Is there any possibility in Terraform to enable Encryption in transit - aws-lambda

I'm trying to enable Encryption in transit for my environment variable in Lambda.
However, I couldn't find any documentation in Terraform on how to do this.
I was able to create and attach a customer master key to the Lambda (kms_key_arn).
I have created this:
data "aws_kms_ciphertext" "secret_encryption" {
  key_id    = aws_kms_key.kms_key.key_id
  plaintext = <<EOF
{
  "token": "${var.token}"
}
EOF
}
Now in my Lambda's environment variables:
environment {
  variables = {
    ENV_TOKEN = data.aws_kms_ciphertext.secret_encryption.ciphertext_blob
  }
}
I also attached kms:Decrypt to the Lambda execution role:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "arn:aws:kms:XXXX:XXXX:key/1234-567-...."
  }
}
In my Lambda:
import base64
import os

import boto3

encrypted_token = os.environ["ENV_TOKEN"]
# ciphertext_blob from Terraform is base64-encoded, so decode it before calling KMS
decrypt_github_token = boto3.client('kms').decrypt(
    CiphertextBlob=base64.b64decode(encrypted_token)
)['Plaintext'].decode('utf-8')
But I'm getting "An error occurred (AccessDeniedException) when calling the Decrypt operation:when calling the Decrypt operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."
Does anyone know where I'm going wrong?
Should the encryption be applied to the value only, rather than to the key-value format?

Maybe the error is happening prior to decryption. I wonder if you can't even read the key itself. You can test this by appending "kms:DescribeKey".
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:Decrypt",
      "kms:DescribeKey"
    ],
    "Resource": "arn:aws:kms:XXXX:XXXX:key/1234-567-...."
  }
}
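An added Python example (not code from the question or the answer) that wraps the Decrypt call and, when it fails, runs the DescribeKey probe the answer suggests, so "key not visible from this role/region" can be told apart from "key visible but kms:Decrypt or the EncryptionContext is wrong". FakeKms, SAMPLE_B64 and the {"app": "demo"} context are constructed stand-ins so the module runs offline; `context` corresponds to the data source's `context` map and is an assumption about how the key was used.

```python
"""Decrypt a KMS-encrypted Lambda env var and diagnose a failing Decrypt (added example)."""
import base64
try:
    import boto3                # present in the Lambda runtime
except ImportError:             # keeps the module importable offline
    boto3 = None
SAMPLE_B64 = base64.b64encode(b"ct").decode()   # constructed, not real KMS output

def _code(exc):
    # botocore's ClientError carries the AWS error code in exc.response
    return getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)

def decrypt_env_secret(ciphertext_b64, key_arn, context=None, client=None):
    """Plaintext for a base64 ciphertext_blob from data.aws_kms_ciphertext.
    `context` must equal the data source's `context` map or KMS refuses. On failure a
    DescribeKey probe (the check from the answer) separates 'key not visible from this
    role/region' from 'key visible, but kms:Decrypt or the EncryptionContext is wrong'."""
    client = client or boto3.client("kms")      # Lambda's region must be the key's region
    kwargs = {"CiphertextBlob": base64.b64decode(ciphertext_b64)}
    if context:
        kwargs["EncryptionContext"] = context
    try:
        return client.decrypt(**kwargs)["Plaintext"].decode("utf-8")
    except Exception as exc:
        try:
            client.describe_key(KeyId=key_arn)
            hint = "key is visible: check kms:Decrypt on the execution role and the EncryptionContext"
        except Exception as probe:
            hint = "DescribeKey failed (%s): wrong region, wrong key ARN, or key policy denies the role" % _code(probe)
        raise RuntimeError("Decrypt failed (%s); %s" % (_code(exc), hint)) from exc

class FakeKms:
    """Constructed stand-in for boto3's KMS client so the example runs offline."""
    class Err(Exception):
        def __init__(self, code):
            super().__init__(code)
            self.response = {"Error": {"Code": code}}

    def __init__(self, visible=True, decrypt_ok=True):
        self.visible, self.decrypt_ok = visible, decrypt_ok

    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        if self.visible and self.decrypt_ok and EncryptionContext == {"app": "demo"}:
            return {"Plaintext": b"token-for-" + CiphertextBlob}
        raise self.Err("AccessDeniedException")

    def describe_key(self, KeyId):
        if not self.visible:
            raise self.Err("NotFoundException")
        return {"KeyMetadata": {"Arn": KeyId}}
```

In a real function call decrypt_env_secret once at module load and keep the result, so the secret is decrypted per container rather than per invocation.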

How to use generateEmbedUrlForRegisteredUser

Good day.
I tried getDashboardEmbedUrl() and it works fine with the UserArn set to the ADMIN user in my Quicksight account. Now I am trying to use the generateEmbedUrlForRegisteredUser(). But it gives the following error:
Error executing "GenerateEmbedUrlForRegisteredUser" on "https://quicksight.eu-west-1.amazonaws.com/accounts/971170084134/embed-url/registered-user"; AWS HTTP error: Client error: `POST https://quicksight.eu-west-1.amazonaws.com/accounts/xxxxxxxxxxxx/embed-url/registered-user` resulted in a `404 Not Found` response:
{"Message":"User arn:aws:quicksight:eu-west-1:xxxxxxxxxxxx:user/default/jjordaan does not exist.","RequestId":"5c310250- (truncated...)
ResourceNotFoundException (client): User arn:aws:quicksight:eu-west-1:xxxxxxxxxxxx:user/default/jjordaan does not exist. - {"Message":"User arn:aws:quicksight:eu-west-1:xxxxxxxxxxxx:user/default/jjordaan does not exist.","RequestId":"5c310250-a1bb-413f-b2d7-f07fdb91e027","ResourceType":null}
GenerateEmbedUrlForRegisteredUser Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "quicksight:GenerateEmbedUrlForRegisteredUser",
        "quicksight:RegisterUser"
      ],
      "Resource": "*"
    }
  ]
}
EmbeddingQuicksightAssumeRole policy:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::971170084134:role/GenerateEmbedUrlForRegisteredUser"
  }
}
Also attempted to create a new Quicksight user, but no luck. The URL generation error is the same. What could I be doing wrong? Thanks.
Regards.
Jarrett
The error message says the user does not exist: User arn:aws:quicksight:eu-west-1:xxxxxxxxxxxx:user/default/jjordaan does not exist
You need to register the user with Quicksight before that user can do anything with Quicksight. Requesting a dashboard and registering users are separate methods with separate permissions.
For example:
client.register_user(
    AwsAccountId=AWS_ACCOUNT_ID,
    Namespace="default",
    IdentityType="IAM",
    IamArn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:role/{QUICKSIGHT_DASHBOARD_ROLE_NAME}",
    UserRole="READER",
    SessionName=user.email,
    Email=user.email
)
QUICKSIGHT_DASHBOARD_ROLE_NAME is a role that is allowed to embed a dashboard (such as GenerateEmbedUrlForRegisteredUser).
To get a dashboard URL:
1. assume the role and get credentials
2. use the credentials to get the dashboard embed URL
import boto3

client = boto3.client("sts")  # STS client for the AssumeRole call
response = client.assume_role(
    RoleArn=f"arn:aws:iam::{AWS_ACCOUNT_ID}:role/{QUICKSIGHT_DASHBOARD_ROLE_NAME}",
    RoleSessionName=user.email
)
creds = response["Credentials"]
# get the access key, the secret key, and the session token from the response
client = boto3.client(
    "quicksight",
    region_name=QUICKSIGHT_REGION,
    aws_access_key_id=creds["AccessKeyId"],
    aws_secret_access_key=creds["SecretAccessKey"],
    aws_session_token=creds["SessionToken"],
)
response = client.get_dashboard_embed_url(
    AwsAccountId=AWS_ACCOUNT_ID,
    DashboardId=dashboard_id,
    IdentityType="IAM",
    SessionLifetimeInMinutes=60,
)
url = response.get("EmbedUrl")

Error creating IAM Role: MalformedPolicyDocument: Has prohibited field Resource

I am trying to create a Lambda role and attach it a policy to Allow all ElasticSearch cluster operations.
Below is the code:
resource "aws_iam_role" "lambda_iam" {
  name               = "lambda_iam"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": [
      "es:*"
    ],
    "Effect": "Allow",
    "Resource": "*"
  }]
}
EOF
}
resource "aws_lambda_function" "developmentlambda" {
  filename         = "lambda_function.zip"
  function_name    = "name"
  role             = "${aws_iam_role.lambda_iam.arn}"
  handler          = "exports.handler"
  source_code_hash = "${filebase64sha256("lambda_function.zip")}"
  runtime          = "nodejs10.x"
}
I get the following error
Error creating IAM Role lambda_iam: MalformedPolicyDocument: Has prohibited field Resource
The Terraform document regarding Resource says you can specify a "*" for ALL users. The Principal field is not mandatory either, so that's not the problem.
I still changed it to be:
assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "es.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
But that gave:
Error creating Lambda function: InvalidParameterValueException: The role defined for the function cannot be assumed by Lambda.
My Lambda function definition is simple:
resource "aws_lambda_function" "development_lambda" {
  filename         = "dev_lambda_function.zip"
  function_name    = "dev_lambda_function_name"
  role             = "${aws_iam_role.lambda_iam.arn}"
  handler          = "exports.test"
  source_code_hash = "${filebase64sha256("dev_lambda_function.zip")}"
  runtime          = "nodejs10.x"
}
The Lambda file itself has nothing in it, but I do not know if that explains the error.
Is there something I am missing here?
The assume role policy is the role's trust policy (allowing the role to be assumed), not the role's permissions policy (what permissions the role grants to the assuming entity).
A Lambda execution role needs both types of policies.
The immediate error, that the "role defined for the function cannot be assumed by Lambda" is occurring because it needs "Principal": {"Service": "lambda.amazonaws.com"}, not es.amazonaws.com -- that goes in the permissions policy. I don't use terraform, but it looks like that might be resource "aws_iam_policy" based on https://www.terraform.io/docs/providers/aws/r/lambda_function.html, which I assume is the reference you are working from.
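An added Python example (not from the question or the answer) that lints a role's assume_role_policy for the two mistakes discussed here: a Resource field in a trust policy (which IAM rejects as MalformedPolicyDocument) and a Principal that is not lambda.amazonaws.com (which gives "cannot be assumed by Lambda"). The sample documents are constructed copies of the question's two attempts plus the trust policy the answer describes.

```python
"""Lint a Lambda role's trust policy (added example; sample documents mirror the question)."""
import json


def _as_list(value):
    # IAM accepts a single object or a list for Statement, Action and Principal.Service
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc, service="lambda.amazonaws.com"):
    """Return findings for an assume_role_policy; an empty list means `service` can assume the role."""
    policy = json.loads(doc) if isinstance(doc, str) else doc
    findings, trusted = [], False
    if policy.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        where = "Statement[%d]" % i
        if "Resource" in st:
            # IAM rejects this with MalformedPolicyDocument; permissions go in a separate policy
            findings.append(where + ": Resource is prohibited in a trust policy")
        principal = st.get("Principal")
        if principal is None:
            findings.append(where + ": missing Principal")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        assumes = st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", []))
        if assumes and service in services:
            trusted = True
        elif assumes:
            findings.append(where + ": trusts %s, not %s" % (", ".join(services) or "no service", service))
    if not trusted:
        findings.append("no Allow statement grants sts:AssumeRole to %s" % service)
    return findings


# Constructed copies of the question's two attempts, plus the trust policy the answer describes.
FIRST_ATTEMPT = {"Version": "2012-10-17",
                 "Statement": [{"Action": ["es:*"], "Effect": "Allow", "Resource": "*"}]}
SECOND_ATTEMPT = {"Version": "2012-10-17",
                  "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Sid": "",
                                 "Principal": {"Service": "es.amazonaws.com"}}]}
LAMBDA_TRUST = {"Version": "2012-10-17",
                "Statement": {"Action": "sts:AssumeRole", "Effect": "Allow",
                              "Principal": {"Service": "lambda.amazonaws.com"}}}
```

The permissions policy (es:* or whatever the function needs) is checked separately; this linter only covers the trust side.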

Assigned function policy to lambda which allows all CloudWatch Events rule to invoke lambda?

I used the above CLI command but got an error in the console, please find the attached screenshot of the error
Please find below the function policy of the Lambda:
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "events-access",
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:096280016729:function:leto_debug_log",
      "Condition": {
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:events:us-east-1:096280016729:rule/*"
        }
      }
    }
  ]
}
I followed the answer from the below link but still got an error:
Allow all cloudwatch event rules to have access to lambda function
Perhaps a clue to this is that a CloudWatch Event rule name of * does not appear to be valid. For example, if you try to delete this rule in the AWS Lambda console area, you will get an error like this on the trigger UI area:
It would be nice if this approach was formally supported in some way, but I don't think it is. idk

Using AWS lambda function to call lex chat bot

I am trying to use boto3 from within an AWS Lambda function in order to do post_text to a Lex chat bot.
Python code:
import boto3

client = boto3.client('lex-runtime')
data = "string input"
response = client.post_text(
    botName='xxx',
    botAlias='yyy',
    userId='id',
    inputText=data)
but I get:
An error occurred (AccessDeniedException) when calling the PostText operation: User: arn:aws:sts::111111111:assumed-role/functionName/functionName is not authorized to perform: lex:PostText on resource: arn:aws:lex:us-east-1:111111111:bot:xxx:yyyy"
So I set up an IAM role and policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lex:PostText"
      ],
      "Resource": [
        "arn:aws:lex:us-east-1:111111111:bot:xxx:yyyy"
      ]
    }
  ]
}
Trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
But it still doesn't work and I get the same error.
I experienced the same issue recently.
It is most certainly related to the permissions assigned to the IAM role that you're using when running the Lambda function.
The easiest way to resolve this is below:
1. Open the Lambda function on the AWS Console.
2. Scroll down to the "Execution role" section.
3. Click the link under the role to view the role in a new window. It should look something like this: "View the role".
4. In the new window under the permissions tab click on "Attach policies".
5. This takes you to a new screen. On this screen filter the listed policies by typing "lex" in the input field.
6. The filtered list will contain a policy called "AmazonLexRunBotsOnly". Attach this policy to your role.
7. Save the changes and make your way back to your Lambda function.
8. Save the Lambda function and retest.
This will resolve your issue.

Ansible EC2 Dynamic inventory minimum IAM policies

Has someone figured out the minimum IAM policies required to run the EC2 dynamic inventory script (ec2.py) on ansible via an IAM role?
So far, I haven't seen a concrete reference in this matter other than specifying credentials for boto library in the official documentation of ansible, however, on production environments, I rarely use key pairs for access to AWS services from EC2 instances, instead I have embraced the use of IAM roles for that case scenario.
I have tried policies allowing ec2:Describe* actions but it doesn't seem to be enough for the script as it always exits with Unauthorized operation.
Could you help me out?
The script also looks at RDS and elasticache. They can be disabled in ec2.ini, but if you don't, the following policy seems to be enough to run the dynamic inventory.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Demo201505282045",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets",
        "rds:Describe*",
        "elasticache:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
I just created a demo policy, created a new role and used that new policy, and then created a new instance that used that new role.
Demo Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Demo201505282045",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Resource": "*"
    }
  ]
}
I had to add route53 as I use the route53 option (route53 = true in the ec2.ini) but other than that it worked fine.
If you are still having problems, try running ec2.py from the commandline (./ec2.py) as that does usually give reasonable error messages when run directly.
The script checks also for Route53, RDS and ElastiCache configurations, so it will require access to ec2:Describe*, route53:ListHostedZones, route53:ListResourceRecordSets, rds:Describe* and elasticache:Describe*.
Still, if you don't use all these services you can selectively disable their check in the ec2.ini file by setting to False the values of the associated group_by_* variables: this will skip the fetching of those configurations, both allowing you to minimize the actions allowed for the role (eg: ec2:Describe* only) and reducing the overall query time of the script.
These are the permissions that I identified as required by ec2.py after checking CloudTrail:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "elasticache:DescribeReplicationGroups",
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "rds:DescribeDBInstances",
        "elasticache:DescribeCacheClusters"
      ],
      "Resource": "*"
    }
  ]
}