I have a function (Node.js 8.10) in us-west-2 and I am unable to attach the layer arn:aws:lambda:us-east-1:553035198032:layer:git:3. I get the following error message upon save:
You are not authorized to perform: lambda:GetLayerVersion.
I have the AWSLambdaFullAccess managed policy attached to my user, and even the persons with AdministratorAccess get the same error. I also checked in the policy simulator and it specifies that this permission IS allowed to be run by myself and the Administrator users.
Any ideas as to what I might be doing wrong?
REGION MISMATCH
I followed the README here, but failed to notice the region difference or the Version ARNs section, which implies the package author has created the layer in multiple regions.
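A pre-flight check for the mistake described in this answer, as an added example that is not part of the original post: it parses a layer version ARN and compares it with the function's region and account before the attach is attempted. The function name and the account ID `111122223333` are constructed for illustration; the layer ARN and region are the ones from the question.

```python
import re

# Layer version ARN shape:
#   arn:<partition>:lambda:<region>:<account>:layer:<name>:<version>
LAYER_ARN_RE = re.compile(
    r"^arn:(aws[a-z-]*):lambda:([a-z0-9-]+):(\d{12}):layer:([A-Za-z0-9_-]+):(\d+)$"
)

def check_layer_attachment(layer_arn, function_region, function_account):
    """Return a list of findings; an empty list means nothing to fix."""
    m = LAYER_ARN_RE.match(layer_arn)
    if not m:
        return ["malformed layer version ARN (is the version suffix missing?)"]
    _partition, region, account, name, _version = m.groups()
    findings = []
    # A function can only use layers published in its own region. The console
    # reports the mismatch as a lambda:GetLayerVersion authorization failure.
    if region != function_region:
        findings.append(
            f"region mismatch: layer '{name}' is in {region}, function is in "
            f"{function_region}; use the publisher's {function_region} ARN"
        )
    # A layer owned by another account is usable only if its owner granted
    # lambda:GetLayerVersion on that layer version.
    if account != function_account:
        findings.append(
            f"cross-account layer ({account}): owner must have granted "
            "lambda:GetLayerVersion on this version"
        )
    return findings

# Layer ARN and function region from the question; account ID is constructed.
PAGE_ARN = "arn:aws:lambda:us-east-1:553035198032:layer:git:3"

if __name__ == "__main__":
    for finding in check_layer_attachment(PAGE_ARN, "us-west-2", "111122223333"):
        print(finding)
```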
Related
I am trying to upload a new AWS GameLift Linux server using the AWS CLI but I get the following error:
An error occurred (AccessDeniedException) when calling the CreateBuild operation: User: arn:aws:iam::------:user/----- is not authorized to perform: gamelift:CreateBuild because no identity-based policy allows the gamelift:CreateBuild action
I added the arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy to my group permissions. I can see in the policy json that there isn't a CreateBuild action. It either needs to be added or you can't do it this way.
The AWS documentation is useless and on this page: https://docs.aws.amazon.com/gamelift/latest/developerguide/security_iam_troubleshoot.html#security_iam_troubleshoot-no-permissions
it helpfully advises: ... asks his administrator to update his policies
My user is the main root user for my AWS account but I have no idea how to resolve this. Any ideas?
I worked out how to create a new Policy and add the service permissions. You click on 'create policy' and then choose the 'GameLift' service. I added all the available actions. Seemed to do the trick.
Why did AWS miss this out of the documentation?
I'm getting this error while modifying the stack change
API: iam:PutRolePolicy User: arn:aws:sts::769558805:assumed-role/AWS-QuickSetup-StackSet-Local-AdministrationRole/AWSCloudFormation is not authorized to perform: iam:PutRolePolicy on resource: role test-eu-west-1-lambdaRole because no identity-based policy allows the iam:PutRolePolicy action
Previously, I also updated the same using the Designer; however, everything went smoothly without any errors. The error only appeared this time. Does anyone know what the cause may be?
Questions:
Where should I put this iam:PutRolePolicy policy? In JSON template or attach it to the AWS-QuickSetup-StackSet-Local-AdministrationRole/AWSCloudFormation in IAM > Policy?
Okay, so my stack has these events:
LogGroup
LambdaFunction
EventsRuleSchedule1
LambdaPermissionEventsRuleSchedule1
which require these rules in policy:
EventBridge
IAM
Lambda
S3
S3 Object Lambda
After several steps of creating change sets, receiving errors, and fixing them, I finally made it work. So the solution here was to check the error line by line, type by type, then adjust the policy accordingly.
However, this is still a bit time-consuming as I needed to test and run the stack every time I added a new policy. Not sure if there is a way to know all these "required" policies before executing stacks, if anyone knows any references, please comment below.
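The error-by-error approach described in this answer can be partly automated. The following added example (not code from the original post) parses "is not authorized to perform" messages in the two shapes quoted on this page and collects the denied actions into an identity policy for one principal. All ARNs, role names and sample lines are constructed.

```python
import re
from collections import defaultdict

DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+)"
    r"(?: on resource: (?P<resource>.+?))?"
    r"(?: because (?P<reason>.+))?$"
)

def parse_denials(lines):
    """Extract principal, action, resource and reason from each denial line."""
    return [m.groupdict() for m in map(DENIED_RE.search, lines) if m]

def build_policy(denials, principal):
    """Policy that allows only the actions that were denied to `principal`."""
    by_resource = defaultdict(set)
    for d in denials:
        if d["principal"] != principal:
            continue
        res = d["resource"] or ""
        # Only a full ARN can be reused verbatim. Anything else falls back to
        # "*" and should be narrowed by hand before the policy is attached.
        key = res if res.startswith("arn:") else "*"
        by_resource[key].add(d["action"])
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": res}
        for res, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}

# Constructed sample lines; for an assumed-role session the resulting policy
# is attached to the underlying role, not to the session ARN.
ROLE = "arn:aws:sts::111122223333:assumed-role/ExampleDeployRole/AWSCloudFormation"
FN = "arn:aws:lambda:eu-west-1:111122223333:function:example"
WHY = "because no identity-based policy allows the"
SAMPLE = [
    f"API: iam:PutRolePolicy User: {ROLE} is not authorized to perform: "
    f"iam:PutRolePolicy on resource: role example-lambdaRole {WHY} iam:PutRolePolicy action",
    f"User: {ROLE} is not authorized to perform: lambda:CreateFunction "
    f"on resource: {FN} {WHY} lambda:CreateFunction action",
    f"User: {ROLE} is not authorized to perform: events:PutRule {WHY} events:PutRule action",
    "User: arn:aws:iam::111122223333:user/example is not authorized to perform: "
    f"gamelift:CreateBuild {WHY} gamelift:CreateBuild action",
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_policy(parse_denials(SAMPLE), ROLE), indent=2))
```

Each run still surfaces only the first denial the deployment hits, so the log has to be collected over several attempts before the policy is complete.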
I am having trouble creating ec2 instances with my IAM role.
The permissions I gave are
List: DescribeInstances, DescribeKeyPairs
Read: DescribeTags
Tagging: CreateTags
Write: CreateKeyPair, DeleteKeyPair, ImportKeyPair, RunInstances, TerminateInstances
The error is
error while describing instance(...) attribute (instanceInitiatedShutdownBehaviour): UnnauthorizedOperation: You are no authorized to perform this operation.
However, on the AWS console, the ec2 instance is created. I am unable to terraform destroy it due to the same error.
It works if I give full ec2 access (ec2:*) so it has nothing to do with my terraform code.
Thank you.
I went through the same error and it is because of lack of permission. In the error:
error while describing instance(...) attribute (instanceInitiatedShutdownBehaviour): UnnauthorizedOperation: You are no authorized to perform this operation.
the UnnauthorizedOperation is trying to describe an instance attribute since you do not have the ec2:DescribeInstanceAttribute permission.
Depending on what your Terraform config looks like for the instances, you may require more permissions. You can enable debug logs in your apply command to get more information:
TF_LOG=DEBUG terraform apply
Use the visual policy editor to add permissions to your IAM role and look out for Action Warnings. It will tell you if you are missing any permissions required by the existing permission.
I am following these docs https://docs.aws.amazon.com/sagemaker/latest/dg/edge-device-fleet-create.html#edge-device-fleet-create-console to create a device fleet. In this console, Role ARN is optional but it throws RoleARN is required. If I provide a proper RoleArn it throws Failed to create/modify RoleAlias. Check your IAM role permission.
I have no idea what is going wrong. Any hint would be appreciated.
Mohamed, this means that Sagemaker Edge Manager was unable to use the RoleAlias you provided to take the necessary actions when creating a DeviceFleet. It needs to have the AmazonSageMakerEdgeDeviceFleetPolicy attached (or have similar permissions granted) and it needs to trust both SageMaker and IoT Core.
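A check for the trust requirement described in this answer, as an added example that is not part of the original post: it reads a role's trust policy document and reports which of the two services is not allowed to assume the role. The service principal names are an assumption taken from AWS's Edge Manager setup documentation, not from this page, and both sample policies are constructed.

```python
# Assumed service principals for SageMaker and IoT Core credentials
# (they are not named on this page).
REQUIRED = {"sagemaker.amazonaws.com", "credentials.iot.amazonaws.com"}

def _as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def trusted_services(trust_policy):
    """Service principals allowed to call sts:AssumeRole on the role.

    Condition blocks are not evaluated; a conditioned Allow counts as trusted.
    """
    found = set()
    for st in _as_list(trust_policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        if isinstance(principal, dict):  # skips the bare "*" principal form
            found.update(_as_list(principal.get("Service", [])))
    return found

def missing_trust(trust_policy):
    """Required services that the role does not yet trust, sorted."""
    return sorted(REQUIRED - trusted_services(trust_policy))

# Constructed: a role that trusts SageMaker only.
SAGEMAKER_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "sagemaker.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed: the same role with both services trusted.
BOTH = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": sorted(REQUIRED)},
        "Action": ["sts:AssumeRole"],
    }],
}

if __name__ == "__main__":
    print(missing_trust(SAGEMAKER_ONLY), missing_trust(BOTH))
```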
I'm trying to run the script setup_p2.sh for the fast.ai course. I keep getting this error:
An error occurred (UnauthorizedOperation) when calling the CreateVpc operation: You are not authorized to perform this operation.
NOTE: setup_p2.sh was NOT available at the stated location, but I found it by cloning this repo: https://github.com/fastai/courses
I finally found the solution: Amazon changed the permissions screens when setting up the IAM (Identity Access Management) account. I solved it by creating a new security group with the "AdministratorAccess" permission, and adding that user to that group. Works now.