Questions tagged with IAM Policies
I'm unable to use AWS Lambda and can't find a reasonable explanation.
- Dashboard shows error box with empty message
- Create form shows a spinner for 10 seconds and then stops and nothing happens
- API returns `{"message": null}`
- The user has enough permissions to use Lambda

I can only ask whether someone has faced something similar, since support doesn't want to answer my ticket.
Thanks
I used to have access to WorkDocs files that were shared with me, but now I don't. I requested permission but I have no idea where the request goes. How do I get access back?
The error message I'm getting:
Error message not found: ATHENA_CLIENT_ERROR. Can't find bundle for base name com.simba.athena.athena.jdbc42.messages, locale en_US
We have a data lake architecture which we stood up on AWS S3. When I'm trying to run queries against the tables in the Curated db, in Athena, I'm getting results. When I copy the same query and paste it into the custom SQL function in Tableau, it gives me an error. This issue is affecting our business and needs to be resolved as soon as possible.
Please send me an answer if you have previously dealt with this kind of issue.
Other stuff:
I have `*` access, meaning I have full access in AWS.
Hi,
I am migrating a dashboard from one AWS account to another AWS account. In the target account, I want users to have access so that they can copy the dashboard to create a new one.
But I am not able to do this via the API. Is there any API which can provide Save As privileges?
I have a Lambda function with Python code that connects to my OpenSearch Service domain. Now when I test the code in Lambda I get this error:
`"body": "{\"Message\":\"User: arn:aws:sts::700875800956:assumed-role/lambdaRole/testFunction is not authorized to perform: es:ESHttpGet because no identity-based policy allows the es:ESHttpGet action\"}"`
But lambdaRole has all these permissions, so I don't know what I'm doing wrong:

This is the JSON of the OpenSearch Service policy:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "es:DeleteOutboundConnection",
        "es:UpdateVpcEndpoint",
        "es:DeletePackage",
        "es:ListVpcEndpoints",
        "es:ListVpcEndpointsForDomain",
        "es:ListElasticsearchInstanceTypeDetails",
        "es:ListDomainsForPackage",
        "es:ListInstanceTypeDetails",
        "es:AuthorizeVpcEndpointAccess",
        "es:AcceptInboundConnection",
        "es:DeleteElasticsearchServiceRole",
        "es:DescribeInboundConnections",
        "es:DescribeOutboundConnections",
        "es:DescribeReservedInstances",
        "es:AcceptInboundCrossClusterSearchConnection",
        "es:DescribeReservedInstanceOfferings",
        "es:DescribeInstanceTypeLimits",
        "es:DescribeVpcEndpoints",
        "es:ListVpcEndpointAccess",
        "es:DeleteInboundCrossClusterSearchConnection",
        "es:DescribeOutboundCrossClusterSearchConnections",
        "es:DeleteOutboundCrossClusterSearchConnection",
        "es:DescribeReservedElasticsearchInstanceOfferings",
        "es:CreateServiceRole",
        "es:CreateElasticsearchServiceRole",
        "es:UpdatePackage",
        "es:RejectInboundCrossClusterSearchConnection",
        "es:DeleteInboundConnection",
        "es:GetPackageVersionHistory",
        "es:RejectInboundConnection",
        "es:PurchaseReservedElasticsearchInstanceOffering",
        "es:CreateVpcEndpoint",
        "es:DescribeInboundCrossClusterSearchConnections",
        "es:ListVersions",
        "es:DescribeReservedElasticsearchInstances",
        "es:ListDomainNames",
        "es:PurchaseReservedInstanceOffering",
        "es:CreatePackage",
        "es:DeleteVpcEndpoint",
        "es:DescribePackages",
        "es:ListElasticsearchInstanceTypes",
        "es:ListElasticsearchVersions",
        "es:DescribeElasticsearchInstanceTypeLimits",
        "es:RevokeVpcEndpointAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "es:*",
      "Resource": "arn:aws:es:xxxx:domain/project"
    }
  ]
}
```
When I'm testing my Lambda function I get this error:
```
"body": "{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxxxx:role/service-role/testFunction-role-etjiy0ib
```
But if I go to the IAM dashboard and open testFunction-role-etjiy0ib, this role has all these permissions:

What am I doing wrong?
Is there a way we can restrict access to AWS resources for certain user IDs through an assumed-role session name? Something like below?
```
{
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": [
    "ec2:*"
  ],
  "Resource": "arn:aws:ec2:*:1234567890:*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalArn": "arn:aws:sts::1234567890:assumed-role/accounting-role-name/kalmesh@xyz.com"
    }
  }
}
```
I tried multiple combinations for *StringEquals* and *aws:PrincipalArn* fields but didn't get it working.
I'm trying to use the AWS CLI to create a Lambda function from an ECR image but no matter what permissions I give my IAM user, I keep getting this error. I pasted the permissions my IAM user has below, as well as the AWS CLI command I'm using. I even checked with the policy simulator which says I should be able to call the CreateFunction function. I'm not sure what policies I'm missing or what is causing this error. Any help would be great!
IAM Policies:
* IAMReadOnlyAccess
* AmazonS3FullAccess
* AmazonEC2ContainerRegistryPowerUser
* AmazonDynamoDBFullAccess
Actions on Custom Policies with resource defined as "*":
* lambda:CreateFunction
* lambda:UpdateFunctionCode
* iam:PassRole
* lambda:GetFunction
* lambda:UpdateFunctionConfiguration
* logs:CreateLogGroup
* logs:CreateLogStream
* logs:PutLogEvents
* ecr:GetAuthorizationToken
Actions on Custom Policies with resource defined as the ARN of the ECR image:
* ecr:GetDownloadUrlForLayer
* ecr:BatchGetImage
* ecr:CompleteLayerUpload
* ecr:UploadLayerPart
* ecr:InitiateLayerUpload
* ecr:BatchCheckLayerAvailability
* ecr:PutImage
Running the following ECR Command:
`aws lambda create-function --function-name guest-registration --handler app.handler --package-type Image --role **** --runtime python3.7 --code 'ImageUri=<link-to-ecr-image>' --region us-east-1`
Hi,
We are looking to implement AWS Rekognition for specific use cases. Please find below the use cases for your reference:
1. Half Image Ban: We are looking to conduct facial recognition and ban all half images uploaded in our application by end users while creating their profiles. Kindly provide the required code snippets to enable this feature of AWS Rekognition in our application.
2. Memes and GIFs Ban: Our application aims to create genuine profiles of users. As a part of this, we are looking to enable images of end users' faces. We request to disallow all users from uploading memes and GIFs while uploading their photograph in the account creation section. Kindly provide the required code snippets to enable this feature of AWS Rekognition to disallow meme and GIF uploads in the application.
Hello,
I am trying to create a new Elastic Beanstalk application in the us-east-1 region using the eb create command:
**eb create optimization-app**
I have also tried to specify a service role:
**eb create optimization-app --service-role aws-elasticbeanstalk-service-role**
I am getting an exception: **ERROR: AlreadyExistsError - Cannot exceed quota for PoliciesPerRole: 10**
I have tried creating a new service role with only 2 policies on that role and tried to create the application, but I still get the same error.
This used to work until a few days ago. I am not sure what the reason is. I am not getting any other message to check the reason for this.
Any help is appreciated.
Best,
Pavan
Below is the CloudFormation template that I am using to create an EC2 instance and IAM roles to access an S3 bucket.
```
AWSTemplateFormatVersion: '2010-09-09'
Description: Attach IAM Role to an EC2
Parameters:
  S3KeyId:
    Description: S3 KMS custom key ID
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: /CNS/resources/s3_key_id
  SecretsmanagerKeyId:
    Description: ID of Secretsmanager KMS custom key
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: /CNS/resources/secretsmanager_key_id
  # BUCKET_NAME:
  #   Type: String
  #   Description: Name of the S3 Bucket Name
  #   Default: "sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"
Resources:
  Test:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0661da39e6a5cdXXX
      SubnetId: subnet-0061b7c02f9a07XXX
      IamInstanceProfile:
        Ref: ListS3BucketsInstanceProfile
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - Ref: ListS3BucketsRole
  ListS3BucketsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ListS3BucketsPolicy
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:List
              - s3:GetObject
              - s3:GetObjectAcl
              - s3:ListObjectsV2
              - s3:PutObjectAcl
              - s3:PutObject
              - s3:ListObjects
            Resource: "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"
      Roles:
        - Ref: ListS3BucketsRole
  ListS3BucketsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
```
When I SSH to the VM, I get errors like the ones below:
Copying contents from S3 to EC2... Access Denied
```
aws s3 cp s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/* . --request-payer requester --recursive
fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
aws s3 ls s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/*
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
```
Listing files in that S3 bucket... Access Denied
```
aws s3 ls s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
```
Any lead would be greatly appreciated!
Thank you.
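A question that both the OpenSearch Lambda post and this CloudFormation post raise is which resource ARNs a statement's `Resource` pattern actually covers, since a bare bucket or domain ARN and the same ARN with a trailing `/*` match different requests. The following is an added example, not code from any of the posts: a small offline evaluator that applies IAM's wildcard matching and Deny precedence so the two variants can be compared; the `example-bucket` name, the `_search` path and the `DOMAIN_AND_PATHS` variant are constructed for illustration.

```python
"""Offline check of which (action, resource) pairs an IAM policy covers.

Added example for the OpenSearch and S3 posts above, not code from any post.
It applies IAM's wildcard rules ('*' = any run of characters, '?' = one
character; action names match case-insensitively, ARNs case-sensitively),
with an explicit Deny beating any Allow and an implicit default deny.
Conditions, NotAction and NotResource are not modelled.
"""
import re


def iam_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """True if an IAM pattern such as 'es:*' or 'arn:aws:s3:::b/*' matches value."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one action on one resource ARN against an identity-based policy."""
    allowed = False
    for stmt in as_list(policy["Statement"]):
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        if not any(iam_match(a, action, ignore_case=True) for a in actions):
            continue
        if not any(iam_match(r, resource) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny wins over every Allow
        allowed = True
    return allowed


# Constructed from the OpenSearch post: es:* scoped to the bare domain ARN.
DOMAIN_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "es:*", "Resource": "arn:aws:es:xxxx:domain/project"}]}
# Same statement with a trailing /* so paths under the domain are covered too.
DOMAIN_AND_PATHS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "es:*", "Resource": "arn:aws:es:xxxx:domain/project/*"}]}
# Bucket-ARN-only statement, the shape used in the CloudFormation post (constructed name).
BUCKET_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket"}]}

if __name__ == "__main__":
    print(is_allowed(DOMAIN_ONLY, "es:ESHttpGet", "arn:aws:es:xxxx:domain/project/_search"))
    print(is_allowed(BUCKET_ONLY, "s3:GetObject", "arn:aws:s3:::example-bucket/config.json"))
```

Run the script to see that a bucket-level ARN allows `s3:ListBucket` on the bucket but not `s3:GetObject` on a key beneath it, which is exactly the distinction a bucket/`*` pair of resources in the statement would resolve.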
I am trying to launch a spot fleet request via a CloudFormation YAML template. During this process, I keep getting an error "#/SpotFleetRequestConfigData/LaunchSpecifications/0/IamInstanceProfile: expected type: JSONObject, found: String".
For some reason, I am unable to pass the role to the spot instance getting created. The script works fine without this particular line. The failing line is the first one in LaunchSpecifications. I tried to pipe in the raw JSON too, but that gives the same error. My guess is this is just a bad error message. How do I resolve this? Is there a way to check if this is a permissions issue? Also, this config works with launching a plain old EC2 instance. It just fails in the case of a SpotFleet request.
```
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template for launching a spot ec2-instance
Resources:
  SpotInstance:
    Type: "AWS::EC2::SpotFleet"
    Properties:
      SpotFleetRequestConfigData:
        IamFleetRole: arn:aws:iam::773057xxxxxx:role/aws-ec2-spot-fleet-tagging-role
        TargetCapacity: 1
        LaunchSpecifications:
          - IamInstanceProfile: arn:aws:iam::773057xxxxxx:instance-profile/EC2_Role_R53
            KeyName: xxxxxxxxxxxxxx
            NetworkInterfaces:
              - AssociatePublicIpAddress: true
                DeleteOnTermination: true
                DeviceIndex: '0'
                SubnetId: subnet-e18921ca
                Groups:
                  - sg-cfa4c3ab
                  - sg-01d9bd3d67ed8a312
            ImageId: ami-0574da719dca65348 # generic ubuntu ami 22.04
            InstanceType: t2.medium
```