Questions tagged with IAM Policies


DMS Test Endpoint failed

I am trying to create a DMS replication task with an RDS PostgreSQL source. The endpoint connection is failing with the following message:

```
Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to build connection string Unable to find Secrets Manager secret, Application-Detailed-Message: Failed to retrieve secret. Unable to find AWS Secrets Manager secret Arn 'arn:aws:secretsmanager:<region>:<account>:secret:<secret>' The secrets_manager get secret value failed: curlCode: 28, Timeout was reached Too many retries: curlCode: 28, Timeout was reached
```

I checked that the secret ARN is correct. I have also set `"SecretsManagerAccessRoleArn"` for the endpoint, which I double-checked. This role has the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:<region>:<account>:secret:<friendly-name>-??????"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:<region>:<account>:key/*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

The secretsmanager resource matches the secret ARN. I am using the default encryption key, so I believe explicit KMS permission is not necessary; I just added it out of desperation. Here is the role trust policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "dms.amazonaws.com",
          "dms.<region>.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

According to the documentation, the region-specific principal should be used; I tried adding `dms.amazonaws.com` when it didn't work. The replication instance is on a public subnet. I tried `aws secretsmanager get-secret-value` from another instance on the same subnet using the SecretsManagerAccessRole as the assumed role, and it works. The roles, policies, and DMS resources are all instantiated via CloudFormation. Any help getting this to work would be much appreciated.

1 answer, 0 votes, 140 views, asked a month ago

Missing (resource) permission in AWSAppRunnerFullAccess causes failure when calling the CreateVpcConnector operation

Not really a question, more of a 'bug report'. The solution is provided in this post. `arn:aws:iam::aws:policy/AWSAppRunnerFullAccess` is missing the permission to create the `AWSServiceRoleForAppRunnerNetworking` service role. That makes it impossible to create a VPC connector despite using the `FullAccess` policy. The error message doesn't really help, as the policy it points to is in fact attached.

Steps to reproduce:

1. Use a user or assume a role with `AWSAppRunnerFullAccess` permissions.
2. Run

```shell
aws apprunner create-vpc-connector --vpc-connector-name test-vpc-connector --subnets <subnets> --security-groups <security-groups>
```

The command produces the following error:

"An error occurred (InvalidRequestException) when calling the CreateVpcConnector operation: AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions."

Temporary solution: add an additional policy with `Allow` `iam:CreateServiceLinkedRole` on resource `arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner`. Long term, I believe it should be added to AWSAppRunnerFullAccess.

1 answer, 0 votes, 41 views, Pszem, asked a month ago