Questions tagged with IAM Policies

I'm unable to use AWS Lambda or to find a reasonable explanation.
- Dashboard shows an error box with an empty message
- Create form shows a spinner for 10 seconds, then stops and nothing happens
- API returns `{"message": null}`
- The user has enough permissions to use Lambda

![AWS Lambda dashboard error](/media/postImages/original/IM_s3FBKPBRRm6boEVBcldQA)

I can just ask if someone faced something similar, since support doesn't want to answer my ticket. Thanks
0 answers | 0 votes | 23 views | asked 5 hours ago
I used to have access to WorkDocs files that were shared with me, but now I don't. I requested permission but I have no idea where the request goes. How do I get access back?
1 answer | 0 votes | 6 views | asked 2 days ago
The error message I'm getting: `Error message not found: ATHENA_CLIENT_ERROR. Can't find bundle for base name com.simba.athena.athena.jdbc42.messages, locale en_US`

We have a data lake architecture which we stood up on AWS S3. When I'm trying to run queries against the tables in the Curated db, in Athena, I'm getting results. When I copy the same query and paste it in the custom SQL function in Tableau it gives me an error. This issue is affecting our business and needs to be resolved as soon as possible. Please send me an answer if you have previously dealt with this kind of issue. Other stuff: I have * access, meaning I have all access in AWS.
0 answers | 0 votes | 5 views | asked 3 days ago
Hi, I am migrating a dashboard from one AWS account to another AWS account. In the target account, I want users to have access so that they can copy the dashboard to create a new one. But I am not able to do this via API. Is there any API which can provide Save As privileges?
0 answers | 0 votes | 3 views | asked 3 days ago
I have a Lambda function with Python code that connects to my OpenSearch Service. Now when I test the code in Lambda I get this error: `"body": "{\"Message\":\"User: arn:aws:sts::700875800956:assumed-role/lambdaRole/testFunction is not authorized to perform: es:ESHttpGet because no identity-based policy allows the es:ESHttpGet action\"}"`

But the lambdaRole has all these permissions, so I don't know what I'm doing wrong:

![Enter image description here](/media/postImages/original/IM637BIv-9T9alKXk0aVPK7g)

This is the JSON of the OpenSearch Service policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "es:DeleteOutboundConnection",
        "es:UpdateVpcEndpoint",
        "es:DeletePackage",
        "es:ListVpcEndpoints",
        "es:ListVpcEndpointsForDomain",
        "es:ListElasticsearchInstanceTypeDetails",
        "es:ListDomainsForPackage",
        "es:ListInstanceTypeDetails",
        "es:AuthorizeVpcEndpointAccess",
        "es:AcceptInboundConnection",
        "es:DeleteElasticsearchServiceRole",
        "es:DescribeInboundConnections",
        "es:DescribeOutboundConnections",
        "es:DescribeReservedInstances",
        "es:AcceptInboundCrossClusterSearchConnection",
        "es:DescribeReservedInstanceOfferings",
        "es:DescribeInstanceTypeLimits",
        "es:DescribeVpcEndpoints",
        "es:ListVpcEndpointAccess",
        "es:DeleteInboundCrossClusterSearchConnection",
        "es:DescribeOutboundCrossClusterSearchConnections",
        "es:DeleteOutboundCrossClusterSearchConnection",
        "es:DescribeReservedElasticsearchInstanceOfferings",
        "es:CreateServiceRole",
        "es:CreateElasticsearchServiceRole",
        "es:UpdatePackage",
        "es:RejectInboundCrossClusterSearchConnection",
        "es:DeleteInboundConnection",
        "es:GetPackageVersionHistory",
        "es:RejectInboundConnection",
        "es:PurchaseReservedElasticsearchInstanceOffering",
        "es:CreateVpcEndpoint",
        "es:DescribeInboundCrossClusterSearchConnections",
        "es:ListVersions",
        "es:DescribeReservedElasticsearchInstances",
        "es:ListDomainNames",
        "es:PurchaseReservedInstanceOffering",
        "es:CreatePackage",
        "es:DeleteVpcEndpoint",
        "es:DescribePackages",
        "es:ListElasticsearchInstanceTypes",
        "es:ListElasticsearchVersions",
        "es:DescribeElasticsearchInstanceTypeLimits",
        "es:RevokeVpcEndpointAccess"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "es:*",
      "Resource": "arn:aws:es:xxxx:domain/project"
    }
  ]
}
```
1 answer | 0 votes | 31 views | asked by robbe 3 days ago
When I'm testing my Lambda function I get this error:

```
"body": "{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"no permissions for [indices:data/read/search] and User [name=arn:aws:iam::xxxxxx:role/service-role/testFunction-role-etjiy0ib
```

But if I go to the IAM dashboard and open testFunction-role-etjiy0ib, this role has all these permissions:

![Enter image description here](/media/postImages/original/IMEJSmYP8JR-SJ-tEq2od1AQ)

What am I doing wrong?
1 answer | 0 votes | 25 views | asked by robbe 4 days ago
Is there a way we can restrict access to AWS resources for certain user IDs through an assumed-role session name? Something like below?

```json
{
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": [
    "ec2:*"
  ],
  "Resource": "arn:aws:ec2:*:1234567890:*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalArn": "arn:aws:sts::1234567890:assumed-role/accounting-role-name/kalmesh@xyz.com"
    }
  }
}
```

I tried multiple combinations for the *StringEquals* and *aws:PrincipalArn* fields but didn't get it working.
1 answer | 0 votes | 50 views | asked by kalmesh 4 days ago
I'm trying to use the AWS CLI to create a Lambda function from an ECR image, but no matter what permissions I give my IAM user, I keep getting this error. I pasted the permissions my IAM user has below, as well as the AWS CLI command I'm using. I even checked with the policy simulator, which says I should be able to call the CreateFunction function. I'm not sure what policies I'm missing or what is causing this error. Any help would be great!

IAM Policies:
* IAMReadOnlyAccess
* AmazonS3FullAccess
* AmazonEC2ContainerRegistryPowerUser
* AmazonDynamoDBFullAccess

Actions on Custom Policies with resource defined as "*":
* lambda:CreateFunction
* lambda:UpdateFunctionCode
* iam:PassRole
* lambda:GetFunction
* lambda:UpdateFunctionConfiguration
* logs:CreateLogGroup
* logs:CreateLogStream
* logs:PutLogEvents
* ecr:GetAuthorizationToken

Actions on Custom Policies with resource defined as the ARN of the ECR image:
* ecr:GetDownloadUrlForLayer
* ecr:BatchGetImage
* ecr:CompleteLayerUpload
* ecr:UploadLayerPart
* ecr:InitiateLayerUpload
* ecr:BatchCheckLayerAvailability
* ecr:PutImage

Running the following ECR Command:
`aws lambda create-function --function-name guest-registration --handler app.handler --package-type Image --role **** --runtime python3.7 --code 'ImageUri=<link-to-ecr-image>' --region us-east-1`
1 answer | 0 votes | 31 views | asked 5 days ago
Hi, we are looking to implement AWS Rekognition for specific use cases. Please find below the use cases for your reference:
1. Half Image Ban: We are looking to conduct facial recognition and ban all half images uploaded in our application by end users while creating their profiles. Kindly provide the required code snippets to enable this feature of AWS Rekognition in our application.
2. Memes and GIFs Ban: Our application aims to create genuine profiles of users. As a part of the same, we are looking to enable an image of the face of end users. We request to disallow all users from uploading memes and GIFs while uploading their photograph in the account creation section. Kindly provide the required code snippets to enable this feature of AWS Rekognition to disallow meme and GIF uploads in the application.
0 answers | 0 votes | 9 views | asked 5 days ago
Hello, I am trying to create a new Elastic Beanstalk application in the us-east-1 region using the eb create command: `eb create optimization-app`

I have also tried to specify a service role: `eb create optimization-app --service-role aws-elasticbeanstalk-service-role`

I am getting an exception: `ERROR: AlreadyExistsError - Cannot exceed quota for PoliciesPerRole: 10`

I have tried creating a new service role with only 2 policies on that role and tried to create the application, but I still get the same error. This used to work till a few days ago. I am not sure what the reason is. I am not getting any other message to check the reason for this. Any help is appreciated.

Best, Pavan
1 answer | 0 votes | 11 views | asked 6 days ago
Below is the CloudFormation template that I am using to create an EC2 instance and IAM roles to access an S3 bucket.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Attach IAM Role to an EC2
Parameters:
  S3KeyId:
    Description: S3 KMS custom key ID
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: /CNS/resources/s3_key_id
  SecretsmanagerKeyId:
    Description: ID of Secretsmanager KMS custom key
    Type: 'AWS::SSM::Parameter::Value<String>'
    Default: /CNS/resources/secretsmanager_key_id
  # BUCKET_NAME:
  #   Type: String
  #   Description: Name of the S3 Bucket Name
  #   Default: "sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"
Resources:
  Test:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro
      ImageId: ami-0661da39e6a5cdXXX
      SubnetId: subnet-0061b7c02f9a07XXX
      IamInstanceProfile:
        Ref: ListS3BucketsInstanceProfile
  ListS3BucketsInstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: "/"
      Roles:
        - Ref: ListS3BucketsRole
  ListS3BucketsPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: ListS3BucketsPolicy
      PolicyDocument:
        Statement:
          - Effect: Allow
            Action:
              - s3:List
              - s3:GetObject
              - s3:GetObjectAcl
              - s3:ListObjectsV2
              - s3:PutObjectAcl
              - s3:PutObject
              - s3:ListObjects
            Resource: "arn:aws:s3:::sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0"
      Roles:
        - Ref: ListS3BucketsRole
  ListS3BucketsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: "/"
```

When I ssh to the VM, I get errors like the ones below:

*Copy* contents from S3 to EC2: Access Denied

```
aws s3 cp s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/* . --request-payer requester --recursive
fatal error: An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
aws s3 ls s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/*
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
```

Listing files in that S3 bucket: Access Denied

```
aws s3 ls s3://sc-xxxxxxxxxxxxxxx-pp-o7dyvm3xd-configurestorebucket-4vtqanfcbcl0/
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
```

Any lead shall be greatly appreciated! Thank you.
2 answers | 0 votes | 24 views | asked 6 days ago
I am trying to launch a spot fleet request via a CloudFormation YAML. During this process, I keep getting an error: "#/SpotFleetRequestConfigData/LaunchSpecifications/0/IamInstanceProfile: expected type: JSONObject, found: String". For some reason, I am unable to pass the role to the spot instance getting created. The script works fine without this particular line. The failing line is the first one in LaunchSpecifications. I tried to pipe in the raw JSON too, but that gives the same error. My guess is this is just a bad error message. How do I resolve this? Is there a way to check if this is a permissions issue? Also, this config works with launching a plain old EC2 instance. It just fails in the case of a SpotFleet request.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: >-
  AWS CloudFormation template for launching a spot ec2-instance
Resources:
  SpotInstance:
    Type: "AWS::EC2::SpotFleet"
    Properties:
      SpotFleetRequestConfigData:
        IamFleetRole: arn:aws:iam::773057xxxxxx:role/aws-ec2-spot-fleet-tagging-role
        TargetCapacity: 1
        LaunchSpecifications:
          - IamInstanceProfile: arn:aws:iam::773057xxxxxx:instance-profile/EC2_Role_R53
            KeyName: xxxxxxxxxxxxxx
            NetworkInterfaces:
              - AssociatePublicIpAddress: true
                DeleteOnTermination: true
                DeviceIndex: '0'
                SubnetId: subnet-e18921ca
                Groups:
                  - sg-cfa4c3ab
                  - sg-01d9bd3d67ed8a312
            ImageId: ami-0574da719dca65348 # generic ubuntu ami 22.04
            InstanceType: t2.medium
```
1 answer | 0 votes | 18 views | asked 6 days ago