Error message "Not existing role" when creating activation on AWS - amazon-web-services

I'd like to install the AWS SSM agent on my server so it can be monitored by CloudWatch, and found that I have to create a managed-instance activation first, as described in this article: Create a Managed-Instance Activation for a Hybrid Environment.
It always shows an error message:
"Not existing role: arn:aws:iam::75....:role/service-role/AmazonEC2RunCommandRoleForManagedInstances".
It gives the same error even when I use my existing IAM role.
Is there anything I need to do before creating the activation? Or do I have to create a special role for this?

It's because this role didn't have "ssm.amazonaws.com" in its "Trust Relationship". After adding ssm to the trust relationship, it works. Refer to this.

If you ran the command line example, you can solve it by adding the IAM role parameter with "service-role" prepended, as follows:
--iam-role "service-role/AmazonEC2RunCommandRoleForManagedInstances"
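As an added illustration, not code from the question or the answers above: a plain-Python check on a constructed trust policy (AssumeRolePolicyDocument) of whether ssm.amazonaws.com is a trusted principal, which is the condition the first answer points at, plus the path-preserving --iam-role value the CLI answer describes. The sample documents and function names are my own assumptions.

```python
import json

# Constructed sample trust policies (AssumeRolePolicyDocument): the role as it
# might look before and after adding ssm.amazonaws.com, as the answer describes.
TRUST_EC2_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]})
TRUST_FIXED = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com", "ssm.amazonaws.com"]},
     "Action": "sts:AssumeRole"}]})

def trusted_services(trust_policy_json):
    """Service principals that an Allow/sts:AssumeRole statement lets assume the role.
    Handles Statement as object or list, Principal as "*" or object, Service as str or list."""
    doc = json.loads(trust_policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    services = set()
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # wide-open trust: record it as trusting every service
            services.add("*")
            continue
        svc = (principal or {}).get("Service", [])
        services.update([svc] if isinstance(svc, str) else svc)
    return services

def can_ssm_assume(trust_policy_json):
    """True when ssm.amazonaws.com may assume the role, the condition behind the error."""
    svcs = trusted_services(trust_policy_json)
    return "ssm.amazonaws.com" in svcs or "*" in svcs

def iam_role_param(role_arn):
    """Turn a role ARN into the value the --iam-role parameter expects: the role name
    with its path kept, e.g. 'service-role/AmazonEC2RunCommandRoleForManagedInstances'."""
    prefix, sep, name = role_arn.partition(":role/")
    if not sep or not prefix.startswith("arn:") or ":iam::" not in prefix:
        raise ValueError("not an IAM role ARN: %r" % role_arn)
    return name
```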

Related

Adding AWS GameLift policies for uploading new builds

I am trying to upload a new AWS GameLift Linux server using the AWS CLI but I get the following error:
An error occurred (AccessDeniedException) when calling the CreateBuild operation: User: arn:aws:iam::------:user/----- is not authorized to perform: gamelift:CreateBuild because no identity-based policy allows the gamelift:CreateBuild action
I added the arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy to my group permissions. I can see in the policy json that there isn't a CreateBuild action. It either needs to be added or you can't do it this way.
The AWS documentation is useless and on this page: https://docs.aws.amazon.com/gamelift/latest/developerguide/security_iam_troubleshoot.html#security_iam_troubleshoot-no-permissions
it helpfully advises: ... asks his administrator to update his policies
My user is the main root user for my AWS account but I have no idea how to resolve this. Any ideas?
I worked out how to create a new Policy and add the service permissions. You click on 'create policy' and then choose the 'GameLift' service. I added all the available actions. Seemed to do the trick.
Why did AWS miss this out of the documentation?

CodeBuild Error: Trusted Principals Don't Belong to the Service

I am trying to edit an existing CodeBuild project's source. I have added an Actor ID in the filter group. When I try to save, I receive:
The trusted principals don't belong to the service.
I have tried other changes as well - I always receive the same error. I am an admin with full access to the project. What am I missing?
I was seeing the same error, in my case unchecking the checkbox:
"Allow AWS CodeBuild to modify this service role so it can be used with this build project"
under "Service role permissions" allowed me to complete the edit from within the management console.
I ended up using the CLI. The command I used was aws codebuild update-webhook. It worked fine, don't know why it didn't using the console.

Reference existing IAM roles in terraform

How can I reference an existing IAM role in Terraform without getting the "Reference to undeclared resource" error message? There are some service roles that come "built-in" with every AWS environment (AWSBackupDefaultServiceRole) and thus should not be re-declared in Terraform. How do I attach policies and do more role operations on that role without declaring it?
Terraform may be complaining because the role does not exist yet. Some service-linked roles do not come with your account by default. Instead you have to trigger the creation of the role(s) or create it yourself.
"When using the AWS Backup console for the first time, you can choose to have AWS Backup create a default service role for you." [1]
"You must create the default role using the AWS Management Console. You cannot create the default role using the AWS Command Line Interface (AWS CLI)." [1]
[1] https://docs.aws.amazon.com/aws-backup/latest/devguide/iam-service-roles.html

Handle execution role to Setup SageMaker Domain (not root user)

I'm working on an AWS account managed by another team which uses it only for S3 storage. We have authorization to use SageMaker, and the administrator said "AmazonSageMakerFullAccess" has been given to me.
I'm trying to access SageMaker Studio, and for that I'm asked to "Setup SageMaker Domain" by AWS.
I then need a "Default execution role"
If I try to create one, I get the error "User ... is not authorized to perform: iam:CreateRole on resource: ..."
There is an option to use a custom existing one with the format
"arn:aws:iam::YourAccountID:role/yourRole"
but while I have an account Id, I don't know what role to use.
I don't have permission to create roles, and the ones I see in the IAM service don't seem to be related to SageMaker (also I don't have permission to see the details of those roles).
Should the SageMaker setup be done by the administrator who can create a new role? Or is there a way for me to do it, and if so, where can I find the role I need?
If you don't attach any role to AWS SageMaker, then when you try to create a SageMaker resource for the very first time it will create a default execution role for the service. Either get the permission to create a role, or ask your administrator to create an execution role for your SageMaker so that next time you create one you can use the same role.

Terraform to create ec2 instance error even though instance is created

I am having trouble creating ec2 instances with my IAM role.
The permissions I gave are:
List: DescribeInstances, DescribeKeyPairs
Read: DescribeTags
Tagging: CreateTags
Write: CreateKeyPair, DeleteKeyPair, ImportKeyPair, RunInstances, TerminateInstances
The error is
error while describing instance(...) attribute (instanceInitiatedShutdownBehaviour): UnnauthorizedOperation: You are no authorized to perform this operation.
However, on the AWS console, the ec2 instance is created. I am unable to terraform destroy it due to the same error.
It works if I give full ec2 access (ec2:*) so it has nothing to do with my terraform code.
Thank you.
I went through the same error and it is because of a lack of permissions. In the error:
error while describing instance(...) attribute (instanceInitiatedShutdownBehaviour): UnnauthorizedOperation: You are no authorized to perform this operation.
the UnnauthorizedOperation is trying to describe an instance attribute since you do not have the ec2:DescribeInstanceAttribute permission.
Depending on what your Terraform config looks like for the instances, you may require more permissions. You can enable debug logs in your apply command to get more information:
TF_LOG=DEBUG terraform apply
Use the visual policy editor to add permissions to your IAM role and look out for Action Warnings. It will tell you if you are missing any permissions required by the existing permissions.
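As an added example, not code from any of the posts above, serving both the GameLift question (gamelift:CreateBuild denied until a policy covering the GameLift actions was created) and this EC2 question (ec2:DescribeInstanceAttribute missing from an otherwise narrow policy): an offline, IAM-style action check over constructed identity policies that reports which required actions a policy does not allow, the same information the console's Action Warnings give, before terraform apply fails. Sample policies, the required-action list and the function names are my own assumptions.

```python
import fnmatch
import json

# Constructed samples: the narrow EC2 policy from the Terraform question above,
# and a policy like the one the GameLift answer created (all GameLift actions).
EC2_POLICY_BEFORE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "ec2:DescribeInstances", "ec2:DescribeKeyPairs", "ec2:DescribeTags",
        "ec2:CreateTags", "ec2:CreateKeyPair", "ec2:DeleteKeyPair",
        "ec2:ImportKeyPair", "ec2:RunInstances", "ec2:TerminateInstances"]}]})
GAMELIFT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": "gamelift:*"}]})

def statement_actions(policy_json):
    """Yield (Effect, action pattern) pairs from an identity policy. Statement and
    Action may each be a single value or a list; NotAction is not modelled here."""
    doc = json.loads(policy_json)
    stmts = doc.get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        acts = s.get("Action", [])
        for a in [acts] if isinstance(acts, str) else acts:
            yield s.get("Effect"), a

def action_allowed(policy_json, action):
    """IAM-style decision for one action, ignoring Resource and Condition: an
    explicit Deny wins, otherwise any matching Allow. IAM action names are
    case-insensitive and patterns may use * and ?, which fnmatch also understands."""
    effects = {eff for eff, pat in statement_actions(policy_json)
               if fnmatch.fnmatchcase(action.lower(), pat.lower())}
    return "Deny" not in effects and "Allow" in effects

def missing_actions(policy_json, required):
    """Required actions the policy does not allow: the equivalent of the console's
    Action Warnings, usable before terraform apply rather than after it fails."""
    return [a for a in required if not action_allowed(policy_json, a)]

# Constructed subset of the EC2 actions the question's Terraform run exercises;
# DescribeInstanceAttribute is the one the answer identifies as missing.
TERRAFORM_EC2_ACTIONS = ["ec2:RunInstances", "ec2:DescribeInstances",
                         "ec2:DescribeInstanceAttribute", "ec2:TerminateInstances"]
```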