AWS API Gateway. Update existing API from github. add new route - amazon-web-services

I am going to Update existing Api gateway through aws cli commands (https://docs.aws.amazon.com/cli/latest/reference/apigateway/put-rest-api.html) from AWS CodePipeline and meet problem that CodeBuild has
An error occurred (AccessDeniedException) when calling the GetRestApis operation: User: arn:aws:sts:<skipped_text> is not authorized to perform: apigateway:GET on resource: arn:aws:apigateway:us-west-2::/restapis
Is it possible to update Api gateway through code using CodePipeline and aws cli?
Or What do you use as a tool for updating apigateway?

Make sure to add following policy to the IAM user in order to allow admin access (CREATE, READ, UPDATE, DELETE) to API gateway,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": "arn:aws:apigateway:*::/*"
}
]
}
which also exists under amazon managed policies, AmazonAPIGatewayAdministrator,

1) Please check your credential working properly or not ,It appears that the credentials used in your AWS SDK do not have valid permissions on the API Gateway API.
You will need to define a policy for the user/role similar to below.
http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
2) When using CloudFormation with CodePipeline, need to create a role that can be assumed by CloudFormation,CodePipeline moves releases through a pipeline using the role you specify for a pipeline. CloudFormation needs permission to assume a separate role that you create for the CloudFormation action (it's not enough to create a role with permission to access other resources).
References
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline-basic-walkthrough.html
https://s3.amazonaws.com/cloudformation-examples/user-guide/continuous-deployment/basic-pipeline.yml
aws forums

Related

AWS MSK Connectors for Debezium IAM Role Problem

I want creat a connector for Debezium. I am unable to create a kafka connector using the AWSServiceRoleForKafkaConnect role. Here is the error I get when clicking Create Connector on the last page in the form:
Error creating connector There was a problem creating a connector. If the problem persists, contact AWS Support. API response Invalid parameter serviceExecutionRoleArn: A service linked role ARN cannot be provided as service execution role ARN.
Here is the document which I am following:
https://aws.amazon.com/tr/blogs/aws/introducing-amazon-msk-connect-stream-data-to-and-from-your-apache-kafka-clusters-using-managed-connectors/
How Can I fix this problem ? Thanks!
I'm having the same issue in the last few days. I have created Kafka connectors in early Jan and December with no issues using the provided AWSServiceRoleForKafkaConnect role.
I tried creating the new connectors with the same config on the same cluster using the same role that worked before and now I'm also getting the same error:
Invalid parameter serviceExecutionRoleArn: A service linked role ARN cannot be provided as service execution role ARN.
I think this may be due to an update on the AWS side.
Update from AWS****
Hi there, there were some recent changes made to the use of Service Linked Roles (SLR) as an execution role for Amazon MSK Connect Connectors. SLRs are no longer allowed to be used as the execution role. This may not affect Connectors which do not interact with Amazon MSK clusters or other resources using IAM authentication, but will affect any interaction with IAM controlled resources. It is recommend that all connector execution roles use customer managed roles with Trust Relationships including kafkaconnect.amazonaws.com. See the documentation on Service Execution Roles (1) for more details.
Currently the console allows the selection of an SLR (AWSServiceRoleForKafkaConnect) as the execution role, this will be removed in future updates and should not be used when creating connectors.
(1) https://docs.aws.amazon.com/msk/latest/developerguide/msk-connect-service-execution-role.html
I had a similar problem while creating MSK Connector to S3 bucket. You can solve it using instructions from this tutorial:
https://docs.aws.amazon.com/msk/latest/developerguide/mkc-tutorial-setup.html
You have to create new IAM Role and edit Trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "kafkaconnect.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}

AccessDeniedException on sagemaker:CreateDomain in AWS SageMaker Studio, despite having SageMakerFullAccess

I am trying to use the AWS SageMaker Studio > Get Started > Quick Start, as an IAM user with the AmazonSageMakerFullAccess policy attached, but I am getting the following error:
User: arn:aws:iam::<user-id>:user/<username> is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-west-1:<user-id>:domain/d-<domain-id>
I looked up some documentation on the CreateDomain command, and it looks like it involves EFS storage and VPC configuration, so I have also added the FullAccess policies for these services to my IAM user, but am still getting the same error.
I also tried adding a custom policy as shown here: https://docs.aws.amazon.com/sagemaker/latest/dg/sagemaker-roles.html#sagemaker-roles-createdomain-perms which also seemed to have no effect.
What am I doing wrong here?
AmazonSageMakerFullAccess policy gives the user access to perform actions such as start training jobs, deploy endpoints, along with limited access on other services such as ECR, Glue etc. This is generally attached to a SageMaker notebook instance or Studio.
The user creating the SageMaker domain needs sagemaker:CreateDomain permission, i.e., to your IAM user, add:
{
"Sid": "AllowCreateDomain",
"Effect": "Allow",
"Action": "sagemaker:CreateDomain",
"Resource": "*"
}
I work at AWS and my opinions are my own.

AWS secretsmanager, lambda, access denied even with admin permissions

I am stuck configuring my AWS Lambda to access a secret. I have done it many times, all the existing resources works properly, but now a new one does not want to.
Stack:
I have a secret in secretsmanager and a lambda (in vpc)
What I want: read the secret from lambda.
Role of the lambda has the following policy:
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:xxxxxxxxxxxx",
"Effect": "Allow"
}
]
}
But even if I give full admin permission for this role, I am not allowed to read the secret from lambda. I get the following error message:
User: arn:aws:sts::xxxxxxxxx:assumed-role/xxxxxxx/yyyyyyyy is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:xxxxxxxxxxxx
I have other lambdas that work, but it is a bit terrifying that re-deploying my cloudformation stack could break the whole application due to this.
I assume there was some change at AWS side, existing resources got changed to be compatible, but now I am not able to access any new or already existing secrets, even if I can see at the lambda configuration that I have permission.
Does anyone have any idea what is missing? Thanks!
Turned out that I missed one place to check. When I dig deeper, I found that this whole thing happens only when the Lambda is tied to a VPC, but removing the VPC config made it work.
For me the missing piece was the endpoint policy for the secretsmanager (that allows me to access secretsmanager from VPC)

AWS IAM Role permission issue

We have just built a new Things Enterprise server hosted at AWS on an EC2 instance and created an application to use AWS IOT. We are getting the following error
“message”: “User: arn:aws:sts::446971925991:assumed-role/Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ/i-095895d605fab3fa4 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93”
I have been told
What is the execution role of the TTES instance that is trying to assume the role? The role TTES needs to be able to assume that role. That will give the right permissions.
But I'm not sure what that means, i'm presuming i need to add / alter some permissions within an IAM role. Can someone point me in the right direction Pls.
From the error message it seems that your IAM role for Amazon EC2 has no permissions to assume a role Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93.
To add such permissions manually you can do the following:
Go to IAM Console->Roles.
In the Roles window, you can use Search bar to locate Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ role.
Once you find the role, you click on Add inline policy.
Once Create policy window shows, you can go to JSON tab and add the following JSON policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93"
}
]
}
Then click Review Policy, name the policy (e.g. PolicyToAssumeRole) and Create policy
However, based on your policy names (e.g. Stack-Srv-StackIAMRole) it is possible that they have been create by CloudFormation. If this is the case, then manually changing the roles as described above is a bad practice and will lead to drift. Any changes to resources created by CloudFormation should be done using CloudFormation. Sadly, your question does not provide any details about CloudFormation templates used, therefore its difficult to comment on that more.

Issue binding API Gateway to DynamoDB

I'm trying to create a simple ApiGateway on top of a DynamoDB to add a endpoint for users to access the data trough this.
Integration type AWS Service
AWS Region eu-west-1
AWS Service DynamoDB
AWS Subdomain
HTTP method GET
Action ListResources
Execution role [iam arn]
Credentials cache Do not add caller credentials to cache key
Content Handling Passthrough
When I click the test Button i get :
Execution failed due to configuration error: API Gateway does not have permission to assume the provided role
Checked here and there but have no clue on the problem. I tried changing the permissions of the IAM user and gave him all Dynamo and APIGateway rights, but no change.
It seems the issue is linked to the fact that I used a IAM user instead of an IAM Role. I'll leave that here, maybe that will help.
First, update the execution role to use a role rather than an IAM user. Then, ensure that the role has permissions for all of the DynamoDB operations and resources that you want to access. Finally, grant API Gateway permissions to assume that role by adding an IAM trust policy as shown below.
From section "API Gateway Permissions Model for Invoking an API" on documentation page here
When an API is integrated with an AWS service (for example, AWS Lambda) in the back end, API Gateway must also have permissions to access integrated AWS resources (for example, invoking a Lambda function) on behalf of the API caller. To grant these permissions, create an IAM role of the Amazon API Gateway type. This role contains the following IAM trust policy that declares API Gateway as a trusted entity that is permitted to assume the role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}