I would like to set up a Location profile for Kasten to perform backup on a S3 bucket on AWS. The documentation recommends giving minimal permissions to the user/role designated to perform the backup, but I keep getting an error when trying to add the profile only with those permissions in my IAM policy.
https://docs.kasten.io/latest/usage/configuration.html#profile-creation
When I give full S3 access to the user, the profile is added correctly, but I don't want to do that.
The correct minimal permissions are a combination of the permissions specified on these 2 pages in the documentation:
https://docs.kasten.io/latest/usage/configuration.html#profile-creation
https://docs.kasten.io/latest/install/aws/using_aws_iam_roles.html#using-aws-iam-roles
Here is how your minimal permissions policy should look like (just replace your bucket name at the end):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetBucketObjectLockConfiguration",
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectRetention",
"s3:PutObjectRetention",
"s3:PutBucketPolicy",
"s3:ListBucket",
"s3:DeleteObject",
"s3:DeleteBucketPolicy",
"s3:GetBucketLocation",
"s3:GetBucketPolicy"
],
"Resource": [
"arn:aws:s3:::{BUCKET_NAME}",
"arn:aws:s3:::{BUCKET_NAME}/*"
]
}
]
}
Related
I am able to create a policy this way with the AWS CLI:
aws iam create-policy --policy-name "alpha-policy" --policy-document file:///tmp/policy.json
The content of the policy.json is following:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement",
"Effect": "Allow",
"Action": [ "s3:ListBucket"],
"Resource": "*"
}
]
}
I convert it into the following CloudFormation file:
Resources:
SimplePolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: OfficialSimplePolicy
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Resource: "*"
Action:
- cloudformation:Describe*
And the command to create the policy with CloudFormation is:
aws cloudformation create-stack --stack-name bucket-policy --template-body file://BucketPolicy.yaml --capabilities CAPABILITY_IAM
When I run this command, I only get a stack ID back. However, no policy is created. What am I missing?
I would have expected the policy to be available in the aws console or via following command:
aws iam list-policies
It's nowhere to be found.
I checked the event list with:
aws cloudformation describe-stack-events --stack-name bucket-policy
What this reveals is that: "At least one of [Groups,Roles,Users] must be non-empty."
And so my question is why can I create a policy without user, group or role when using the cli directly and I am not able to do the same when using cloudformation.
Following article explains my problem: https://cloudkatha.com/iam-policy-at-least-one-of-groupsrolesusers-must-be-non-empty/
Basically for standalone policies I should use ManagedPolicy. Also PolicyName is not a support field. These two changes solved my problem.
I have a repository in AWS codeartifact, i'm able to publish jars there successfully. Now, i want to retrieve that jar in my sbt project. Trying this in local gives me not found.
In order for my local project to be able to retrieve from codeArtifact i have added credentials( codeArtifact authToken ) and resolvers( codeArtifact repository location and repository name ) in build.sbt .
the error i am getting is : -
[error] coursier.ResolutionException: Encountered 1 error(s) in dependency resolution:
[error] com.tusfi.tusplatform.commons:tg-commons_2.11:1.0.0-snapshot:
[error] not found:
[error]https://repo1.maven.org/maven2/com/tusfi/tusplatform/commons/tg-commons_2.11/1.0.0-snapshot/tg-commons_2.11-1.0.0-snapshot.pom
It looks to me that my build is trying to retrieve the jar from maven central repository instead of looking in the custom resolver that i provided. I am able to perform list-repository command successfully from CLI so i am assuming that i have permission to this repo.
Can you tell me if there is any permission issue? If not, then what seems to be the issue here?
Also if it helps, codeArtifact policy :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "codeartifact:ReadFromRepository",
"Resource": "*"
}
]
}
I have been trying out the Freestyle SAP Fiori Project and Deployed it to my Sub Account Space. It is Deployed Successfully and it is in a running state. However, when I try to access it, it says "403 Forbidden".
Screenshot 1: Error Message while Accessing the App
Screenshot 2: App Status
#Update 1: Roles, Scope, Role Templates are Empty
I went inside the deployed Application to see its Roles, Scopes & Role Templates. But all of them are empty. Can this be the reason? If yes, how do we assign them?
#Update 2: Roles, Scope, Role Templates are Empty
I have verified the MTAR Archive to see whether xs-security.json file is getting included and I can confirm it is getting included. For example, below is the content of that file.
xs-security.json
{
"xsappname": "demofiori",
"tenant-mode": "dedicated",
"description": "Security profile of called application",
"scopes": [
{
"name": "uaa.user",
"description": "UAA"
}
],
"role-templates": [
{
"name": "Token_Exchange",
"description": "UAA",
"scope-references": [
"uaa.user"
]
}
]
}
I am getting resource not found in resource group error while deploying arm template.Could someone help
please .Below is the sample template used:
{
"name": "[variables('AppName')]",
"type": "Microsoft.Web/sites",
"apiVersion": "2016-08-01",
"kind": "app",
"location": "xx",
"identity": {
"type": "SystemAssigned"
},
"properties": {
"httpsOnly": true,
"clientAffinityEnabled": false,
"serverFarmId": "xx"
},
"resources": [
{
"name": "appsettings",
"type": "config",
"apiVersion": "2016-08-01",
"properties": {
xx:xx
},
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('AppName'))]",
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'),'xx')]",
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'),'xx')]",
"[resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'),'xx')]"
]
}
]
},
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2016-08-01",
"name": "[concat(variables('AppName'), '/web')]",
"location": "xx",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('AppName'))]"
],
}
Let me know is this the right way to do
its hard to tell without having the exact template and all the variables\parameters, but generally it means one of the following:
wrong name used for the resources that depend on the webapp somewhere
wrong location used for the resources that depend on the webapp somewhere
dependsOn isn't setup properly and it doesnt wait for the webapp and attempts to create a resource in parallel with the web app
Have you ever use the same ARM template to deploy succeed?
Also kindly check if you could directly use script to deploy locally successful without using Azure DevOps. This will help to narrow down the issue.
##[error]ResourceNotFound: The Resource 'Microsoft.Web/sites/xx' under resource group 'yy' was not found in deploying ARM template
This error indicate Resource Manager needs to retrieve the properties for a resource, but can't find the resource in your subscriptions.
You could give a try with below solution:
Solution 1 - check resource properties
Solution 2 - set dependencies
Solution 3 - get external resource
Solution 4 - get managed identity from resource
Solution 5 - check functions
More details please take a look at our official doc here-- Resolve resource not found errors
When trying to use
chrome.fileSystem.chooseEntry({
type: 'openFile'
},chooseEntryCallback)`
on Canary 28.0.1483.0 , I get the following error in the console:
chrome.fileSystem is not available: You do not have permission to access this API. Ensure that the required permission or manifest property is included in your manifest.json.
I only require read access, and this is how my permissions option in the manifest file looks like:
"permissions": [
{
"fileSystem": []
},
"contextMenus",
"clipboardWrite",
"storage"
],
This works fine with Stable 26.0.1410.64 so the question is whether there are some manifest permission changes which will need to be updated.
Note: Chrome running on Windows 8, and when opening the file via drag 'n drop it is opened without errors. So i'm guessing its some problem with chooseEntry ?
Based on #sowbug's comment I fixed this issue by changing the fileSystem permission to a list item:
"permissions": [
"fileSystem"
],
Edit:
To include the extended write permission:
"permissions": [
"fileSystem",
"fileSystem.write"
],