Questions tagged with IAM Policies


1 answer, 0 votes, 29 views, asked a month ago

Failed to pull and unpack image with status code [manifests v1.1]: 401 Unauthorized

Hi, I created an EC2 instance and installed microk8s. Now I am trying to pull the image from ECR. I have attached an IAM role to the EC2 instance with the AmazonEC2ContainerRegistryReadOnly policy attached. I have also downloaded and configured iam-authenticator, but I am still getting the following events:

```
Normal   Scheduled          32s                default-scheduler  Successfully assigned k8ssandra-operator/soap-deployment-5785fdcbb6-psvml to ip-192-168-81-119
Normal   Pulling            18s (x2 over 32s)  kubelet            Pulling image "782534010321.dkr.ecr.eu-west-2.amazonaws.com/soap:v1.1"
Warning  Failed             18s (x2 over 31s)  kubelet            Failed to pull image "782534010321.dkr.ecr.eu-west-2.amazonaws.com/soap:v1.1": rpc error: code = Unknown desc = failed to pull and unpack image "782534010321.dkr.ecr.eu-west-2.amazonaws.com/soap:v1.1": failed to resolve reference "782534010321.dkr.ecr.eu-west-2.amazonaws.com/soap:v1.1": pulling from host 782534010321.dkr.ecr.eu-west-2.amazonaws.com failed with status code [manifests v1.1]: 401 Unauthorized
Warning  Failed             18s (x2 over 31s)  kubelet            Error: ErrImagePull
Warning  MissingClusterDNS  5s (x6 over 32s)   kubelet            pod: "soap-deployment-5785fdcbb6-psvml_k8ssandra-operator(5f1750ed-8316-48c0-869f-9fa4b0870d22)". kubelet does not have ClusterDNS IP configured and cannot create Pod using "ClusterFirst" policy. Falling back to "Default" policy.
Normal   BackOff            5s (x3 over 31s)   kubelet            Back-off pulling image "782534010321.dkr.ecr.eu-west-2.amazonaws.com/soap:v1.1"
Warning  Failed             5s (x3 over 31s)   kubelet            Error: ImagePullBackOff
```

My .kube/config is as follows:

```yaml
apiVersion: v1
clusters:
- cluster:
    server: https://192.168.81.119:16443
    certificate-authority-data: my-ca
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: aws
  name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: /home/ubuntu/aws-iam-authenticator
      args:
      - "token"
      - "-i"
      - "aws-cluster-123456"
      - "-r"
      - "<role-arn>"
```
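The 401 in the events is returned to containerd on the node, which is pulling the image without any credentials for the registry. A self-managed microk8s node does not, by default, use the EC2 instance role for image pulls the way an EKS worker node does, and the exec plugin in `.kube/config` only authenticates `kubectl` to the API server; it plays no part in the pull. The usual fix is a `kubernetes.io/dockerconfigjson` Secret built from the output of `aws ecr get-login-password --region eu-west-2` (the user name is always `AWS`, the token is valid for 12 hours) and referenced through `imagePullSecrets`. The following is an added example that is not code from the post, from microk8s or from AWS: it builds that Secret, decodes it the way containerd will, patches a pod spec, and tracks when the token needs rotating. The registry host comes from the events above; the token string, Secret name, namespace and refresh margin are assumptions.

```python
"""Build and verify a Kubernetes imagePullSecret for a private ECR registry.

Added example, not code from the post, microk8s or AWS. The kubelet hands the
pull to containerd, which presents whatever credentials a docker-registry
Secret supplies; nothing here touches the instance role or the kubeconfig.
"""
import base64
import json
from datetime import datetime, timedelta, timezone

REGISTRY = "782534010321.dkr.ecr.eu-west-2.amazonaws.com"      # host from the post's events
TOKEN_LIFETIME = timedelta(hours=12)        # ECR authorization tokens are valid for 12 hours
REFRESH_MARGIN = timedelta(hours=1)         # assumed: rotate the Secret an hour before expiry
EXAMPLE_ISSUED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp


def build_pull_secret(registry, password, name="ecr-pull", namespace="k8ssandra-operator"):
    """Return a kubernetes.io/dockerconfigjson Secret manifest for `registry`.

    `password` is the output of `aws ecr get-login-password`; ECR's user name is
    always the literal string AWS. Secret name and namespace are assumptions.
    """
    auth = base64.b64encode(f"AWS:{password}".encode()).decode()
    dockerconfig = {"auths": {registry: {"username": "AWS", "password": password, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(dockerconfig).encode()).decode()},
    }


def decode_pull_secret(secret):
    """Decode the Secret back into its `auths` map, the way containerd reads it."""
    return json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))["auths"]


def registry_credential(secret, registry):
    """Return the 'user:password' string that will be presented for `registry`."""
    return base64.b64decode(decode_pull_secret(secret)[registry]["auth"]).decode()


def needs_refresh(issued_at, now, margin=REFRESH_MARGIN):
    """True once the token issued at `issued_at` is within `margin` of its expiry."""
    return now >= issued_at + TOKEN_LIFETIME - margin


def with_pull_secret(pod_spec, secret_name):
    """Return a copy of a pod spec that references the Secret via imagePullSecrets."""
    spec = json.loads(json.dumps(pod_spec))           # deep copy, leaves the input untouched
    refs = spec.setdefault("imagePullSecrets", [])
    if {"name": secret_name} not in refs:
        refs.append({"name": secret_name})
    return spec


def fetch_ecr_password(region):
    """Fetch a live token with boto3 (same API call as `aws ecr get-login-password`).

    Uses the node's instance-role credentials and needs network access, so the
    offline checks never call it. Returns (password, expiry datetime).
    """
    import boto3   # assumption: boto3 is installed on the node
    data = boto3.client("ecr", region_name=region).get_authorization_token()["authorizationData"][0]
    user, password = base64.b64decode(data["authorizationToken"]).decode().split(":", 1)
    if user != "AWS":
        raise RuntimeError("unexpected ECR user name %r" % user)
    return password, data["expiresAt"]


if __name__ == "__main__":
    # Constructed token; in practice pass the first element of fetch_ecr_password("eu-west-2").
    manifest = build_pull_secret(REGISTRY, "constructed-ecr-token")
    print(json.dumps(manifest, indent=2))            # `kubectl apply -f -` accepts JSON
    pod = with_pull_secret({"containers": [{"name": "soap", "image": f"{REGISTRY}/soap:v1.1"}]}, "ecr-pull")
    print(json.dumps(pod, indent=2))
```

Because the token expires after 12 hours, the Secret has to be regenerated (a cron job or a small CronJob in the cluster calling `build_pull_secret` with a fresh token); `needs_refresh` is the check such a job would run before deciding to rotate.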
1 answer, 0 votes, 26 views, asked a month ago

Why is my EFS File system policy blocking Fargate from mounting the EFS even though it includes the Task Execution Role arn?

I'm currently using an EFS mounted on a Fargate task. The task uses the roles CustomECSTaskExecutionAgent for task execution and CustomECSTaskAgent for the task. With no file system policy in place, Fargate mounts fine and my task is able to read/write to the EFS. However, my company requires a File System Policy for each EFS, so I added the following:

```json
{
  "Version": "2012-10-17",
  "Id": "efs-statement-8e30733a-a93f-414f-b5b6-284bd5a02c0a",
  "Statement": [
    {
      "Sid": "efs-statement-7c9d03e6-379b-422e-afe6-4d92e7ff4303",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<accountid>:role/CustomECSTaskAgent",
          "arn:aws:iam::<accountid>:role/CustomECSTaskExecutionAgent",
          "arn:aws:iam::<accountid>:role/CustomEC2Agent"
        ]
      },
      "Action": "elasticfilesystem:*",
      "Resource": "arn:aws:elasticfilesystem:us-east-1:<accountid>:file-system/fs-id"
    }
  ]
}
```

With this policy Fargate is not able to mount the drive; I get the following error:

`ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: access denied by server while mounting fs-id.efs.us-east-1.amazonaws.com:/' : unsuccessful EFS utils command execution; code: 32`

If I add the following statement to the policy, then Fargate is able to mount the drive but the task fails immediately because it is not able to read/write. I cannot keep the statement below because it is too permissive, and I'd like to know what Principal I need for:

1. Fargate to mount successfully
2. My task to read/write

```json
{
  "Sid": "efs-statement-7c9d03e6-379b-422e-afe6-4d92e7ff4303",
  "Effect": "Allow",
  "Principal": {
    "AWS": "*"
  },
  "Action": "elasticfilesystem:ClientMount",
  "Resource": "arn:aws:elasticfilesystem:us-east-1:<accountid>:file-system/fs-id"
}
```
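Once a file system policy exists, EFS evaluates it against whatever identity the NFS client presents. A Fargate task presents its task role to the file system only when the task definition's `efsVolumeConfiguration` has `transitEncryption` and `authorizationConfig.iam` both set to `ENABLED`; without that, the mount arrives with no IAM principal at all, so a policy that only names roles has nothing to match and the mount is refused with exactly the `mount.nfs4: access denied by server` seen above. Adding `"Principal": {"AWS": "*"}` with `ClientMount` admits that anonymous mount but grants no write, which is the second symptom. The block below is an added example, not code from the post or from AWS: a small evaluator for the subset of resource-policy semantics an EFS file system policy uses (explicit Deny, then Allow, else implicit Deny), run over the posted policy and over a hardened alternative that names only the task role, only the client actions it needs, and denies any unencrypted transport. The account id, request contexts and the hardened policy are assumptions; the role names and file system ARN follow the post.

```python
"""Evaluate an EFS file system policy against mount/read/write requests.

Added example, not code from the post or from AWS. Models explicit-Deny >
Allow > implicit-Deny for Principal, Action, Resource and Bool conditions,
which is all an EFS file system policy needs here.
"""
import fnmatch

ACCOUNT = "123456789012"                      # constructed placeholder for <accountid>
FS_ARN = f"arn:aws:elasticfilesystem:us-east-1:{ACCOUNT}:file-system/fs-id"
TASK_ROLE = f"arn:aws:iam::{ACCOUNT}:role/CustomECSTaskAgent"
EXEC_ROLE = f"arn:aws:iam::{ACCOUNT}:role/CustomECSTaskExecutionAgent"

# The policy from the post: named roles, every EFS action.
POSTED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": [TASK_ROLE, EXEC_ROLE]},
    "Action": "elasticfilesystem:*", "Resource": FS_ARN}]}

# The post's too-permissive workaround: anyone may mount.
OPEN_MOUNT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "elasticfilesystem:ClientMount", "Resource": FS_ARN}]}

# Assumed hardened policy: task role only, mount + write only, only via a mount
# target, and an explicit Deny for anything that is not TLS-wrapped.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": TASK_ROLE},
     "Action": ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
     "Resource": FS_ARN,
     "Condition": {"Bool": {"elasticfilesystem:AccessedViaMountTarget": "true"}}},
    {"Effect": "Deny", "Principal": {"AWS": "*"}, "Action": "*", "Resource": FS_ARN,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# Constructed request contexts. ANONYMOUS_NFS: IAM authorization not enabled in
# the task definition, so the client has no principal and no TLS. IAM_TLS:
# transitEncryption and authorizationConfig.iam ENABLED, task role presented.
ANONYMOUS_NFS = {"aws:SecureTransport": False, "elasticfilesystem:AccessedViaMountTarget": True}
IAM_TLS = {"aws:SecureTransport": True, "elasticfilesystem:AccessedViaMountTarget": True}
IAM_NO_TLS = {"aws:SecureTransport": False, "elasticfilesystem:AccessedViaMountTarget": True}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    """Principal '*' or AWS '*' matches anyone, including an anonymous client."""
    spec = stmt.get("Principal")
    if spec is None:
        return False
    if spec == "*":
        return True
    allowed = _as_list(spec.get("AWS", []))
    return "*" in allowed or (principal is not None and principal in allowed)


def _glob_matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_match(stmt, ctx):
    """Only the Bool operator is modelled; an absent context key never matches."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "Bool":
            raise ValueError("only Bool conditions are modelled here")
        for key, wanted in pairs.items():
            if key not in ctx or str(ctx[key]).lower() != str(wanted).lower():
                return False
    return True


def evaluate(policy, principal, action, resource, ctx):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, principal) and _glob_matches(stmt["Action"], action)
                and _glob_matches(stmt["Resource"], resource) and _conditions_match(stmt, ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"          # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


def check(policy, principal, client_action, ctx):
    """Decision for an EFS client action ('ClientMount', 'ClientWrite', ...) on FS_ARN."""
    return evaluate(policy, principal, "elasticfilesystem:" + client_action, FS_ARN, ctx)


if __name__ == "__main__":
    print("posted, anonymous mount:", check(POSTED_POLICY, None, "ClientMount", ANONYMOUS_NFS))
    print("open, anonymous write:  ", check(OPEN_MOUNT_POLICY, None, "ClientWrite", ANONYMOUS_NFS))
    print("hardened, task role:    ", check(HARDENED_POLICY, TASK_ROLE, "ClientWrite", IAM_TLS))
```

With IAM authorization enabled on the volume, the execution role never appears as a principal at the file system; it is the task role that mounts and writes, so that is the only principal the policy needs. The `aws:SecureTransport` Deny is cheap insurance, because IAM-authorized mounts are always TLS-wrapped and an unencrypted mount should never succeed against a policy-protected file system.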
1 answer, 0 votes, 42 views, Olly asked a month ago

How to parametrize Mappings and PermissionsBoundary in an AWS CloudFormation template effectively

I have the CFN template below, which is working fine; however, as I am still learning, I want my `Mappings` to be parametrized and I am not finding the way to do it. Secondly, I am not able to use the `PermissionBoundary` parameter like `Default: !Sub arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary`, as it probably doesn't like the `!Sub` function to be called and then referenced in the `AWS::IAM::Role`, hence for now I am using it directly like `PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary'`, which indeed works well. Can someone please help me with:

1. getting the `Mapping` to be parametrized, and
2. how to use a `PermissionBoundary` parameter as a reference while using `${AWS::AccountId}` in it.

Below is the working code; the commented portion is the one which doesn't work.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  This AWS Backup template deploys AWS backup-Plan for the FSx cloud resources.

Parameters:
  FsxIAMBackupRole:
    Type: String
    Default: 'test-fsx-backup-role'
    Description: 'IAM Role for FsxN backup Service.'
  FsxBackupVaultName:
    Type: String
    Default: 'test-fsx-backup-vault'
    Description: 'Provide the name of the backup-vault.'
  FsxBackupPlanName:
    Type: String
    Default: 'test-fsx-backup-plan'
    Description: 'Provide the name of the backup-plan.'
  FsxBackupRuleName:
    Type: String
    Default: 'test-fsx-backup-rule'
    Description: 'Provide the name of the backup-rule.'
  FsxBackupSelectionName:
    Type: String
    Default: 'test-fsx-backup-selection'
    Description: 'Provide the name of the backup-selection.'
  FsxBackupDeleteAfterDays:
    Type: Number
    Default: 22
    Description: 'Days to expire backups from vault.'
  FsxVaultMinRetentionDays:
    Type: Number
    Default: 21
    Description: 'Retention period in days that the vault retains backup data.'
  FsxVaultChangeableForDays:
    Type: Number
    Default: 3
    Description: 'Number of days before the vault lock. After this period, Vault Lock becomes immutable and cannot be changed or deleted.'
  # PermissionBoundary:
  #   Type: String
  #   #Default: !Sub arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary
  #   Description: 'Provide Permission Boundary Name'

Mappings:
  RegionMap:
    us-east-1:
      schedulexpr: "cron(00 19 * * ? *)"
    us-west-1:
      schedulexpr: "cron(00 18 * * ? *)"
    eu-west-1:
      schedulexpr: "cron(00 17 * * ? *)"
    ap-southeast-1:
      schedulexpr: "cron(00 16 * * ? *)"
    ap-northeast-1:
      schedulexpr: "cron(00 15 * * ? *)"

Resources:
  FSxBackupIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - backup.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Description: Create IAM role for backup service
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
      Path: "/"
      PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/CCoEPermissionBoundary'
      RoleName: !Ref FsxIAMBackupRole

  FSxBackupsVault:
    Type: "AWS::Backup::BackupVault"
    Properties:
      BackupVaultName: !Ref FsxBackupVaultName

  FSxBackupPlan:
    Type: "AWS::Backup::BackupPlan"
    Properties:
      BackupPlan:
        BackupPlanName: !Ref FsxBackupPlanName
        BackupPlanRule:
          - RuleName: !Ref FsxBackupRuleName
            TargetBackupVault: !Ref FSxBackupsVault
            StartWindowMinutes: 240
            # The post also carried `ScheduleExpression: !Ref FsxBackupScheduleExpression`
            # ahead of this key; that parameter is not declared and a duplicate mapping
            # key is invalid YAML, so only the mapping lookup is kept here.
            ScheduleExpression: !FindInMap
              - RegionMap
              - !Ref 'AWS::Region'
              - schedulexpr
            Lifecycle:
              DeleteAfterDays: !Ref FsxBackupDeleteAfterDays

  FsxTagBasedBackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId:
        Fn::GetAtt:
          - FSxBackupPlan
          - BackupPlanId
      BackupSelection:
        IamRoleArn:
          Fn::GetAtt:
            - FSxBackupIAMRole
            - Arn
        Conditions:
          StringEquals:
            - ConditionKey: aws:ResourceTag/storage
              ConditionValue: backup-production
        Resources:
          - arn:aws:fsx:*
        SelectionName: !Ref FsxBackupSelectionName
```
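Two CloudFormation rules explain both problems: the `Parameters` section cannot contain intrinsic functions, so a `Default` of `!Sub ...` is rejected at validation time, and the `Mappings` section cannot reference parameters or pseudo parameters either. In both cases the way out is to parametrize the inputs to the function rather than its result: take the boundary policy's name as a plain string parameter and build the ARN with `!Sub` inside the role, where intrinsics are allowed; and take the mapping key as a parameter (with `AllowedValues`) and use it as the second-level key of `!FindInMap`. The template below is an added example, not the poster's template: it keeps `RegionMap`, `schedulexpr` and the role/plan resource names from the post, while `PermissionBoundaryName`, `ScheduleProfile`, `ProfileMap`, the `UseRegionSchedule` condition, the extra cron values and the inlined names are assumptions, and the remaining parameters of the original are omitted for brevity.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not the original template) - parametrized FindInMap key and PermissionsBoundary name

Parameters:
  # Parameter defaults are literal strings: no intrinsic function is allowed anywhere
  # in Parameters. Take the policy *name* here and build the ARN with !Sub later.
  PermissionBoundaryName:
    Type: String
    Default: CCoEPermissionBoundary
    AllowedPattern: '^[\w+=,.@-]{1,128}$'
    Description: 'Name of the permissions-boundary managed policy in this account (not an ARN).'
  # Mappings cannot reference parameters, but a FindInMap key can be a !Ref, so the
  # thing to parametrize is the key that selects the mapping entry. Assumed profile names.
  ScheduleProfile:
    Type: String
    Default: region
    AllowedValues: [region, nightly, hourly]
    Description: 'region = per-region cron from RegionMap; nightly/hourly = fixed crons from ProfileMap.'

Conditions:
  UseRegionSchedule: !Equals [!Ref ScheduleProfile, region]

Mappings:
  RegionMap:
    us-east-1:
      schedulexpr: "cron(00 19 * * ? *)"
    us-west-1:
      schedulexpr: "cron(00 18 * * ? *)"
    eu-west-1:
      schedulexpr: "cron(00 17 * * ? *)"
    ap-southeast-1:
      schedulexpr: "cron(00 16 * * ? *)"
    ap-northeast-1:
      schedulexpr: "cron(00 15 * * ? *)"
  ProfileMap:                     # assumed second map, keyed by the parameter value
    nightly:
      schedulexpr: "cron(00 02 * * ? *)"
    hourly:
      schedulexpr: "cron(00 * * * ? *)"

Resources:
  FSxBackupIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: [backup.amazonaws.com]
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores
      Path: "/"
      # Account id resolved at deploy time, policy name taken from the parameter.
      PermissionsBoundary: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${PermissionBoundaryName}'

  FSxBackupsVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: test-fsx-backup-vault

  FSxBackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: test-fsx-backup-plan
        BackupPlanRule:
          - RuleName: test-fsx-backup-rule
            TargetBackupVault: !Ref FSxBackupsVault
            StartWindowMinutes: 240
            # The mapping key is chosen by the parameter: pseudo parameter for the
            # per-region case, the parameter value itself otherwise.
            ScheduleExpression: !If
              - UseRegionSchedule
              - !FindInMap [RegionMap, !Ref 'AWS::Region', schedulexpr]
              - !FindInMap [ProfileMap, !Ref ScheduleProfile, schedulexpr]
            Lifecycle:
              DeleteAfterDays: 22

Outputs:
  ResolvedBoundaryArn:
    Description: The boundary ARN the role was created with, for a quick post-deploy check.
    Value: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${PermissionBoundaryName}'
```

`aws cloudformation validate-template --template-body file://template.yaml` catches the intrinsic-in-Parameters error before a deploy, and the `ResolvedBoundaryArn` output lets you compare the ARN against `aws iam get-role --role-name ... --query Role.PermissionsBoundary` after the stack is up. `AllowedValues` on the key parameter is what turns a typo into a validation error instead of a `FindInMap` failure mid-deploy.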
1 answer, 0 votes, 57 views, Karn asked a month ago