Questions tagged with IAM Policies
I faced a problem with Secrets when deploying docker-compose.yml to ECS. I don't understand why.
The policy by itself seems to be working, but it doesn't work here.
**ERROR TEXT**
```
HasuraService TaskFailedToStart: ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secret from asm: service call has been retried 1 time(s): failed to fetch secret *[HERE WAS ARN]/username* from secrets manager: AccessDeniedException: User: arn:aws:sts::925578195865:assumed-role/gochi-HasuraTaskExecutionRole-17C7ELVZK3HX2/50f19aa9ec5f44e6ae7b95ded3bb4a3f is not authorized to perform: secretsmanager:GetSecretValue on resource: *[HERE WAS ARN]/username* because no identity-based policy allows the secretsmanager:GetSecretValue action status code: 400, request id: ab2d966b-9e00-433a-89d3-804b52dfe39f
```
**DOCKER-COMPOSE.YML**
```yaml
version: '3.9'
x-aws-vpc: [VPC-HERE]
x-aws-load-balancer: [LOAD-BALANCER-HERE]
services:
  hasura:
    image: hasura/graphql-engine:latest
    ports:
      - '8080:8080'
    environment:
      HASURA_GRAPHQL_DATABASE_URL: postgres://${RDS_USERNAME}:${RDS_PASSWORD}@*[RDS_URL_HERE]*:5432/gochi
      HASURA_GRAPHQL_ENABLE_CONSOLE: true
      HASURA_GRAPHQL_ADMIN_SECRET: ${HASURA_PASSWORD}
    secrets:
      - RDS_USERNAME
      - RDS_PASSWORD
      - HASURA_PASSWORD
    x-aws-policies:
      - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
      - arn:aws:iam::925578195865:policy/GochiHasuraTaskExecution
secrets:
  RDS_USERNAME:
    name: *[HERE WAS ARN]/username*
    external: true
  RDS_PASSWORD:
    name: *[HERE WAS ARN]/password*
    external: true
  HASURA_PASSWORD:
    name: *[HERE WAS ARN]/password*
    external: true
```
**arn:aws:iam::925578195865:policy/GochiHasuraTaskExecution**
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "*[HERE WAS ARN]/username*",
        "*[HERE WAS ARN]/password*",
        "*[HERE WAS ARN]/password*",
        "*[HERE WAS ARN]*",
        "*[HERE WAS ARN]*"
      ]
    }
  ]
}
```
**CLOUDFORMATION CONFIG**
```yaml
AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudMap:
    Properties:
      Description: Service Map for Docker Compose project gochi
      Name: gochi.local
      Vpc: vpc-00ba3cc7fea7e3a72
    Type: AWS::ServiceDiscovery::PrivateDnsNamespace
  Cluster:
    Properties:
      ClusterName: gochi
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
    Type: AWS::ECS::Cluster
  Default8080Ingress:
    Properties:
      CidrIp: 0.0.0.0/0
      Description: hasura:8080/tcp on default network
      FromPort: 8080
      GroupId:
        Ref: DefaultNetwork
      IpProtocol: TCP
      ToPort: 8080
    Type: AWS::EC2::SecurityGroupIngress
  DefaultNetwork:
    Properties:
      GroupDescription: gochi Security Group for default network
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
        - Key: com.docker.compose.network
          Value: gochi_default
      VpcId: vpc-00ba3cc7fea7e3a72
    Type: AWS::EC2::SecurityGroup
  DefaultNetworkIngress:
    Properties:
      Description: Allow communication within network default
      GroupId:
        Ref: DefaultNetwork
      IpProtocol: "-1"
      SourceSecurityGroupId:
        Ref: DefaultNetwork
    Type: AWS::EC2::SecurityGroupIngress
  HasuraService:
    DependsOn:
      - HasuraTCP8080Listener
    Properties:
      Cluster:
        Fn::GetAtt:
          - Cluster
          - Arn
      DeploymentConfiguration:
        MaximumPercent: 200
        MinimumHealthyPercent: 100
      DeploymentController:
        Type: ECS
      DesiredCount: 1
      LaunchType: FARGATE
      LoadBalancers:
        - ContainerName: hasura
          ContainerPort: 8080
          TargetGroupArn:
            Ref: HasuraTCP8080TargetGroup
      NetworkConfiguration:
        AwsvpcConfiguration:
          AssignPublicIp: ENABLED
          SecurityGroups:
            - Ref: DefaultNetwork
          Subnets:
            - subnet-0cde4d8ffd50e8f32
            - subnet-0e11aed9fd537388d
            - subnet-00e18e2b59a78ac21
      PlatformVersion: 1.4.0
      PropagateTags: SERVICE
      SchedulingStrategy: REPLICA
      ServiceRegistries:
        - RegistryArn:
            Fn::GetAtt:
              - HasuraServiceDiscoveryEntry
              - Arn
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
        - Key: com.docker.compose.service
          Value: hasura
      TaskDefinition:
        Ref: HasuraTaskDefinition
    Type: AWS::ECS::Service
  HasuraServiceDiscoveryEntry:
    Properties:
      Description: '"hasura" service discovery entry in Cloud Map'
      DnsConfig:
        DnsRecords:
          - TTL: 60
            Type: A
        RoutingPolicy: MULTIVALUE
      HealthCheckCustomConfig:
        FailureThreshold: 1
      Name: hasura
      NamespaceId:
        Ref: CloudMap
    Type: AWS::ServiceDiscovery::Service
  HasuraTCP8080Listener:
    Properties:
      DefaultActions:
        - ForwardConfig:
            TargetGroups:
              - TargetGroupArn:
                  Ref: HasuraTCP8080TargetGroup
          Type: forward
      LoadBalancerArn:
        Ref: LoadBalancer
      Port: 8080
      Protocol: TCP
    Type: AWS::ElasticLoadBalancingV2::Listener
  HasuraTCP8080TargetGroup:
    Properties:
      Port: 8080
      Protocol: TCP
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
      TargetType: ip
      VpcId: vpc-00ba3cc7fea7e3a72
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
  HasuraTaskDefinition:
    Properties:
      ContainerDefinitions:
        - Command:
            - '[{"Name":"RDS_USERNAME","Keys":null},{"Name":"RDS_PASSWORD","Keys":null},{"Name":"HASURA_PASSWORD","Keys":null}]'
          Essential: false
          Image: docker/ecs-secrets-sidecar:1.0
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group:
                Ref: LogGroup
              awslogs-region:
                Ref: AWS::Region
              awslogs-stream-prefix: gochi
          MountPoints:
            - ContainerPath: /run/secrets/
              SourceVolume: secrets
          Name: Hasura_Secrets_InitContainer
          Secrets:
            - Name: RDS_USERNAME
              ValueFrom: [HERE WAS ARN]
            - Name: RDS_PASSWORD
              ValueFrom: [HERE WAS ARN]
            - Name: HASURA_PASSWORD
              ValueFrom: [HERE WAS ARN]
        - Command:
            - eu-central-1.compute.internal
            - gochi.local
          Essential: false
          Image: docker/ecs-searchdomain-sidecar:1.0
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group:
                Ref: LogGroup
              awslogs-region:
                Ref: AWS::Region
              awslogs-stream-prefix: gochi
          Name: Hasura_ResolvConf_InitContainer
        - DependsOn:
            - Condition: SUCCESS
              ContainerName: Hasura_Secrets_InitContainer
            - Condition: SUCCESS
              ContainerName: Hasura_ResolvConf_InitContainer
          Environment:
            - Name: HASURA_GRAPHQL_ADMIN_SECRET
              Value: three
            - Name: HASURA_GRAPHQL_DATABASE_URL
              Value: [SOME ENV VARS]
            - Name: HASURA_GRAPHQL_ENABLE_CONSOLE
              Value: "true"
          Essential: true
          Image: docker.io/hasura/graphql-engine:latest@sha256:5f10837a829cbc70f87fffb9168003026343ed1c6c8a0a69104642637a21076e
          LinuxParameters: {}
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group:
                Ref: LogGroup
              awslogs-region:
                Ref: AWS::Region
              awslogs-stream-prefix: gochi
          MountPoints:
            - ContainerPath: /run/secrets/
              ReadOnly: true
              SourceVolume: secrets
          Name: hasura
          PortMappings:
            - ContainerPort: 8080
              HostPort: 8080
              Protocol: tcp
      Cpu: "256"
      ExecutionRoleArn:
        Ref: HasuraTaskExecutionRole
      Family: gochi-hasura
      Memory: "512"
      NetworkMode: awsvpc
      RequiresCompatibilities:
        - FARGATE
      TaskRoleArn:
        Ref: HasuraTaskRole
      Volumes:
        - Name: secrets
    Type: AWS::ECS::TaskDefinition
  HasuraTaskExecutionRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Condition: {}
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
        - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
      Policies:
        - PolicyDocument:
            Statement:
              - Action:
                  - secretsmanager:GetSecretValue
                  - ssm:GetParameters
                  - kms:Decrypt
                Condition: {}
                Effect: Allow
                Principal: {}
                Resource:
                  - [ARN1]/username
                  - [ARN1]/password
                  - [ARN2]/password
          PolicyName: hasuraGrantAccessToSecrets
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
        - Key: com.docker.compose.service
          Value: hasura
    Type: AWS::IAM::Role
  HasuraTaskRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Condition: {}
            Effect: Allow
            Principal:
              Service: ecs-tasks.amazonaws.com
        Version: 2012-10-17
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
        - arn:aws:iam::925578195865:policy/GochiHasuraTaskExecution
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
        - Key: com.docker.compose.service
          Value: hasura
    Type: AWS::IAM::Role
  LoadBalancer:
    Properties:
      LoadBalancerAttributes:
        - Key: load_balancing.cross_zone.enabled
          Value: "true"
      Scheme: internet-facing
      Subnets:
        - subnet-0cde4d8ffd50e8f32
        - subnet-0e11aed9fd537388d
        - subnet-00e18e2b59a78ac21
      Tags:
        - Key: com.docker.compose.project
          Value: gochi
      Type: network
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  LogGroup:
    Properties:
      LogGroupName: /docker-compose/gochi
    Type: AWS::Logs::LogGroup
```
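As an added example (not code from the post or from Docker's ECS integration), here is a small local model of IAM identity-based policy evaluation. The role-to-policy mapping mirrors the generated template above, where the `x-aws-policies` entry lands on the task role while the error names the execution role; all ARNs, the account number and the `-AbCdEf` suffix are constructed, and the execution role's resource entry is deliberately written without the random suffix that Secrets Manager appends to every secret ARN.

```python
import re

# Constructed sample data: a Secrets Manager ARN always ends in a random
# 6-character suffix, which '-AbCdEf' stands in for here.
ACCOUNT = "123456789012"
SECRET_PREFIX = f"arn:aws:secretsmanager:eu-central-1:{ACCOUNT}:secret:"
REAL_SECRET = SECRET_PREFIX + "gochi/username-AbCdEf"


def arn_matches(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM matching: literal except '*' (any run of characters) and '?' (one)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policies, action: str, resource: str) -> bool:
    """Explicit Deny wins; otherwise the request needs one matching Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
            # Action names are case-insensitive in IAM; resource ARNs are not.
            if not any(arn_matches(a, action, ignore_case=True) for a in actions):
                continue
            if not any(arn_matches(r, resource) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def secrets_policy(*resources: str) -> dict:
    """Same shape as the GochiHasuraTaskExecution policy, with our ARNs."""
    return {"Statement": [{"Effect": "Allow",
                           "Action": "secretsmanager:GetSecretValue",
                           "Resource": list(resources)}]}


# Mirrors the template: the policy added via x-aws-policies is attached to the
# task role, while the execution role (the principal in the error) carries only
# its own inline statement, here written without the suffix to show a mismatch.
ROLE_POLICIES = {
    "HasuraTaskRole": [secrets_policy(REAL_SECRET)],
    "HasuraTaskExecutionRole": [secrets_policy(SECRET_PREFIX + "gochi/username")],
}


def can_fetch_secret(role: str, resource: str = REAL_SECRET) -> bool:
    """Does this role hold secretsmanager:GetSecretValue on the secret?"""
    return is_allowed(ROLE_POLICIES.get(role, []),
                      "secretsmanager:GetSecretValue", resource)


if __name__ == "__main__":
    for role in ROLE_POLICIES:
        print(f"{role}: {'allowed' if can_fetch_secret(role) else 'denied'}")
    # A Resource of '<name>-??????' or '<name>*' does match the suffixed ARN.
    print(arn_matches(SECRET_PREFIX + "gochi/username-??????", REAL_SECRET))
```

Run against a real deployment, the principal to check is the one in the error text (the execution role), not the task role the compose file's policies are attached to.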
Hi
With the free tier I created IAM roles under my root user, logged on to the IAM roles, and created an EC2 instance and a security group for the same. Created DynamoDB too... but when I copied the public IPv4 URL into the Chrome/Mozilla browser, I'm getting a reload error. What might be wrong? Please provide a solution.
Note: the operating system I selected is Windows Server free tier, FYI.
Hi,
Has anyone faced this problem while learning AWS Terraform?
I am following the book to practice Terraform and I am getting the below error.
url: (7) Failed to connect to <<<removed Public IP Address of EC2 >> port 8080 after 49 ms: Couldn't connect to server
Please advise if there has been any recent upgrade.
My code is below:
```hcl
provider "aws" {
  region = "us-east-2"
}

resource "aws_security_group" "instance" {
  name = "terraform-example-instance"

  ingress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "example" {
  ami                    = "ami-0a695f0d95cefc163"
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.instance.id]

  user_data = <<-EOF
    #!/bin/bash
    echo "Hello, World" > index.html
    nohup busybox httpd -f -p 8080 &
    EOF

  tags = {
    "Name" = "terraform-example"
  }
}
```
Hello there AWS team!
I'm currently working with the ESP32 platform to create a device that connects to AWS and sends/receives data.
The idea is that I will have multiple ESP32 devices. At this moment what I'm doing is creating a Thing for each device. So, if I have 3 devices, I need to create 3 Things, each with its respective certificate and key.
JITP helped me but I noticed each firmware will be different for each device. For example, device 1 will have firmware 1 with certificate 1 and key 1. The same thing will happen for devices 2, 3, and so on.
I'm doing OTA with these devices and since every firmware needs to be different due to the certificates, keys, and thingname... I'm facing an unscalable wall.
Is there any option that helps with this?
The only option I can think of right now is to use 1 Thing in AWS IoT Core, and all my devices in the field will have the same certificate and key. I feel that is not a good practice, but the other option seems way worse.
Thanks a lot in advance
Hello,
Required: enable S3 bucket access for a specific permission set.
1. I have an SSO role in IAM for Billing. This is an AWS managed SSO role and gives access to Billing actions in its policy: AWSReservedSSO_BillingReadOnly_tagnumber.
2. I have an IAM Identity Center group, AWS-acctnum-BillingReaders-Prod, that has 4 SSO users.
3. The above group has been assigned to the permission sets below; the user is able to see the permission sets on his login page, under the account.
4. I also have a permission set (BillingReadOnly) that has the AWS managed Billing policy, AWSBillingReadOnlyAccess, and also an inline policy that allows access to an S3 bucket (ListBucket, GetObject).
The SSO user who is part of the group in 2 sees this permission set on his login screen, but he does not see any buckets listed in S3.
Note: anything that is AWS managed cannot be altered, hence the addition of the custom inline policy on the permission set.
Any idea what's wrong here?
Thanks in advance.
```json
{
  "Version": "2012-10-17",
  "Id": "PersonalizeS3BucketAccessPolicy",
  "Statement": [
    {
      "Sid": "PersonalizeS3BucketAccessPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "personalize.amazonaws.com"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::fashionrecommendationsystem",
        "arn:aws:s3:::fashionrecommendationsystem/*"
      ]
    }
  ]
}
```
This is the bucket policy I have attached to my S3 bucket.

Template format error: Unresolved resource dependencies [VpcFlowLogBucket] in the Resources block of the template
I am getting the above error in my CloudFormation template when I use conditions while creating resources.
I have a use case where, if the user enters a specific parameter, I apply a condition to avoid creating an S3 bucket and instead use the one whose ARN the user has given.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation stack for relaying AWS VPC flow logs for security analysis and storage.
Outputs:
  StackName:
    Description: The name of the stack deployed by this CloudFormation template.
    Value: !Ref "AWS::StackName"
Parameters:
  VpcIds:
    Description: The IDs of the VPCs for which flow logs will be relayed. VPC Flow Logs will be enabled for these VPCs.
    Type: List<AWS::EC2::VPC::Id>
  VpcFlowLogBucketArn:
    Type: String
    Description: (Optional) The ARN of an existing S3 bucket to use for VPC flow logs. If specified, VpcFlowLogDestination will be ignored.
  TrafficType:
    AllowedValues:
      - ACCEPT
      - REJECT
      - ALL
    Default: ALL
    Description: Whether to log only rejected or accepted traffic, or log all traffic. Logging all traffic (default) enables more security outcomes.
    Type: String
  OrgId:
    Description: Your account number.
    Type: Number
  RetentionInDays:
    Description: The number of days to retain AWS VPC Flow Logs in the S3 bucket. This is effectively the size of your recovery window if the flow of logs is interrupted.
    Type: Number
    Default: 3
Conditions:
  HasExpirationInDays: !Not [!Equals [!Ref RetentionInDays, 0]]
  UseExistingS3Bucket: !Equals [!Ref VpcFlowLogBucketArn, ""]
Resources:
  VpcFlowLogBucket:
    Type: "AWS::S3::Bucket"
    Condition: UseExistingS3Bucket
    Properties:
      BucketName: !Join
        - "-"
        - - aarmo-vpc-flow-bucket
          - !Ref OrgId
          - !Ref "AWS::StackName"
          - !Ref "AWS::Region"
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: !If [HasExpirationInDays, !Ref RetentionInDays, 1]
            Status: !If [HasExpirationInDays, Enabled, Disabled]
      NotificationConfiguration:
        QueueConfigurations:
          - Event: "s3:ObjectCreated:*"
            Queue: !GetAtt [MyQueue, Arn]
    DependsOn:
      - MyQueue
  VpcFlowLogBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Condition: UseExistingS3Bucket
    DependsOn:
      - VpcFlowLogBucket
    Properties:
      Bucket: !Ref VpcFlowLogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement: # https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions
          - Sid: AWSLogDeliveryWrite
            Effect: Allow
            Principal:
              Service: "delivery.logs.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub "${VpcFlowLogBucket.Arn}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                "s3:x-amz-acl": "bucket-owner-full-control"
          - Sid: AWSLogDeliveryAclCheck
            Effect: Allow
            Principal:
              Service: "delivery.logs.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !GetAtt "VpcFlowLogBucket.Arn"
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue12345128"
  MyQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action:
              - sqs:SendMessage
              - sqs:DeleteMessage
              - sqs:ReceiveMessage
            Resource: "*"
      Queues:
        - Ref: MyQueue
```
What is the issue with the above CloudFormation template? I have tried debugging the template multiple times but am still getting nowhere. Any help would be greatly appreciated!
I have the IAM role and policy set up per https://eksctl.io/usage/minimum-iam-policies/. When I create the cluster, all the CF stacks complete with no errors at all. But I am getting this on the screen. The actual error is at the very bottom.
```
2023-03-30 11:51:22 [▶] completed task: create IAM role for serviceaccount "kube-system/aws-node"
2023-03-30 11:51:22 [▶] started task: create serviceaccount "kube-system/aws-node"
2023-03-30 11:51:22 [ℹ] waiting for CloudFormation stack "eksctl-tmdev-us1-pipe-prod-addon-iamserviceaccount-kube-system-AS-cluster-autoscaler"
2023-03-30 11:51:52 [▶] failed task: create serviceaccount "kube-system/aws-node" (will not run other sequential tasks)
2023-03-30 11:51:52 [▶] failed task:
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system/aws-node",
create serviceaccount "kube-system/aws-node",
}
(will continue until other parallel tasks are completed)
2023-03-30 11:51:52 [▶] failed task:
4 parallel sub-tasks: {
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system-LB/aws-lb-controller",
create serviceaccount "kube-system-LB/aws-lb-controller",
},
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system-DNS/external-dns",
create serviceaccount "kube-system-DNS/external-dns",
},
create IAM role for serviceaccount "kube-system-AS/cluster-autoscaler",
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system/aws-node",
create serviceaccount "kube-system/aws-node",
},
}
(will not run other sequential tasks)
2023-03-30 11:51:52 [▶] failed task:
2 sequential sub-tasks: {
4 sequential sub-tasks: {
wait for control plane to become ready,
associate IAM OIDC provider,
4 parallel sub-tasks: {
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system-LB/aws-lb-controller",
create serviceaccount "kube-system-LB/aws-lb-controller",
},
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system-DNS/external-dns",
create serviceaccount "kube-system-DNS/external-dns",
},
create IAM role for serviceaccount "kube-system-AS/cluster-autoscaler",
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system/aws-node",
create serviceaccount "kube-system/aws-node",
},
},
restart daemonset "kube-system/aws-node",
},
create managed nodegroup "jenkins-pipeline-nodegroup",
}
(will not run other sequential tasks)
2023-03-30 11:51:52 [!] 1 error(s) occurred and cluster hasn't been created properly, you may wish to check CloudFormation console
2023-03-30 11:51:52 [ℹ] to cleanup resources, run 'eksctl delete cluster --region=us-east-1 --name=tmdev-us1-pipe-prod'
2023-03-30 11:51:52 [✖] failed to create service account kube-system/aws-node: checking whether namespace "kube-system" exists: Get "https://XXXXXXXXXXB2A140B1DB492834D6A69A.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system": dial tcp 172.11.111.111:443: i/o timeout
Error: failed to create cluster "tmdev-us1-pipe-prod"
```
When I go to EKS in the AWS Console and click on this cluster, I do see a strange error at the top. Not sure if it's related or not.
```
Error loading GenericResourceCollection/namespaces
```
My client is not able to access the ALB URL, but I am able to access the same. The ALB's security group has an "All Traffic" rule in both the inbound and outbound rules. Also, my EC2 instance is Windows and I have deactivated its firewall so it does not block any incoming IP addresses. How do I solve this issue?
Hi Guys,
I deployed my Java app on EC2, and from there I am calling Amazon Cognito in order to push user data. I am getting the below error:
`Profile file contained no credentials for profile 'default': ProfileFile(profiles=[])`
When you are trying the same on your local machine, it's working fine.
My understanding was that if I give an IAM role (CognitoSuperUser) which has permission for Cognito to the EC2 instance, I don't have to put credentials in the EC2 profile file. Am I wrong?
Will EC2 not be able to call Cognito without any configuration? I do call S3 from EC2 by allowing the permission in the IAM role assigned to the EC2 instance.
This is the way I create the client to make the call. Is there any other way to make the call instead of **ProfileCredentialsProvider**?
```java
this.cognitoClient = CognitoIdentityProviderClient.builder()
        .region(Region.US_EAST_2)
        .credentialsProvider(ProfileCredentialsProvider.create())
        .build();
```
Thanks
I am trying to create an EC2 instance, and in Network settings I am supposed to pick the default VPC, but there is no VPC in the drop-down; it was blank. I decided to create a default VPC, but now I also have no subnet in the drop-down and cannot create one. How do I rectify this?
I want to create an architecture inside the Learner Lab, but I don't know what policy to use, because inside the Learner Lab I can't create a role.
I'm trying to do this: my thing (temperature) sends a message to IoT Core and saves the IoT data in DynamoDB; if temperature > 30, send a message from IoT to SNS.