine.
Ansible playbook: If I run a playbook which first creates the roles and then I try to assign them, I will get an error. BUT if I first run a different playbook and then the one that assigns the roles, everything is fine.
I have tried waiting to make sure the role is created, but I still got the error. The error is:
"An error occurred (InvalidInputException) when calling the CreateCrawler operation: Service is unable to assume role arn:aws:iam::<acc_id>:role/GlueReadS3. Please verify role's TrustPolicy"
The weird thing is, the same role can be assumed by CloudFormation just fine.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Service": "glue.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }]
}
I should mention that the boto3 error also returned the role ARN (so I'm assuming that it was created), and also that I made a get_role call beforehand to get the ARN; that also did not work.
Maybe you can check the role in IAM. In my case, I thought I had created a role like
arn:aws:iam::<acc_id>:role/GlueReadS3, but when I went to IAM and checked, it was actually arn:aws:iam::<acc_id>:role/service-role/GlueReadS3.

How to authorise a role to perform "execute-api:Invoke"?

I'm attempting to move a suite of end-to-end tests so that they are fully contained within AWS. I've done this through CodeBuild and gotten everything running up to the point of running the tests, which invoke an API to reset the database before every test run. I keep running into this error message when the first test attempts to run.
StatusCodeError: 403 - "{\"Message\":\"User: anonymous is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-west-2:*:*"}"
At first, I thought the error was being caused by a lack of permissions on the role that was being used to build everything. I tried adding the correct permissions to the IAM role being used, eventually making them more open than I would like.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "execute-api:Invoke",
      "execute-api:ManageConnections"
    ],
    "Resource": "arn:aws:execute-api:*:*:*"
  }]
}
Obviously this didn't fix things, but I did notice that the access advisor shows that the particular policy isn't being accessed.
Next, I went into the resource policy in API Gateway to see if there was something there. I removed some IP address conditions that were set up to restrict access to the office's IP addresses.
I've looked inside WAF and Shield and can't see anything that would be related to invoking the API. At this point I am at a loss on where my next investigation should start.
Edit
Here's the response I'm getting back.
{
  "requestId": "********-82f8-11e9-a732-0b550cf3fcd6",
  "ip": "*.*.*.*",
  "caller": "-",
  "user": "-",
  "requestTime": "30/May/2019:16:32:50 +0000",
  "httpMethod": "GET",
  "resourcePath": "/*/ref-data/{proxy+}",
  "status": "403",
  "protocol": "HTTP/1.1",
  "responseLength": "185"
}
Below are the steps you need to perform.
For the API method: make Auth = IAM.
For the API resource policy, make sure you allow traffic coming from the selected IAM role for specific/all methods:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::###############:role/###########"
      },
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:ap-southeast-1:###########:/#########/*/POST/####/####/"
    }
  ]
}
Make sure the same IAM role is attached to the entities from which this API is being called, e.g. EC2 if your code resides on EC2.
Make sure your API calls are not plain curl calls; they are AWS SigV4 signed.
Hope this works!
In this case it turned out the major blocker was that the API Gateway IP restrictions set in the policy were getting in the way. I did not realise that changes made didn't take effect until (re)deployment. Once I did that with updated IP restrictions, the API endpoint could be invoked.
Your role's policy which allows execute-api:Invoke appears to be correct, but the error message you provided says User: anonymous is not authorized to perform.... If you're expecting your role to be attempting this action, then something is wrong, because you're attempting the action with a user named anonymous.
The role that you use to build your stack isn't necessarily the role that is used to execute functions on that stack. I recommend you double check all of your IAM entities throughout and clearly identify and understand what each one is attempting to do. Make sure that whatever is invoking your function is actually the role you want with the correct policy attached.
Hope this helps!

AWS Lambda Create Function Role Error

Going through some tutorials on AWS Lambda Functions. I keep receiving the error, "It seems there was an error during your role template creation, please double check if the role name is already existing and try again."
I've tried many different scenarios, new roles, existing roles, editing the roles in IAM, give more access and then trying them. I tried creating a lambda function "Authored from Scratch" and "Blueprints". I also logged into my root account to see if my user account had an issue.
Frustrated... can't create anything in Lambda because I receive this error 100% of the time.
AWS Lambda Error Blueprint Screenshot
AWS Lambda Error Scratch New Role Screenshot
I encountered this and it drove me nuts. In the end I wondered if the GUI was giving me incorrect info, and the role was in fact NOT 'already existing'. I went off and did something else for a couple of minutes, and when I came back everything worked fine with no problems. I suspect it's an AWS console bug.
This is still an issue in 2020!
I choose an existing role or try to create a new one, and I get "An error occurred during the creation of your role template. Double-check whether the role name already exists and try again." no matter what I choose.
The only option is to wait for 10 minutes and try again.
Jan 26, 2021: still an issue. So this is essentially a role-based issue and definitely seems to be a bug in the Lambda console. What worked for me is to first go to the IAM console, create a role, attach a policy with 'AdministratorAccess', and in the 'Trust Relationships' tab add 'lambda.amazonaws.com' as a trusted entity. After this, while creating a Lambda function, use this existing role (instead of creating a new one), and it should work.
What a terrible bug!
I was trying to create Java 8 Lambda function with "Create a new role with basic Lambda permissions" and it took me 30 minutes to stop getting this error.
The only solution seems to be to wait.
I had the same issue, but only after adding a condition to the trust policy of the role.
My working role trust policy was:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
But when I added a condition so that it can only be assumed by a specific resource, like below (I don't know whether it will work or not), it gave me the error "It seems there was an error during your role template creation, please double check if the role name is already existing and try again."
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:lambda:us-east-1:1234567890:function:project-developers-*"
        }
      }
    }
  ]
}
So after changing it back to the first one, it works fine.
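The AppSync answer earlier on this page and this last post come down to the same object, the role's trust policy: the first adds the missing service principal, the second breaks a working policy by conditioning on aws:PrincipalArn, which is not one of the keys AWS documents for narrowing a service principal's grant (those are aws:SourceArn and aws:SourceAccount, the cross-service confused deputy controls). The following is an added example, not code from either post or from AWS: a checker that parses a trust policy, confirms the expected service is granted sts:AssumeRole, flags wildcard principals, reports a grant that carries no aws:SourceArn/aws:SourceAccount scoping, and flags any other condition key for review rather than asserting how IAM evaluates it. The sample policies, account id and function name are constructed, and a deliberately malformed policy (trailing comma, mismatched bracket) is included to show that a syntax error is reported before any semantic check.

```python
import json
from typing import List

# Condition keys AWS documents for scoping a service principal's sts:AssumeRole to a
# specific resource or account (cross-service confused deputy prevention).
SERVICE_SCOPING_KEYS = ("aws:SourceArn", "aws:SourceAccount")
ASSUME_ROLE_ACTIONS = ("sts:AssumeRole", "sts:*", "*")


def _as_list(value) -> list:
    """IAM accepts either a single string or a list for Statement, Action and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_text: str, expected_service: str) -> List[str]:
    """Return findings for a role trust policy.  An empty list means `expected_service`
    is granted sts:AssumeRole, the grant is scoped, and nothing else looks wrong."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    findings: List[str] = []
    grants_expected = False
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        if not any(a in ASSUME_ROLE_ACTIONS for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append(f"statement {index}: wildcard principal, any caller may assume this role")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if expected_service not in services:
            continue
        grants_expected = True
        condition = stmt.get("Condition", {})
        keys = {key for operator in condition.values() for key in operator}
        if not keys.intersection(SERVICE_SCOPING_KEYS):
            findings.append(f"statement {index}: no aws:SourceArn/aws:SourceAccount condition, so "
                            f"the grant to {expected_service} is not scoped to a resource or account")
        for key in sorted(keys.difference(SERVICE_SCOPING_KEYS)):
            findings.append(f"statement {index}: condition key {key} is not a documented service-"
                            f"principal scoping key; verify it is evaluated for {expected_service}")
    if not grants_expected:
        findings.append(f"no Allow statement grants sts:AssumeRole to {expected_service}")
    return findings


# Constructed sample policies mirroring the thread; the account id and function name
# are placeholders.
LAMBDA_TRUST = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}"""

LAMBDA_TRUST_PRINCIPAL_ARN = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringLike": {
      "aws:PrincipalArn": "arn:aws:lambda:us-east-1:123456789012:function:project-developers-*"}}
  }]
}"""

LAMBDA_TRUST_SCOPED = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {"aws:SourceAccount": "123456789012"},
      "ArnLike": {"aws:SourceArn": "arn:aws:lambda:us-east-1:123456789012:function:project-developers-*"}
    }
  }]
}"""

# Trailing comma and a "}" where "]" belongs: rejected before any semantic check.
BROKEN_TRUST = '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",}}}'


if __name__ == "__main__":
    for name, text in [("working", LAMBDA_TRUST), ("with PrincipalArn", LAMBDA_TRUST_PRINCIPAL_ARN),
                       ("scoped", LAMBDA_TRUST_SCOPED), ("broken", BROKEN_TRUST)]:
        print(name, check_trust_policy(text, "lambda.amazonaws.com") or ["ok"])
```

Running the checker against a role before handing it to a service is also a cheap way to separate the two failure modes mixed together on this page: a policy that this check passes but the service still cannot assume is a propagation or role-path problem (compare the service-role/ prefix point in the Glue thread), while a policy that fails the check needs fixing before any amount of waiting will help.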