What permission am I missing for AWS Glue and Development Endpoint? - amazon-web-services

I'm getting the following error when I try to create a development endpoint for AWS Glue.
{ "service":"AWSGlue",
"statusCode":400,
"errorCode":"ValidationException",
"requestId":"<here goes an UUID>",
"errorMessage":"Role arn:aws:iam::<IAM ID>:role/AWSGlueServiceRole-DefaultRole
should be given assume role permissions for Glue Service.\n",
"type":"AwsServiceError" }
And my role has the following permissions.
AmazonS3FullAccess
AWSGlueServiceNotebookRole
AmazonAthenaFullAccess
AWSGlueServiceRole
CloudWatchLogsReadOnlyAccess
AWSGlueConsoleFullAccess
AWSCloudFormationReadOnlyAccess
Any clues on what am I missing?

In your trust relationship, the trust should be established with glue.amazonaws.com. Your role (AWSGlueServiceRole-DefaultRole) may not have this. To confirm, go to the IAM roles console, select the IAM role: AWSGlueServiceRole-DefaultRole and click on the Trust Relationship tab.
The json for this should look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "glue.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Example screenshot for the Trust relationship:

I was tripped up by this as well; the problem is that when you use the console to create a default glue service role it ends up creating the IAM role like this:
arn:aws:iam:::role/service-role/AWSGlueServiceRole-DefaultRole
Make note of the "service-role" in the path.
But then when choosing that role as the role you want to use in the console wizard for setting up a new dev endpoint it doesn't include the "service-role" in the path and looks for a role named like this:
arn:aws:iam:::role/AWSGlueServiceRole-DefaultRole
I think this is just a bug in the console wizard for creating dev endpoints. I got around it by creating a new role that doesn't have "service-role" in the path and then chose that role in the console wizard and was able to successfully create a dev endpoint.

The problem was somehow related to an old Role that I already messed up with. Created a brand new role just for development following this link and this link, worked like a charm.

Related

Permission problem accessing CodeCommit repository during build phase

I am struggling trying to create my first React app. I have connected the app to the CodeCommit repository but the build on the Amplify console fails with this message:
2020-12-14T09:25:04.155Z [ERROR]: !!! Unable to assume specified IAM Role. Please ensure the selected IAM Role has sufficient permissions and the Trust Relationship is configured correctly.
The provision phase works perfectly:
I have created the service role AmplifyConsoleServiceRole-AmplifyRole as suggested on this guide and I am logged in as a user with AdministratorAccess authorization. Git commits to the repository from my PC console works perfectly.
It is not clear to me what IAM role the AWS Amplify Console is unable to assume. The AmplifyConsoleServiceRole-AmplifyRole which I have selected as Service role during the App creation I think. The permissions of this role are AdministratorAccess, as well. How can I check if the Trust Relationship is configured correctly?
I've contacted Amazon support. They answered that something is not working on their side using eu-south-1.
I've just tried on eu-central-1 and the build process worked as expected. So no there were no permissions problems but simply a bug. They told me that it will be addressed soon.
Edit: Amazon support team found the problem in the trust relationship to be used with the eu-south-1 region. It must be defined in the following way:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": ["amplify.eu-south-1.amazonaws.com","amplify.amazonaws.com"]
},
"Action": "sts:AssumeRole"
}
]
}

AWS IAM Role permission issue

We have just built a new Things Enterprise server hosted at AWS on an EC2 instance and created an application to use AWS IOT. We are getting the following error
“message”: “User: arn:aws:sts::446971925991:assumed-role/Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ/i-095895d605fab3fa4 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93”
I have been told
What is the execution role of the TTES instance that is trying to assume the role? The role TTES needs to be able to assume that role. That will give the right permissions.
But I'm not sure what that means, i'm presuming i need to add / alter some permissions within an IAM role. Can someone point me in the right direction Pls.
From the error message it seems that your IAM role for Amazon EC2 has no permissions to assume a role Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93.
To add such permissions manually you can do the following:
Go to IAM Console->Roles.
In the Roles window, you can use Search bar to locate Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ role.
Once you find the role, you click on Add inline policy.
Once Create policy window shows, you can go to JSON tab and add the following JSON policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93"
}
]
}
Then click Review Policy, name the policy (e.g. PolicyToAssumeRole) and Create policy
However, based on your policy names (e.g. Stack-Srv-StackIAMRole) it is possible that they have been create by CloudFormation. If this is the case, then manually changing the roles as described above is a bad practice and will lead to drift. Any changes to resources created by CloudFormation should be done using CloudFormation. Sadly, your question does not provide any details about CloudFormation templates used, therefore its difficult to comment on that more.

AWS Interactive Video Service - ivs.AccessDeniedException

I am following the AWS tutorial on how to set up the new video streaming product IVC https://docs.aws.amazon.com/ivs/latest/userguide/GSIVS.html
I set up a IAM user with the following permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ivs:CreateChannel"
],
"Resource": "*"
}
]
}
But when I try to create a channel with logged in as the above mentioned IAM user I get the error
ivs.AccessDeniedException:
User: arn:aws:iam::532654645459:user/alex-iam is not authorized to perform:
ivs:CreateChannel on resource: *
Am I missing something? Here are is screenshots for the policy setup.
(OP here) The solution that worked for me was to change the policy to grant all permissions to IVS for IAM user as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ivs:*"
],
"Resource": "*"
}
]
}
Everything worked fine afterward (create channels, list channels, view channels details).
To deal with this issue, best is to reach out to AWS Support Center via “Account and billing support”. For details about the case, select “Account” for the Type and “Other Account Issues” for the Category. As for the subject and description, please provide as many details about the error as possible, such as the error code above.
What could also be helpful is to (especially on a fresh AWS account) is to spin up p/ launch an EC2 instance (Micro or whatever) and spin it back down. Try using IVS after that and see if that helped.
What type of account are you using ( free tier, educate account)?
In educate account IAM users do no have access to some services. This might be on of the issues.
I have solved the problem by add policy to the lambda function
Go to the AWS IAM page and navigate to Role.
And then find the role for your lambda function and click add permission button
and create inline policy
There, you can create and attach policy to role.
as you written on above.
After that, your functions will work well

IAM Role for an IAM User within same account for Console Access

I am trying to create an IAM user and I want to assign the user for Full S3 Access using IAM role (via console access). I know I can do that using Group or attaching the S3FullAccessPolicy directly to the user. I am unable to do this and could not find any help regarding this. The articles I come across describes how you can attach IAM policies to EC2 instance etc.
I managed to create a role and attached a trust policy as below. I also attached the policy "AmazonS3FullAccess" to the role.
But it never worked if I login using AWS management console (browser). It still denies all permission to the user for S3 access. The trusted entities policy looks like below - the IAM username I am trying to use is s3AdminUserWithRole. Th eAWS account id is 6XXXXXXXXXXX0
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::6XXXXXXXXXXX0:user/s3AdminUserWithRole",
"arn:aws:iam::6XXXXXXXXXXX0:root"
]
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Is it not possible to do like this for AWS Management console for a user? We have to use only Groups /managed policies/ inline policies and NOT roles for this? Confused about the AWS documentation then.
Based on the comments, the solution is to use sts service and its assume-role API.
For Console there is Switch Role option.

Why do I get 'execution role must be assumable' error when trying to deploy to Lambda#Edge?

I am trying to deploy to Lambda#Edge within AWS, but when I click on 'Deploy' I get this error message:
Correct the errors below and try again.
Your function's execution role must be assumable by the edgelambda.amazonaws.com service principal.
From the Lambda#Edge IAM Role documentation:
You must create an IAM role that can be assumed by the service
principals lambda.amazonaws.com and edgelambda.amazonaws.com. This
role is assumed by the service principals when they execute your
function. For more information, see Creating the Roles and Attaching
the Policies (Console) in the topic "AWS Managed Policies for Job
Functions" in the IAM User Guide.
You add this role under the Trust Relationship tab in IAM (do not add
it under the Permissions tab).
Here's an example role trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"lambda.amazonaws.com",
"edgelambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
Note : If you're doing this via the AWS Console then you have to refresh the browser after you update your IAM Role
Credits: from comments #AJB
Just go to your lambda function, Click the configuration tab -> then the permission tab (from the left menu) -> Click on your role name
Then it will navigate to the relevant IAM role page.
Click Trust Relationships Tab
Click on the Edit policy button and add the content that #Mark mentioned.
This video https://www.youtube.com/watch?v=BZzEXVkVOM8 explains the issue.
Issue: 5:39
And the resolution 6:33