Using a BOTO3 script, I created a Role and a Policy and am trying to attach the policy to that role. I am getting an error while attaching, but if I attach manually it works fine.
Using BOTO3 I am doing the following:
Created an AWS role, say "TEST"
Created a policy called "POL"
Both have been created and can be seen in the AWS console. Now I am attaching the policy to the role with the command below:
response = client.attach_role_policy(
    RoleName='TEST',
    PolicyArn='arn:aws:iam::6929051012:policy/POL'
)
I am getting the error below.
raise error_class(parsed_response, operation_name)
botocore.errorfactory.NoSuchEntityException: An error occurred (NoSuchEntity) when calling the AttachRolePolicy operation: Policy arn:aws:iam::6929051012:policy/POL does not exist or is not attachable.
Manually I can attach this policy to the role.
Your help is highly appreciated. Thanks
To reproduce your situation, I did the following:
Created an IAM Role (stack-role) via the management console
Created an IAM Policy via the management console (arn:aws:iam::123456789012:policy/stack-policy)
I then ran:
import boto3

iam_client = boto3.client('iam')
response = iam_client.attach_role_policy(
    RoleName='stack-role',
    PolicyArn='arn:aws:iam::123456789012:policy/stack-policy'
)
print(response)
The call returned successfully. I then looked at the Role in the IAM management console and the stack-policy was attached.
So, seems to work fine!
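A check worth running before AttachRolePolicy, added here as an example and not code from either post above: validate the shape of the policy ARN (IAM is a global service, so the region field is empty, and the account field is a 12-digit account id, or the literal "aws" for AWS managed policies) and confirm the policy is visible with GetPolicy, so a NoSuchEntity failure is reported with its likely cause instead of as a bare exception. The FakeIAM class is a constructed stand-in for boto3.client('iam') so the example runs offline; pass the real client in its place.

```python
import re

ACCOUNT_RE = re.compile(r"\d{12}")


def policy_arn_problems(arn):
    """Describe anything structurally wrong with a managed-policy ARN; an empty list means it looks valid.
    Expected shape: arn:<partition>:iam::<12-digit account | aws>:policy/<path><name>"""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return ["ARN needs six colon-separated fields: arn:partition:service:region:account:resource"]
    partition, service, region, account, resource = parts[1:]
    problems = []
    if partition not in ("aws", "aws-cn", "aws-us-gov"):
        problems.append(f"unknown partition {partition!r}")
    if service != "iam":
        problems.append(f"service is {service!r}; a managed policy lives in 'iam'")
    if region:
        problems.append("IAM is global, so the region field must be empty")
    if account != "aws" and not ACCOUNT_RE.fullmatch(account):
        problems.append(f"account id {account!r} must be exactly 12 digits (or 'aws' for AWS managed policies)")
    if not resource.startswith("policy/") or resource == "policy/":
        problems.append(f"resource {resource!r} must be 'policy/<name>'")
    return problems


def attach_policy_checked(iam, role_name, policy_arn):
    """Validate the ARN, confirm the policy exists, then attach it. Returns (attached, detail)."""
    problems = policy_arn_problems(policy_arn)
    if problems:
        return False, "malformed policy ARN: " + "; ".join(problems)
    try:
        iam.get_policy(PolicyArn=policy_arn)
    except iam.exceptions.NoSuchEntityException:
        # Same credentials, same partition: if GetPolicy cannot see it, AttachRolePolicy will not either
        return False, f"{policy_arn} is not visible to these credentials (wrong account id or partition?)"
    iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return True, f"attached {policy_arn} to role {role_name}"


class FakeIAM:
    """Constructed stand-in for boto3.client('iam') so the example runs offline."""

    class exceptions:
        class NoSuchEntityException(Exception):
            pass

    def __init__(self, existing_policy_arns):
        self.existing = set(existing_policy_arns)
        self.attached = []

    def get_policy(self, PolicyArn):
        if PolicyArn not in self.existing:
            raise self.exceptions.NoSuchEntityException(PolicyArn)
        return {"Policy": {"Arn": PolicyArn}}

    def attach_role_policy(self, RoleName, PolicyArn):
        self.attached.append((RoleName, PolicyArn))
        return {}


if __name__ == "__main__":
    iam = FakeIAM(["arn:aws:iam::123456789012:policy/POL"])  # constructed account id
    for arn in ("arn:aws:iam::123456789012:policy/POL",
                "arn:aws:iam::6929051012:policy/POL",         # the ARN from the question above
                "arn:aws:iam::123456789012:policy/MISSING"):
        print(arn, "->", attach_policy_checked(iam, "TEST", arn))
```

With the real client (iam = boto3.client('iam')) the caller needs iam:GetPolicy in addition to iam:AttachRolePolicy; the fake raises the same exception class name that botocore exposes as client.exceptions.NoSuchEntityException.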
I logged into the AWS console as DEV-OPS-ENGINEER and created ROLE-1 with an AWS managed policy attached. I attached this role to ECS tasks.
Now from my machine I logged into the AWS CLI as DEVELOPER and ran the aws ecs update-service command, but I am getting the error mentioned below:
"An error occurred (AccessDeniedException) when calling the UpdateService operation: User: arn:aws:sts:::assumed-role/DEVELOPER is not authorized to perform: iam:PassRole on resource: arn:aws:iam:::role/ROLE-1"
My idea was that all logged-in users (with different roles) should be able to use ROLE-1.
Any idea why it is throwing this error and how I can resolve it?
To pass a role (and its permissions) to an AWS service, a user must have permissions to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user's IAM user, role, or group.
Find out more, including examples, in the AWS User Guide: Granting a user permissions to pass a role to an AWS service
I want to publish a message from an EC2 instance in my AWS account (111222333) to an SNS topic owned by another AWS account (444555666). The topic owner gave full permissions to my EC2 role. While publishing the message to the topic I am getting an AuthorizationErrorException.
import boto3
import json

aws_region = 'us-east-1'
# boto3.client takes region_name, not region
client = boto3.client('sns', region_name=aws_region)
message = {"foo": "bar"}
topic_arn = "arn:aws:sns:us-east-1:444555666:my_topic"
response = client.publish(
    TopicArn=topic_arn,
    Message=json.dumps({'default': json.dumps(message)}),
    MessageStructure='json'
)
botocore.errorfactory.AuthorizationErrorException: An error occurred (AuthorizationError) when calling the Publish operation: User: arn:aws:sts::111222333:assumed-role/ecsec2role/i-0121fggsfdf56 is not authorized to perform: SNS:Publish on resource: arn:aws:sns:us-east-1:444555666:my_topic.
Do I need to mention anywhere which role my EC2 instance should use to run my script?
The EC2 instance assumes the role you attached via the instance profile.
Boto3 uses this role by default. You can view the role attached in the EC2 console, or change the role from there.
The role has to be part of an Allow statement in the SNS topic policy in the other account!
But also on your side the role needs explicit permission to publish to SNS (sns:Publish)!
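The two-sided rule in the answer above, and the PassRole condition from the earlier question, as an added example that is not code from any post on this page: a small local evaluator of IAM policy documents (Effect, Action and Resource wildcards, Principal, and StringEquals conditions only) that combines the caller's identity policy with the resource policy the way IAM does. For a cross-account request both policies must allow the action, so a topic policy that names the EC2 role is not enough on its own; within one account either policy can grant, and an explicit Deny always wins. The account ids and ARNs in sns_cross_account_check are taken from the SNS question; those in pass_role_check are constructed.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def _role_arn_of(principal_arn):
    """An STS assumed-role session ARN is matched by policies that name the underlying IAM role."""
    if ":assumed-role/" not in principal_arn:
        return principal_arn
    partition = principal_arn.split(":")[1]
    role_name = principal_arn.split(":assumed-role/")[1].split("/")[0]
    return f"arn:{partition}:iam::{_account_of(principal_arn)}:role/{role_name}"


def _glob_any(patterns, value):
    # IAM wildcards (* and ?) behave like shell globs; ARNs and action names contain no [ ] classes
    return any(fnmatch.fnmatchcase(value, pattern) for pattern in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal")
    if principal is None or principal == "*":  # identity-based policy, or anonymous access
        return True
    partition = principal_arn.split(":")[1]
    accepted = {"*", principal_arn, _role_arn_of(principal_arn),
                f"arn:{partition}:iam::{_account_of(principal_arn)}:root"}  # root delegates to the account
    return any(p in accepted for p in _as_list(principal.get("AWS", [])))


def _conditions_hold(statement, context):
    # Only StringEquals is modelled; other condition operators are out of scope for this example
    for operator, clauses in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, allowed in clauses.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def evaluate(policy, action, resource, principal_arn, context=None):
    """Evaluate one policy document: an explicit Deny wins, then Allow, otherwise implicit deny."""
    context = context or {}
    decision = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # action names are case-insensitive
        if not _glob_any(actions, action.lower()) or not _glob_any(stmt.get("Resource", "*"), resource):
            continue
        if not _principal_matches(stmt, principal_arn) or not _conditions_hold(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_authorized(identity_policy, resource_policy, action, resource, principal_arn, context=None):
    """Combine the caller's identity policy with the resource policy the way IAM does."""
    ident = evaluate(identity_policy, action, resource, principal_arn, context)
    res = evaluate(resource_policy, action, resource, principal_arn, context) if resource_policy else "Implicit"
    if "Deny" in (ident, res):
        return False
    if _account_of(principal_arn) == _account_of(resource):
        return "Allow" in (ident, res)            # same account: either policy can grant
    return ident == "Allow" and res == "Allow"    # cross account: both sides must grant


def sns_cross_account_check(role_policy_actions):
    """From the SNS question: the EC2 role in 111222333 publishing to a topic owned by 444555666."""
    caller = "arn:aws:sts::111222333:assumed-role/ecsec2role/i-0121fggsfdf56"
    topic = "arn:aws:sns:us-east-1:444555666:my_topic"
    topic_policy = {"Statement": [{"Effect": "Allow", "Action": "SNS:Publish", "Resource": topic,
                                   "Principal": {"AWS": "arn:aws:iam::111222333:role/ecsec2role"}}]}
    role_policy = {"Statement": [{"Effect": "Allow", "Action": role_policy_actions, "Resource": "*"}]}
    return is_authorized(role_policy, topic_policy, "sns:Publish", topic, caller)


def pass_role_check(passed_to_service):
    """From the PassRole question: DEVELOPER may pass ROLE-1, but only to ECS tasks (constructed ids)."""
    account = "123456789012"  # constructed account id
    caller = f"arn:aws:sts::{account}:assumed-role/DEVELOPER/cli-session"
    role = f"arn:aws:iam::{account}:role/ROLE-1"
    developer_policy = {"Statement": [
        {"Effect": "Allow", "Action": "ecs:UpdateService", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": role,
         "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}
    return is_authorized(developer_policy, None, "iam:PassRole", role, caller,
                         context={"iam:PassedToService": passed_to_service})


if __name__ == "__main__":
    print("topic policy alone:", sns_cross_account_check(["s3:GetObject"]))                 # False
    print("both sides allow:  ", sns_cross_account_check(["s3:GetObject", "sns:Publish"]))  # True
    print("pass to ECS tasks: ", pass_role_check("ecs-tasks.amazonaws.com"))                # True
    print("pass to Lambda:    ", pass_role_check("lambda.amazonaws.com"))                   # False
```

The iam:PassedToService condition key is what keeps a PassRole grant from letting the same user hand ROLE-1 to any other service; the real evaluation also involves permissions boundaries, SCPs and session policies, which this model leaves out.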
I am able to train my model using the SageMaker TensorFlow container.
Below is the code:
import sagemaker
from sagemaker.tensorflow import TensorFlow

model_dir = '/opt/ml/model'
train_instance_type = 'ml.c4.xlarge'
hyperparameters = {'epochs': 10, 'batch_size': 256, 'learning_rate': 0.001}
script_mode_estimator = TensorFlow(
    entry_point='model.py',
    train_instance_type=train_instance_type,
    train_instance_count=1,
    model_dir=model_dir,
    hyperparameters=hyperparameters,
    role=sagemaker.get_execution_role(),
    base_job_name='tf-fashion-mnist',
    framework_version='1.12.0',
    py_version='py3',
    output_path='s3://my_bucket/testing',
    script_mode=True
)
Model Fitting:
script_mode_estimator.fit(inputs)
But when I am trying to deploy the model I am getting the error below:
Deploy code is:
script_mode_d = script_mode_estimator.deploy(initial_instance_count=1,
                                             instance_type="ml.m4.xlarge")
Error is:
UnexpectedStatusException: Error hosting endpoint tf-fashion-mnist-2020-09-23-09-05-25-791: Failed. Reason: The role 'xyz' does not have BatchGetImage permission for the image: '520713654638.dkr.ecr.us-east-1.amazonaws.com/sagemaker-tensorflow-serving:1.12-cpu'.
Please help me to resolve this issue.
Reason: The role 'xyz' does not have BatchGetImage permission for the image: '520713654638.dkr.ecr.us-east-1.amazonaws.com/sagemaker-tensorflow-serving:1.12-cpu'.
This error means that the IAM role "xyz" (you can find this in the IAM console) does not have permission to make the BatchGetImage API call in ECR (Elastic Container Registry; you can find this service in the ECS console).
You can find a number of example IAM policies you can use for the "xyz" role to grant it permission to perform the API call here: https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-policy-examples.html
To add a policy go to the IAM console, look for the "xyz" role, and either add an (inline) policy, or edit one of its existing policies (if it already has a policy that grants similar permissions it would make sense to add this permission in that policy).
Instead of managing permissions by crafting a permission policy, you can use the AWS-managed AmazonSageMakerFullAccess permission policy, which allows for any actions you might want to perform in SageMaker (including BatchGetImage).
To do so:
Log onto the console -> IAM -> Roles -> Create Role
Create a service-linked role with sagemaker.amazonaws.com
Give the role AmazonSageMakerFullAccess
Give the role AmazonS3FullAccess
aws deploy register-on-premises-instance --instance-name XXXXX --iam-user-arn arn:aws:iam::XXXXXXXXXXXX:user/LightSailCodeDeployUser --region ap-south-1
An error occurred (AccessDeniedException) when calling the RegisterOnPremisesInstance operation: User: arn:aws:sts::XXXXXXXXXXX:assumed-role/AmazonLightsailInstanceRole/i-XXXXXXXXXXXXXX is not authorized to perform: codedeploy:RegisterOnPremisesInstance on resource: arn:aws:codedeploy:ap-south-1:XXXXXXXXXX:instance:XXXXXXXXXXXX
I didn't even create the role AmazonLightsailInstanceRole, so how did it come into the picture? My user has all permissions on CodeDeploy though. I am following this link to set up: https://aws.amazon.com/blogs/compute/using-aws-codedeploy-and-aws-codepipeline-to-deploy-applications-to-amazon-lightsail/
I made the same mistake and then realized that command is meant to be run on your local machine and not the instance!
AmazonLightsailInstanceRole is a service-linked role automatically created by AWS:
Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf.
The error you are getting is not about you not having the codedeploy:RegisterOnPremisesInstance permission.
The error is about the AmazonLightsailInstanceRole not having it. It does not matter whether you (i.e. your IAM user) have all CodeDeploy permissions.
Normally you would add the missing permissions to the role. How to work with the AmazonLightsailInstanceRole is described in the following AWS documentation:
Using Service-Linked Roles for Amazon Lightsail
Editing a Service-Linked Role
However, I'm not sure if you can modify the AmazonLightsailInstanceRole and add the missing permissions. Some service-linked roles can be modified, some not.
The documentation is a bit confusing. Create a new user in IAM with an admin role (full privileges) and use the credentials of that user to run the command on your local machine.
I was wondering how to use simulate-principal-policy via the AWS CLI for an assumed role.
To provide some context, as part of my application's startup I want to ensure that the application has the necessary permissions to access all the AWS resources it needs. I do this by getting the caller identity using aws sts get-caller-identity and using the returned caller identity as the policy source ARN for the simulate-principal-policy request.
When our application runs on EC2, it uses an assumed role, so get-caller-identity returns an assumed-role ARN.
If I try to execute simulate-principal-policy using my user ARN as the policy source ARN, the command works fine.
aws iam simulate-principal-policy --action-names "sqs:Receivemessage" --policy-source-arn "arn:aws:sts::123456789021:user/divesh"
However, trying to execute the command above using an assumed role reports an error.
aws iam simulate-principal-policy --action-names "sqs:Receivemessage" --policy-source-arn "arn:aws:sts::123456789021:assumed-role/development/development-session"
An error occurred (InvalidInput) when calling the SimulatePrincipalPolicy operation: Invalid Entity Arn: arn:aws:sts::123456789021:assumed-role/development/development-session does not clearly define entity type and name.
Our application runs on a Kubernetes cluster and uses kiam to associate IAM roles to pods.
The problem with your request is that you are using the "Profile ARN" instead of the "Role ARN". To get the Role ARN, you can do the following:
Pull the role name from the instance profile ARN:
arn:aws:sts::123456789021:assumed-role/development/development-session becomes development/development-session
Get the instance profile based on that name:
aws iam get-instance-profile --instance-profile-name Instance Profile Arn
Find the role ARN in the resulting document:
{
    "InstanceProfile": {
        "Roles": [
            {
                "Arn": "arn:aws:iam::992863558783:role/YourRole"
            }
        ]
    }
}
Use this ARN in simulate-principal-policy:
aws iam simulate-principal-policy --action-names "sqs:Receivemessage" --policy-source-arn "arn:aws:iam::992863558783:role/YourRole"
In Python, the script would look like this:
import boto3

iam = boto3.client('iam')
profileArn = 'arn:aws:sts::123456789021:assumed-role/development/development-session'
# take the part after ':assumed-role/' as the instance profile name
iamProfileName = profileArn.split(':assumed-role/')[1]
profile = iam.get_instance_profile(InstanceProfileName=iamProfileName)
policySourceArns = []
for role in profile['InstanceProfile']['Roles']:
    policySourceArns.append(role['Arn'])
retval = iam.simulate_principal_policy(
    PolicySourceArn=policySourceArns[0],
    ActionNames=['sqs:Receivemessage']
)
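An added example of the startup check the question describes, not code from the question or the answer above, and taking a different route from the answer: the role name sits in the assumed-role session ARN itself (arn:aws:sts::ACCOUNT:assumed-role/ROLE_NAME/SESSION), so the IAM role ARN can be derived directly, or fetched with GetRole when the role has a path that the session ARN drops. The derived ARN is passed as PolicySourceArn and the EvaluationResults are reduced to the actions not allowed. FakeIAM is a constructed stand-in for boto3.client('iam') so the example runs offline; the session ARN and account id come from the question, the queue ARN and permission set are constructed.

```python
def role_arn_from_caller(caller_arn, iam=None):
    """Turn the ARN that sts:GetCallerIdentity returns into an entity ARN SimulatePrincipalPolicy accepts.
    Assumed-role session ARNs (EC2 instance profiles, kiam, AssumeRole) become the IAM role ARN;
    user ARNs already name an entity and pass through unchanged."""
    if ":assumed-role/" not in caller_arn:
        return caller_arn
    fields = caller_arn.split(":")
    partition, account = fields[1], fields[4]
    role_name = caller_arn.split(":assumed-role/")[1].split("/")[0]
    if iam is not None:
        # GetRole returns the full ARN, including any path (role/some/path/Name) the session ARN drops
        return iam.get_role(RoleName=role_name)["Role"]["Arn"]
    return f"arn:{partition}:iam::{account}:role/{role_name}"


def missing_permissions(iam, caller_arn, action_names, resource_arns=("*",)):
    """Ask IAM to simulate the caller's policies; return the actions that are not allowed."""
    response = iam.simulate_principal_policy(
        PolicySourceArn=role_arn_from_caller(caller_arn, iam),
        ActionNames=list(action_names),
        ResourceArns=list(resource_arns),
    )
    # EvalDecision is one of "allowed", "explicitDeny" or "implicitDeny"
    return sorted({r["EvalActionName"] for r in response["EvaluationResults"]
                   if r["EvalDecision"] != "allowed"})


class FakeIAM:
    """Constructed stand-in for boto3.client('iam') so the example runs offline; pass the real client instead."""

    def __init__(self, role_arns, allowed_actions):
        self.role_arns = role_arns
        self.allowed = {a.lower() for a in allowed_actions}
        self.sources_seen = []

    def get_role(self, RoleName):
        return {"Role": {"Arn": self.role_arns[RoleName]}}

    def simulate_principal_policy(self, PolicySourceArn, ActionNames, ResourceArns):
        if ":assumed-role/" in PolicySourceArn:
            # Mirrors the InvalidInput error quoted in the question
            raise ValueError("Invalid Entity Arn: does not clearly define entity type and name")
        self.sources_seen.append(PolicySourceArn)
        return {"EvaluationResults": [
            {"EvalActionName": action, "EvalResourceName": resource,
             "EvalDecision": "allowed" if action.lower() in self.allowed else "implicitDeny"}
            for action in ActionNames for resource in ResourceArns]}


def startup_check():
    """Constructed run: the session ARN from the question, a role that may receive but not delete messages."""
    caller = "arn:aws:sts::123456789021:assumed-role/development/development-session"
    iam = FakeIAM(role_arns={"development": "arn:aws:iam::123456789021:role/development"},
                  allowed_actions=["sqs:ReceiveMessage"])
    return missing_permissions(iam, caller, ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
                               ["arn:aws:sqs:us-east-1:123456789021:jobs"])  # constructed queue ARN


if __name__ == "__main__":
    print("not allowed:", startup_check())  # ['sqs:DeleteMessage']
```

With the real client, iam = boto3.client('iam') and caller_arn = boto3.client('sts').get_caller_identity()['Arn']; the role then needs iam:GetRole on itself and iam:SimulatePrincipalPolicy, and for long action lists the results are paginated, so use iam.get_paginator('simulate_principal_policy') rather than a single call.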