ecr token error for amazon aws docker registry - amazon-web-services

Here is my registry policy for my user :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1494526914000",
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken"
],
"Resource": [
"*"
]
}
]
}
I have no MFA auth
but when i try :
bussiere#kusanagi:~/Workspace/*****$ aws ecr get-login
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::*******:user/bussiere is not authorized to perform: ecr:GetAuthorizationToken on resource: *
bussiere#kusanagi:~/Workspace/*****$
thanks a lot and regards


Maybe unhelpful considering you seem to have the right policy, but the permissions aren't correct somehow. Do you have the region set and are you using the keys for that user in the cli? Also as a test, does it work using the managed policy AmazonEC2ContainerRegistryPowerUser?
http://docs.aws.amazon.com/AmazonECR/latest/userguide/common-errors.html#error-unauthorized

Related

AWS group user not allowed to assume role - access denied

I have a user and I'm trying to impersonate a role for running a service on Kubernetes. However, when I tried using STS to assume the role, I get the following error:
$ aws sts assume-role --role-arn "arn:aws:iam::{ACCOUNT_ID}:role/service-myservice" --role-session-name AWSCLI-Session
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::{ACCOUNT_ID}:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{ACCOUNT_ID}:role/service-myservice
I find this odd because this user belongs to a user group with the AdministratorAccess permission attached to it, which should give it access to anything on AWS. This is it:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
So, what am I doing wrong here?

What you have here is the IAM policy attached to this User, aka - what is this user is able to do.
You need to set the Trust Relationship as well. This defines which resources or principals is able to use this role/user. Could be Lambda, EC2 or in your case: an IAM User.
See here for example.
The IAM User/Role (in that case, role) you want to assume must have the Trust Relationship as follow:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:role/<role_name>
},
"Action": "sts:AssumeRole"
}
]
}

AWS CodeDeploy is not authorized to perform: codedeploy:CreateDeployment

I'm trying to do CI/CD with aws CodeDeployand and GitHub Actions from , following this tutorial.
but the following error appears when trying to create the deploy:
An error occurred (AccessDeniedException) when calling the CreateDeployment operation: User: arn:aws:iam::***:user/church-managment-bff-s3 is not authorized to perform: codedeploy:CreateDeployment on resource: arn:aws:codedeploy:sa-east-1:***:deploymentgroup:church-managment-bff/church-managment-bff-deploy-group because no identity-based policy allows the codedeploy:CreateDeployment action
Error: Process completed with exit code 254.
I believe it's a permission problem, but I'm not able to solve it, can someone please help

You have to add codedeploy:CreateDeployment permissions for church-managment-bff-s3 user. You can do this as an inline policy for the user in aws console:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "codedeploy:CreateDeployment",
"Resource": "*"
}
]
}

ClientError: (AccessDenied) when calling the sts:AssumeRole operation for the AWS account used to connect Amazon SP-API

I want to connect to the Amazon SP-API. It says in the documentation that I need to create an AWS account and add the necessary permissions so I can use it to connect the Amazon SP-API. Our developer profile is approved and we have registered our application. I have attempted to connect with these credentials using this python SP-API library .
However, I have an error which says:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::<account_id>:user/username is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account_id>:user/username
I think the cause of my error is my permission policy. Is there something wrong with the following policies on how it was declared?
//STS-POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect" : "Allow",
"Action": "sts:*",
"Resource": "arn:aws:iam::<account_id>:user/<username>"
}
]
}
//EXECUTE-API-POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect" : "Allow",
"Action": "execute-api:*",
"Resource": "arn:aws:execute-api::<account_id>:*/*/*/*"
}
]
}

As you are tring to use AssumeRole with STS-Policy, Rosource should be role instead of user.
Change this line in STS-Policy
"Resource": "arn:aws:iam::<account_id>:user/<username>"
to like this.
Resource": "arn:aws:iam::<account_id>:role/<rolename>"
See the section "Example policy that grants permission to assume a role" of this aws doc.

AWS cognito access denied exception

I am trying to view an AWS kinesis video stream on a local web page. However, I keep getting this error.
AccessDeniedException: User: arn:aws:sts::XXXXXXXXX:assumed-role/XXXXXXXX/CognitoIdentityCredentials is not authorized to perform: kinesisvideo:GetDataEndpoint on resource: XXXX
Here is the policy used for the associated IAM role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"mobileanalytics:PutEvents",
"cognito-sync:*",
"kinesisvideo:*",
"sts:*"
],
"Resource": [
"*"
]
}
]
}
I am using an unauthenticated Cognito role.
I also get a similar exception for sts:assumeRole.
What am I doing wrong?

Not authorized to perform: sts:AssumeRole on resource

I'm trying to use kubectl to work on a EKS Cluster created from an other user.
I followed the different instructions from the documentation to create the kube config file with the command : aws eks --region eu-central-1 update-kubeconfig --name internal --role-arn arn:aws:iam::xxxxxxxxxx:role/eks_role_internal.
Then when i try to test the configuration (kubectl get svc), i'm getting the error :
could not get token: AccessDenied: User: arn:aws:iam::xxxxxxxxxxxx:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/eks_role_internal
Here is the config for the Policy :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::xxxxxxxxxxx:role/eks_role_internal"
}
]
}
And the trust relationship of the role :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"eks.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}

The first reason getting this error message is misconfigured Trusted relationship on a role that is going to be assumed.
I also was seeing this error when the attached condition in the trusted relationship of having MFA wasn't met:
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
AWS cli isn't smart enough to see this case and ask for the MFA code, it just throws that error message.