embed quicksight dashboard : (AccessDeniedException) when calling the RegisterUser operation - amazon-web-services

I am trying the CLI-based commands to embed a QuickSight dashboard as per this link quicksightembed and this AWS video AWSQuickSight.
CLI commands:
aws configure
aws sts assume-role --role-arn "arn:aws:iam::842034702001:role/QuickSightEmbed" --role-session-name QSviewer
aws quicksight register-user --aws-account-id 842034702001 --namespace default --identity-type IAM --iam-arn "arn:aws:iam::842034702001:role/QuickSightEmbed" --user-role READER --session-name QuickSightEmbed --email String@email.com
The assumed role is successful, but while registering the user I am getting the error below:
An error occurred (AccessDeniedException) when calling the RegisterUser operation: User: arn:aws:iam::238683320570:user/String is not authorized to perform: quicksight:RegisterUser on resource: arn:aws:quicksight:eu-west-1:842034702001:user/default/QuickSightEmbed/QuickSightEmbed
Please suggest how we can avoid this error.
Custom policy which we are using:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "quicksight:RegisterUser",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "quicksight:GetDashboardEmbedUrl",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

One thing that stands out is that the session name must match between calls.
In the first call you're using --role-session-name QSviewer but in the second you're using --session-name QuickSightEmbed. These ought to match.
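The principal named in the error above is the IAM user in account 238683320570, not a QuickSightEmbed role session, which shows that the register-user call did not run under the temporary credentials that assume-role returned. The following added example (not from the original post) maps a constructed assume-role response onto the environment variables the CLI reads, and classifies the principal named in an AccessDenied message; all key and token values are fake.

```python
import json
import re

# Constructed sample with the shape `aws sts assume-role` prints (all values fake).
ASSUME_ROLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretAccessKey",
        "SessionToken": "exampleSessionToken",
        "Expiration": "2024-01-01T00:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:QSviewer",
        "Arn": "arn:aws:sts::842034702001:assumed-role/QuickSightEmbed/QSviewer",
    },
})

def env_from_assume_role(response_text):
    """Map an assume-role response onto the env vars the CLI reads next.
    Unless these are exported, the next CLI call still runs as the IAM user."""
    creds = json.loads(response_text)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }

_DENIED = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\d{12}:\S+) is not authorized "
    r"to perform: (?P<action>\S+)")

def acting_principal(error_message):
    """Extract the principal AWS evaluated the call for and classify it."""
    m = _DENIED.search(error_message)
    if not m:
        raise ValueError("not an AccessDenied message")
    arn = m.group("principal")
    if ":assumed-role/" in arn:
        kind = "assumed-role session"
    elif ":user/" in arn:
        kind = "IAM user (temporary credentials were not used)"
    else:
        kind = "other"
    return {"principal": arn, "action": m.group("action"), "kind": kind}

def ran_as_role(error_message, account, role_name):
    """True when the denied call already ran under the expected role session."""
    prefix = f"arn:aws:sts::{account}:assumed-role/{role_name}/"
    return acting_principal(error_message)["principal"].startswith(prefix)
```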

Related

I'm able to assume AWS role in Console but not in cli

I have an AWS organization with users (id: 111111111111) and dev (id: 222222222222) accounts. Users first log in to the users account, and are then able to switch to the dev account.
The problem: users are able to switch role via the console (website), but NOT via the CLI...
This is how I switch via the CLI:
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
$(aws sts assume-role \
--role-arn arn:aws:iam::222222222222:role/administrator \
--role-session-name TestSessionName \
--query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
--output text))
And I get the following error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::111111111111:user/gitlab-ci-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/administrator
I made sure which user I'm logged in as via the CLI:
> aws sts get-caller-identity
{
  "UserId": "...",
  "Account": "111111111111",
  "Arn": "arn:aws:iam::111111111111:user/gitlab-ci-user"
}
The user gitlab-ci-user is a member of the AdminsDevAssumeRole group, which has the following policy:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::222222222222:role/administrator"
      ]
    }
  ],
  "Version": "2012-10-17"
}
In the dev account (222222222222), I have the role administrator, with the following trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
Any idea why I'm not able to switch role via the CLI (but can in the console)?

Not authorized to perform: sts:AssumeRole on resource

I'm trying to use kubectl to work on an EKS cluster created by another user.
I followed the instructions from the documentation to create the kube config file with the command: aws eks --region eu-central-1 update-kubeconfig --name internal --role-arn arn:aws:iam::xxxxxxxxxx:role/eks_role_internal.
Then when I try to test the configuration (kubectl get svc), I get the error:
could not get token: AccessDenied: User: arn:aws:iam::xxxxxxxxxxxx:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/eks_role_internal
Here is the config for the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::xxxxxxxxxxx:role/eks_role_internal"
    }
  ]
}
And the trust relationship of the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "eks.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The first reason for getting this error message is a misconfigured trust relationship on the role that is going to be assumed.
I also was seeing this error when the condition attached to the trust relationship, requiring MFA, wasn't met:
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
The AWS CLI isn't smart enough to see this case and ask for the MFA code; it just throws that error message.

EKS not able to authenticate to Kubernetes with Kubectl - "User: is not authorized to perform: sts:AssumeRole"

I initially ran aws --region eu-west-1 eks update-kubeconfig --name prod-1234 --role-arn arn:aws:iam::1234:user/chris-devops to get access to the EKS cluster.
When doing anything like kubectl get ..., I get an error of:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::1234:user/chris-devops is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::1234:user/chris-devops
Why do I get this error? How do I gain access?
I've added the following to the user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::1234:user/chris-devops"
    }
  ]
}
In addition I also have full Administrator access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
I've read through: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_cant-assume-role
And my understanding is I'm meeting all the criteria.
aws eks --region eu-west-1 update-kubeconfig --name prod-eks-3flXvI2r --role-arn arn:aws:iam::1234:role/prod-eks-1234-admins
I had to specify the correct role... Woohooo
Your policy is wrong. A user can't assume another IAM user. It should be something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::1234:role/prod-Eks-1234-admins"
    }
  ]
}
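A simplified model, added here and not taken from any of the posts, of the two checks behind the three questions above: the caller's identity policy must allow sts:AssumeRole on a role ARN (not a user ARN, as in the last question), and the role's trust policy must name the caller or its account root as an AWS principal (a Service-only principal, as in the EKS question, never matches an IAM user) with any Condition satisfied. It models only explicit Allow statements, exact ARNs or "*", and the Bool operator, and encodes one AWS rule worth knowing: aws:MultiFactorAuthPresent is absent from the request context when long-term access keys are used, so a Bool condition on that key, whether "true" or "false", is not met for such calls.

```python
# Simplified model of the two checks AWS makes on sts:AssumeRole (assumption: only
# explicit Allow statements, exact ARNs or "*", and the Bool condition operator).

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(actions):
    return any(a in ("*", "sts:*", "sts:AssumeRole") for a in _as_list(actions))

def _principal_matches(principal, caller_arn):
    # Only an "AWS" principal can cover an IAM user: its own ARN or its account root.
    # A "Service" principal (eks.amazonaws.com, ...) never matches a human caller.
    if isinstance(principal, str):
        return principal == "*"
    account = caller_arn.split(":")[4]
    allowed = _as_list(principal.get("AWS", []))
    return caller_arn in allowed or f"arn:aws:iam::{account}:root" in allowed

def _condition_met(condition, context):
    # Bool on a key that is absent from the request context evaluates to false, and
    # aws:MultiFactorAuthPresent is absent when the caller uses long-term access keys.
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} is not modelled")
        for key, wanted in pairs.items():
            if key not in context or str(context[key]).lower() != str(wanted).lower():
                return False
    return True

def can_assume(caller_arn, identity_policy, role_arn, trust_policy, context):
    """Return (allowed, reason) for caller_arn calling sts:AssumeRole on role_arn."""
    if ":role/" not in role_arn:
        return False, "target is not a role ARN: an IAM user cannot be assumed"
    identity_ok = any(
        s["Effect"] == "Allow" and _action_matches(s["Action"])
        and any(r in ("*", role_arn) for r in _as_list(s["Resource"]))
        for s in identity_policy["Statement"])
    if not identity_ok:
        return False, "caller's identity policy does not allow sts:AssumeRole on the role"
    for s in trust_policy["Statement"]:
        if s["Effect"] != "Allow" or not _action_matches(s["Action"]):
            continue
        if not _principal_matches(s["Principal"], caller_arn):
            continue
        if not _condition_met(s.get("Condition", {}), context):
            return False, "trust policy Condition is not satisfied by the request context"
        return True, "allowed by both the identity policy and the trust policy"
    return False, "trust policy Principal covers neither the caller nor its account root"
```

Pass the page's policies as Python dicts and an empty context for a call made with access keys; a console session passes {"aws:MultiFactorAuthPresent": "true"} or "false" depending on whether MFA was used.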

aws s3 command responds with 403 forbidden

I'm trying to install the AWS CodeDeploy agent on my EC2 instance:
aws s3 cp s3://aws-codedeploy-ap-southeast-2/latest/install . --region ap-southeast-2
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
The IAM role for the instance has this policy document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
and this trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "codedeploy.ap-southeast-2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I followed the guideline at
http://docs.aws.amazon.com/codedeploy/latest/userguide/codedeploy-agent-operations-install-linux.html
I also attached the AdministratorGroup policy to my user.
The CodeDeploy agent is now running on my box.
That command is not correct. cp is used to upload something to S3; to download a file you could use curl or wget:
curl -O https://aws-codedeploy-ap-southeast-2.s3.amazonaws.com/latest/install
or
wget https://aws-codedeploy-ap-southeast-2.s3.amazonaws.com/latest/install

ecr token error for amazon aws docker registry

Here is my registry policy for my user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1494526914000",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
I have no MFA auth, but when I try:
bussiere@kusanagi:~/Workspace/*****$ aws ecr get-login
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::*******:user/bussiere is not authorized to perform: ecr:GetAuthorizationToken on resource: *
bussiere@kusanagi:~/Workspace/*****$
thanks a lot and regards
Maybe unhelpful considering you seem to have the right policy, but the permissions aren't correct somehow. Do you have the region set, and are you using the keys for that user in the CLI? Also, as a test, does it work using the managed policy AmazonEC2ContainerRegistryPowerUser?
http://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors.html#error-unauthorized