I'm trying to have my EC2 instance assume a role that has AdministratorAccess but I keep getting the following:
User: arn:aws:sts::000111222333:assumed-role/Administrator_EC2/i-07e8e4a9cc81cd5fe is not
authorized to perform: sts:AssumeRole on resource: arn:aws:iam::000111222333:instance-profile/Administrator_EC2
My role has the standard EC2 gets sts::assume-role trust policy which I figured should allow me to assume the role but for some reason it's not letting me. I've also associated the role with the EC2 instance in the console. What's going on? Please let me know if I should provide more info
Related
I am trying to create a new IAM user (programmatic access only) that has full access to Amazon S3 using PHP SDK.
I looked at https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-iam-2010-05-08.html#createuser and I am not able to figure out what parameter is required to indicate programmatic access only to the user. Does specifying the username alone indicates it to be Programmatic user? Once I create the user, I am assuming, I have to call the "createAccessKey" method for that user to get the access credentials? Is that right?
You are correct. createuser only creates an IAM user without any permissions. By default the user can't do anything, including no programmatic access. To enable the access you have to call createAccessKey.
Since the user has no permissions by default, you will also need to add IAM policy to the user with S3 permissions.
I am successfully connecting to the Google Adwords API with the OAuth2 examples from Google. I want now to implement programatically the disconnection of the customer for this OAuth2 connection.
I saw in some examples the function
$client->revokeToken()
but in my case this function is not present. I am using for the connection the libraries from
"googleads/googleads-php-lib": "*"
I think you miss-understand how Oauth2 works. When you run your application a window pops up asking the user if they would like to grant your application permission to access their data. Assuming the user says yes then your application can now access their data. They are not logged in any scene.
What revoke does is remove the access that they granted to your application.
There is an issue about this on the issue forum 986 I cant seem to figure out if the bug was fixed or not.
If you cant get it to work you can do
https://accounts.google.com/o/oauth2/revoke?token={token}
this works the same as the user removing your application from Permissions
i try to develop a web-service which displays some user information from an Office 365 instance using the Microsoft Graph.
I'm able to query groups, user details and so on, but i'm not able to get the user profile picture as described here http://graph.microsoft.io/docs/api-reference/v1.0/api/profilephoto_get. It always return a 403, even when my service had all rights (for testing purpose).
The webservice is a deamon as described here: http://graph.microsoft.io/docs/authorization/app_only, so no actual user is logged in. Could that be an issue? Is it possible to query the photo information using a deamon?
As mentioned above, the problem could be solved by two things:
Use app permissions istead of delegated
If implementation reuses the Auth-Token, restart the apache (or other webserver) running the app after changing permissions for the app. The cached token doesn't seem to get updated rights.
I am using this script to populate DynamoDB: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/LoadDataPHP.html
I'm getting this error using the AWS SDK:
PHP Fatal error: Uncaught exception
'Aws\Exception\CredentialsException' with message 'Cannot read
credentials from /root/.aws/credentials' in
/var/www/vendor/aws/aws-sdk-php/src/Credentials/CredentialProvider.php:263
According to https://docs.aws.amazon.com/aws-sdk-php/v2/guide/credentials.html
If you do not explicitly provide credentials to the client object and no environment variable credentials are available, the SDK attempts to retrieve instance profile credentials from an Amazon EC2 instance metadata server. These credentials are available only when running on Amazon EC2 instances that have been configured with an IAM role.
I have an IAM role attached to my instance with full power user access. I have confirmed the role is working fine via the AWS CLI, which can access DynamoDB without any credential configuration.
Any suggestions as to what I could be doing wrong? I am under the impression (and interpret that credentials document to say) that I don't need to configure any credentials, hence the use of the IAM role.
I just wanted to expand a bit on this for anyone else that may end up in this situation.
If you use an IAM role on a EC2 instance as your method of credentials
Then don't use the profile line when creating a client. If you do specify profile in your client it tells the SDK to override any form of credentials you set in the client with a profile from the credentials ini file.
Mentioned (but buried a bit) in the PHP SDK V3 documentation here:
https://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#profile
Example Code
$client = new SqsClient([
'profile' => 'default', // <--- Don't use this line if you're using IAM Roles for credentials
'region' => 'us-west-2',
'version' => '2012-11-05'
]);
Misleading Documentation
The PHP SDK documentation recommends using IAM roles above all other credentials for EC2 instances. That's fine and makes total sense. The misleading part to new comers is for example this scenario;
Say someone new to the SDK reads the Basic SDK Usage in the getting started section.
Sets up a S3 client for testing as per the docs.
Once they have working S3 code, the developer decides to skip to the code examples section to setup a client for a different AWS service.
The problem here is that all of the code examples (with the exception of the S3 examples) contain the profile setting that breaks the IAM role credential method.
The code examples should at least have a reference to what profile does.
This line in the code:
'profile' => 'default',
is what was causing my issue. If you are using an IAM role you do not require the profile line, and removing it will fix the "Cannot read credentials" error.
I want my app to be able to edit all events for which user is admin. It appears that the app can only update events that were created by the app. I've tested this a few different ways and it always comes the same. It returns error 200, permissions error.
Is this by design or is it a bug? Is there anyway to grant permission to the app to allow updating events not created by the app?
Events that were initially created by the app can be updated by the app.
This appears to be by design. The app must be designated as admin of the event. It can only be assigned as admin if the app creates the event. There is no way to find all admins of an event, either.