Use Serverless or Zappa without Iam GetRole authorization - amazon-web-services

I am using an AWS Educate Starter account, but its user account policy doesn't allow IAM GetRole. So I am getting this kind of error in both the Serverless framework and Zappa:
An error occurred: IamRoleLambdaExecution - API: iam:GetRole
User: arn:aws:iam::XXXXXXXXXXX:user/awsstudent is not authorized to perform:
iam:GetRole on resource: role hello-world-dev-us-west-2-lambdaRole.
Is there any way to get the job done without this authorization? I know that my access key has full access to AWS Lambda, S3, API Gateway, etc.

The issue is you seem to be locked out of IAM. No amount of permission on Lambda/S3/API Gateway is going to get you to where you need to go.

Related

Aws lambda deployment with zappa

botocore.exceptions.ClientError:
An error occurred (AccessDeniedException) when calling the CreateFunction operation: Lambda was unable to encrypt your environment variables because the KMS access was denied. Please check your KMS permissions.
KMS Exception: AccessDeniedException KMS Message:
User: arn:aws:iam::816087693535:user/pj#123.com is not authorized to perform: kms:Encrypt on resource: arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd with an explicit deny in a service control policy.
Also we tried to read and write kms policies but it did not work out.
You need to allow the IAM user pj#123.com to perform kms:Encrypt on the resource arn:aws:kms:us-east-1:816087693535:key/22a02ce6-2afe-4184-bfbf-18d72d238bdd. If you have already tried that but it still doesn't work, my next question would be whether you are using AWS Organizations. If you do, I would visit AWS Organizations on the Management Account and check for any Service Control Policies (SCPs) which explicitly deny this action. If you follow these steps, the resolution of your issue should be straightforward. Kindly let me know if not.

Accessing AWS via external editor (AWS CLI), authorization error although authorized

I need to access a DynamoDB table in AWS from my computer, where I have set up my credentials in the AWS CLI. Although my user has the appropriate access authorization, I get this error message whenever I have to get an item from my database table:
User: arn:aws:iam::[user-number]:user/[username] is not authorized to perform: dynamodb:GetItem on resource: arn:aws:dynamodb:eu-west-1:[user-number]:table/data_table_1 with an explicit deny
As already said, this user is authorized by the administrator to perform this request.
Maybe I am overlooking something, or it has to do with this "explicit deny".
I appreciate your help. Thanks
For the policies, MFA must be present. So maybe I have to authorize myself with an MFA device? How do I do that (if I am correct) via the AWS CLI?

AWS IAM and CLI - How to resolve pass role error?

I logged into the AWS console as DEV-OPS-ENGINEER and created ROLE-1 with an AWS managed policy attached. I attached this role to ECS tasks.
Now from my machine I logged into the AWS CLI as DEVELOPER and ran the aws ecs update-service command, but I am getting the error below:
"An error occurred (AccessDeniedException) when calling the UpdateService operation: User: arn:aws:sts:::assumed-role/DEVELOPER is not authorized to perform: iam:PassRole on resource: arn:aws:iam:::role/ROLE-1"
My idea was that all logged-in users (with different roles) should be able to use ROLE-1.
Any idea why it is throwing this error and how I can resolve it?
To pass a role (and its permissions) to an AWS service, a user must have permissions to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user's IAM user, role, or group.
Find out more, including examples, in the AWS User Guide: Granting a user permissions to pass a role to an AWS service

AWS SageMaker Access Denied

I started working with AWS SageMaker. I have an AWS Starter Account. I have been trying to deploy a built-in algorithm for 2 days, but I always get AccessDeniedException despite the fact that I created the IAM role according to https://aws.amazon.com/tr/getting-started/tutorials/build-train-deploy-machine-learning-model-sagemaker/
ClientError: An error occurred (AccessDeniedException) when calling the CreateTrainingJob operation: User: arn:aws:sts::161745376217:assumed-role/AmazonSageMaker-ExecutionRole-20200203T194557/SageMaker is not authorized to perform: sagemaker:CreateTrainingJob on resource: arn:aws:sagemaker:us-east-1:161745376217:training-job/blazingtext-2020-02-03-18-12-14-017 with an explicit deny
Could you help me solve this problem?
Thank you so much
You have created a role for SageMaker to access S3 bucket, but it seems your IAM user doesn't have access to SageMaker service. Please make sure your IAM user has permission to SageMaker.
This error usually occurs if you have an AWS Educate account. It restricts you from taking full control of the SageMaker service. In this case, I'd recommend accessing AWS using a regular AWS account.
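Every answer in this thread turns on the same reading of the error text: a message that ends in "with an explicit deny" means a Deny statement (or an SCP, when it says so) matched, so adding an Allow cannot help, while a message without that clause means no Allow covers the action yet. As an added example, not code from any post above, here is a small Python triage helper that parses the messages quoted in this thread and classifies them; the regex and the Denial class are constructed here, and the ECS service principal used for the PassRole condition is assumed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Shape of the AccessDenied messages quoted in this thread (a constructed regex,
# not an AWS API); the trailing "with an explicit deny ..." clause is optional.
DENIAL_RE = re.compile(
    r"User:\s*(?P<principal>\S+)\s+is not authorized to perform:\s*"
    r"(?P<action>[\w-]+:[\w*-]+)\s+on resource:\s*(?P<resource>.+?)"
    r"(?P<explicit>\s+with an explicit deny(?P<scp>\s+in a service control policy)?)?"
    r"\.?\s*$"
)

@dataclass
class Denial:
    principal: str
    action: str
    resource: str   # as quoted in the message; for IAM this may be a bare name, not an ARN
    explicit: bool  # "with an explicit deny" present
    scp: bool       # "... in a service control policy" present

def parse_denial(msg: str) -> Optional[Denial]:
    """Parse one AccessDenied message (multi-line or quoted); None if it does not match."""
    m = DENIAL_RE.search(" ".join(msg.split()).strip('"'))
    if not m:
        return None
    return Denial(m["principal"], m["action"], m["resource"],
                  explicit=m["explicit"] is not None, scp=m["scp"] is not None)

def principal_kind(d: Denial) -> str:
    """'user' or 'assumed-role': tells which principal's policies to inspect."""
    return d.principal.split(":")[-1].split("/")[0]

def triage(d: Denial) -> str:
    """Classify the denial the way the answers above do: where the fix has to go."""
    if d.scp:
        return "SCP_DENY"       # only editable in the Organizations management account
    if d.explicit:
        return "EXPLICIT_DENY"  # a Deny statement (often conditional, e.g. MFA) matched
    return "MISSING_ALLOW"      # nothing allows the action yet; grant it

def minimal_allow(d: Denial, passed_to_service: Optional[str] = None) -> dict:
    """Smallest Allow statement for a MISSING_ALLOW result: one action, one resource."""
    stmt = {"Effect": "Allow", "Action": d.action, "Resource": d.resource}
    if d.action == "iam:PassRole" and passed_to_service:
        # restrict PassRole to the service that will use the role (iam:PassedToService)
        stmt["Condition"] = {"StringEquals": {"iam:PassedToService": passed_to_service}}
    return stmt
```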

How to get the identity ID of the Cognito users in AWS Lambda

In my AWS project, I use API Gateway to create APIs that call lambda functions. The APIs are called by an Android application. I use a Cognito user pool and a Cognito Identity pool to manage my users (authenticated and unauthenticated).
In my lambda functions, I need to get the identity ID of the users. After some research, I saw that to achieve that, I need to check Invoke with caller credentials in the Integration Request of my API.
Unfortunately, when I call my API, I get a 500 error with the following log: Execution failed due to configuration error: Invalid permissions on Lambda function. Apparently, it's because the Cognito identity pool role doesn't have the lambda invoke permissions for the backend lambda.
So in order to be able to get the identity id in my lambda function, how can I add those permissions and, if possible, what is the CloudFormation syntax to add those permissions?
Thanks for your help.
Select the AWS Lambda (in the AWS UI) which you are trying to fix and scroll down to the Execution role part. You need to create a new role that has permission to access the Cognito Identity pool, set that role for the Lambda and save it.
In the AWS API, have you added the authorizer which sets permission (allow/deny) to access the API?
If your users are in Cognito User Pool, there is no need of API gateway, Lambda, etc. Simply use AWS Amplify and everything is baked into the framework.
https://aws-amplify.github.io/docs/js/authentication
Robin
Here is what was missing in my CloudFormation template, just add it in the Cognito Identity Pool policy (or policies if you're dealing with unauthenticated users):
- Effect: 'Allow'
  Action:
    - 'lambda:InvokeFunction'
  Resource:
    Fn::Join:
      - ''
      - - 'arn:aws:lambda:'
        - Ref: AWS::Region
        - ':'
        - Ref: AWS::AccountId
        - ':function:*'