AWS docker container is not inheriting the host instance role - amazon-web-services

I am trying to access an S3 bucket from a Camel router running in a Docker container deployed in ECS.
The host EC2 instance has IAM policies which provide access to the S3 bucket, and I have verified this by running a standalone router directly on EC2. But when I tried the program inside a container it throws an exception stating "Access Denied" to the S3 bucket.
After this, I tried providing a Task IAM Role by adding TaskRoleArn in my CloudFormation, but that didn't help; still the same exception.
Not sure if I am missing anything here. Any suggestions?
[Edit, adding the IAM policy here]
This is my IAM policy for host, similar one I created for Task Role as well with the trust relationship to ‘ecs-tasks.amazonaws.com’
EC2Role:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
              - ecs.amazonaws.com
          Action:
            - sts:AssumeRole
    Path: /Developer/
    Policies:
      - PolicyName: ecs-service
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - logs:CreateLogStream
                - logs:CreateLogGroup
                - logs:DescribeLogGroups
                - logs:DescribeLogStreams
                - logs:PutLogEvents
                - logs:GetLogEvents
                - logs:FilterLogEvents
              Resource: '*'
      - PolicyName: ep-bucket-policy
        PolicyDocument:
          Statement:
            - Sid: bucket1
              Effect: Allow
              Action:
                - s3:GetObject
                - s3:GetObjectAcl
                - s3:AbortMultipartUpload
                - s3:GetObjectTagging
                - s3:DeleteObject
                - s3:ListMultipartUploadParts
              # a bare * is a YAML alias, so the wildcard has to be quoted
              Resource: '*'
            - Sid: bucket2
              Effect: Allow
              Action: s3:ListObjects
              Resource: "*"
      - PolicyName: ep-ecr-policy
        PolicyDocument:
          Statement:
            - Sid: ecr1
              Effect: Allow
              Action:
                - ecr:BatchCheckLayerAvailability
                - ecr:GetDownloadUrlForLayer
                - ecr:GetRepositoryPolicy
                - ecr:DescribeRepositories
                - ecr:ListImages
                - ecr:BatchGetImage
              Resource:
                - !Sub 'arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/*'
            - Sid: ecr2
              Effect: Allow
              Action:
                - ecr:GetAuthorizationToken
              Resource: '*'
      - PolicyName: ep-ecs-policy
        PolicyDocument:
          Statement:
            - Sid: ecs1
              Effect: Allow
              Action:
                - ecs:SubmitTaskStateChange
                - ecs:RegisterContainerInstance
                - ecs:SubmitContainerStateChange
                - ecs:DeregisterContainerInstance
              Resource: !Sub 'arn:aws:ecs:${AWS::Region}:${AWS::AccountId}:cluster/Custom-*'
            - Sid: ecs2
              Effect: Allow
              Action:
                - ecs:Poll
                - ecs:DiscoverPollEndpoint
                - ecs:StartTelemetrySession
                - ecs:CreateCluster
              Resource: "*"
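An "Access Denied" (as opposed to "unable to locate credentials") means the SDK did find some credentials; the open question is which principal they belong to. On ECS the agent hands a task role to the container through the `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` environment variable and the link-local endpoint 169.254.170.2; when that variable is absent, the SDK falls through to the instance metadata service and the container calls AWS as the host instance role. The script below is an added example, not code from the question or from Camel: it reproduces that provider order as a pure function (profile files and assume-role configuration are left out on purpose) and, when boto3 is available, asks STS for the caller's ARN so you can see whether the task role or the instance role is actually in use. If the Camel S3 route is configured with explicit access keys instead of the default credential provider, neither role is consulted at all, which is worth checking first.

```python
"""Which credentials will an AWS SDK client inside this container actually use?

Added example (not code from the original post). It reproduces the order of the
credential providers that boto3 and the other AWS SDKs consult, reduced to the three
sources that matter on ECS: explicit keys in the environment, the task-role endpoint
the ECS agent exposes, and the EC2 instance metadata service (the host instance role).
Profile files and assume-role configuration are deliberately left out.
"""
import os

# Link-local endpoint the ECS agent serves task-role credentials from.
ECS_CREDENTIALS_HOST = "http://169.254.170.2"
# EC2 instance metadata service; this is where the host instance role comes from.
IMDS_CREDENTIALS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"


def credential_source(env):
    """Return (source, detail) for the first provider in the chain that would supply
    credentials. `env` is any mapping (os.environ, or a plain dict for testing)."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment", "static keys in AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY"
    relative = env.get("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI")
    if relative:
        # Set by the ECS agent only when the task definition carries a task role.
        return "ecs-task-role", ECS_CREDENTIALS_HOST + relative
    full = env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI")
    if full:
        return "ecs-task-role", full
    # Nothing container-specific: the SDK falls through to the instance metadata
    # service and the container ends up calling AWS as the host instance role.
    return "instance-metadata", IMDS_CREDENTIALS_URL


def caller_identity():
    """Ask STS which principal the SDK resolved to. The returned ARN tells you whether
    the call is made as the task role or the instance role. Returns None when boto3
    is not installed or the call cannot be made (no network, no region, no creds)."""
    try:
        import boto3
        return boto3.client("sts").get_caller_identity()["Arn"]
    except Exception:
        return None


if __name__ == "__main__":
    source, detail = credential_source(os.environ)
    print(f"credential source: {source} ({detail})")
    print(f"caller identity:   {caller_identity()}")
```

Run it inside the container (for example as a one-off `docker exec`). A caller ARN of the form `arn:aws:sts::<account>:assumed-role/<TaskRole>/<task-id>` confirms the task role is in effect; an ARN naming the instance role means the task role never reached the container and the instance profile's policy is what is being evaluated.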

Related

DAX: "Client does not have permission to invoke BatchGetItem" even though IAM roles are set to full access

I have some DynamoDB tables, and a DAX cluster sitting above them to cache queries and results. It works great except when I use BatchGetItem.
[ERROR] DaxServiceError: An error occurred (Unknown) when calling the BatchGetItem operation: Client does not have permission to invoke BatchGetItem
I have granted both the Lambda and the cluster an IAM role with a wildcard, i.e.:
dynamodb:*
dax:*
Previously I tried setting these to the specific permission:
dax:BatchGetItem
But neither makes a difference.
Googling returns ZERO results for "Client does not have permission to invoke BatchGetItem"
https://www.google.com/search?q=%22Client+does+not+have+permission+to+invoke+BatchGetItem%22&rlz=1C1YTUH_en-GBGB1008GB1008&oq=%22Client+does+not+have+permission+to+invoke+BatchGetItem%22&aqs=chrome..69i57.2944j0j7&sourceid=chrome&ie=UTF-8
In general there seems to be very little around about DAX. I haven't seen anything yet to imply this feature is not supported by AWS. In fact, if there is a permission for it, then it must be implemented in some capacity.
I'm quite stumped and would be ever grateful to anyone who has any ideas.
[EDIT] Here is the IAM definition:
DynamoDAXCacheClusterIamRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - dax.amazonaws.com
      Version: '2012-10-17'
    RoleName: ${file(env.yml):${opt:stage}.DAX_CLUSTER_ROLE}
    Policies:
      -
        PolicyName: ${file(env.yml):${opt:stage}.DAX_POLICY_NAME}-dax
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Resource: '*'
              Action:
                - 'dax:*'
      -
        PolicyName: ${file(env.yml):${opt:stage}.DAX_POLICY_NAME}-dynamo
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Resource: '*'
              Action:
                - 'dynamodb:*'
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
I know it's probably too open but this is just whilst I work out the issue
[EDIT2] Here is the policy that the Lambdas have:
- Effect: Allow
  Action:
    - dynamodb:DescribeTable
    - dynamodb:Query
    - dynamodb:Scan
    - dynamodb:GetItem
    - dynamodb:PutItem
    - dynamodb:UpdateItem
    - dynamodb:DeleteItem
    - dynamodb:BatchGetItem
  Resource: "arn:aws:dynamodb:us-east-1:*:*"
- Effect: Allow
  Action:
    - sqs:SendMessage
    - sqs:PurgeQueue
    - sqs:ListQueues
  Resource: "arn:aws:sqs:us-east-1:*:*"
- Effect: "Allow"
  Action:
    - "execute-api:Invoke"
  Resource: ["arn:aws:execute-api:*:*:**/#connections/*"]
- Effect: "Allow"
  Resource: "arn:aws:sns:us-east-1:*:*"
  Action:
    - "sns:*"
- Effect: Allow
  Resource: "arn:aws:ses:us-east-1:*:*/*"
  Action:
    - SES:SendEmail
    - SES:SendRawEmail
    - SES:SendTemplatedEmail
    - SES:SendBulkTemplatedEmail
    - SES:UpdateEmailTemplate
    - SES:UpdateTemplate
- Effect: Allow
  Resource: "arn:aws:dax:us-east-1:*:*/*"
  Action:
    - 'dax:*'
I am a complete duff.
There were two stacks sharing the same DAX and one was missing the permission.

How can I add more policies to my Lambda if there is a Statement?

I added this under Properties:
Statement:
  - Effect: Allow
    Action:
      - 'ses:SendEmail'
      - 'ses:SendRawEmail'
    Resource: '*'
It works, but I also want to add AWSLambdaBasicExecutionRole, and I get an error if I add it under Policies at the same level as Statement, before or after.
Is there a way to have both?
Here is an example of an IAM role that includes specific SES permissions and also leverages the AWSLambdaBasicExecutionRole managed policy.
MyLambdaRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
    # AWS-managed policies are attached here, by ARN
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    # inline policies live under Policies, each with its own PolicyDocument
    Policies:
      - PolicyName: ses-access
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - ses:SendEmail
                - ses:SendRawEmail
              Resource: '*'

Kafka Admin Role creation on AWS using Cloud Formation

I am trying to create an admin role for my MSK cluster on AWS using CloudFormation. I am using the role policies below but am not sure why I am not able to list the cluster, describe the cluster or create an MSK connector for my cluster.
Can someone please help identify what is wrong with my role policies?
RolePolicies:
  Type: AWS::IAM::ManagedPolicy
  Properties:
    ManagedPolicyName: msk-role-policy
    Roles:
      - !Ref AdminRole
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        -
          Sid: PassRole
          Action:
            - iam:PassRole
          Resource:
            - !Join [ ":", ["arn:aws:iam:", !Ref "AWS::AccountId", "role/app/*"] ]
          Effect: Allow
        -
          Sid: MSKstackCreationPermissionsKafka
          Action:
            - kafka:*
          Resource:
            - !Join [ ":", ["arn:aws:kafka:us-east-1", !Ref "AWS::AccountId", "cluster/demo*"] ]
          Effect: Allow
        -
          Sid: MSKstackCreationPermissionsEc2
          Action:
            - ec2:Describe*
            - ec2:*Address
            - ec2:*SecurityGroup
            - ec2:RunInstances
            - ec2:*Tags
            - ec2:AuthorizeSecurityGroupIngress
            - kms:DescribeKey
            - kms:CreateGrant
            - logs:CreateLogDelivery
            - logs:GetLogDelivery
            - logs:UpdateLogDelivery
            - logs:DeleteLogDelivery
            - logs:ListLogDeliveries
            - logs:PutResourcePolicy
            - logs:DescribeResourcePolicies
            - logs:DescribeLogGroups
            - S3:GetBucketPolicy
            - S3:List*
            - S3:CreateBucket
          Resource: '*'
          Effect: Allow
        -
          Sid: MSKstackCreationPermissionsS3
          Action:
            - S3:*
          Resource: 'arn:aws:s3:::cf-templates*/*'
          Effect: Allow

Task execution role for ECS tasks - Cloudformation

I am trying to access an IAM role which I created using the AWS console. The role was simple, as I had to give it the ECS task execution role so that it has permission to pull the image from ECR. I have come up with this code; what am I missing in it?
Role:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::02004621356:role/ecs-ec2-task
2- What if I want to create a new task execution role and give only permission to pull the image from ECR? What changes should I make?
The trust principal should be ecs-tasks.amazonaws.com:
Role:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ecs-tasks.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::02004621356:role/ecs-ec2-task
    Policies:
      - PolicyName: AccessECR
        PolicyDocument:
          # quoted so the YAML parser keeps it a string rather than a date
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - ecr:BatchGetImage
                - ecr:GetAuthorizationToken
                - ecr:GetDownloadUrlForLayer
              Resource: '*'

Lambda Function Serverless permission

I've been developing an AWS Lambda function with Python and Serverless. It reads files from an S3 bucket and stores data from it in another bucket as a CSV. The code works perfectly with invoke local, but after deploying I get:
An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
This is the function:
s3_client.put_object(Body=data, Bucket=bucket_name, Key=key_name)
and part of the serverless yml
iamRoleStatements:
  - Effect: Allow
    Action:
      - KMS:Decrypt
    Resource: '*'
  - Effect: Allow
    Action:
      - 's3:*'
    Resource:
      - 'arn:aws:s3:::output_bucket'
      - 'arn:aws:s3:::output_bucket/*'
  - Effect: Allow
    Action:
      - 's3:ListBucket'
    Resource:
      - 'arn:aws:s3:::input_bucket'
      - 'arn:aws:s3:::input_bucket/*'
  - Effect: Allow
    Action:
      - 's3:GetObject'
    Resource:
      - 'arn:aws:s3:::input_bucket'
      - 'arn:aws:s3:::input_bucket/*'
Is there any other configuration I need? Am I missing something obvious?
For me the indent looks wrong. Please make sure to use it right.
iamRoleStatements:
  - Effect: Allow
    Action:
      - 'kms:Decrypt'
    Resource: '*'
  - Effect: Allow
    Action:
      - 's3:*'
    Resource:
      - 'arn:aws:s3:::output_bucket'
      - 'arn:aws:s3:::output_bucket/*'
  - Effect: Allow
    Action:
      - 's3:ListBucket'
      - 's3:GetObject'
    Resource:
      - 'arn:aws:s3:::input_bucket'
      - 'arn:aws:s3:::input_bucket/*'
FYI: I merged s3:ListBucket and s3:GetObject into one statement.
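Two things go wrong with S3 statements like the ones on this page more often than anything else: a key mis-indented in YAML ends up in the wrong mapping (so the deployed statement is missing its Effect, Action or Resource), and the resource ARN is the wrong shape for the action (IAM evaluates s3:ListBucket against the bucket ARN, and s3:GetObject, s3:PutObject and the other object actions against an object ARN such as `bucket/*`; this is why the answer lists both ARN forms in the merged statement). The checker below is an added example, not the poster's or the answerer's code: it walks a list of statements as Python dicts (a constructed rendering of the answer's corrected iamRoleStatements block, plus a constructed broken variant), flags missing keys, bucket/object ARN mismatches for a subset of S3 actions, and any bare `*` resource, which is also what the first question's instance role relies on.

```python
"""Sanity-check the S3 statements of an IAM policy document.

Added example, not the poster's or the answer's code. ANSWER_STATEMENTS is a constructed
Python rendering of the answer's merged iamRoleStatements block; BROKEN_STATEMENTS is
constructed to show the mistakes the checker reports.
"""

# IAM evaluates bucket-level S3 actions against the bucket ARN (nothing after the bucket
# name) and object-level actions against an object ARN (bucket/key or bucket/*).
# This is a subset of the S3 action table, enough for the policies on this page.
BUCKET_LEVEL = {"s3:listbucket", "s3:getbucketlocation", "s3:listbucketmultipartuploads"}
OBJECT_LEVEL = {"s3:getobject", "s3:getobjectacl", "s3:getobjecttagging", "s3:putobject",
                "s3:deleteobject", "s3:abortmultipartupload", "s3:listmultipartuploadparts"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _s3_suffix(arn):
    """Part of an S3 ARN after 'arn:aws:s3:::', or None for non-S3 ARNs."""
    prefix = "arn:aws:s3:::"
    return arn[len(prefix):] if arn.startswith(prefix) else None


def covers_bucket(arn):
    suffix = _s3_suffix(arn)
    return arn == "*" or (suffix is not None and "/" not in suffix)


def covers_objects(arn):
    suffix = _s3_suffix(arn)
    return arn == "*" or (suffix is not None and "/" in suffix)


def check_statements(statements):
    """Return a list of (statement_index, message) findings."""
    findings = []
    for i, st in enumerate(statements):
        missing = [k for k in ("Effect", "Action", "Resource") if k not in st]
        if missing:
            # Typical result of a mis-indented YAML key landing in the wrong mapping.
            findings.append((i, "missing keys: " + ", ".join(missing)))
            continue
        actions = _as_list(st["Action"])
        resources = _as_list(st["Resource"])
        if "*" in resources:
            findings.append((i, "Resource '*' applies the actions to every resource; scope it to ARNs"))
        for action in actions:
            key = action.lower()  # IAM matches action names case-insensitively
            if key in BUCKET_LEVEL and not any(covers_bucket(r) for r in resources):
                findings.append((i, f"{action} is evaluated against the bucket ARN, which is not listed"))
            if key in OBJECT_LEVEL and not any(covers_objects(r) for r in resources):
                findings.append((i, f"{action} needs an object ARN (bucket/* or bucket/key), none listed"))
    return findings


# Constructed rendering of the answer's corrected iamRoleStatements block.
ANSWER_STATEMENTS = [
    {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::output_bucket", "arn:aws:s3:::output_bucket/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::input_bucket", "arn:aws:s3:::input_bucket/*"]},
]

# Constructed variant: bucket and object ARNs swapped, and one statement missing Resource.
BROKEN_STATEMENTS = [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::input_bucket"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::input_bucket/*"},
    {"Effect": "Allow", "Action": ["s3:PutObject"]},
]

if __name__ == "__main__":
    for name, doc in (("answer", ANSWER_STATEMENTS), ("broken", BROKEN_STATEMENTS)):
        print(name)
        for idx, msg in check_statements(doc):
            print(f"  statement[{idx}]: {msg}")
```

To run it against a real template, load the CloudFormation or serverless YAML with a YAML parser and pass the `Statement` list (or `iamRoleStatements`) to `check_statements`; the only finding for the answer's block is the `kms:Decrypt` statement's `*` resource, which is a scoping choice rather than an error.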