I am getting following error when I am trying to import vhd file from s3 into EC2
I have following Policy attached to my profile:
IAMFullAccess
VMImportExportRoleForAWSConnector
AmazonEC2FullAccess
AmazonS3FullAccess
AmazonVPCFullAccess
IAMReadOnlyAccess
AmazonRoute53FullAccess
RegionRestrictions
And I have created trusted role as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "vmie.amazonaws.com" },
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals":{
"sts:Externalid": "amosvmimport"
}
}
}
]
}
And I have created trusted policy as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:FullAccess"
],
"Resource": [
"arn:aws:s3:::cloudforms.vhd"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::cloudforms.vhd/*"
]
},
{
"Effect": "Allow",
"Action":[
"ec2:ModifySnapshotAttribute",
"ec2:CopySnapshot",
"ec2:RegisterImage",
"ec2:Describe*",
"ec2:FullAccess"
],
"Resource": "*"
}
]
}
Following command run successfully:
aws iam create-role --role-name amosvmimport --assume-role-policy-document file://trust-policy.json
aws iam put-role-policy --role-name amosvmimport --policy-name amosvmimport --policy-document file://role-policy.json
But when I an trying to run:
aws ec2 import-image --disk-containers file://containers.json --region ap-south-1
it is giving me error as below:
An error occurred (UnauthorizedOperation) when calling the ImportImage operation: You are not authorized to perform this operation.
Could you please let me know if I am missing any policy for this operation?
Related
I'm trying to run this command on my AWS cli:
aws s3 ls s3://BUCKET_NAME
But it throws this error:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
Here are my authorizations, settings and steps I have tried:
I'm an IAM user with administrator privileges.
I've set this policy on my IAM account:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3permission",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
I've set this policy on the BUCKET_NAME.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3permission",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/MY_USERNAME"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKET_NAME",
"arn:aws:s3:::BUCKET_NAME/*"
]
}
]
}
I've run aws configure and configured my profile.
We're not using VPN.
But it doesn't work. What am I missing?
I am trying to assume a role (in Account B) from inside of an EKS Pod (in Account A). When running aws sts get-caller-identity from inside of the pod, I get:
/app # aws sts get-caller-identity
{
"UserId": "AROAXXXXXXXXXXXCQLF:botocore-session-1659114796",
"Account": "00ACCOUNTA00",
"Arn": "arn:aws:sts::00ACCOUNTA00:assumed-role/my-pod-role/botocore-session-1659114796"
}
The Trust Relationship configs I have tried in arn:aws:iam::00ACCOUNTB00:role/yolo-test-role (In Account B) which are not working:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::00ACCOUNTA00:role/my-pod-role"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
and
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::00ACCOUNTA00:root"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Condition": {
"StringLike": {
"aws:userId": "AROAXXXXXXXXXXXCQLF:*"
}
}
}
]
}
and
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "00ACCOUNTA00"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Condition": {
"StringLike": {
"aws:userId": "AROAXXXXXXXXXXXCQLF:*"
}
}
}
]
}
When I try to run a aws sts assume-role --role-arn 'arn:aws:iam::00ACCOUNTB00:role/yolo-test-role' --role-session-name metesting from the pod, I get:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::00ACCOUNTA00:assumed-role/my-pod-role/botocore-session-1659114796 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::00ACCOUNTB00:role/yolo-test-role
I've created a role with an attached Policy "AmazonSSMManagedInstanceCore":
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
}
]
}
And Trust relationships:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I've then attached the IAM role to the instance. When I start the SSM agent in the instance I get the following error:
2022-03-16 23:14:49 ERROR [HandleAwsError # awserr.go.49] [ssm-agent-worker] [MessageService] [MDSInteractor] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/SSMandCloudWatch/i-YYYYY is not authorized to perform: ec2messages:GetMessages on resource: arn:aws:ssm:eu-central-1:XXXX:* with an explicit deny in a service control policy
status code: 400, request id: zzzz
The call it's complaining about is explicitly allowed in the policy. I've tried restarting the agent but didn't make any difference.
AWS permission evaluation can be complex. I like this AWS diagram below, so it is a good one to follow to track down permissions issues.
So there are a few other things to check or be aware of that could still be limiting access.
I am a beginner studying AWS.
I'd like to give a role external account B so that It can access my account A.
I want to use Session Manager(System Manager) to record commands for external accounts.
My Account ID : A
External Account ID : B
So, In my Account A, I made ssm-accoutB-role.
connected policy is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": [
"arn:aws:ec2:REGION:ACCOUNT-ID_A:instance/*"
],
"Condition": {
"StringLike": {
"ssm:resourceTag/ssm": [
"true"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ssm:TerminateSession",
"ssm:ResumeSession"
],
"Resource": [
"arn:aws:ssm:*:*:session/${aws:username}-*"
]
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"*"
]
}
]
}
and set the trust relationship with AccountB
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-ID_B:user/IAM-USER"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
and I attached Role for AmazonSSMManagedInstanceCore policy with Instance.
Using AWS-CLI, I send commands aws sts get-caller-identity, and export AWS_ACCESS_KEY_ID and so on...
success to assume Role.
and aws ssm start-session \ --target instance-id
// This instance in private subnet connected NAT Gateway
It appears error "An error occurred (AccessDeniedException) when calling the TerminateSession operation: User~~"
How to set the IAM ROLE for ssm...
Please help me!
What I Want To Achieve
I am trying to grant an IAM user with a REST API token permission to described environment health on a specific elastic beanstalk application via the AWS CLI.
The Problem
When I run with the CLI command:
aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile
I get the error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation: User: arn:aws:iam::myaccountid:user/myuser is not authorized to perform: elasticbeanstalk:DescribeEnvironmentHealth
with the --debug flag I can see a HTTP 403 response.
Extra Details
The IAM policy has the action "elasticbeanstalk:DescribeEnvironmentHealth" on the resource:
"arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"
I have double checked the account id, app and env name.
I can perform other actions just fine such as DescribeEnvironments when I add this action instead.
I have verified on the particular resource ARN with this policy using the IAM simulator when selecting the user and it says access is granted.
The version of the CLI is aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
As a test I temporarily relaxed the policy to have the action elasticbeanstalk:* and it still doesn't work.
Questions
How can I further debug this issue?
Why does the IAM policy simulator say the policy does grant access but access is denied viu the CLI?
Full Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1455880772092",
"Action": [
"ec2:*",
"s3:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*",
"rds:*",
"cloudformation:*",
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
"arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
]
},
{
"Sid": "Stmt1455891876139",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucket",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:Get*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
}
]
}
For some reason elasticbeanstalk:DescribeEnvironmentHealth worked for me only with "Resource": "*".
So I've separated write/read permissions, allowing "Resource": "*" only for read. Here is my full policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:UpdateEnvironment"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
"arn:aws:elasticbeanstalk:*:*:environment/*/*",
"arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:ListPlatformVersions",
"elasticbeanstalk:DescribeEnvironmentManagedActions",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:DescribeInstancesHealth",
"elasticbeanstalk:DescribeEnvironmentHealth",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:RetrieveEnvironmentInfo"
],
"Resource": "*"
}
]
}