AWS ECR GetAuthorizationToken - amazon-web-services

I've tried to follow the AWS instructions on setting up ECR authorization for my user by giving the AmazonEC2ContainerRegistryFullAccess policy to my user.
However, when I try to run aws ecr get-login on my PC, I get an error saying I don't have permission:
  An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::ACCOUNT_NUMBER:user/MY_USER is not authorized to perform: ecr:GetAuthorizationToken on resource: *
What have I done wrong?

You must attach a policy to your IAM role.
I attached AmazonEC2ContainerRegistryFullAccess and it worked.

Here is a full answer; after I followed all the steps, I was able to use ECR.
The error can have a few meanings:
- You are not authorized because you do not have an ECR policy attached to your user.
- You are not authorized because you are using 2FA, and using the CLI is not secure unless you set a temporary session token.
- You provided invalid credentials.
Here is a list of all the steps to get access (including handling 2FA):
1. First of all, you have to create a policy that gives you access to the GetAuthorizationToken action in ECR.
2. Attach this policy either to a user or a group (groups/roles are IMHO always the better approach; my vote goes to roles, e.g. DevOps).
3. Make sure you have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY set in your environment. I recommend using the aws folder with credentials and profiles kept separate.
4. If you have 2FA enabled, you need to generate a session token using this command:
     aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
   arn-of-the-mfa-device can be found in your profile, 2FA section. The token is the code generated by the device.
5. Update your aws credentials with the received AccessKeyId, SecretAccessKey, and SessionToken. AWS recommends having a cron job to refresh the token, which means if you are doing this you are testing things; your prod resources most likely do not have 2FA enabled. You can increase the session length by providing --duration-seconds, but only up to 36 hours. A good explanation can be found at authenticate-mfa-cli.
This should do the job.
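Step 5 above is the part people usually do by hand. As an added example (not part of the answer), this writes the JSON that aws sts get-session-token prints into its own profile in the credentials file, so the CLI can be run with --profile mfa while the long-lived keys stay untouched; the STS output and the `mfa` profile name are constructed placeholders.

```python
import configparser
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample of the JSON that `aws sts get-session-token` prints;
# the key material is placeholder text, not real credentials.
SAMPLE_STS_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID0000",
    "SecretAccessKey": "EXAMPLE+SECRET+KEY+NOT+REAL",
    "SessionToken": "EXAMPLE-SESSION-TOKEN",
    "Expiration": "2019-06-01T12:00:00+00:00"
  }
}"""
SAMPLE_NOW = datetime(2019, 6, 1, 0, 0, tzinfo=timezone.utc)   # 12 hours before expiry


def token_expired(expiration, now):
    """expiration is the ISO-8601 string STS returns (with a 'Z' or '+00:00' suffix)."""
    return datetime.fromisoformat(expiration.replace("Z", "+00:00")) <= now


def write_session_profile(sts_json, credentials_path, profile="mfa", now=None):
    """Store the temporary credentials under [profile] and return that section.

    The long-lived keys stay in their own profile; run the CLI with --profile mfa.
    Raises ValueError if the token has already expired.
    """
    creds = json.loads(sts_json)["Credentials"]
    if token_expired(creds["Expiration"], now or datetime.now(timezone.utc)):
        raise ValueError("session token already expired; request a new one")
    config = configparser.ConfigParser()
    config.read(credentials_path)          # keep the other profiles intact
    config[profile] = {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    with open(credentials_path, "w") as fh:
        config.write(fh)
    os.chmod(credentials_path, 0o600)      # the file now holds secret material
    return dict(config[profile])


def demo():
    """Write the constructed sample into a scratch credentials file."""
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    return write_session_profile(SAMPLE_STS_OUTPUT, path, now=SAMPLE_NOW)
```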

I ended up using AmazonEC2ContainerRegistryPowerUser, as it seemed a better option than Full Access. Here are the policies I found as of June 2019:

The user must have GetAuthorizationToken for all resources on ECR. To make the policy tight, you can grant all other actions only to the desired registry and only ecr:GetAuthorizationToken to all resources. Here is an example policy to attach to your user:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ecr:BatchCheckLayerAvailability",
          "ecr:BatchGetImage",
          "ecr:CompleteLayerUpload",
          "ecr:GetDownloadUrlForLayer",
          "ecr:InitiateLayerUpload",
          "ecr:PutImage",
          "ecr:UploadLayerPart"
        ],
        "Effect": "Allow",
        "Resource": "<REPOSITORY_ARN_HERE>"
      },
      {
        "Action": [
          "ecr:GetAuthorizationToken"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
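The shape of that policy can be checked offline. This is an added example, not code from the answer: it flags a policy that does not grant ecr:GetAuthorizationToken on "*" (which is what produces the AccessDeniedException in the question) and lists any other ECR action that is allowed on "*" and so reaches every repository in the account. The repository ARN in the sample is a constructed placeholder.

```python
import fnmatch
import json

# Constructed sample in the shape of the policy above; the repository ARN is a placeholder.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:PutImage"],
     "Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-app"},
    {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"}
  ]
}""")


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_ecr_policy(policy):
    """Return {"token_on_star": bool, "overbroad": [...]} for the policy.

    token_on_star is True when ecr:GetAuthorizationToken is allowed on Resource "*"
    (that action is only ever granted on "*"); overbroad lists every other ECR
    action, or an ECR wildcard such as ecr:*, that is allowed on "*" and thus
    covers every repository instead of the intended one. Only a literal "*"
    Resource is treated as broad; action names are compared case-insensitively,
    as IAM does, with * and ? approximated by fnmatch.
    """
    token_on_star = False
    overbroad = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        on_star = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            pattern = action.lower()
            if not fnmatch.fnmatchcase(pattern, "ecr:*"):
                continue                                  # not an ECR action
            if on_star and fnmatch.fnmatchcase("ecr:getauthorizationtoken", pattern):
                token_on_star = True
            if on_star and pattern != "ecr:getauthorizationtoken":
                overbroad.add(action)
    return {"token_on_star": token_on_star, "overbroad": sorted(overbroad)}
```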

Just as it appears in the error description, I have to allow the action "GetAuthorizationToken" in my policy.
  {
    "Sid": "VisualEditor2",
    "Effect": "Allow",
    "Action": "ecr:GetAuthorizationToken",
    "Resource": "*"
  }
Note: this is not my full policy but a subsection of Statement.

I've found out that when 2FA is enabled there is no option to use aws ecr get-login; once I removed 2FA from my account I got the authorization token.

This was my guy EC2InstanceProfileForImageBuilderECRContainerBuilds

I had the same problem with ECS when I tried to push my container to the repository.
To solve it, I attached this to my IAM role: AmazonECS_FullAccess

In case you are trying to pull images from a PUBLIC AWS repository, you must add the following user permissions to your policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ecr-public:GetAuthorizationToken",
          "sts:GetServiceBearerToken"
        ],
        "Resource": "*"
      }
    ]
  }
Please see the full documentation here.

I had the same problem, but I had previously set a permission boundary limited to S3, which caused the issue.
Once I removed the permission boundary, it worked like a charm.

For me:
  - Effect: Allow
    Sid: VisualEditor2
    Action:
      - ecr:GetAuthorizationToken
      - ecr:BatchGetImage
      - ecr:GetDownloadUrlForLayer
    Resource: "*"

Related

CloudFront: why an Admin is not authorized to perform invalidation action?

I'm trying to create an invalidation using both the aws cli and the PHP SDK, using an administrator IAM user (full rights).
Here's the command line:
  aws cloudfront create-invalidation --distribution-id=E2NYX13BG????? --paths "/*"
But I always get this error message:
  Error: User: arn:aws:iam::5253618?????:user/algo is not authorized to perform:
  cloudfront:CreateInvalidation on resource:
  arn:aws:cloudfront::5253618?????:distribution/E2NYX13BG?????
EDIT ---
To clarify my doubt about this: there are two other questions, one and two, as pasted in the comments by @amitd. Both questions are referencing possible non-admin rights, and also possibly restricted CloudFront resources.
By "administrator" I mean that the IAM account has these rights to my whole AWS services:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
    ]
  }
As can be seen above, resources are not being restricted, so must I still create a different Statement item to add "Resource": "*" for CloudFront? Because it would make no sense at all.

Question about Lambda execution role when configuring credential rotation for Secret Manager

I created a rotation function manually and linked it to Secrets Manager. I've managed to enable the rotation, but when I checked the logs in CloudWatch for this rotation Lambda, it shows me this error:
  [ERROR] ClientError: An error occurred (AccessDeniedException)
  when calling the DescribeSecret operation:
  User: arn:awsxxxxxxx:assumed-role/xxxxx-lambda-exec-role/
  MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret
  on resource: MysecretARN
I know something is wrong with my execution role, so I checked the policy attached to this role; it has:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "secretsmanager:GetSecretValue",
          "secretsmanager:DescribeSecret",
          "lambda:InvokeFunction",
          "secretsmanager:PutSecretValue",
          "secretsmanager:UpdateSecretVersionStage",
          "secretsmanager:RotateSecret"
        ],
        "Resource": [
          "arn:aws:secretsmanager:us-east-1:xxx",
          "arn:aws:lambda:us-east-1:xxx"
        ]
      }
    ]
  }
I also attached AWSLambdaBasicExecutionRole to my exec role. Am I missing something else? Why do I keep getting that error? I've been messing around with this whole rotation thing, exhausted! Please help.
I also tried to add a few KMS actions but I'm still getting the same error... I've been working on this for a couple of days now and the AWS documents are very confusing, and some even lead me in a completely different direction... Why is it so complicated to configure a bloody rotation.... (crying)
Make sure that the secret ARN is present in the Resource section of the policy. The error message says 'MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret on resource: MysecretARN',
but I don't see MysecretARN in the list of resources you allow the Lambda to access.
All secrets in Secrets Manager are encrypted with a key (AWS KMS). Please ensure that your Lambda has permission to read the needed key.
UPD: I mean that the logic is the following: the Lambda must have permission to read the secret and to use the key (KMS) to decrypt the value of the secret.
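The mismatch the answer points at can be checked mechanically from the log line. As an added example (not part of the answer above), this parses the action and resource out of the AccessDeniedException text and lists which Resource entries of the role policy actually cover that ARN; an empty list is the problem. The account id and secret ARN are constructed placeholders in the shape of the question.

```python
import fnmatch
import re

# Constructed: the message from the question with a placeholder account id and secret ARN.
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the DescribeSecret operation: "
    "User: arn:aws:sts::111122223333:assumed-role/xxxxx-lambda-exec-role/MyLambdaName "
    "is not authorized to perform: secretsmanager:DescribeSecret "
    "on resource: arn:aws:secretsmanager:us-east-1:111122223333:secret:MySecret-AbCdEf"
)

# Constructed: the role policy from the question, Resource entries as posted.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": ["arn:aws:secretsmanager:us-east-1:xxx", "arn:aws:lambda:us-east-1:xxx"],
    }],
}

DENIED_RE = re.compile(r"not authorized to perform: (\S+) on resource: (\S+)")


def parse_access_denied(message):
    """Return (action, resource_arn) from an IAM access-denied message."""
    match = DENIED_RE.search(message)
    if not match:
        raise ValueError("not an IAM access-denied message")
    return match.group(1), match.group(2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def covering_resources(policy, action, resource_arn):
    """Resource patterns of Allow statements that cover both the action and the ARN.

    An empty list is the gap in the question: the ARN from the error is in no
    Resource entry. IAM's * and ? wildcards are approximated with fnmatch, and the
    match is case-sensitive like IAM resource ARNs.
    """
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        hits += [p for p in _as_list(stmt["Resource"]) if fnmatch.fnmatchcase(resource_arn, p)]
    return hits
```

Secrets Manager appends a random suffix to secret ARNs, so a Resource of the form secret:MySecret-* (or the exact ARN from the console) is what makes the check pass.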

How to create an IAM role of specific type using boto3?

I'm trying to lock down a user to a specific VPC in AWS and am following How to Help Lock Down a User's Amazon EC2 Capabilities to a Single VPC | AWS Security Blog.
It is mentioned that we need to create an IAM role with the name VPCLockDown of type AWS Service
and add the services for which the role needs access, like ec2, lambda etc.
I was trying to create this role programmatically using boto3.
I checked the create_role documentation for creating a role using boto3.
However, it doesn't mention anything about specifying the type of role or the services the role should have access to.
Is there any way to specify these items while creating the IAM role using boto3?
Edit1:
I tried creating a service_linked_role as per Sudarshan Rampuria's answer, like this:
  import boto3

  iam = boto3.client("iam")
  response = iam.create_service_linked_role(
      AWSServiceName='ec2.amazonaws.com',
  )
But I get the following error:
  An error occurred (AccessDenied) when calling the
  CreateServiceLinkedRole operation: Cannot find Service Linked Role
  template for ec2.amazonaws.com
You can use the create_service_linked_role() function in boto3 to link a role to a service:
https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_service_linked_role
Here is a policy that allows a specific IAM user to launch an instance (RunInstances), but only in a given VPC:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "EC2RunInstancesVPC",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": "arn:aws:ec2:ap-southeast-2:111111111111:subnet/*",
        "Condition": {
          "StringEquals": {
            "ec2:vpc": "arn:aws:ec2:ap-southeast-2:111111111111:vpc/vpc-abcd1234"
          }
        }
      },
      {
        "Sid": "RemainingRunInstancePermissions",
        "Effect": "Allow",
        "Action": "ec2:RunInstances",
        "Resource": [
          "arn:aws:ec2:ap-southeast-2:111111111111:instance/*",
          "arn:aws:ec2:ap-southeast-2:111111111111:volume/*",
          "arn:aws:ec2:ap-southeast-2::image/*",
          "arn:aws:ec2:ap-southeast-2::snapshot/*",
          "arn:aws:ec2:ap-southeast-2:111111111111:network-interface/*",
          "arn:aws:ec2:ap-southeast-2:111111111111:key-pair/*",
          "arn:aws:ec2:ap-southeast-2:111111111111:security-group/*"
        ]
      }
    ]
  }
Change the ec2:vpc value in the Condition to your own VPC ARN. You might need to change the Region. (I tested it in the Sydney region.)
For anyone trying to do this for Lambda: we get a similar error to the one mentioned by the question author under "Edit1". Lambda doesn't have a service-linked role. You can see from the AWS Lambda documentation that "create-role" is used for creating the Lambda execution role.
You can also see here that only Lambda@Edge has a service-linked role.
One just needs to use boto3 create_role with a policy document:
  import boto3

  iam_client = boto3.client("iam")
  # AssumeRolePolicyDocument is the trust policy: it lets the Lambda service assume the role.
  response = iam_client.create_role(
      RoleName="some-role-name",
      AssumeRolePolicyDocument='{"Version": "2012-10-17","Statement": [{ "Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}',
      Description='Lambda role'
  )

How do I make this IAM role error in aws sagemaker go away?

I suspect this has more to do with IAM roles than SageMaker.
I'm following the example here.
Specifically, when it makes this call
  tf_estimator.fit('s3://bucket/path/to/training/data')
I get this error:
  ClientError: An error occurred (AccessDenied) when calling the GetRole operation: User: arn:aws:sts::013772784144:assumed-role/AmazonSageMaker-ExecutionRole-20181022T195630/SageMaker is not authorized to perform: iam:GetRole on resource: role SageMakerRole
My notebook instance has an IAM role attached to it.
That role has the AmazonSageMakerFullAccess policy. It also has a custom policy that looks like this:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::*"
        ]
      }
    ]
  }
My input files and .py script are in an S3 bucket with the phrase sagemaker in its name.
What else am I missing?
If you're running the example code on a SageMaker notebook instance, you can use the execution role, which has AmazonSageMakerFullAccess attached:
  import sagemaker
  from sagemaker import get_execution_role

  sagemaker_session = sagemaker.Session()
  role = get_execution_role()   # the role attached to the notebook instance
And you can pass this role when initializing tf_estimator.
You can check out the example here for using the execution role with S3 on a notebook instance.
This is not an issue with the S3 bucket policy but with IAM. The user role that you're choosing has a policy attached that doesn't give it permission to manage other IAM roles. You'll need to make sure the role you're using can manage (create, read, update) IAM roles.
Hope this helps!
Try using aws configure and make sure you are the expected user. If not, change/update your credentials. This worked for me.

AWS EMR Cluster fails to launch

I am trying to launch an AWS EMR cluster from the AWS Console, and am getting the following error:
  Failed to provision ec2 instances because 'IAM Instance Profile "arn:aws:iam::553706642095:instance-profile/EMR_EC2_DefaultRole" has no associated IAM Roles
Anyone know what this means and how to resolve it?
The following is the role policy:
  {
    "Statement": [
      {
        "Action": [
          "cloudwatch:*",
          "dynamodb:*",
          "ec2:Describe*",
          "elasticmapreduce:Describe*",
          "rds:Describe*",
          "s3:*",
          "sdb:*",
          "sns:*",
          "sqs:*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
Its trust policy document is:
  {
    "Version": "2008-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
I finally resolved this issue. It was confusing because the instance profile and the role use the same name by default. The full steps are outlined below, but you may be able to skip some of them.
Create the default roles (if this errors, downgrade to awscli version 1.10.30):
  aws emr create-default-roles
Create the instance profile if it doesn't already exist:
  aws iam create-instance-profile --instance-profile-name EMR_EC2_DefaultRole
Verify that the instance profile exists but doesn't have any roles:
  aws iam get-instance-profile --instance-profile-name EMR_EC2_DefaultRole
Add the role using:
  aws iam add-role-to-instance-profile --instance-profile-name EMR_EC2_DefaultRole --role-name EMR_EC2_DefaultRole
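The same check-then-fix can be scripted so it is not skipped when the profile and role names coincide. This is an added example with boto3, not code from the answer: the pure functions inspect the GetInstanceProfile and GetRole responses (exercised here on constructed samples that mirror the question's trust policy), and attach_if_missing() performs the real calls only when handed a client; EMR_EC2_DefaultRole is the name from the question.

```python
PROFILE_NAME = "EMR_EC2_DefaultRole"   # profile and role share this name by default

# Constructed: GetInstanceProfile response for a profile that exists but carries no role.
EMPTY_PROFILE = {"InstanceProfile": {"InstanceProfileName": PROFILE_NAME, "Roles": []}}

# Constructed: GetRole response carrying the trust policy shown in the question.
EMR_ROLE = {"Role": {"RoleName": PROFILE_NAME, "AssumeRolePolicyDocument": {
    "Version": "2008-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}]}}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def profile_role_names(get_instance_profile_response):
    """Role names attached to the profile; [] is the state behind the EMR error."""
    return [r["RoleName"] for r in get_instance_profile_response["InstanceProfile"]["Roles"]]


def trusts_ec2(get_role_response):
    """True if the trust policy lets EC2 assume the role (required for an instance profile)."""
    doc = get_role_response["Role"]["AssumeRolePolicyDocument"]   # boto3 returns it decoded
    for stmt in doc.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
                and "ec2.amazonaws.com" in services):
            return True
    return False


def attach_if_missing(iam, profile_name=PROFILE_NAME, role_name=PROFILE_NAME):
    """boto3 equivalent of the get-instance-profile / add-role-to-instance-profile steps.

    Returns True when the role was added, False when it was already attached.
    """
    if role_name in profile_role_names(iam.get_instance_profile(InstanceProfileName=profile_name)):
        return False
    if not trusts_ec2(iam.get_role(RoleName=role_name)):
        raise RuntimeError(f"{role_name} does not trust ec2.amazonaws.com")
    iam.add_role_to_instance_profile(InstanceProfileName=profile_name, RoleName=role_name)
    return True


if __name__ == "__main__":
    import boto3                                  # real AWS call only when run directly
    print("attached" if attach_if_missing(boto3.client("iam")) else "already attached")
```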
You have only read-only permission for EMR:
  "elasticmapreduce:Describe*",
You need to give full access to Elastic MapReduce so that you can launch/terminate clusters. Once you give this access, the role policy will look like:
  "elasticmapreduce:*",
I tried around and could get it to work without the tool, using my own CloudFormation stack.
The key is that you have to have an InstanceProfile for the flow role, and both the flow and service role have to be provided as ARNs.
That's how I got it to work for me!
Hope that helps someone else as well.
I got the same issue. Instead of giving a new cluster name, I just kept the same default cluster name 'My Cluster' and clicked on 'Create cluster' again. It was created without this error.