More rights required by -explorer-role #23

Closed
phahulin opened this issue May 31, 2018 · 1 comment
@phahulin

Getting the following errors in /var/log/amazon/ssm/error.log:

2018-05-31 17:57:41 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 1d0c1fbb-64fc-11e8-9d96-95f629114d32
2018-05-31 17:57:41 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [HealthCheck] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:UpdateInstanceInformation on resource: arn:aws:ec2:us-east-2:758011127832:instance/i-05939a0faa0bbb4d3
    status code: 400, request id: 6681f3a3-7c19-4982-9816-52498e9ddb32
2018-05-31 17:57:41 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [HealthCheck] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:UpdateInstanceInformation on resource: arn:aws:ec2:us-east-2:758011127832:instance/i-05939a0faa0bbb4d3
    status code: 400, request id: 6681f3a3-7c19-4982-9816-52498e9ddb32
2018-05-31 17:57:43 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 1e40ceee-64fc-11e8-9d96-95f629114d32
2018-05-31 17:57:45 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 1f61f67b-64fc-11e8-9d96-95f629114d32
2018-05-31 17:57:47 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 20b8d43d-64fc-11e8-9d96-95f629114d32
2018-05-31 17:57:50 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 2223ae5c-64fc-11e8-9d96-95f629114d32
2018-05-31 17:57:52 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 235e2a1d-64fc-11e8-9d96-95f629114d32
2018-05-31 17:57:54 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 24dc3ea2-64fc-11e8-9d96-95f629114d32
2018-05-31 17:57:57 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 264d5ad6-64fc-11e8-9d96-95f629114d32
2018-05-31 17:57:57 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] [Association] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:ListInstanceAssociations on resource: arn:aws:ec2:us-east-2:758011127832:instance/i-05939a0faa0bbb4d3
    status code: 400, request id: 59f7a442-a381-4007-beb6-12c6a431cee9
2018-05-31 17:57:57 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] [Association] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:ListAssociations on resource: arn:aws:ssm:us-east-2:758011127832:*
    status code: 400, request id: 507f7991-6804-479f-b274-140fe0c6db18
2018-05-31 17:57:57 ERROR [ProcessAssociation @ processor.go.157] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] [Association] Unable to load instance associations, unable to retrieve associations unable to retrieve associations AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:ListAssociations on resource: arn:aws:ssm:us-east-2:758011127832:*
    status code: 400, request id: 507f7991-6804-479f-b274-140fe0c6db18
2018-05-31 17:57:59 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 27af832a-64fc-11e8-9d96-95f629114d32
2018-05-31 17:58:01 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 2929a047-64fc-11e8-9d96-95f629114d32
2018-05-31 17:58:04 ERROR [loop @ scheduler.go.56] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] MessagingDeliveryService stopped temporarily due to internal failure. We will retry automatically after 15 minutes
2018-05-31 18:00:17 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [HealthCheck] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:UpdateInstanceInformation on resource: arn:aws:ec2:us-east-2:758011127832:instance/i-05939a0faa0bbb4d3
    status code: 400, request id: e70201bf-2b67-44f2-818a-4663ee5ff5c3
2018-05-31 18:00:17 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [HealthCheck] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:UpdateInstanceInformation on resource: arn:aws:ec2:us-east-2:758011127832:instance/i-05939a0faa0bbb4d3
    status code: 400, request id: e70201bf-2b67-44f2-818a-4663ee5ff5c3

This is the policy that worked for me eventually:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ssm:GetParametersByPath",
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:parameter/$PREFIX/*/*",
                "arn:aws:ssm:*:*:parameter/$PREFIX/*"
            ]
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ec2:DescribeTags",
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ec2messages:GetMessages",
            "Resource": "*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": [
                "ssm:UpdateInstanceInformation",
                "ssm:ListInstanceAssociations"
            ],
            "Resource": "arn:aws:ec2:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "ssm:ListAssociations",
            "Resource": "arn:aws:ssm:*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::aws-codedeploy-us-west-2/*",
                "arn:aws:s3:::aws-codedeploy-us-west-1/*",
                "arn:aws:s3:::aws-codedeploy-us-east-2/*",
                "arn:aws:s3:::aws-codedeploy-us-east-1/*",
                "arn:aws:s3:::aws-codedeploy-sa-east-1/*",
                "arn:aws:s3:::aws-codedeploy-eu-west-1/*",
                "arn:aws:s3:::aws-codedeploy-eu-central-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-southeast-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-southeast-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-south-1/*",
                "arn:aws:s3:::aws-codedeploy-ap-northeast-2/*",
                "arn:aws:s3:::aws-codedeploy-ap-northeast-1/*"
            ]
        }
    ]
}
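A triage script for this kind of agent log, added here as an example; it is not part of the issue or of the project's code. It pulls the denied (principal, action, resource) triples out of the `AccessDeniedException` lines, deduplicates them, checks them against a policy document with a deliberately simplified IAM matcher (Allow statements only, `*`/`?` globbing, case-insensitive actions, no Deny, Condition or NotAction handling), and emits the minimal Allow statements still missing. The `SAMPLE_LOG` lines are constructed from the ones quoted above (one duplicated on purpose), and `ISSUE_POLICY` is the SSM-related subset of the policy posted above; the `SsmAgentN` Sids are an assumed naming scheme.

```python
"""Triage AccessDeniedException lines from the SSM agent error log.

Added example for this issue thread, not code from the project. The IAM
evaluation is simplified on purpose: Allow statements only, '*' and '?'
wildcards, case-insensitive actions, no Deny/Condition/NotAction handling.
"""
import fnmatch
import json
import re

# Constructed sample: lines shortened from the log quoted in the issue, with the
# ssm:UpdateInstanceInformation line duplicated as it is in the real log.
SAMPLE_LOG = """\
2018-05-31 17:57:41 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ec2messages:GetMessages on resource: *
    status code: 400, request id: 1d0c1fbb-64fc-11e8-9d96-95f629114d32
2018-05-31 17:57:41 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [HealthCheck] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:UpdateInstanceInformation on resource: arn:aws:ec2:us-east-2:758011127832:instance/i-05939a0faa0bbb4d3
2018-05-31 17:57:41 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [HealthCheck] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:UpdateInstanceInformation on resource: arn:aws:ec2:us-east-2:758011127832:instance/i-05939a0faa0bbb4d3
2018-05-31 17:57:57 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] [Association] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:ListInstanceAssociations on resource: arn:aws:ec2:us-east-2:758011127832:instance/i-05939a0faa0bbb4d3
2018-05-31 17:57:57 ERROR [HandleAwsError @ awserr.go.48] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] [Association] error when calling AWS APIs. error details - AccessDeniedException: User: arn:aws:sts::758011127832:assumed-role/stag0-explorer-role/i-05939a0faa0bbb4d3 is not authorized to perform: ssm:ListAssociations on resource: arn:aws:ssm:us-east-2:758011127832:*
2018-05-31 17:58:04 ERROR [loop @ scheduler.go.56] [instanceID=i-05939a0faa0bbb4d3] [MessagingDeliveryService] MessagingDeliveryService stopped temporarily due to internal failure. We will retry automatically after 15 minutes
"""

# The SSM-agent statements from the policy posted in the issue (parameter and
# CodeDeploy S3 statements omitted because no log line complains about them).
ISSUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2messages:GetMessages", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ssm:UpdateInstanceInformation", "ssm:ListInstanceAssociations"],
         "Resource": "arn:aws:ec2:*"},
        {"Effect": "Allow", "Action": "ssm:ListAssociations", "Resource": "arn:aws:ssm:*"},
    ],
}

DENIED_RE = re.compile(
    r"AccessDeniedException: User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:\w+) on resource: (?P<resource>\S+)"
)


def parse_denials(log_text):
    """Return unique (principal, action, resource) triples in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            triple = m.group("principal", "action", "resource")
            if triple not in seen:
                seen.append(triple)
    return seen


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM check: some Allow statement whose Action and Resource globs match.

    fnmatch's '*' matches across ':' and '/', which is how IAM wildcards behave
    in ARNs, so 'arn:aws:ec2:*' covers 'arn:aws:ec2:us-east-2:123:instance/i-x'.
    """
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "Action" not in st or "Resource" not in st:
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(st["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r)
                          for r in _as_list(st["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def missing_statements(policy, denials):
    """Group the denials the policy does not cover into one Allow statement per resource."""
    by_resource = {}
    for _principal, action, resource in denials:
        if not is_allowed(policy, action, resource):
            by_resource.setdefault(resource, set()).add(action)
    # Sid prefix 'SsmAgent' is an assumed naming scheme, not anything AWS requires.
    return [
        {"Sid": f"SsmAgent{i}", "Effect": "Allow",
         "Action": sorted(actions), "Resource": resource}
        for i, (resource, actions) in enumerate(sorted(by_resource.items()))
    ]


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    empty = {"Version": "2012-10-17", "Statement": []}
    print("denied:", [(a, r) for _, a, r in denials])
    print("missing from an empty policy:")
    print(json.dumps(missing_statements(empty, denials), indent=2))
    print("missing from the issue's policy:", missing_statements(ISSUE_POLICY, denials))
```

Run it against a real `/var/log/amazon/ssm/error.log` by replacing `SAMPLE_LOG` with the file contents. The generated statements scope the instance-level actions to the exact instance ARN seen in the log; for a role shared by an autoscaling group you would widen that to `arn:aws:ec2:<region>:<account>:instance/*`, which is still tighter than the `arn:aws:ec2:*` used in the posted policy. Remember that the agent only logs the first denial it hits on each code path, so after adding a statement and restarting the agent, re-run the script: a new set of denials may appear.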
@bitwalker
Fixed in master
