I've tried to connect a simple db in DynamoDB with a basic API in API Gateway that I've built. I followed this guide: https://www.youtube.com/watch?v=TuGyyTXPQ-U and after creating the DB, generating the role with the appropriate permissions and generating a simple get request in the API gateway I keep running into this error:
{
"message": "AWS ARN for integration contains invalid action"
}
I get this with both post/get requests in my API. Pretty new to AWS so anything would help. Thanks!
You can get that error if the action on the integration is blank or missing. On the integration page, ensure that "Action type" is set to "Use action name" and ensure that "Action" is set to "PutItem".
This error is related to the ARN Role. Check the IAM role, and check that it has DynamoDB full access permission.
NB: Use an IAM Role instead of an IAM User.
I am trying to upload a new AWS GameLift Linux server using the AWS CLI but I get the following error:
An error occurred (AccessDeniedException) when calling the CreateBuild operation: User: arn:aws:iam::------:user/----- is not authorized to perform: gamelift:CreateBuild because no identity-based policy allows the gamelift:CreateBuild action
I added the arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy to my group permissions. I can see in the policy json that there isn't a CreateBuild action. It either needs to be added or you can't do it this way.
The AWS documentation is useless and on this page: https://docs.aws.amazon.com/gamelift/latest/developerguide/security_iam_troubleshoot.html#security_iam_troubleshoot-no-permissions
it helpfully advises: ... asks his administrator to update his policies
My user is the main root user for my AWS account but I have no idea how to resolve this. Any ideas?
I worked out how to create a new Policy and add the service permissions. You click on 'create policy' and then choose the 'GameLift' service. I added all the available actions. Seemed to do the trick.
Why did AWS miss this out of the documentation?
As mentioned in step-3 of this blog by AWS, I have created a role to invoke a SageMaker endpoint. But when I deploy the API to a stage, I get "AWS ARN for integration contains invalid action" and I can't deploy the stage.
The blog suggested to select API Gateway under services and to keep on next, but didn't mention which policy will be attached, and also that another inline policy to invoke a specific SageMaker endpoint is to be created and attached.
And as mentioned in the AWS docs:
It must also have API Gateway declared (in the role's trust
relationship) as a trusted entity to assume the role.
My role also has the trust relationship:
What's missing in my role that led to the error?
Check in all your API methods that you haven't specified "Use Action Name" for any integration request, and then left the "Action" field blank. If you do, the "AWS ARN for integration contains invalid action" error message will be shown.
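A check for the blank-action condition described in the answers above, added here as an example and not part of the original posts: it scans AWS-type integrations for a URI whose action segment is empty. The sample definition, account ID and role name are constructed, and it is an assumption that the integration appears in an exported definition with a URI of the form arn:aws:apigateway:{region}:{service}:action/{ActionName}.

```python
import re

# Integration URI form for AWS service integrations that use an action name:
#   arn:aws:apigateway:{region}:{service}:action/{ActionName}
ACTION_URI = re.compile(
    r"^arn:aws:apigateway:(?P<region>[a-z0-9-]+):(?P<service>[a-z0-9.-]+):"
    r"action/(?P<action>.*)$"
)

# Constructed sample in the shape of a REST API definition with
# x-amazon-apigateway-integration blocks (account and role are made up).
SAMPLE_EXPORT = {
    "paths": {
        "/items": {
            "get": {"x-amazon-apigateway-integration": {
                "type": "aws",
                "uri": "arn:aws:apigateway:us-east-1:dynamodb:action/",
                "credentials": "arn:aws:iam::111122223333:role/ExampleRole"}},
            "post": {"x-amazon-apigateway-integration": {
                "type": "aws",
                "uri": "arn:aws:apigateway:us-east-1:dynamodb:action/PutItem",
                "credentials": "arn:aws:iam::111122223333:role/ExampleRole"}},
        }
    }
}


def find_blank_actions(export):
    """Return (path, METHOD, service) for each AWS integration with an empty action."""
    findings = []
    for path, methods in export.get("paths", {}).items():
        for method, spec in methods.items():
            if not isinstance(spec, dict):
                continue
            integ = spec.get("x-amazon-apigateway-integration", {})
            if integ.get("type") != "aws":
                continue  # HTTP, mock and proxy integrations carry no action name
            match = ACTION_URI.match(integ.get("uri", ""))
            if match and not match.group("action").strip():
                findings.append((path, method.upper(), match.group("service")))
    return findings


if __name__ == "__main__":
    for path, method, service in find_blank_actions(SAMPLE_EXPORT):
        print(f"{method} {path}: {service} integration has no action name")
```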
I am trying to follow this job aid to create an API gateway rest endpoint with an s3 integration.
https://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-s3.html
However, when I try to create my execution role in IAM, there is only one use case at the bottom for API gateway. "Allows API Gateway to push logs to CloudWatch Logs." I am unable to attach an s3 policy to the API gateway role. Is this documentation out of date? How do I add the execution role for s3?
First you create the role with the CloudWatch policy,
then you go in your role list in IAM and find the role you just created,
inside the role you can click on the "attach policy" button and add any policies.
cheers
So I am following this Tutorial
I have created a role and attached the AmazonDynamoDBFullAccess policy to it ...
When I assign this role to Gateway API .... like this
I keep getting this error ...
Execution failed due to configuration error: API Gateway does not have
permission to assume the provided role
Isn't the "AmazonDynamoDBFullAccess" policy that I have applied to my role "MyDynamoRole" enough to give Gateway API necessary permissions ?
Found a solution ....
Under "Role --> Trust Relationship", I have added another service i.e. API Gateway ...
"apigateway.amazonaws.com"
and all good now ...
For people that might be struggling to create a role via the console, the hack is to use EC2 or Lambda based IAM roles to create a generic role and then edit the Trust Relationships to have the service.
"apigateway.amazonaws.com"
I have the policy: AmazonAPIGatewayInvokeFullAccess
and the user is associated with this policy, but when I simulate the action to invoke the API it says access denied. Can anyone help me understand what the problem is here?
Find simulator image here
The IAM policy simulator covers resource based permissions. Please make sure that you specify a resource ARN to test against since this is '*' by default (which doesn't work with API Gateway). You can enter the resource ARN by clicking on that service row.
Please use the following format for your resource ARN:
arn:aws:execute-api:us-west-1:YOUR-ACCOUNT:YOUR-REST-API-ID/YOUR-STAGE/GET/YOUR-RESOURCE-PATH
Hope this helps,
Jurgen, API Gateway