I am trying to setup the CodeDeploy service with one of my ec2 instances. On the form to do this, everything works properly until I reach the "Service Role" section.
This field does not display any possible ARNs.
This is what I see:
I created an IAM user and gave them Admin privileges and pasted their ARN into this field and got the error message
Cannot assume role provided.
Does anyone know the reason this is happening?
I had to add "codedeploy.amazonaws.com" to the Role Trust Relationships:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"codedeploy.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
You skipped step 3 in the Getting Started guide: Create a Service Role.
Related
I created an IAM role using the aws console and attached AmazonS3FullAccess policy. When I spun up an ec2 instance and tried to attach the profile, the profile does not show up in the list of available profile.
I have the following permissions:
"iam:PassRole",
"iam:ListInstanceProfiles"
What permissions do I need to list the profiles? Not sure what is missing, any help/guidance would be much appreciated.
Thank You!
You need the following as the Trust Relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I am planning to implement AssumeRole scenario so below is scenario
user will have ability to create/stop Ec2 instances but not terminate.
To terminate he has to assume role (role to be assumed Ec2FullAccess)
I have done the following
Create a user Test1 with permission to start/stop/launch Ec2 instance and have provided permission to assume role (EC2FullAccess) below is the Policy for user
{
"Version": "2012-10-17",
"Statement": [<br>
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "ec2:TerminateInstances",
"Resource": "*"
},
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::226904037275:role/EC2FullAccess"
}
]
}
Create a role in same account with name EC2FullAccess which would give permission to terminate Ec2 instance
Ec2FullAccess uses AmazonEC2FullAccess Permission Policy below is its Trust Policy
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Now when i login as IAM user Test1 and then click on switch role ,i provide below details
Account: 1234
Role: EC2FullAccess
When i click on Switch Role i get Below error
Invalid information in one or more fields. Check your information or contact your administrator.
What is that I am missing
You can create the Role this way:
Create Role
For Type of Trusted Entity, select Another AWS Account and enter the Account ID for the same account (it is displayed in the same menu as the 'Switch Role' command) -- This might seem odd, but it creates the correct principal in the Trust Policy.
Attach desired policies and Save
Then, use Switch Role.
By the way, assigning EC2FullAccess is probably overkill -- it gives permission to do anything in EC2, including deleting VPCs, deleting Amazon EBS volumes, changing network settings, etc. I suggest you create a specific policy that grants TerminateInstances permission, and possibly even reduce that down to specific instances (eg by tag or VPC).
I want to restrict access for a specific user to see just few EC2 instances. I created a new user in IAM Roles and I attached a new Policy to it. The content of that Policy is attached below. I tried to look over documentation and to do it myself like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": [
"arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID1",
"arn:aws:ec2:eu-west-1:ACCOUNT_ID:instance/i-INSTANCE_ID2"
]
}
]
}
I placed my region,ACCOUNT_ID(the owner id, not of the new user created) and instance-id, but when I connect with that user and I go to list all Instances I got this An error occurred fetching instance data: You are not authorized to perform this operation..
After I placed the code in JSON editor, in Policy Review step I got this message:
This policy defines some actions, resources, or conditions that do not
provide permissions. To grant access, policies must have an action
that has an applicable resource or condition. For details, choose Show
remaining Learn more
The AWS documentation mention exactly the same configuration or these examples.
I assume you connect as that user in the console (but it would be the same with CLI) Here is what I think is happening:
To list all the instances, the console most probably calls the DescribeInstances API. As per the list of action/resources/tags that can be used in IAM policy, this API does not support the resource filter in IAM.
This means your user has no authorization to list instances and they will not be shown in the console. You can validate this theory by using the CLI to request the details of a specific instance id, if my hypothesis is correct, it will be authorized.
As DescribeInstances can not be restricted by resource or tags, I don't think it is possible to filter the instance list for a user.
To have the console working, you'll need to add the following statement in your IAM policy
"Statement": [
{ your existing statement },
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
Please report if I was right :-) The example you mentioned in your question shows exactly that : Resources = * on DescribeInstances and Resources specific InstanceId on other operations.
The previous answer is wrong, you can Conditionally allow access to ec2:DescribeInstances by tag names. It's an AWS best practice as well. Also explicitly deny access to the ec2:CreateTags and ec2:DeleteTags actions to prevent users from creating or deleting tags to take control of the instance.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/UserName": "${aws:username}"
}
}
},
{
"Effect": "Deny",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "*"
}
]
}
DescribeInstances action does not support condition.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
I am attempting to auto-deploy DAX for DynamoDB, but keep getting the following error from both python and CLI:
An error occurred (InvalidParameterValueException) when calling the CreateCluster operation: No permission to assume role: arn:aws:iam::xxxxxxxxxxxx:role/service-role/230e772f-DAXServiceRole
The CLI command i use is:
aws dax create-cluster --region some.region --cluster-name some.dax_name --node-type some.node_type --replication-factor 1 --subnet-group-name some.subnet_group_name --security-group-ids some.security_group_id --iam-role-arn some.iam_role_arn
Running this directly from the cli, works fine, running it manually through console also works fine. Anyone else had this issue?
OK, looks like my script was attempting to create the DAX cluster too soon after it created the role. This caused it to not be able to find it. I added time between and it was able to find the role.
The IAM role needs to be created with service or else you will face the same error, for example I have created role with below policy and I faced the same issue.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "some role arn"
},
"Action": "sts:AssumeRole"
}
]
}
Basically the above policy will add trust entities under Principal.
Dax IAM role need to create with below policy method to avoid above error.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "dax.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
For more details please check aws doc https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.create-cluster.cli.create-service-role.html
I'm trying to follow this tutorial, but when I try to test the API I've created, I get the following message:
API Gateway does not have permission to assume the provided role
The API request should be posting to a DynamoDB table I've created.
I've created an IAM Role and attached the policy AmazonDynamoDBFullAccess. I've also tried attaching this policy to my administrator user.
Here is the integration request in my API:
Any help is much appreciated.
Below worked for me
Go to IAM > Roles > whateverRole > Trust Relationships > Edit Trust Relationship and add apigateway under Statements
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Assisted by this guy https://histerr.blogspot.com/2016/06/api-gateway-does-not-have-permission-to.html?showComment=1549214559316#c3046645274286738526
The ARN you have provided for the IAM Role is a policy. It needs to be a role. Please go to your generated role and update your ARN to that. It should look something like this *:role/AmazonDynamoDBFullAccess-201709151726