Questions tagged with IAM Policies


0 answers, 0 votes, 18 views, asked 9 days ago

AWS Elastic Beanstalk

I am facing an error "Service:AmazonCloudFormation, Message:Template error: instance of Fn::GetAtt references undefined resource AWSEBLoadBalancer" in AWS Elastic Beanstalk.

**Scenario:**

* To implement CI/CD, I am using multiple services: Bitbucket, CodePipeline, CodeBuild.
* In CodeBuild, I have been using an AWS CLI command to deploy the artifact from an S3 bucket to one of the Beanstalk environments.
* As AWS Elastic Beanstalk uses a different CloudFormation template for every environment to update it, the error log which I am getting in the Beanstalk environment is related to CloudFormation.
* I prefer experimenting with new things in my personal account rather than the company's account. Keeping that in context here, I created the IAM user and provided the required permissions to run the whole architecture, and it's running successfully using that account.
* I faced this error in my company's IAM account for the first time, so I created this same error in my personal account's IAM account.
* As the error log in the newly created Beanstalk environment was related to the CloudFormation template, I checked the logs in the environment and got to know that the status for this template was *"CREATE_COMPLETE"*.
* I then checked the status of the CloudFormation template of the old environment, in which the whole CI/CD was working absolutely fine, and I found that the status was *"UPDATE_COMPLETE"*.
* In order to make the status of the newly created Beanstalk environment "UPDATE_COMPLETE", I manually uploaded an artifact to this environment, which changed the status of the CloudFormation template to "UPDATE_COMPLETE".
* And then when I ran the CI/CD, the whole architecture worked very well.
* So this worked in my personal account's IAM account, but when I am trying to do the same in my company's IAM account (the account provided to me by them), it's showing the same error in the Beanstalk environment even after providing the same IAM permissions and following the same drill.

*Can someone help me figure out what the possible reasons for this scenario could be?*

![Please refer this image for the exact error](/media/postImages/original/IMB4vvrfujRyy6ILN8KpTt8A)

0 answers, 0 votes, 18 views, asked 12 days ago

S3 Bucket Object Lock - Deleting an object version with no retention settings requires 'BypassGovernanceRetention' permissions

**Scenario:**

An S3 Bucket has 'Object Lock' Enabled. Default retention is, and always has been - 'Disabled'.

An S3 Object in the bucket has multiple versions. Object Lock (Legal Hold & Retention) are both 'Disabled' for all versions of the object. Object Lock (Legal Hold & Retention) settings have never been enabled for the object or any of its previous versions.

**Issue:**

An IAM User with 'DeleteObjectVersion' permission receives 'access denied' when attempting to perform 'version delete' on a version of the object. The delete succeeds with the additional 'BypassGovernanceRetention' allowed for the same user.

**Question:**

Is this the expected behavior? It seems like a bug to me!

I understood the purpose of the 'BypassGovernanceRetention' is to allow changes to objects where 'governance mode' retention is enabled for the object. But it appears 'BypassGovernanceRetention' is required to delete a version in the bucket, even if the version does not have 'governance mode' enabled. I can find no reference in documentation for this behavior.

I have confirmed this behavior occurs only for objects in buckets where object lock is enabled. For objects in buckets with versioning only (object lock disabled) - the behavior is as expected. Only the 'DeleteObjectVersion' permission is required to delete object versions.

Please advise

Regards
Jason

1 answers, 0 votes, 33 views, asked 13 days ago