Error: "no identity-based policy allows the ec2:AuthorizeSecurityGroupIngress action"

When trying to deploy the resources below, I am getting the following error for the Custom::VpcRestrictDefaultSG resource:

Message returned: UnauthorizedOperation: You are not authorized to perform this operation. User:
arn:aws:sts::<account number>:assumed-role/MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf/MyStack-CustomVpcRestrictDefaultSGCustomR-asdfasdf 
is not authorized to perform: ec2:AuthorizeSecurityGroupIngress 
on resource: arn:aws:ec2:us-east-1:<account number>:security-group/sg-123412341234  
because no identity-based policy allows the ec2:AuthorizeSecurityGroupIngress action.

Please let me know how to fix this.

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as iam from 'aws-cdk-lib/aws-iam';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
// Neptune L2 constructs (SubnetGroup) ship in the separate alpha module
import * as neptune from '@aws-cdk/aws-neptune-alpha';

export class MyStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Role: execution role for the Lambda function
    const lambdaRole = new iam.Role(this, 'lambda_role', {
      roleName: "lambdaRole",
      assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com')
    })

    // Second role whose trust policy only admits lambdaRole
    const trustedRole = new iam.Role(this, 'trusted_role', {
      roleName: "trustedRole",
      assumedBy: new iam.ArnPrincipal(lambdaRole.roleArn)
    })

    // Allow lambdaRole to assume trustedRole (role chaining)
    lambdaRole.addToPolicy(
      new iam.PolicyStatement({
        resources: [trustedRole.roleArn],
        actions: ['sts:AssumeRole']
      })
    )

    // Security-group rule management. Resource '*' covers every security group in
    // the account; the statement could be scoped to the specific security-group ARN.
    lambdaRole.addToPolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        resources: ['*'],
        actions: [
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:RevokeSecurityGroupEgress"
        ]
      })
    )

    // Same security-group permissions on the chained role
    trustedRole.addToPolicy(
      new iam.PolicyStatement({
        effect: iam.Effect.ALLOW,
        resources: ['*'],
        actions: [
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:RevokeSecurityGroupIngress",
          "ec2:RevokeSecurityGroupEgress"
        ]
      })
    )

    // VPC with one private (NAT egress) and one public subnet per AZ
    const vpc = new ec2.Vpc(this, "vpc", {
      ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/20'),
      natGateways: 1,
      maxAzs: 2,
      subnetConfiguration: [
        {
          name: 'private-subnet-1',
          subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
          cidrMask: 26
        },
        {
          name: 'public-subnet-1',
          subnetType: ec2.SubnetType.PUBLIC,
          cidrMask: 26
        }
      ]
    })

    // vpc SecurityGroup
    const securityGroup = new ec2.SecurityGroup(this, 'security_group', {
      vpc: vpc,
      allowAllOutbound: true
    })

    // Get lists of Subnets by type
    const privateSubnets = vpc.privateSubnets;

    // Create Subnet group list to be used with Neptune.
    const neptuneSubnets: ec2.SubnetSelection = { subnets: privateSubnets };
    console.log(neptuneSubnets) // debug output at synth time

    const subnetGroup = new neptune.SubnetGroup(this, 'subnet_group', {
      vpc: vpc,
      vpcSubnets: neptuneSubnets
    })
  }
}

1 Answer

Hello.

I think this error is caused by the "ec2:AuthorizeSecurityGroupIngress" permission for your IAM user used to deploy the CDK.
What kind of IAM policy is set for "assumed-role/MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf/MyStack-CustomVpcRestrictDefaultSGCustomR-asdfasdf" in the Assume Role destination?
I think you can probably deploy it by setting this IAM role to allow "ec2:AuthorizeSecurityGroupIngress".

answered 4 months ago
  • Where can I edit the permissions for the IAM role that is used to cdk-deploy?

    To address your question: I'm not sure, but I think the principal that assumes the role (assumed-role/MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf/MyStack-CustomVpcRestrictDefaultSGCustomR-asdfasdf) is the lambda role.

    Do you happen to know how to interpret the structure of "assumed-role/MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf/MyStack-CustomVpcRestrictDefaultSGCustomR-asdfasdf" ? The first part "MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf" is likely the 'lambdaRole', but not sure why there is a second part "MyStack-CustomVpcRestrictDefaultSGCustomR-asdfasdf"
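
The comment thread asks how to read the two-part "assumed-role/.../..." string in the error. As an added example (not code from the question or the answer), the TypeScript below parses the error message from the question, splits that string into its role name and session name, checks whether the role is one the posted stack defines, and emits the narrowest Allow statement that would satisfy exactly this denial. The sample message is constructed from the question with a made-up 12-digit account id (123456789012) in place of "<account number>"; the "CustomVpcRestrictDefaultSG" prefix check assumes CloudFormation's usual <stack>-<truncated logical id>-<suffix> naming for generated role names.

```typescript
// Added worked example (not from the question or the answer): decode an IAM
// "is not authorized to perform" message and derive the least-privilege fix.

interface AssumedRolePrincipal {
  partition: string;
  account: string;
  roleName: string;    // the IAM role whose identity-based policies IAM evaluated
  sessionName: string; // caller-chosen session label; for Lambda this is the function name
}

interface Denial {
  principal: AssumedRolePrincipal;
  action: string;
  resource: string;
  reason: string;
}

// STS assumed-role ARN: arn:<partition>:sts::<account>:assumed-role/<role-name>/<session-name>
function parseAssumedRoleArn(arn: string): AssumedRolePrincipal {
  const m = /^arn:([^:]+):sts::(\d{12}):assumed-role\/([^/]+)\/(.+)$/.exec(arn);
  if (m === null) {
    throw new Error('not an STS assumed-role ARN: ' + arn);
  }
  return { partition: m[1], account: m[2], roleName: m[3], sessionName: m[4] };
}

// Collapse the line wrapping the console adds, then pick out the fields IAM
// places in every access-denied message (principal, action, resource, reason).
function parseDenial(message: string): Denial {
  const text = message.replace(/\s+/g, ' ').trim();
  const m = /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)(?: because (.+?))?\.?$/.exec(text);
  if (m === null) {
    throw new Error('message is not in the IAM "is not authorized to perform" format');
  }
  return {
    principal: parseAssumedRoleArn(m[1]),
    action: m[2],
    resource: m[3],
    reason: m[4] !== undefined ? m[4] : '',
  };
}

// Policies attach to the role name, never to the session name. Check whether the
// denied role is one of the roles the stack author actually wrote policies for.
function isStackAuthoredRole(d: Denial, authoredRoleNames: string[]): boolean {
  return authoredRoleNames.indexOf(d.principal.roleName) !== -1;
}

// Assumption: a CloudFormation-generated role name carries a (truncated) fragment
// of the logical id of the construct it was created for.
function belongsToCustomResource(d: Denial, logicalIdFragment: string): boolean {
  return d.principal.roleName.indexOf(logicalIdFragment) !== -1;
}

// Least-privilege fix: exactly the denied action on exactly the denied resource.
function leastPrivilegeStatement(d: Denial): { Effect: string; Action: string[]; Resource: string[] } {
  return { Effect: 'Allow', Action: [d.action], Resource: [d.resource] };
}

// Constructed sample: the question's message with a fake account id 123456789012.
const SAMPLE_MESSAGE = `UnauthorizedOperation: You are not authorized to perform this operation. User:
arn:aws:sts::123456789012:assumed-role/MyStack-CustomVpcRestrictDefaultSGCustomRe-asdfasdf/MyStack-CustomVpcRestrictDefaultSGCustomR-asdfasdf
is not authorized to perform: ec2:AuthorizeSecurityGroupIngress
on resource: arn:aws:ec2:us-east-1:123456789012:security-group/sg-123412341234
because no identity-based policy allows the ec2:AuthorizeSecurityGroupIngress action.`;

function analyseSample(): Denial {
  const d = parseDenial(SAMPLE_MESSAGE);
  console.log('role name (attach the missing Allow here): ' + d.principal.roleName);
  console.log('session name (informational only):        ' + d.principal.sessionName);
  console.log('is lambdaRole or trustedRole?             ' + isStackAuthoredRole(d, ['lambdaRole', 'trustedRole']));
  console.log('is the VpcRestrictDefaultSG provider role? ' + belongsToCustomResource(d, 'CustomVpcRestrictDefaultSG'));
  console.log('reason: ' + d.reason);
  console.log(JSON.stringify(leastPrivilegeStatement(d), null, 2));
  return d;
}

analyseSample();
```

In an STS assumed-role ARN the first path segment is the IAM role name and the second is the role session name; IAM evaluates the identity-based policies of the role, so that is where a missing Allow has to be added. The role in the question's error is named after the Custom::VpcRestrictDefaultSG resource and is neither "lambdaRole" nor "trustedRole", so the security-group statements attached to those two roles in the posted stack are never consulted for this call. The wording "no identity-based policy allows" also tells you the denial came from the role's own policies rather than from an explicit Deny, a service control policy or a permissions boundary, which IAM names in the message when they are the cause.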
