I have an AWS Lambda function which queries an Amazon Athena database. But I get a permission error when executing the Lambda function:
An error occurred (AccessDeniedException) when calling the GetQueryExecution operation: User: arn:aws:sts::773592622512:assumed-role/lambda_access-role/reddit_monitor is not authorized to perform: athena:GetQueryExecution on resource: arn:aws:athena:ap-southeast-2:773592622512:workgroup/primary: ClientError
I have created this policy for the Lambda function:
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"athena:StartQueryExecution"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${var.athena-bucket}",
"arn:aws:s3:::${var.athena-bucket}/*"
]
}
]
}
I wonder why it still doesn't have permission to query Athena? Have I missed anything here?
You granted athena:StartQueryExecution instead of athena:GetQueryExecution.
Related
I have multiple users and lambda functions in my AWS account, as an example user1, user2, user3, user4 and have the same name for lambda function as well.
I have created the following policy to invoke the Lambda function, but I am getting a following error:
Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-west-2:111111111111:function:${aws.username}"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::111111111111:role/lambda_role",
"arn:aws:lambda:us-west-2:111111111111:function:*"
]
}
]
}
I can create the function without any issue but when I try to invoke the Lambda function, I am getting an error message. However, the policy is attached to the user account.
An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:iam:: 111111111111:user/user1 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2: 111111111111:function:user1 because no identity-based policy allows the lambda:InvokeFunction action
I am trying to setup eksctl for eks but it throwing
"Error: unable to determine AMI to use: error getting AMI from SSM Parameter Store: AccessDeniedException: User: arn:aws:iam:::user/cnc is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1::parameter/aws/service/eks/optimized-ami/1.18/amazon-linux-2/recommended/image_id".
The IAM Permission Policy I am using is
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:::parameter/*"
}
]
I also tried using policy simulation for check the permissions , it is giving me "Implicitly Denied (No matching statement)"
I had the same issue. The way I resolved it was by adding the region to the ssm resource. And also added a ssm:GetParameter like this:
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action":[
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action":[
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:ca-central-1::parameter/*"
}
]
If you notice I've added the region ca-central-1 and you should change it to your current region.
For me, I was using --with-decryption for a SecureString. My Instance Profile also needed to have KMS rights to the alias/parameter-store-key
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter*"
],
"Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ITParameters/*"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
]
}
Mine was in the other direction. I had ssm:GetParameter, and the error message was AccessDeniedException: User is not authorized to perform: ssm:GetParameter on resource because no identity-based policy allows the ssm:GetParameter action, but implicitly the missing ssm:GetParameters was causing the request to be denied with a misleading error message.
I think you might need to authorize the "ssm:GetParameter" action as well.
I had the same error message as #plantbeard
but mine was related to capitalisation
I was using Serverless and taking the param name from the stage enviroment eg dev
but my parameter was called /Dev/param
renaming to /dev/param fixed it for me
For anyone else who still has issues, I was receiving the same error for my Lambda function:
"AccessDeniedException: User: arn:aws:sts::xxxxxx:assumed-role/[role-name]-role-xxxxxx/[lambda-function-name] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:xxxxxx:parameter/[parameter_path1]/[parameter_pathx] because no identity-based policy allows the ssm:GetParameter action",
I found that on the policies page
https://us-east-1.console.aws.amazon.com/iamv2/home#/policies
I needed to add the rule to a "Customer managed" Type Policy Named
AWSLambdaBasicExecutionRole-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (I think someone else created this though and I just added on to it)
That looked like this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:us-east-1:xxxxxxxxxx:parameter/[parameter_path1]/[parameter_pathx]"
}
]
}
I'm issuing an STS token for a user interface that includes the following statement for lambda permissions:
{
"Sid" : "AllowUserInvokeLambda",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:us-east-2:*:function:CreateThumbnail",
"arn:aws:lambda:us-east-2:*:function:ImageScanner"
]
},
When I try to invoke the function from the aws-sdk.js in the browser, I get back an error with the message:
"User: arn:aws:sts::123456789012:assumed-role/test_sts_role/user-12345 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-2:198765432109:function:ImageScanner"
Am I missing something in that policy?
I found the issue, your policy is missing the account number. so it should be,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserInvokeLambda",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:ap-southeast-2:012345678901:function:*"
]
}
]
}
Note: Also You should assign this policy to the role you are assuming, not to the user who is assuming. can you confirm that part.
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
I have a codestar project that calls a python lambda function. This function tries to put an item into the DynamoDB. I am getting the following error:
"errorMessage": "An error occurred (AccessDeniedException) when calling the PutItem operation: User: arn:aws:sts::13556632xxxx:assumed-role/CodeStar-split-lambda-Execution/awscodestar-split-lambda-lambda-CreateUser-RBA73BJH7NHY is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:1355663xxxx:table/split-users"
}
I included the AmazonDynamoDBFullAccess, AWSLambdaBasicExecutionRole, and AWSLambdaInvocation-DynamoDB policies on the CodeStar-split-lambda-Execution role, and I am still getting the error.
I also made my own policy and tried it too.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:13556632xxxx:table/split-users"
]
}
]
}
How can I get dynamoDB to have authorization to put an item?
I'm trying to allow a group i defined to have invalidation privliges
I defined a policy on the group that looks like this
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1511787279000",
"Effect": "Allow",
"Action": [
"cloudfront:CreateInvalidation",
"cloudfront:ListInvalidations"
],
"Resource": [
"*"
]
}
]
}
ultimately i'd like to lock the resource down to specific Cloudfront arns. but even at this point it doesn't work. when i use the aws cli tool i get
An error occurred (AccessDenied) when calling the CreateInvalidation operation: User: arn:aws:iam::5555555555:user/username is not authorized to perform: cloudfront:CreateInvalidation
What am i doing wrong?