So I am following this tutorial.
I have created a role and attached the AmazonDynamoDBFullAccess policy to it ...
When I assign this role to API Gateway .... like this
I keep getting this error ...
Execution failed due to configuration error: API Gateway does not have permission to assume the provided role
Isn't the "AmazonDynamoDBFullAccess" policy that I have applied to my role "MyDynamoRole" enough to give API Gateway the necessary permissions?
Found a solution ....
Under "Role --> Trust Relationship", I have added another service, i.e. API Gateway ...
"apigateway.amazonaws.com"
and all good now ...
For people that might be struggling to create a role via the console, the hack is to use EC2- or Lambda-based IAM roles to create a generic role and then edit the Trust Relationships to include the service:
"apigateway.amazonaws.com"
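The trust-relationship fix above comes down to one thing: the role's assume-role policy document must contain an Allow statement whose Principal names apigateway.amazonaws.com and whose Action covers sts:AssumeRole. The following is an added example (not code from the thread or from AWS) that checks an existing trust policy for that statement and extends a Lambda-style trust policy without dropping the principals it already trusts. The sample policy and the role name used in the comment are constructed for illustration.

```python
"""Check and extend an IAM role trust policy (assume-role policy document).

Added example, not from the original thread. The sample trust policy below
is constructed to look like the one the console generates for a Lambda role.
"""
import copy
import fnmatch
import json

STS_ASSUME_ROLE = "sts:AssumeRole"


def _as_list(value):
    """IAM accepts either a single string or a list in most policy elements."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusts_service(policy: dict, service: str) -> bool:
    """Return True if `service` (e.g. apigateway.amazonaws.com) may assume the role.

    A statement trusts the service when Effect is Allow, the Principal element
    lists the service under "Service", and Action covers sts:AssumeRole,
    either literally or through a wildcard such as sts:*.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "*" or an AWS-account principal, not a service principal
        if service not in _as_list(principal.get("Service")):
            continue
        actions = _as_list(stmt.get("Action"))
        if any(fnmatch.fnmatchcase(STS_ASSUME_ROLE, pattern) for pattern in actions):
            return True
    return False


def add_service_principal(policy: dict, service: str) -> dict:
    """Return a copy of `policy` with an Allow sts:AssumeRole statement for `service`.

    Existing statements are preserved, so a role created for Lambda keeps
    trusting Lambda after API Gateway is added (the console hack described above).
    """
    updated = copy.deepcopy(policy)
    if trusts_service(updated, service):
        return updated
    statements = _as_list(updated.get("Statement"))
    statements.append({
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": STS_ASSUME_ROLE,
    })
    updated["Statement"] = statements
    updated.setdefault("Version", "2012-10-17")
    return updated


# Constructed sample: the trust policy the console generates for a Lambda role.
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

if __name__ == "__main__":
    fixed = add_service_principal(LAMBDA_TRUST_POLICY, "apigateway.amazonaws.com")
    # The printed JSON is what you would save to trust.json and apply with
    # `aws iam update-assume-role-policy --role-name MyDynamoRole --policy-document file://trust.json`
    # (MyDynamoRole is the role name from the question above).
    print(json.dumps(fixed, indent=2))
```

Before applying the updated document, it is worth running trusts_service against the current policy to confirm which principals the role already trusts; broadening a trust policy is a permission change, so keep the principal list as narrow as the integration needs.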
Related
I have one problem: I want to create a VPN endpoint in AWS, but it seems the error message is "permission denied", and I tried using the root account to create the role, which was also not possible.
Please read the AWS docs on what trust policies are and how to use them:
How to use trust policies with IAM roles
Trust policies do not have a Resource element, and they use sts:AssumeRole in Action.
I have a problem when creating a Role: I am getting an error that says "Cannot attach a Service Role Policy to a Customer Role".
In fact, there is something called a Customer Managed Role, which the above error seems to display as 'Customer Role'.
From the AWS documentation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-role):
A role that a service assumes to perform actions in your account on your behalf. When you set up some AWS service environments, you must define a role for the service to assume. This service role must include all the permissions required for the service to access the AWS resources that it needs.
Now if you create a role which isn't a service role and attach permissions yourself, it appears under what AWS shows as a Customer Managed Role (screenshot below). If you look carefully, the service roles in AWS show the AWS box icon and the Customer Managed ones don't.
Reason: I was facing the above error as well, and the reason was that my Role had custom inline policies attached. If a Role has custom attached (inline) policies, AWS doesn't let you attach the Service Roles to it. You can filter the roles and find out what's causing the issue.
I hope this is documented somewhere as I was scratching my head for quite some time on this.
I've tried to connect a simple DB in DynamoDB to a basic API in API Gateway that I've built. I followed this guide: https://www.youtube.com/watch?v=TuGyyTXPQ-U and, after creating the DB, generating the role with the appropriate permissions and generating a simple GET request in API Gateway, I keep running into this error:
{
"message": "AWS ARN for integration contains invalid action"
}
I get this with both POST and GET requests in my API. Pretty new to AWS, so anything would help. Thanks!
You can get that error if the action on the integration is blank or missing. On the integration page, ensure that "Action type" is set to "Use action name" and ensure that "Action" is set to "PutItem".
This error is related to the ARN role. Check the IAM role, and check that it has DynamoDB full access permission.
NB: Use an IAM Role instead of an IAM User.
I have the policy AmazonAPIGatewayInvokeFullAccess, and the user is associated with this policy, but when I simulate the action to invoke the API it says access denied. Can anyone help me understand what the problem is here?
Find the simulator image here.
The IAM policy simulator covers resource-based permissions. Please make sure that you specify a resource ARN to test against, since this is '*' by default (which doesn't work with API Gateway). You can enter the resource ARN by clicking on that service row.
Please use the following format for your resource ARN:
arn:aws:execute-api:us-west-1:YOUR-ACCOUNT:YOUR-REST-API-ID/YOUR-STAGE/GET/YOUR-RESOURCE-PATH
Hope this helps,
Jurgen, API Gateway
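The ARN format in the answer above is what an identity policy's Resource element is matched against when a caller invokes a method. As an added example (not code from the thread or from AWS), the block below builds an execute-api ARN from its parts and evaluates a constructed identity policy against it with IAM's wildcard semantics (`*` matches any run of characters, `?` a single one, and an explicit Deny overrides any Allow). The account ID, API ID and policy documents are constructed; the first policy is shaped like the managed AmazonAPIGatewayInvokeFullAccess policy but is an assumption, not a copy of it.

```python
"""Build execute-api resource ARNs and evaluate an identity policy against them.

Added example, not from the original thread. Uses IAM wildcard matching
for Action and Resource; explicit Deny wins over Allow. Condition keys are
not evaluated, so this is a local sanity check, not a replacement for the
IAM policy simulator.
"""
import re

INVOKE_ACTION = "execute-api:Invoke"


def _as_list(value):
    """IAM accepts a single string or a list in Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_execute_api_arn(region, account_id, rest_api_id, stage, method, resource_path):
    """Return arn:aws:execute-api:REGION:ACCOUNT:API-ID/STAGE/METHOD/PATH (format from the answer above)."""
    path = resource_path.lstrip("/")
    return f"arn:aws:execute-api:{region}:{account_id}:{rest_api_id}/{stage}/{method.upper()}/{path}"


def iam_pattern_to_regex(pattern, ignore_case=False):
    """Translate an IAM wildcard pattern into an anchored regex.

    Only * and ? are special in IAM; everything else (including [ and /) is literal,
    which is why re.escape is used per character instead of fnmatch.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE if ignore_case else 0)


def resource_matches(pattern, arn):
    """Resource ARNs are case-sensitive in IAM."""
    return iam_pattern_to_regex(pattern).match(arn) is not None


def action_matches(pattern, action):
    """Action names are matched case-insensitively."""
    return iam_pattern_to_regex(pattern, ignore_case=True).match(action) is not None


def policy_allows_invoke(policy, arn, action=INVOKE_ACTION):
    """Return True if the identity policy allows `action` on `arn` (Deny beats Allow)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = any(action_matches(a, action) for a in _as_list(stmt.get("Action")))
        resource_hit = any(resource_matches(r, arn) for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


# Constructed values: account, API ID, stage and path are placeholders.
SAMPLE_ARN = build_execute_api_arn("us-west-1", "123456789012", "abc123", "prod", "get", "/items")

# Constructed policy shaped like the managed invoke policy: any execute-api resource.
BROAD_INVOKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": [INVOKE_ACTION], "Resource": "arn:aws:execute-api:*"}],
}

# Constructed least-privilege policy: one API, one stage, GET only, with POST explicitly denied.
SCOPED_INVOKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": INVOKE_ACTION,
         "Resource": "arn:aws:execute-api:us-west-1:123456789012:abc123/prod/GET/*"},
        {"Effect": "Deny", "Action": "execute-api:*",
         "Resource": "arn:aws:execute-api:us-west-1:123456789012:abc123/prod/POST/*"},
    ],
}

if __name__ == "__main__":
    print(SAMPLE_ARN)
    print("broad policy allows GET /items:", policy_allows_invoke(BROAD_INVOKE_POLICY, SAMPLE_ARN))
    print("scoped policy allows GET /items:", policy_allows_invoke(SCOPED_INVOKE_POLICY, SAMPLE_ARN))
```

Constructing the concrete ARN first, exactly as the answer suggests for the simulator, also makes it obvious how broad a Resource of arn:aws:execute-api:* is; the scoped policy shows the shape a practitioner would normally prefer for a single API and stage.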
I have a group of AWS API Gateway APIs to which I am trying to restrict access through only one internal Lambda function. I created a role, added the AmazonAPIGatewayInvokeFullAccess policy to it and assigned this role to the Lambda function. However, I am still not able to access the APIs from the Lambda and am getting 403s. Thanks for your help.
Under IAM you need to add a trust relationship with apigateway.amazonaws.com.