
Questions tagged with IAM Policies


Authorization failure when publishing to IoT Core MQTT topic

Hello, I'm currently running into some trouble setting up an IoT Core MQTT broker. I am able to connect to my broker using my terminal and mosquitto, but when I try to publish a message to any topic, the mosquitto client disconnects and reconnects without being able to publish. I have validated this connect/disconnect behaviour through the `$aws/events/presence/#` topic and the mosquitto client in debug mode, for which I can provide a sample output:

```
Client william_terminal sending CONNECT
Client william_terminal received CONNACK (0)
HELLO
Client william_terminal sending PUBLISH (d0, q0, r0, m1, 'test', ... (5 bytes))
Client william_terminal sending CONNECT
Client william_terminal received CONNACK (0)
```

Using the AWSIotLogs set at debug level, I was able to find out that this behaviour is caused by an authorization problem happening at publish time. Here are consecutively sampled logs for the stream:

```
{
  "timestamp": "2022-09-29 15:16:55.406",
  "logLevel": "INFO",
  "traceId": "5697ba84-38f7-eefc-08e9-b6dd00096727",
  "accountId": "673559919736",
  "status": "Success",
  "eventType": "Connect",
  "protocol": "MQTT",
  "clientId": "$GEN/af403525-5e3b-4f81-9888-a31f16e300f0",
  "principalId": "49964471e92f354742f5394e648c97d9ac3aa940081cccf0962918bf97fcdf09",
  "sourceIp": "10.240.100.18",
  "sourcePort": 46898
}
{
  "timestamp": "2022-09-29 15:16:59.554",
  "logLevel": "ERROR",
  "traceId": "067b15e5-9bcb-5c6d-2061-9bbefbccb3d0",
  "accountId": "673559919736",
  "status": "Failure",
  "eventType": "Publish-In",
  "protocol": "MQTT",
  "topicName": "sim/2",
  "clientId": "$GEN/af403525-5e3b-4f81-9888-a31f16e300f0",
  "principalId": "49964471e92f354742f5394e648c97d9ac3aa940081cccf0962918bf97fcdf09",
  "sourceIp": "10.240.100.18",
  "sourcePort": 46898,
  "reason": "AUTHORIZATION_FAILURE",
  "details": "Authorization Failure"
}
```

The certificates I use to authenticate to my account have the following policy attached:

```
{
  "Statement": [
    {
      "Action": [ "iot:Connect" ],
      "Condition": {
        "Bool": {
          "iot:Connection.Thing.IsAttached": [ "true" ]
        }
      },
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [ "iot:Publish" ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [ "iot:Subscribe" ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [ "iot:Receive" ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
```

With the only restrictive part of these permissions being set on the connect action, I don't understand how it is possible to get a publish authorization failure. I would deeply appreciate any help on this topic. Cheers, William Didier
2 answers · 0 votes · 27 views · asked a day ago

DMSStack-DMSRole-xxxx/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue

I'm trying to test the endpoint connection from a DMS Replication Instance. The DMS (3.4.7) RI instance (running in Acnt A) is attempting to get a secret from Secrets Manager (running in Acnt B) using a VPC interface endpoint, but errors out with the following:

```
Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to retrieve secret. Unable to find Secrets Manager secret, Application-Detailed-Message: Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<erandomStrng>'
The secrets_manager get secret value failed: User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/aaaaa-<randomStrng> because no session policy allows the secretsmanager:GetSecretValue action
Not retriable error: <AccessDeniedException> User: arn:aws:sts::acntAaaaa:assumed-role/DMSStack-DMSRole-zzzzzzz/dms-session-for-replication-engine is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-east-1:acntBbbbbb:secret:/dmsdemo/aaaaa-<randomStrng>' because no session policy allows the secrets
```

DMSRole:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-east-1:acntAaaaa:secret:/dmsdemo/aaaaa-<randomStrng>",
      "Effect": "Allow"
    },
    {
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:us-east-1:acnt:key/ddddddddddd",
      "Effect": "Allow"
    }
  ]
}
```

Resource policy on the secret:

```
{
  "Version" : "2012-10-17",
  "Statement" : [
    {
      "Effect" : "Allow",
      "Principal" : {
        "AWS" : [
          "arn:aws:iam::acntAaaaaa:root",
          "arn:aws:iam::acntBbbbbbb:root"
        ]
      },
      "Action" : [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource" : "*"
    }
  ]
}
```

Any thoughts on what is missing in the permissions that is restricting access to the secret?
1 answer · 0 votes · 17 views · asked 6 days ago
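Both posts above turn on how a policy document is evaluated against one request: which statements match the action and resource, what a condition does, and why a Resource ARN in a different account never matches. The following is an added example, not code from either poster or from AWS: a toy evaluator (Allow/Deny, `*` and `?` wildcards, only the `Bool` condition operator; no NotAction, policy variables or resource-policy merging) run over the two policies quoted above. The IoT topic and client ARNs and the zero account id are constructed placeholders, and the `iot:Connection.Thing.IsAttached` context value is passed as a Python bool.

```python
import re

def _glob(pattern, value):
    # IAM-style match: '*' any run of characters, '?' one character, case-sensitive.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    # Only the Bool operator is modelled; any other operator or a missing context key fails closed.
    for op, pairs in (cond or {}).items():
        for key, wanted in pairs.items():
            allowed = [str(w).lower() for w in _as_list(wanted)]
            if op != "Bool" or str(ctx.get(key)).lower() not in allowed:
                return False
    return True

def evaluate(policy, action, resource, ctx=None):
    ctx, decision = ctx or {}, "ImplicitDeny"
    for st in policy["Statement"]:
        if (any(_glob(a, action) for a in _as_list(st.get("Action", [])))
                and any(_glob(r, resource) for r in _as_list(st.get("Resource", [])))
                and _condition_ok(st.get("Condition"), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"  # remember the Allow but keep scanning for a Deny
    return decision

# Policies copied from the two posts above (account ids exactly as the posters wrote them).
IOT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iot:Connect"], "Resource": "*",
     "Condition": {"Bool": {"iot:Connection.Thing.IsAttached": ["true"]}}},
    {"Effect": "Allow", "Action": ["iot:Publish"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iot:Subscribe"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iot:Receive"], "Resource": "*"}]}
DMS_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": "arn:aws:secretsmanager:us-east-1:acntAaaaa:secret:/dmsdemo/aaaaa-<randomStrng>"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:acnt:key/ddddddddddd"}]}

def iot_decisions(thing_attached):
    # ARNs are constructed placeholders; Connect depends on the condition, Publish never does.
    ctx = {"iot:Connection.Thing.IsAttached": thing_attached}
    return (evaluate(IOT_POLICY, "iot:Connect", "arn:aws:iot:us-east-1:000000000000:client/c1", ctx),
            evaluate(IOT_POLICY, "iot:Publish", "arn:aws:iot:us-east-1:000000000000:topic/sim/2", ctx))

def dms_decision(secret_arn):
    # The identity policy names only the account-A ARN, so the account-B ARN from the error is an
    # implicit deny here whatever the resource policy in account B allows (cross-account needs both).
    return evaluate(DMS_ROLE_POLICY, "secretsmanager:GetSecretValue", secret_arn)
```

For the IoT policy the evaluator returns Allow for `iot:Publish` with or without the attached thing, which is the poster's reading of the document; for the DMS role it returns an implicit deny for the account-B secret ARN that appears in the error message.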

Removed wrong IAM roles

I destroyed some IAM roles since they did not display a "last active" attribute. Now I cannot access my data properly. When I try to reset my auth settings, I cannot:

```
NoSuchEntity - An error occurred while processing your request: The role with name us-east-1_g9F10WnFw_Manage-only cannot be found.
```

I'm struggling to figure out which roles to recreate and what access to give them so they can access my Amplify environment. Not sure if this helps, but here is my aws-export.js:

```
/* eslint-disable */
// WARNING: DO NOT EDIT. This file is automatically generated by AWS Amplify. It will be overwritten.

const awsmobile = {
    "aws_project_region": "us-east-1",
    "aws_appsync_graphqlEndpoint": "https://iai3fj7vd5hgjc22z4m7kj5tn4.appsync-api.us-east-1.amazonaws.com/graphql",
    "aws_appsync_region": "us-east-1",
    "aws_appsync_authenticationType": "API_KEY",
    "aws_appsync_apiKey": "da2-****",
    "aws_cognito_identity_pool_id": "us-east-1:0afc5fb7-9bb5-45a0-ad98-50a9a38491c0",
    "aws_cognito_region": "us-east-1",
    "aws_user_pools_id": "us-east-1_eW3yGAOvZ",
    "aws_user_pools_web_client_id": "7al4qgvvsu8qkicdsqtl9n4stv",
    "oauth": {},
    "aws_cognito_username_attributes": [
        "EMAIL"
    ],
    "aws_cognito_social_providers": [],
    "aws_cognito_signup_attributes": [],
    "aws_cognito_mfa_configuration": "OFF",
    "aws_cognito_mfa_types": [
        "SMS"
    ],
    "aws_cognito_password_protection_settings": {
        "passwordPolicyMinLength": 8,
        "passwordPolicyCharacters": [
            "REQUIRES_LOWERCASE",
            "REQUIRES_NUMBERS",
            "REQUIRES_SYMBOLS",
            "REQUIRES_UPPERCASE"
        ]
    },
    "aws_cognito_verification_mechanisms": [
        "EMAIL"
    ],
    "aws_user_files_s3_bucket": "gr-movement-storage-e48b8b36191308-staging",
    "aws_user_files_s3_bucket_region": "us-east-1"
};

export default awsmobile;
```
1 answer · 0 votes · 23 views · asked 7 days ago

How do I create an RDS option group then reference that group for the RDS instance in Cloud Formation?

I am creating a CloudFormation script that creates an EC2 instance as a bastion host, an RDS option group to allow for S3 backup and restore, and an RDS DB instance. In that script, I want to make an option group and then immediately use it on the RDS instance. However, I get this error: `Specified OptionGroupName: rdsoptiongrouprestore not found.` The template looks like this:

```
"RdsDbCcw": {
  "Type": "AWS::RDS::DBInstance",
  "Properties": {
    "DBInstanceClass": { "Ref": "DBInstanceClass" },
    "Engine": { "Ref": "DBEngine" },
    "MasterUserPassword": { "Ref": "DBAdminPassword" },
    "MasterUsername": "admin",
    "MultiAZ": false,
    "PubliclyAccessible": false,
    "StorageType": "gp2",
    "DBSubnetGroupName": { "Ref": "SubnetGroupID" },
    "AllocatedStorage": 20,
    "OptionGroupName": "RDSoptiongroupRestore"
  },
  "Metadata": {
    "AWS::CloudFormation::Designer": { "id": "e52423ae-26df-4293-b4d3-073271c85ec0" }
  },
  "DependsOn": [ "ec2Bastion", "appServer", "RDSoptiongroupRestore" ]
},
"RDSoptiongroupRestore": {
  "Type": "AWS::RDS::OptionGroup",
  "Properties": {
    "EngineName": { "Ref": "DBEngine" },
    "MajorEngineVersion": "15.00",
    "OptionConfigurations": [
      {
        "OptionName": "SQLSERVER_BACKUP_RESTORE",
        "OptionSettings": [
          { "Name": "IAM_ROLE_ARN", "Value": "arn....." }
        ]
      }
    ],
    "OptionGroupDescription": "For Restoring bakups from s3 bucket"
  },
  "Metadata": {
    "AWS::CloudFormation::Designer": { "id": "ce0de1d7-6e19-43c0-9df9-230562178612" }
  }
}
```

Do I need to create a delay, or some way to tell CloudFormation that I just made this option group, so that that?
1 answer · 0 votes · 14 views · asked 8 days ago
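As an added example (not the poster's template and not a CloudFormation tool), a small lint for the pattern visible in the template above: a `Properties` string that equals another resource's logical ID. CloudFormation treats such a string as a literal name, whereas `{"Ref": "<logical id>"}` resolves to the option group's generated physical name and also records the dependency. The template below is a constructed, cut-down copy of the one in the post; `DependsOn` legitimately lists logical IDs and is deliberately not scanned.

```python
def find_literal_logical_ids(template):
    # Return (resource, property path, value) for every Properties string that equals the
    # logical ID of another resource in the same template, i.e. a name that should be a Ref.
    resources = template.get("Resources", {})
    findings = []

    def walk(node, path, owner):
        if isinstance(node, dict):
            if "Ref" in node or "Fn::GetAtt" in node:
                return  # already an intrinsic reference; nothing to flag
            for k, v in node.items():
                walk(v, path + [k], owner)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, path + [str(i)], owner)
        elif isinstance(node, str) and node in resources and node != owner:
            findings.append((owner, ".".join(path), node))

    for name, res in resources.items():  # DependsOn sits outside Properties and is not scanned
        walk(res.get("Properties", {}), ["Properties"], name)
    return findings

# Constructed, cut-down version of the template in the post above (logical IDs kept as posted).
TEMPLATE = {"Resources": {
    "RdsDbCcw": {"Type": "AWS::RDS::DBInstance", "DependsOn": ["RDSoptiongroupRestore"],
                 "Properties": {"Engine": {"Ref": "DBEngine"}, "AllocatedStorage": 20,
                                "OptionGroupName": "RDSoptiongroupRestore"}},
    "RDSoptiongroupRestore": {"Type": "AWS::RDS::OptionGroup",
                              "Properties": {"EngineName": {"Ref": "DBEngine"},
                                             "MajorEngineVersion": "15.00"}}}}

def fixed_template(template):
    # Return a copy in which every flagged literal is replaced by {"Ref": <logical id>}.
    resources = template["Resources"]

    def fix(node, owner):
        if isinstance(node, dict):
            if "Ref" in node or "Fn::GetAtt" in node:
                return node
            return {k: fix(v, owner) for k, v in node.items()}
        if isinstance(node, list):
            return [fix(v, owner) for v in node]
        if isinstance(node, str) and node in resources and node != owner:
            return {"Ref": node}
        return node

    return {**template, "Resources": {n: {**r, "Properties": fix(r.get("Properties", {}), n)}
                                      for n, r in resources.items()}}
```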