AWS Codestar Setup Beanstalk Policy Errors for Auto-scaling - amazon-web-services

I've been trying to use Codestar on AWS Ruby on Rails using Elastic Beanstalk. I tried applying and assigning auto scaling full access policies to no avail. Can anybody help me navigate around these errors? Also using root account. Tried assigning this under roles but no success.
Error messages:
Creating Auto Scaling group failed Reason: API: autoscaling:CreateAutoScalingGroup The default Service-Linked Role for Auto Scaling could not be created. com.amazonaws.services.identitymanagement.model.AmazonIdentityManagementException:
User: arn:aws:sts::**********:assumed-role/CodeStarWorker-phcnetworks-net-CloudFormation/AWSCloudFormation is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::**************:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
(Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied; Request ID: *******-******-*******)
Stack named 'awseb-e-*********-stack' aborted operation. Current state: 'CREATE_FAILED' Reason: The following resource(s) failed to create: [AWSEBAutoScalingGroup].

The reported error says that the role "CodeStarWorker-phcnetworks-net-CloudFormation" is not authorized to perform the operation iam:CreateServiceLinkedRole on the set of resources defined in the IAM policy. So the action "CreateServiceLinkedRole" needs to be added to the role for your autoscaling policies to succeed.
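As an added example (not part of the original question or answer), the script below parses a denial message of the shape quoted above and builds the narrowest Allow statement for it, pinning iam:CreateServiceLinkedRole to the one service named in the role ARN. It also accepts the same message shape when the "on resource" part is absent. The account ID 111122223333 and the function names are constructed placeholders.

```python
import json
import re

# Shape of the IAM denial text quoted in the question; the resource part is optional.
DENIED = re.compile(
    r"User:\s*(?P<principal>\S+)\s+is not authorized to perform:\s*"
    r"(?P<action>[\w-]+:\w+)(?:\s+on resource:\s*(?P<resource>\S+))?"
)
# Service-linked roles live under this path; the owning service is the next segment.
SLR_PATH = re.compile(r":role/aws-service-role/(?P<service>[^/]+)/")

# Constructed sample modelled on the error in the question (placeholder account ID).
SAMPLE_DENIAL = """User: arn:aws:sts::111122223333:assumed-role/CodeStarWorker-phcnetworks-net-CloudFormation/AWSCloudFormation
is not authorized to perform: iam:CreateServiceLinkedRole on resource:
arn:aws:iam::111122223333:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
(Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied)"""


def parse_denial(message):
    """Return principal, role name (if an assumed role), action and resource."""
    m = DENIED.search(" ".join(message.split()))  # collapse wrapped lines first
    if not m:
        raise ValueError("not an IAM authorization failure message")
    info = m.groupdict()
    role = re.search(r":assumed-role/([^/]+)/", info["principal"])
    info["role_name"] = role.group(1) if role else None
    return info


def least_privilege_statement(info):
    """Build an Allow statement for exactly the denied action and resource."""
    stmt = {"Effect": "Allow", "Action": info["action"],
            "Resource": info["resource"] or "*"}
    slr = SLR_PATH.search(info["resource"] or "")
    if info["action"] == "iam:CreateServiceLinkedRole" and slr:
        # Only allow creating the role for the service named in the ARN.
        stmt["Condition"] = {
            "StringEquals": {"iam:AWSServiceName": slr.group("service")}}
    return stmt


if __name__ == "__main__":
    parsed = parse_denial(SAMPLE_DENIAL)
    policy = {"Version": "2012-10-17",
              "Statement": [least_privilege_statement(parsed)]}
    print("Attach to role:", parsed["role_name"])
    print(json.dumps(policy, indent=2))
```

The printed role name is the one to attach the statement to; a "*" resource in the output means the message named no resource and the statement should be narrowed by hand.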

Related

How to fix AWS Elastic Bean Stalk severe health warning?

I have a spring java app that runs fine locally, but after uploading the jar file to elastic beanstalk, I'm unable to access the end point and the app health shows as severe.
In the logs it says the following:
User:
arn:aws:sts::487484241999:assumed-role/aws-elasticbeanstalk-ec2-role/i-0e95c4754f49ff217
is not authorized to perform: rds:DescribeDBInstances on resource:
arn:aws:rds:eu-west-2:487484241999:db:[redacted] because no
identity-based policy allows the rds:DescribeDBInstances action
(Service: AmazonRDS; Status Code: 403; Error Code: AccessDenied;
Request ID: 37290a99-f52c-4553-a614-90ffe980da97; Proxy: null)
I have set the correct permissions for the user. I think the issue has something to do with permissions/trust policies surrounding the assumed role.

AccessDeniedException Error deleting EKS Cluster

I've successfully created an EKS cluster and some other resources via a terraform script. However, I am unable to successfully complete the terraform destroy. I get the following error upon deletion of EKS cluster:
Error: error deleting EKS Cluster (cluster-name): AccessDeniedException:
status code: 403, request id: request-uuid
Any ideas?
The role I'm using needs to allow the eks:DeleteCluster operation in its policy.

Aws Emr Cluster creation with RunJobFlowResult unable to take specified config?

I am creating an Aws Emr cluster with AWS Java SDK. Below is the code snippet.
    JobFlowInstancesConfig jobFlowInstanceConfig = new JobFlowInstancesConfig()
            .withEc2SubnetId(config.getEc2SubnetId())
            .withEc2KeyName(config.getEc2KeyName())
            .withInstanceCount(config.getInstanceCount())
            .withKeepJobFlowAliveWhenNoSteps(true)
            .withMasterInstanceType(config.getMasterInstanceType())
            .withSlaveInstanceType(config.getSlaveInstanceType());

    RunJobFlowRequest request = new RunJobFlowRequest()
            .withName(clusterName)
            .withReleaseLabel(config.getReleaseLabel())
            .withApplications(applications)
            .withLogUri(config.getLogUri())
            .withServiceRole(config.getServiceRole())
            .withJobFlowRole(config.getJobFlowRole())
            .withInstances(jobFlowInstanceConfig);

    RunJobFlowResult runJobFlowResult = emrClient.runJobFlow(request);
As you can see, I am setting "JobFlowRole" using .withJobFlowRole(config.getJobFlowRole()), but it is taking default values, which do not have permission to create the cluster.
I am getting the following error:
com.amazonaws.services.elasticmapreduce.model.AmazonElasticMapReduceException: User: arn:aws:sts::6...0:assumed-role/default-role/i-0...4 is not authorized to perform: iam:PassRole on resource: arn:aws:iam::6...0:role/EMR_DefaultRole (Service: AmazonElasticMapReduce; Status Code: 400; Error Code: AccessDeniedException; Request ID: a...f)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1701)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1356)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1102)
Help please.
The JobFlowRole is the role of the EMR service, and this is not the role for creating the EMR cluster. See the documentation.
You should have the right permission to create an EMR cluster wherever you get the AWS credentials from. The iam:PassRole permission is missing for your credentials.

When I am trying to create a pipeline in amazon elastic transcoder using amazon console with IAM it gives me an error

user/abcd is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::453006003233:role/Elastic_Transcoder_Default_Role (Service: AmazonIdentityManagement; Status Code: 403; Error Code: AccessDenied;
We need to attach the policy ElasticTranscoderDefaultRole to the particular group to which the IAM user is added.

Executing HiveActivity on an existing EMR cluster (using workergroup) error

This is the error:
ActivityFailed:AmazonServiceException:AmazonElasticMapReduce:AccessDeniedException
User: arn:aws:iam::833376745199:user/data_analytics is not authorized to perform: elasticmapreduce:DescribeCluster (Service: AmazonElasticMapReduce; Status Code: 400; Error Code: AccessDeniedException; Request ID: 593d224c-7097-11e6-a574-fd5be6acde1b)
Make sure that the IAM user that you're using to start the task runner has the elasticmapreduce:DescribeCluster permission. Unless you want to apply a more restrictive policy to your task runner, an easy way to do this would be to attach the AmazonEC2RoleForDataPipeline to your IAM user.