No permission to assume role when auto deploying dax - amazon-web-services

I am attempting to auto-deploy DAX for DynamoDB, but keep getting the following error from both python and CLI:
An error occurred (InvalidParameterValueException) when calling the CreateCluster operation: No permission to assume role: arn:aws:iam::xxxxxxxxxxxx:role/service-role/230e772f-DAXServiceRole
The CLI command i use is:
aws dax create-cluster --region some.region --cluster-name some.dax_name --node-type some.node_type --replication-factor 1 --subnet-group-name some.subnet_group_name --security-group-ids some.security_group_id --iam-role-arn some.iam_role_arn
Running this directly from the cli, works fine, running it manually through console also works fine. Anyone else had this issue?

OK, looks like my script was attempting to create the DAX cluster too soon after it created the role. This caused it to not be able to find it. I added time between and it was able to find the role.

The IAM role needs to be created with service or else you will face the same error, for example I have created role with below policy and I faced the same issue.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "some role arn"
},
"Action": "sts:AssumeRole"
}
]
}
Basically the above policy will add trust entities under Principal.
Dax IAM role need to create with below policy method to avoid above error.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "dax.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
For more details please check aws doc https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.create-cluster.cli.create-service-role.html

Related

Cannot access s3 from application running on EKS EC2 instance, IAM assume role permissions issue

NOTE: similar question asked here, but no proper solution provided.
I setted up an EKS cluster via eksctl tool with single EC2 node. Deploy a Pod inside the EC2 node, this Pod writes the logs into s3 bucket. All worked fine when I used IAM user with key and secret. But now I want this Pod to use IAM Role instead. This Pod uses a newly created role with AmazonS3FullAccess permissions named prod-airflow-logs. According to the Docs, I also added "ec2.amazonaws.com" in this role's trust Relationship as follows;
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"s3.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
EC2 Node has its own Role named eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA. If I understand correct, this role has to assume role prod-airflow-logs in order to allow container Pod to access and store logs in s3. According to the same Docs, I attached an in-line policy in this Node Role as follows;
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole",
"ec2:*",
"iam:ListInstanceProfiles",
"iam:GetRolePolicy"
],
"Resource": "*"
}
]
}
But I still get following error in kubernetes pod when it tried to store logs on s3;
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::XXXXXXX:assumed-role/eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA/i-0254e5b5b36e58f79 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXX:role/prod-airflow-logs
The only thing I don't understand from this error is, which user is it referring to ?
Where on earth is this user User: arn:aws:sts::XXXXXXX:assumed-role/eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA/i-0254e5b5b36e58f79 ? Would appreciate if someone could point out what exactly I am missing here.
No answer yet... Here is how I made this work, I had to add the arn of Node Role into the trust policy of Pod Execution role.
In my case, the Pod execution role is prod-airflow-logs and the Node Role is eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA.
The trust relationship of Pod execution has to be as follows;
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXXX:role/eksctl-prod-eks-nod-NodeInstanceRole-D4JQ2Q6D9GDA"
},
"Action": "sts:AssumeRole"
}
]
}

AWS DMS - Database Migration Service SYSTEM ERROR MESSAGE:The IAM Role arn:aws:iam::<account_id>:role/dms-vpc-role is not configured properly

I am trying to create a a DMS (Database Migration Service) Instance but I am getting the following error:
SYSTEM ERROR MESSAGE:The IAM Role arn:aws:iam::<account_id>:role/dms-vpc-role is not configured properly
What role should I create and to what I should assign it to?
Seems like they changed the IAM roles, if anyone is trying to do this now, the simplest solution is to create a replication instance in the AWS console and the dms-vpc-role will be automatically created.
Then you can delete that 'temporal' instance and run the cloudformation/aws cli to create the instance that you want.
If you want to create the role by hand, the policy attached has to be AmazonDMSVPCManagementRole
And contains the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute"
],
"Resource": "*"
}
]
}
You will need to allow DMS to assume a role:
create a file dmsAssumeRolePolicyDocument.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "dms.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Create the Role:
aws iam create-role --role-name dms-vpc-role --assume-role-policy-document file:///tmp/dmsAssumeRolePolicyDocument.json
Attach the role:
aws iam attach-role-policy --role-name dms-vpc-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
Now you can go ahead and create the DMS instance in the console or using the awscli

Simple IAM Issue with CodeDeploy

I'm having an issue with a seemingly trivial task of getting CodeDeploy to deploy Github code to an AutoScaling Group in a Blue/Green Deployment.
I have a Pipeline setup, a Deployment Group setup, and the AutoScaling Group, but it fails when it gets to the actual deployment:
I went to my role and it seems like it has sufficient policies for it to go through with the blue/green deployment:
Is there a policy that I'm not considering that needs to be attached to this role?
I found the answer in this link:
https://h2ik.co/2019/02/28/aws-codedeploy-blue-green/
Without wanting to take the credit, only one statement was missing from #PeskyGnat :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:PassRole",
"ec2:CreateTags",
"ec2:RunInstances"
],
"Resource": "*"
}
]
}
I was also getting the error:
"The IAM role does not give you permission to perform operations in the following AWS service: AmazonAutoScaling. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies."
I figured out the 2 permissions needed to get past this error, I created the policy below and attached it to the Code Deploy role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PassRole",
"ec2:RunInstances",
"ec2:CreateTags"
],
"Resource": "*"
}
]
}

API Gateway does not have permission to assume the provided role DynamoDB

I'm trying to follow this tutorial, but when I try to test the API I've created, I get the following message:
API Gateway does not have permission to assume the provided role
The API request should be posting to a DynamoDB table I've created.
I've created an IAM Role and attached the policy AmazonDynamoDBFullAccess. I've also tried attaching this policy to my administrator user.
Here is the integration request in my API:
Any help is much appreciated.
Below worked for me
Go to IAM > Roles > whateverRole > Trust Relationships > Edit Trust Relationship and add apigateway under Statements
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Assisted by this guy https://histerr.blogspot.com/2016/06/api-gateway-does-not-have-permission-to.html?showComment=1549214559316#c3046645274286738526
The ARN you have provided for the IAM Role is a policy. It needs to be a role. Please go to your generated role and update your ARN to that. It should look something like this *:role/AmazonDynamoDBFullAccess-201709151726

Service Role ARN blank in CodeDeploy

I am trying to setup the CodeDeploy service with one of my ec2 instances. On the form to do this, everything works properly until I reach the "Service Role" section.
This field does not display any possible ARNs.
This is what I see:
I created an IAM user and gave them Admin privileges and pasted their ARN into this field and got the error message
Cannot assume role provided.
Does anyone know the reason this is happening?
I had to add "codedeploy.amazonaws.com" to the Role Trust Relationships:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"codedeploy.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
You skipped step 3 in the Getting Started guide: Create a Service Role.