AccessDeniedException on CloudWatchEvents.putRule() - amazon-web-services

What is the right policy I have to attach to an IAM user to use CloudWatchEvents.putRule()?
I tried CloudWatchFullAccess and CloudWatchEventsFullAccess; both give me an AccessDeniedException for my webclient.

Just ran into this. If your policy does not have a region set for the arn allowing PutRule, you will get this 400 Access Exception. Set region to '*' or your specific region.
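To show why the region field matters, here is an added example (not from the answer above) that applies IAM-style wildcard matching to an events:PutRule statement. The rule ARN, account ID and the two statements are constructed; the matcher is a deliberate simplification that ignores Deny, NotAction/NotResource and Condition.

```python
import re

def arn_pattern_matches(pattern, value):
    """IAM wildcard matching: '*' matches any run of characters (':' and '/'
    included), '?' matches exactly one, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def statement_allows(statement, action, resource_arn):
    """True when a single Allow statement covers both the action and the
    resource ARN. Simplified on purpose: Deny, NotAction, NotResource and
    Condition are ignored; action names compare case-insensitively."""
    if statement.get("Effect") != "Allow":
        return False
    actions = statement.get("Action", [])
    resources = statement.get("Resource", [])
    actions = actions if isinstance(actions, list) else [actions]
    resources = resources if isinstance(resources, list) else [resources]
    return (any(arn_pattern_matches(a.lower(), action.lower()) for a in actions)
            and any(arn_pattern_matches(r, resource_arn) for r in resources))

# Constructed: the ARN of the rule that PutRule would create in us-east-1.
RULE_ARN = "arn:aws:events:us-east-1:123456789012:rule/nightly-export"

# Region field left empty (two adjacent colons): never matches a real rule ARN.
BROKEN = {"Effect": "Allow", "Action": "events:PutRule",
          "Resource": "arn:aws:events::123456789012:rule/*"}
# Region set to '*' (or to the specific region): matches.
FIXED = {"Effect": "Allow", "Action": "events:PutRule",
         "Resource": "arn:aws:events:*:123456789012:rule/*"}

if __name__ == "__main__":
    for name, stmt in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, statement_allows(stmt, "events:PutRule", RULE_ARN))
```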

Related

How to use iam role when creating aws eks cluster with terraform?

I am trying to create aws eks cluster with terraform. I want to use an existing iam role. I won't be creating a new role. I tried this.
module "eks" {
  ...
  iam_role_arn = "arn:aws:iam::11111111:role/cluster-role"
  ...
}
But I get 403 permission denied. How can I do this? Thanks.
Edit: added error.
failed creating IAM Role (green-eks-node-group): AccessDenied: User: arn:aws:iam::*******:user/****** is not authorized to perform: iam:TagRole on resource: arn:aws:iam::*******:role/green-eks-node
First for good measure: Please do not post pictures here of either code or error messages. Just copy paste the stuff and format it.
That said: I think the error tells you exactly what is wrong (or at least what the first error is, because in my experience it takes a few iterations of this to get your IAM permissions straight).
The role that you use to execute terraform does not have the permission:
iam:TagRole
on the resource:
arn:aws:iam:xxxxxxxxxxx:role/eks-cluster
So you will need to add it to its policy.

AWS DMS - Error - "AWS Account owning the Role must match the caller of the API"

I am trying to create a destination in AWS DMS for an S3 and I am getting this message "AWS Account owning the Role must match the caller of the API", I searched for this error and could not find what it refers to. Any idea what I have to do?
Double check if you have the correct service_access_role_arn set.
I got this error too, and the mistake I made was to add the S3 bucket ARN into the Service Role ARN rather than the IAM role ARN. See the AWS docs below to create a policy, attach it to a role, and use the role ARN. This worked for me.
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-dms-target/#:~:text=1.%20Open%20the%20AWS%20DMS%20console%2C%20and%20then,copied%20into%20the%20Service%20Access%20Role%20ARN%20field

How do I get permissions attached with AWS policies

Is there any way to get the AWS permissions attached with a policy?
Currently, I am getting a list of attached policies through boto3 "list_policies."
My target is to get permissions attached with each policy.
Using boto3 you can get access to the policy document, which you can parse to get the permissions.
So, iterate the list_policies response and call get_policy_version with the Arn and DefaultVersionId to get the policy document.
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.list_policies
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.get_policy_version

IAM SDK AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity;

import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient;
import com.amazonaws.services.identitymanagement.model.GetRolePolicyRequest;
import com.amazonaws.services.identitymanagement.model.GetRolePolicyResult;
import com.amazonaws.services.identitymanagement.model.GetRoleRequest;
import com.amazonaws.services.identitymanagement.model.GetRoleResult;

AmazonIdentityManagementClient identityManagementClient = new AmazonIdentityManagementClient();
System.out.println("This is the role");
// Looks the role up by name; this call succeeds.
GetRoleResult roleResult = identityManagementClient.getRole(new GetRoleRequest().withRoleName("myRole"));
System.out.println(roleResult.getRole().toString());
System.out.println("This is the Policy");
// getRolePolicy only reads inline policies embedded in the role; AmazonS3FullAccess is an
// attached managed policy, so this is the call that throws NoSuchEntity.
GetRolePolicyResult rolePolicyResult = identityManagementClient.getRolePolicy(new GetRolePolicyRequest()
        .withRoleName("myRole").withPolicyName("AmazonS3FullAccess"));
System.out.println(rolePolicyResult.getPolicyDocument());
System.out.println(rolePolicyResult.getPolicyName());
I have attached an IAM role, myRole, to my instance. I have attached the AmazonS3FullAccess policy to myRole. I am using the above code to fetch the policies associated with myRole using the SDK, but I am facing a NoSuchEntity exception when I try to fetch the policy. I am able to get the role name, and my output is myRole, but I am facing an error when I try to fetch the policy details.
I don't know why.
What am I doing wrong here?
I only managed to get the policy document in an alternative way (AWS Java SDK v.1x) - by using getPolicyVersion method of the AmazonIdentityManagementClient.
The GetPolicyVersionRequest for this takes the policyArn (which you can get from the policy details of the listAttachedRolePolicies result for your role name) and the versionId, which comes from calling getDefaultVersionId() on the policy returned by the AmazonIdentityManagementClient's getPolicy for your policyArn.
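The same flow in Python with boto3, covering both this answer and the earlier boto3 answer ("How do I get permissions attached with AWS policies"): list_policies or list_attached_role_policies, then get_policy_version on the default version, then parse the document. This is an added example, not code from either answer; the iam argument is assumed to be boto3.client("iam"), and SAMPLE_DOCUMENT (including its bucket name) is constructed.

```python
import json
from urllib.parse import unquote

def _as_list(value):
    """Statement, Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def parse_policy_document(document):
    """Flatten a policy document into (Effect, Action, Resource) triples.
    boto3 already decodes Document to a dict; the raw API's URL-encoded JSON
    string is handled too. NotAction/NotResource statements give no rows."""
    if isinstance(document, str):
        document = json.loads(unquote(document))
    triples = []
    for stmt in _as_list(document.get("Statement")):
        for action in _as_list(stmt.get("Action")):
            for resource in _as_list(stmt.get("Resource")):
                triples.append((stmt.get("Effect", "Deny"), action, resource))
    return triples

def permissions_for_managed_policies(iam, policies):
    """policies: Policies from list_policies (or Policy from get_policy);
    each carries Arn and DefaultVersionId, so one get_policy_version each."""
    result = {}
    for policy in policies:
        version = iam.get_policy_version(PolicyArn=policy["Arn"],
                                         VersionId=policy["DefaultVersionId"])
        result[policy["PolicyName"]] = parse_policy_document(
            version["PolicyVersion"]["Document"])
    return result

def permissions_for_role(iam, role_name):
    """Managed policies attached to a role: list_attached_role_policies returns
    only ARNs, so get_policy supplies DefaultVersionId (get_role_policy reads
    inline policies only). Single page assumed; paginate in real use."""
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    policies = [iam.get_policy(PolicyArn=a["PolicyArn"])["Policy"] for a in attached]
    return permissions_for_managed_policies(iam, policies)

# Constructed sample, shaped like the Document that get_policy_version returns.
SAMPLE_DOCUMENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}

if __name__ == "__main__":
    for triple in parse_policy_document(SAMPLE_DOCUMENT):
        print(*triple)
```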

AWS IAM Policy and Amazon API Gateway say two different things

I have the policy AmazonAPIGatewayInvokeFullAccess,
and the user is associated with this policy, but when I simulate the action to invoke the API it says access denied. Can anyone help me understand what the problem is here?
The IAM policy simulator covers resource based permissions. Please make sure that you specify a resource ARN to test against since this is '*' by default (which doesn't work with API Gateway). You can enter the resource ARN by clicking on that service row.
Please use the following format for your resource ARN:
arn:aws:execute-api:us-west-1:YOUR-ACCOUNT:YOUR-REST-API-ID/YOUR-STAGE/GET/YOUR-RESOURCE-PATH
Hope this helps,
Jurgen, API Gateway