I am trying to follow this otherwise excellent post to deploy a Java-based AWS lambda app. I'm scripting it out as instructed in that post. I receive the following error when calling aws apigateway put-integration:
An error occurred (BadRequestException) when calling the PutIntegration operation: Lambda function ARN must be in same account
I'm trying to script the creation of an API gateway to a lambda function. Here's the full deploy.sh script. I have on my local machine the requisite AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_ACCOUNT_ID environment variables.
I don't know enough to understand what that error is telling me. AFAIK, the access secret and id and account ID are all from the same IAM user.
Thank you very much in advance for any ideas/help.
Related
I have a ec2 instance with a role attached to it. The role is called webserver and has all the relevant policies attached to it.
I am trying to invoke my lambda function from my PHP code, but I get the following error:
Failed attempt at deleting data/ account: exception 'Aws\Lambda\Exception\LambdaException' with message 'Error executing "Invoke" on "https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/blahFunction/invocations"; AWS HTTP error: Client error: `POST https://lambda.eu-west-2.amazonaws.com/2015-03-31/functions/blahFunction/invocations` resulted in a `403 Forbidden` response:
{"Message":"User: arn:aws:iam::34234324324342:user/SecretGuy is not authorized to perform: lambda:InvokeFunction on resour (truncated...)
AccessDeniedException (client): User: arn:aws:iam::34234324324342:user/SecretGuy is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-west-2:34234324324342:function:blahFunction because no identity-based policy allows the lambda:InvokeFunction action - {"Message":"User: arn:aws:iam::34234324324342:user/SecretGuy is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:eu-west-2:34234324324342:function:blahFunction because no identity-based policy allows the lambda:InvokeFunction action"}'
Now SecretGuy is a user I created a long time ago, and somehow my ec2 is trying to use that.
I am wondering if anyone can help with this?
Thanks
From my understanding, you are running PHP code on an EC2 instance, and your code invokes the Lambda function.
And this EC2 instance has attached IAM Role with proper permissions to invoke the Lambda function. Then you tried to run your code and faced that the EC2 instance is using an unexpected IAM identity(IAM User named SecretGuy here), not the role you attached.
There's a chance that you might have IAM credentials set by environment variables for that Linux user or static credentials set on your EC2 instance.
AWS SDK client has an order to retrieve credentials on the machine. The official docs of PHP AWS SDK say,
When you initialize a new service client without providing any credential arguments, the SDK uses the default credential provider chain to find AWS credentials. The SDK uses the first provider in the chain that returns credentials without an error.
The default provider chain looks for and uses credentials as follows, in this order:
Use credentials from environment variables.
Setting environment variables is useful if you're doing development work on a machine other than an Amazon EC2 instance.
Use the AWS shared credentials file and profiles.
This credentials file is the same one used by other SDKs and the AWS CLI. If you're already using a shared credentials file, you can use that file for this purpose.
We use this method in most of our PHP code examples.
Assume an IAM role.
IAM roles provide applications on the instance with temporary security credentials to make AWS calls. For example, IAM roles offer an easy way to distribute and manage credentials on multiple Amazon EC2 instances.
To retrieve IAM credentials from the role attached,
You can check which IAM Identity you are using to call AWS API with the below command on the EC2 instance. (as that Linux user, you are running PHP code)
aws sts get-caller-identity
Then it will show result as below,
{
"UserId": "ABCDEFGHIJKLMNOPQRSTU",
"Account": "34234324324342",
"Arn": "arn:aws:iam:: 34234324324342:user/SecretGuy"
}
Then you need to look for environment variables set or static credentials files on that EC2 instance.
My guess is maybe someone used aws CLI on that EC2 before, with SecretGuy credentials, So there would be a file $HOME/.aws/credentials.
If the file exists and is confirmed as a SecretGuy access key, you have to delete that file. (If EC2 runs some critical application, you might want to copy all permissions of SecretGuy to the IAM Role you attached before deleting it to avoid unexpected service outage)
Or, you can look for environment variables.
echo $AWS_ACCESS_KEY_ID
If the above commands return the access key id value, you might have to unset environment variables.
After that, your code will retrieve credentials from IAM Role.
This seems so simple. I have ONE account, and I am getting a "Cross-account pass role is not allowed"` error when trying to run a Cloud Formation stack.
I am using this guide:
https://github.com/aws-samples/amazon-eks-refarch-cloudformation
I have made just a couple of tweeks to the custom.mk (network, ec2 types etc).
To create the cluster, per the README, I am runing this command in my terminal, and my IAM user account is in the "admin" group with full access to CloudFormation:
ASGAutoAssignPublicIp=no make create-eks-cluster
This is the error:
An error occurred (AccessDenied) when calling the CreateStack operation: Cross-account pass role is not allowed. make: *** [create-eks-cluster] Error 254
Looking at the Makefile, it is using this get the account:
aws sts get-caller-identity --query 'Account' --output text
When I run that command from the same terminal it works fine --my account # is displayed.
Can anyone suggest what I might try here?
Verify that you are passing the ARN for the EKS Role (AmazonEKSAdminRole) that you created in the custom.mk
You should not need to perform cross-account role passing at all, but being that the Makefile passes a default EKS_ADMIN_ROLE here.
The role used to deploy these stack is that EKS_ADMIN_ROLE so if you are trying to utilize the defaulted role (within the accountId 903779448426), that implicitly doesnt have access to your AWS account and thus cannot create stacks within your account.
I tried to run aws lambda publish-layer-version command line in my local console using my personal aws credentials, but I've got an Amazon S3 Access Denied error for the bucket in which the zip layer is stored.
aws lambda publish-layer-version --layer-name layer_name --content S3Bucket=bucket_name,S3Key=layers/libs.zip
An error occurred (AccessDeniedException) when calling the PublishLayerVersion operation: Your access has been denied by S3, please make sure your request credentials have permission to GetObject for {URI of layer in my S3 bucket}. S3 Error Code: AccessDenied. S3 Error Message: Access Denied
When I'm running the aws cp command in the same bucket, it all works perfectly fine
aws s3 cp s3://bucket_name/layers/libs.zip libs.zip
So I assume that the aws lambda command line is using an other role than the one used when I'm running the aws cp command line ? Or maybe it uses another mecanism that I just don't know. But I couldn't find any thing about it in the AWS documentation.
I've just read that AWS can return a 403 it couldn't find the file. So maybe it could be an issue with the command syntax ?
Thank you for your help.
For your call to publish-layer-version you may need to specify the --content parameter with 3 parts:
S3Bucket=string,S3Key=string,S3ObjectVersion=string
It looks like you are missing S3ObjectVersion. I don't know what the AWS behavior is for evaluating and applying the parts of that parameter, but it could be attempting to do something more since the version is not specified and hence giving you that error. Or it could be returning an error code that is not quite right and is misleading. Try adding S3ObjectVersion and let me know what you get.
Otherwise, AWS permission evaluation can be complex. I like this AWS diagram below, so it is a good one to follow to track down permissions issues, but I suspect that AccessDenied is a bit of a red herring in this case:
Your Lambda does not have privileges (S3:GetObject).
Try running aws sts get-caller-identity. This will give you the IAM role your command line is using.
Go to IAM dashboard, check this role associated with your Lambda execution. If you use AWS wizard, it automatically creates a role called oneClick_lambda_s3_exec_role. Click on Show Policy. It will look something like attached image.Make sure S3:GetObject is listed.
Also, AWS returns 403 (access denied) when the file does not exist. Be sure the target file is in the S3 bucket.
I am trying to run the below command from lambda function but I keep getting the error AWS was not able to validate the provided access credentials. I am very sure that the credentials are correct because the access credentials are the set of credentials I use in my local AWS CLI. Does anyone have any idea?
ec2 = boto3.client('ec2', region_name=str(REGION_NAME), aws_access_key_id=str(ACCESS_KEY), aws_secret_access_key=str(SECRET_KEY))
When you are using lambda function, its permissions should be provided using AWS Lambda execution role:
An AWS Lambda function's execution role grants it permission to access AWS services and resources. You provide this role when you create a function, and Lambda assumes the role when your function is invoked.
I know it does not answer directly to your question, but this is good practice and you should not hard code any IAM credentials in your lambda function or its environmental variables.
I am trying to follow this otherwise excellent post to deploy a Java-based AWS lambda app. I'm scripting it out as instructed in that post. I receive the following error when calling aws apigateway put-integration:
An error occurred (BadRequestException) when calling the
PutIntegration operation: Lambda function ARN must be in same account
I'm trying to script the creation of an API gateway to a lambda function. Here's the full deploy.sh script. I have on my local machine the requisite AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_ACCOUNT_ID environment variables.
I don't know enough to understand what that error is telling me. AFAIK, the access secret and id and account ID are all from the same IAM user.
My AWS CLI Script
aws apigateway put-integration --region ap-south-1 --rest-api-id xxttj6inea --resource-id bgncc0 --http-method GET --type AWS --integration-http-method POST --uri arn:aws:apigateway:ap-south-1:lambda:path/2019-09-20/functions/arn:arn:aws:lambda:ap-south-1:***********:function:Hello/invocations
Thank you very much in advance for any ideas/help.
This error can happen because of two reasons:
Your AWS CLI settings are incorrect. I'll implore you to check the AWS CLI configuration file, and run test API calls for the same to verify if everything is set up appropriately.
Your Lambda function belongs in one account, and your REST API in API GW belongs in another account.