Questions tagged with IAM Policies

I've configured an Athena connection to an RDS SQL Server database using a JDBC driver. After choosing the data source, the database does not load and a "Network Failure" is shown without any further information. What might be the cause of such an error, or where can I find more information on how to solve it? ![Enter image description here](/media/postImages/original/IMQajw0sQHTgyDgntZCvLPJg)
1 answer · 0 votes · 22 views · asked 22 days ago
Currently a set of admin users can close the account. I'm trying to come up with a policy to prevent the users from doing it, and this is the policy I wrote:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": [
        "account:CloseAccount"
      ],
      "Resource": "*"
    }
  ]
}
```

Even after applying the above policy, I am able to see the Close Account action on the web page. ![Screenshot](/media/postImages/original/IMWDASVQqSTmS8xvawlG1GNQ)
2 answers · 1 vote · 55 views · asked by Kavi-vt 22 days ago
Hi, I'm trying to run this command in PowerShell on my Microsoft EC2 instance:

```
aws ssm put-parameter --name "WindowsAgentConfig" --type "String" --value file://C:\ProgramData\Amazon\AmazonCloudWatchAgent\amazon-cloudwatch-agent.json --overwrite --tier Intelligent-Tiering
```

However, I'm getting the following error:

```
An error occurred (AccessDeniedException) when calling the PutParameter operation: User: arn:aws:sts::480607316411:assumed-role/CloudWatchAgentAdminRole/i-071eb9d7a32d10801 is not authorized to perform: ssm:PutParameter on resource: arn:aws:ssm:us-east-1:480607316411:parameter/WindowsAgentConfig because no identity-based policy allows the ssm:PutParameter action
```

I checked my IAM role for permissions and I see this: ![This policy is attached to the role I'm using](/media/postImages/original/IMnWt-4jMNRnO0rf2nxr5bBg)

For that same role I also use the following policies:

- CloudWatchAgentServerPolicy
- AmazonSSMManagedInstanceCore

Is there something obvious I'm doing wrong here? Any help will be very much appreciated. Adrian.
1 answer · 0 votes · 34 views · asked 22 days ago
Why does one S3 folder show in my web browser while another folder in the same parent doesn't? They're in the same parent folder and the same instance on EC2. All the settings/properties are exactly the same.
1 answer · 0 votes · 37 views · asked by TU0721 22 days ago
I am using the IAM role AWSGlueServiceRole created in AWS Glue and tried to create a crawler to run on an S3 source. The error I get is:

```
The following crawler failed to create: "abc"
Here is the most recent error message: Account XXX is denied access.
```

I also tried another role that I created with the policies below, but I still get the same error.

- AmazonS3FullAccess
- AWSGlueServiceRole
- AdministratorAccess
- AWSGlueConsoleFullAccess
- AWSGlueSchemaRegistryFullAccess
- AWSGlueDataBrewServiceRole

![Enter image description here](/media/postImages/original/IMPaOXZmKjQvWt8ZZZxtHSmw)
2 answers · 1 vote · 50 views · asked 23 days ago
Hi, we have developed a private MWS application which runs fine with the MWS APIs. We are now trying to test SP-API in order to prepare the migration. Using the technical documentation we have:

- created an IAM user in our AWS account
- defined and created an authorization policy with STS
- created a role with this policy
- registered in Seller Central a new private SP-API application with the previously created ARN (including nearly all authorizations, notably orders)
- self-authorized this application and got the LWA information: id, secret code and refresh token
- using Postman, successfully requested a security token using STS
- using Postman, imported the Orders JSON file and tried to call SP-API GET Orders. We provided all the relevant info, including id, secret code, and the token obtained in the previous step.

Unfortunately, the only answer we can get is a 403 error: "The security token included in the request is invalid."

According to the documentation I created a "SellerPartnerAPI" policy including:

```
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "execute-api:Invoke", "Resource": "arn:aws:execute-api:*:*:*" } ] }
```

Please help, it's been a week since our first try!

Here is the Postman trace of a new test done this morning:

```
GET https://sellingpartnerapi-eu.amazon.com/orders/v0/orders?CreatedAfter=2023-03-01&MarketplaceIds=A13V1IB3VIYZZH
403 172 ms

GET /orders/v0/orders?CreatedAfter=2023-03-01&MarketplaceIds=A13V1IB3VIYZZH HTTP/1.1
Accept: application/json
Host: sellingpartnerapi-eu.amazon.com
X-Amz-Security-Token: Atza|IwEBIBAAVkX_G6WERnyAtp03wCe2Hvc1ucciQQ15xxTPRS1iVqaIrHRUGQR7nMir1UX6LceaJ-DkjjKIKvwk2WOHre0opwzo4yjAl9SM3xwsg5bKzajv2XXgLj7FKYVhGdIlYlB_J52Lgeo-EHzllmwFJMeCj2UiWK_3rfb_4eVUJov5PsvYt1J0yY85Lweh4Vcnxevcb0zEIaFCalCzm0dCAh5tQCEvF8TOiliJJE2lKImfp7aka5go94Chko4mjs3nLxByY9JUnTn8r5JyAnmvOkn4zPHr0361YJK5I2Pq_IgIC05rD57lcwDElwochknVP-EAn8MEe0iPrdu_AKZfN2yx
X-Amz-Date: 20230308T091250Z
Authorization: AWS4-HMAC-SHA256 Credential=amzn1.application-oa2-client.15bef5d917ca45709dd18035b6d35996/20230308/eu-west-1/execute-api/aws4_request, SignedHeaders=accept;host;x-amz-date;x-amz-security-token, Signature=d893a93dba2612d61e7e8fa23f89301a115312627011a78062d395f6819fb2f8
User-Agent: PostmanRuntime/7.29.2
Postman-Token: c2a4878e-d395-40ca-92eb-568f77b1154c
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

HTTP/1.1 403 Forbidden
Date: Wed, 08 Mar 2023 09:12:50 GMT
Content-Type: application/json
Content-Length: 137
Connection: keep-alive
x-amzn-RequestId: f79343aa-bb8c-40f7-a63e-cc12300c3b16
x-amzn-ErrorType: UnrecognizedClientException
x-amz-apigw-id: BdGu9GgjjoEFjZg=

{ "errors": [ { "message": "The security token included in the request is invalid.", "code": "InvalidInput" } ] }
```
0 answers · 0 votes · 17 views · asked 23 days ago
Hi, we are trying to set up an **SCP** which will deny some **DynamoDB** actions based on the **IP ranges** of our network, so that IAM users, for example, can't Scan or Query a DynamoDB table from outside our network. In this SCP we need to add **an exception** for some AWS services (like **EC2** or **Lambda**) which can freely Query/Scan a DynamoDB table if they have the necessary permissions. We tried the following SCP and it worked fine for the first case ("IAM users") but failed for the Lambda case, as we are still receiving an AccessDenied error when trying to Query a DynamoDB table from a Lambda function:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "dynamodb:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:ViaAWSService": "false"
        },
        "NotIpAddress": {
          "aws:SourceIp": [
            "IP Range"
          ]
        }
      }
    }
  ]
}
```

Do you know how we can manage to add this exception for all AWS services which need to perform any DynamoDB action, without the need to use the ARN of the specific IAM role used by these services?
3 answers · 0 votes · 72 views · asked 23 days ago
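The three policy questions above (the `account:CloseAccount` Deny, the `ssm:PutParameter` AccessDenied, and the IP-restricted SCP) all come down to how IAM combines statements and condition keys. The evaluator below is an added example, not AWS's evaluation engine and not code from any of the posts; its policies, account IDs and IP ranges are constructed. It reproduces why an explicit Deny wins over AdministratorAccess (the console does not hide a button that a policy denies; the Deny is applied when the action is attempted), why a PutParameter to a name outside the `AmazonCloudWatch-` prefix gets an implicit deny under a policy shaped like CloudWatchAgentAdminPolicy, and why a Lambda function still hits the IP Deny: `aws:ViaAWSService` is true only when an AWS service makes the call on the principal's behalf, so the function's own SDK calls are evaluated against `aws:SourceIp`, which is an AWS-owned address, or absent altogether when the call goes through a VPC endpoint, and a negated operator such as `NotIpAddress` also matches an absent key. The last scenario shows one way to exempt workloads without enumerating role ARNs, a `StringNotEquals` condition on a principal tag; that is a constructed approach, not something from the page.

```python
"""Toy evaluator for the subset of the IAM policy language used in the questions
above.  Added example, not AWS's engine.  Rules: an explicit Deny in any layer wins;
the SCP and identity layers must each contain an Allow; anything else is an implicit deny."""
import ipaddress
from fnmatch import fnmatchcase

ALLOW, EXPLICIT_DENY, IMPLICIT_DENY = "Allow", "ExplicitDeny", "ImplicitDeny"
_as_list = lambda v: v if isinstance(v, list) else [v]

def _glob(pattern, value):
    return fnmatchcase(value.lower(), pattern.lower())   # IAM wildcards: '*' and '?'

def _ip_in(cidrs, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _condition_matches(condition, ctx):
    """Operators and keys are ANDed, the values of one key ORed.  A negated operator
    matches when the key is absent, which is why an IP Deny needs the aws:ViaAWSService guard."""
    for operator, keys in condition.items():
        for key, values in keys.items():
            values = [str(v).lower() for v in _as_list(values)]
            present, actual = key in ctx, str(ctx.get(key, "")).lower()
            if operator == "Bool":
                ok = present and actual in values
            elif operator == "IpAddress":
                ok = present and _ip_in(values, actual)
            elif operator == "NotIpAddress":
                ok = not present or not _ip_in(values, actual)
            elif operator == "StringNotEquals":
                ok = not present or actual not in values
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Evaluate one policy document against one request."""
    result = IMPLICIT_DENY
    for st in _as_list(policy["Statement"]):
        if not any(_glob(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not _condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return EXPLICIT_DENY          # an explicit Deny ends evaluation
        result = ALLOW
    return result

def decide(scps, identity_policies, action, resource, ctx):
    """Combine the layers: no explicit Deny anywhere and an Allow in each."""
    for layer in (scps, identity_policies):
        results = [evaluate(p, action, resource, ctx) for p in layer]
        if EXPLICIT_DENY in results:
            return EXPLICIT_DENY
        if ALLOW not in results:
            return IMPLICIT_DENY
    return ALLOW

# constructed policies shaped like the ones quoted in the questions above
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_CLOSE = {"Statement": [{"Effect": "Deny", "Action": ["account:CloseAccount"], "Resource": "*"}]}
AGENT_ADMIN = {"Statement": [{"Effect": "Allow", "Action": ["ssm:GetParameter", "ssm:PutParameter"],
               "Resource": "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"}]}  # CloudWatchAgentAdminPolicy's prefix
OFFICE = ["203.0.113.0/24"]                                                   # constructed corporate range
IP_COND = {"Bool": {"aws:ViaAWSService": "false"}, "NotIpAddress": {"aws:SourceIp": OFFICE}}
IP_DENY = {"Statement": [{"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*", "Condition": IP_COND}]}
# one way to exempt workloads without listing role ARNs: a tag on the principal (constructed)
TAG_COND = dict(IP_COND, StringNotEquals={"aws:PrincipalTag/network-exempt": "true"})
IP_DENY_TAGGED = {"Statement": [{"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*", "Condition": TAG_COND}]}
ORG, ORG_TAGGED = [FULL_ACCESS, IP_DENY], [FULL_ACCESS, IP_DENY_TAGGED]       # FullAWSAccess plus the deny SCP
TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/orders"
PARAM = "arn:aws:ssm:us-east-1:111122223333:parameter/"

def query(scps, **ctx):
    """dynamodb:Query by a principal with AdministratorAccess, as a direct (non-service) call."""
    return decide(scps, [FULL_ACCESS], "dynamodb:Query", TABLE, {"aws:ViaAWSService": "false", **ctx})

def scenarios():
    """The cases from the questions above, mapped to the evaluator's verdict."""
    return {
        # explicit Deny beats AdministratorAccess; the console still shows the button
        "admin_close_account": decide([FULL_ACCESS], [FULL_ACCESS, DENY_CLOSE], "account:CloseAccount", "*", {}),
        # nothing allows the unprefixed parameter name -> the implicit deny quoted above
        "put_WindowsAgentConfig": decide([FULL_ACCESS], [AGENT_ADMIN], "ssm:PutParameter", PARAM + "WindowsAgentConfig", {}),
        "put_AmazonCloudWatch-win": decide([FULL_ACCESS], [AGENT_ADMIN], "ssm:PutParameter", PARAM + "AmazonCloudWatch-win", {}),
        "user_in_office": query(ORG, **{"aws:SourceIp": "203.0.113.10"}),
        "user_elsewhere": query(ORG, **{"aws:SourceIp": "198.51.100.7"}),
        # Lambda code calling DynamoDB is a direct call: the source address is AWS-owned
        # (constructed value) or absent via a VPC endpoint; the Deny matches in both cases
        "lambda_public_endpoint": query(ORG, **{"aws:SourceIp": "192.0.2.44"}),
        "lambda_vpc_endpoint": query(ORG, **{"aws:SourceVpc": "vpc-0abc"}),
        # a service calling on the principal's behalf sets ViaAWSService=true: Deny skipped
        "via_service": decide(ORG, [FULL_ACCESS], "dynamodb:CreateTable", TABLE, {"aws:ViaAWSService": "true"}),
        # the tagged execution role is exempt wherever it runs
        "lambda_exempt_by_tag": query(ORG_TAGGED, **{"aws:SourceIp": "192.0.2.44", "aws:PrincipalTag/network-exempt": "true"}),
    }
```

Call `scenarios()` to get the verdict for each case. The evaluator ignores resource policies, permission boundaries and session policies, all of which take part in a real decision; `aws iam simulate-principal-policy` remains the authoritative check for a specific principal and request.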
When I launch a simple EC2 instance and open the IP address, I get an error: "Your connection was interrupted". It used to work before, but I don't know what might have caused this all of a sudden. I even checked the security group and it's correct as far as I know, as I have allowed HTTP & SSH inbound and All Traffic outbound. Is there anything else to check or configure? I'm still learning the basics of AWS.
2 answers · 0 votes · 40 views · asked 24 days ago
Do we have any documentation or resources that talk about how AWS has implemented IAM, trust, least privilege, etc.?
3 answers · 0 votes · 32 views · asked 24 days ago
Hello, we are using a number of services which access data in AWS S3 via IAM roles and credentials. We are looking to get a breakdown of the data transfer costs by each IAM role. Is there a way to get a breakdown of costs by IAM role? Alternatively, what would be the best way to find the API calls that are billed by AWS for data transfer? Thanks,
2 answers · 0 votes · 40 views · asked by shubham 24 days ago
When I [added a Tag Policy](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies-create.html) to my resources, I can't get it to show a meaningful error message to the users that are violating this policy. They get a message with an encoded authorization failure message that looks like this:

```
Instance launch failed
You are not authorized to perform this operation. Encoded authorization failure message: P1LEqsQ1orBoHehDtgplDLEXWiLanDeBQnxbP1nuXL6lPD4dPu9ziQleETlPnaHFjAVKJmdn4ZGl6xdTiD2LQILFWnqcHDAvZprs4aGvJ3WTS_igTs0Mxewe6ujcyUH1LcG7XhzgqUNEKEQGXvgNIQRpexi5HS0ggON_sJe5HRDFPjR8LciUwS1cJgQ1EnPagzU-Pm_ugNxuTBtp6K1SMLBM06JylxliLDI4IOuEx-PCirEGqPQ5H90nOVWA23Q6ah-UJ5WOmWnbC9lwvVjneDZ3VjoNJa3swU5zxbi-TTAHdMxAEY1RxpQ4F8T5OP-N-1qgXzuvWJArmMkIQ-1FDt28nM_76FMH8xateCHC1Ip9iJT0Jhwfjk9SSfRur37a3H1xILZfd-VwvlL2JJJZxR_YBb7lMiIvwutFRnBMCzNsAklA9cvxK03HQZmhzcov568iysIb8-WQwVrROJHtdKmfxZ5fX5RX58nfolurWQJBAnrlYCPiXZx1kqhFAm4p7pdXh5RyaJ_3tGYiFpeqnNUIHtVmhkEQdzsPmRomQh-GwYD6g3x3hRL2hh7eAjtH8ZfgIf67ofvOH19ErcHYHRLJjelwyrGudiFGMgKerqkscj8d0n2y4R8ddp8eNG6XkUARPEAAUF_l3z3MxMM6N6Ka5iV--8VCr1ikIkZLj-BNy9-EBWk7G64bJvWMAjyczTv1agRae_kGi_r773BWhKEaqhT82kCxwyfxmvy6WINhYiboPQ5cW-r_4EsJ61lgf9_HYT2kzClZcv_-8XAapHaugmeyZJSBxy4eUYfeGa4t7mwRzJhp0-Rtc19QeHMkzIIm1SIRSABijLsYO0950DbsGkosf1YufifYolTNU9swq5mcsVoZGA

Launch log
Initializing requests            Succeeded
Creating security groups         Succeeded
Creating security group rules    Succeeded
Launch initiation                Failed
```

I saw that there is an [API call in STS](https://docs.aws.amazon.com/cli/latest/reference/sts/decode-authorization-message.html) that can decode it, which I couldn't really make work myself, since I don't know in which account of my Organization to run it. Nevertheless, it is not usable for the users that get this in the console or CLI. What configurations or permissions should I add to make the error messages more meaningful?
1 answer · 0 votes · 38 views · asked by MLGuy 24 days ago
I'm trying to connect to a PostgreSQL RDS database using DataGrip and the AWS Toolkit plugin with IAM authentication. The instructions on the subject are confusing and inconsistent and it's very unclear to me what I'm doing wrong. Here's what I did:

- enabled IAM Auth on the RDS instance.
- installed the AWS Toolkit and configured the access keys (I can access most services just fine, including viewing files on S3 through DataGrip, so that part is functional).
- created a policy that allows the `rds-db:connect` action and assigned it to my user.
- used the AWS explorer in DataGrip, selected the DB instance, and clicked "connect with IAM auth".
- when I run "test connection" I get this: ![Enter image description here](/media/postImages/original/IM296IK1IDQpO-H-PlNflQ8A)

The details that the toolkit inserts are correct as far as I can tell. I've been googling, and asking, and trying different things. Some places suggest creating a role to connect through an EC2 instance, which I completely don't understand (why would I need a complete instance? Why wouldn't I just connect directly?). It's very confusing, incredibly frustrating and I'm stumped. What am I missing?
1 answer · 0 votes · 24 views · asked by yuvi 25 days ago
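For the last question, the part the toolkit hides is what an RDS IAM authentication token actually is: a SigV4 presigned request for the pseudo-service `rds-db`, sent as the database password over TLS and valid for 15 minutes. The block below is an added example using only the Python standard library, not code from the post, the AWS Toolkit or DataGrip; the hostname, credentials and account ID are constructed and the DB resource ID is a placeholder. It also builds the matching `rds-db:connect` policy, whose Resource must name the instance's DbiResourceId (`db-...`, shown on the instance's Configuration tab), not the DB instance identifier; on PostgreSQL the database user must additionally have been granted the `rds_iam` role. boto3's `rds.generate_db_auth_token()` performs the same computation.

```python
"""RDS IAM authentication token = SigV4 presigned URL for the pseudo-service
'rds-db', minus the scheme.  Added example, standard library only; every
identifier below is constructed."""
import datetime
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def generate_db_auth_token(host, port, db_user, region, access_key, secret_key,
                           session_token=None, now=None, expires=900):
    """Return 'host:port/?Action=connect&DBUser=...&X-Amz-Signature=...'.
    Use it as the password; the connection must use TLS."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/rds-db/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": db_user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:                          # temporary credentials (roles, SSO)
        params["X-Amz-Security-Token"] = session_token
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", "/", query,
        f"host:{host}:{port}\n",                # canonical headers, then a blank line
        "host",                                 # signed headers
        hashlib.sha256(b"").hexdigest(),        # hash of the empty payload
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(_signing_key(secret_key, amz_date[:8], region, "rds-db"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"{host}:{port}/?{query}&X-Amz-Signature={signature}"


def connect_policy(region, account, dbi_resource_id, db_user):
    """Identity policy the connecting IAM user or role needs.  The Resource names
    the DbiResourceId (db-...), not the DB instance identifier."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "rds-db:connect",
            "Resource": f"arn:aws:rds-db:{region}:{account}:dbuser:{dbi_resource_id}/{db_user}",
        }],
    }


FIXED_NOW = datetime.datetime(2023, 3, 8, 9, 12, 50, tzinfo=datetime.timezone.utc)


def example_token(db_user="app_user", session_token=None):
    """Deterministic token for the constructed credentials (the AWS docs' example
    key pair) and a fixed clock, so the output can be compared run to run."""
    return generate_db_auth_token("db.example.internal", 5432, db_user, "us-east-1",
                                  "AKIAIOSFODNN7EXAMPLE",
                                  "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                                  session_token=session_token, now=FIXED_NOW)


if __name__ == "__main__":
    import json
    print(example_token())
    print(json.dumps(connect_policy("us-east-1", "111122223333", "db-ABCDEFGHIJKL01234", "app_user"), indent=2))
```

Two things this makes visible: the token is bound to the exact host, port and DB user, so a client that connects to a differently-cased hostname or through a proxy on another port gets "PAM authentication failed" even with a correct policy; and when the caller uses temporary credentials the session token must be part of the signed query string, otherwise the signature does not verify.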