IAM Errors despite having full access


Andres Silva

Jan 29, 2013, 5:03:30 PM
to edda-...@googlegroups.com
I'm setting up Edda with 2 AWS accounts. For my proof of concept I've created one IAM role on each account with full read-only access to everything. My account line in edda.properties looks like this:

edda.accounts=nonprod.us-east-1,prod.us-east-1

Then I set up my keys like this:


edda.prod.us-east-1.aws.accessKey=<key>
edda.prod.us-east-1.aws.secretKey=<secret key>

edda.nonprod.us-east-1.aws.accessKey=<key>
edda.nonprod.us-east-1.aws.secretKey=<secret key>

But I see these errors in the log:

2013-01-29 16:43:42.899 - ERROR - [StateMachine.scala:166] failed to handle event Crawl([Crawler nonprod.aws.autoScalingGroups])
Status Code: 403, AWS Service: AmazonAutoScaling, AWS Request ID: f2b4d9ac-6a5c-11e2-b131-f3cdbc858904, AWS Error Code: AccessDenied, AWS Error Message: User: arn:aws:sts::282233904647:federated-user/i-9ca95aec is not authorized to perform: autoscaling:DescribeAutoScalingGroups


2013-01-29 16:45:41.880 - ERROR - [StateMachine.scala:166] failed to handle event Crawl([Crawler nonprod.view.simpleQueues])
Status Code: 403, AWS Service: AmazonSQS, AWS Request ID: 728a1d52-ff08-5827-9910-54d0ba4d7e48, AWS Error Code: AccessDenied, AWS Error Message: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.

I do get some data for instances and other things. But AMIs, ASGs and Snapshots, among other things, are failing. Any ideas?


Sean Laurent

Jan 30, 2013, 6:45:09 PM
to edda-...@googlegroups.com
Could you share what your IAM policy looks like for these accounts?

-Sean

Andres Silva

Jan 31, 2013, 10:24:56 AM
to edda-...@googlegroups.com
Sure thing. Below is the policy I'm using in both accounts. It is just the Read-Only template that AWS provides. Thanks in advance for your help.

{
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResources",
        "cloudformation:GetTemplate",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "directconnect:Describe*",
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem",
        "dynamodb:Query",
        "dynamodb:Scan",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "elasticache:Describe*",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticloadbalancing:Describe*",
        "iam:List*",
        "iam:Get*",
        "route53:Get*",
        "route53:List*",
        "rds:Describe*",
        "s3:Get*",
        "s3:List*",
        "sdb:GetAttributes",
        "sdb:List*",
        "sdb:Select*",
        "ses:Get*",
        "ses:List*",
        "sns:Get*",
        "sns:List*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues",
        "sqs:ReceiveMessage",
        "storagegateway:List*",
        "storagegateway:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

Sean Laurent

Jan 31, 2013, 11:32:15 AM
to edda-...@googlegroups.com
Hrmm. That looks right. I'm sure there's something simple we're both missing, but I can't quite see it.

If it helps, here's what we're using:

{
  "Statement": [
    {
      "Sid": "Stmt1354237334303",
      "Action": [
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeBundleTasks",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeExportTasks",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeLicenses",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeRegions",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeReservedInstancesOfferings",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshotAttribute",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSpotDatafeedSubscription",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeSpotPriceHistory",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeVpnGateways"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1354237378678",
      "Action": [
        "autoscaling:DescribeAdjustmentTypes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeAutoScalingNotificationTypes",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeMetricCollectionTypes",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeScalingProcessTypes",
        "autoscaling:DescribeScheduledActions",
        "autoscaling:DescribeTags",
        "autoscaling:DescribeTriggers"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1354237434829",
      "Action": [
        "s3:GetBucketAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketVersioning",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "Stmt1354237461128",
      "Action": [
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancers"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Stmt1354237839132",
      "Action": [
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:ListQueues"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:sqs:us-east-1:ACCOUNT_ID_HERE:*"
      ]
    }
  ]
}

-Sean

Cory Bennett

Jan 31, 2013, 5:30:33 PM
to Sean Laurent, edda-...@googlegroups.com
I don't see anything missing either. For the record, I created a wiki
page with all the IAM permissions needed:

https://github.com/Netflix/edda/wiki/AWS-Permissions

I am not sure why you would still be getting an error with the
permissions you listed.

-Cory


Andres Silva

Feb 1, 2013, 3:31:54 PM
to edda-...@googlegroups.com
I ended up rebuilding the instance and reinstalling everything. I noticed that for some reason I had missed the step of adjusting the default PermGen size:

export JAVA_OPTS="-XX:MaxPermSize=256M -Xmx1g"
Not sure if my problems were being caused by that. But the new install is working well. Thanks everyone.


Cory Bennett

Feb 1, 2013, 3:39:14 PM
to Andres Silva, edda-...@googlegroups.com
A missing MaxPermSize will likely just cause an OOM error when running
gradle; it should not affect the AWS unauthorized error. Perhaps changing
IAM profiles takes a bit to take effect and now it is using the profile
with the correct IAM permissions.

-Cory


Daniel Butler

Jul 23, 2013, 2:22:14 PM
to edda-...@googlegroups.com, Sean Laurent
I had exactly the same issue - I think it might be an issue with the AWS API interpreting the wildcard. I changed the permissions to be explicit for elasticloadbalancing, e.g. changed from:

    "elasticloadbalancing:Describe*",

to:

    "elasticloadbalancing:DescribeInstanceHealth",
    "elasticloadbalancing:DescribeLoadBalancers",

It must have been an AWS API issue, because I got the same error using the AWS CLI tool when I had the wildcard in place:

aws elb describe-instance-health --load-balancer <load-balancer-name>

when the following was working fine:

aws elb describe-load-balancers

Weirdly, it took a while to resolve and a reboot of the instance.

Dan.
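An added example (Python, not Edda's code and not posted by anyone in this thread) that ties the 403 lines from the first post to the policies posted later: it parses Edda's AccessDenied log lines, applies IAM's documented Action matching (`*` and `?` wildcards, case-insensitive, explicit Deny wins) to a policy document, and sorts each denial into "covered by the policy" (so the credentials or profile actually in use are the next suspect, as Cory notes), "not covered", or "message names no action" (the SQS case). The log lines and the policy are constructed samples; Resource and Condition elements are deliberately ignored.

```python
import re

# Constructed sample in the format of Edda's StateMachine 403 errors (not the thread's own lines).
SAMPLE_LOG = """\
Status Code: 403, AWS Service: AmazonAutoScaling, AWS Request ID: 00000000-0000-0000-0000-000000000001, AWS Error Code: AccessDenied, AWS Error Message: User: arn:aws:sts::123456789012:federated-user/i-00000000 is not authorized to perform: autoscaling:DescribeAutoScalingGroups
Status Code: 403, AWS Service: AmazonEC2, AWS Request ID: 00000000-0000-0000-0000-000000000002, AWS Error Code: AccessDenied, AWS Error Message: User: arn:aws:sts::123456789012:federated-user/i-00000000 is not authorized to perform: ec2:DescribeImages
Status Code: 403, AWS Service: AmazonSQS, AWS Request ID: 00000000-0000-0000-0000-000000000003, AWS Error Code: AccessDenied, AWS Error Message: Access to the resource https://sqs.us-east-1.amazonaws.com/ is denied.
"""

# Constructed policy: wildcard grants like the Read-Only template, an explicit Deny, and no SQS grant.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["autoscaling:Describe*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:DescribeImages", "Resource": "*"}]}

def denied_calls(log_text):
    """(service, action or None) per AccessDenied line; the SQS message names no action."""
    calls = []
    for line in (l for l in log_text.splitlines() if "AWS Error Code: AccessDenied" in l):
        action = re.search(r"not authorized to perform: (\S+)", line)
        calls.append((re.search(r"AWS Service: (\w+)", line).group(1),
                      action.group(1) if action else None))
    return calls

def matches(pattern, action):
    """IAM Action matching: '*' is any run of characters, '?' one character, case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def action_allowed(policy, action):
    """Evaluate the Action element only (Resource/Condition ignored); an explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(matches(p, action) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def triage(policy, log_text):
    """Sort denials: covered by the policy (suspect the credentials in use), not covered, or unknown."""
    report = {"covered": set(), "not_covered": set(), "no_action_in_message": set()}
    for service, action in denied_calls(log_text):
        if action is None:
            report["no_action_in_message"].add(service)
        elif action_allowed(policy, action):
            report["covered"].add(action)
        else:
            report["not_covered"].add(action)
    return {k: sorted(v) for k, v in report.items()}
```

Run `triage(policy, open("edda.log").read())` against the real policy JSON and log; anything under "covered" was denied although the policy grants it, which points at the keys or instance profile Edda is actually using rather than at the policy text.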