Unable to update Service Role in CodeBuild with error "The policy was not attached to role" - aws-codebuild

When I create a brand new CodeBuild project, it allows me to select an IAM Service Role, and when I check the box "Allow AWS CodeBuild to modify this service role so it can be used with this build project", AWS modifies that Service Role with a custom policy that's specific to this role.
But if after creating that CodeBuild project I want to attach a different service role to it, I keep getting the below message saying "The policy was not attached to role [x]".
I'm pretty sure I'm missing a permission somewhere, but I'm not sure where.
Edit with more troubleshooting data:
If I uncheck the box "Allow aws [...]", it allows me to update the CodeBuild project configuration, but all subsequent builds fail at startup. This is expected.
If I try to re-add the original service role I added to this project when I created it, it lets me add it without any problems.

I had a similar issue when I tried creating a more generic role that can be used by all of my CodeBuild projects. The way I got around it is I unchecked the "Allow AWS CodeBuild to modify this service role so it can be used with this build project" checkbox.
I had to ensure that the role I'm attaching had all the necessary IAM permissions for my subsequent builds to keep running.

I had the same issue and noticed that the previous role that was assigned to the CodeBuild project also had a Managed policy attached that had been added when the project was originally created. This role was named similar to this:
CodeBuildBasePolicy-project-name-us-west-2
I attached this policy to the new Role and detached it from the old role.
After this I was able to select "Update environment" and did not receive the error message.

After a long time spent on this issue, I discovered the problem!
I modified my CodeBuildServiceRole-projectName base policy instead of creating a new policy and attaching it to the CodeBuildServiceRole-projectName role. You should never edit the inline policy that was created by CodePipeline! Only create and add new policies to a role.
As AWS obscurely states in their documentation:
Modifying a policy statement or attaching another policy to the role can prevent your pipelines from functioning. Be sure that you understand the implications before you modify the service role for CodePipeline in any way. Make sure you test your pipelines after you make any change to the service role.

If you delete a CodeBuild project, the policies that CodeBuild created remain attached to the existing role. When you create a new project with the same name as the deleted one - this error will occur.
My solution was to delete all of the roles and policies that were referenced in the pipeline and rebuild those roles and policies. Then rebuild the pipeline.

Related

Unable to Modify Azure DevOps Project "Process". I just provisioned a free cloud server instance. I am an admin

I just created a new Azure DevOps cloud/instance. I am the project admin, but I am unable to update the Organization Settings -> "Process". When I try to add a custom field into a work item or try to change the "States", It seems I don't have the permission to do so.
Please help.
I figured it out. I created a Process that inherited the default Process. Then I changed the Process for the Project. Poof, now I can make changes to my Project's Process, e.g. add new work item types.

SSAS deployment error : user does not have permission to create a new object

Recently, when I wanted to deploy my SSAS project to the server, I faced this error:
Either the domain\user user does not have permission to create a new object in database, or the object does not exist.
I searched the internet and tried some solutions, but none worked. I did these steps and they solved the issue.
1) Log in to the SSAS instance on the server.
2) In the Role node you should see (at least) one role:
3) In SSDT, in the Role node in Solution Explorer, define a new role with exactly the same role name as in the SSAS server instance and check all check boxes:
4) In the Membership tab, add the Active Directory users:
Now you can deploy your project without above error!

kubernetes on gcp: removed role, account gone how to restore permissions?

Whilst 'hardening' the accounts - namely removing or toning down accounts with editor permissions on the projects - I removed editor from what appears to be the Kubernetes account that Container Engine uses on the back end of gcloud commands.
Once you remove the last role from an account it vanishes - hard lesson to learn!
Removed editor
serviceAccount:386242358897@cloudservices.gserviceaccount.com
It meant I initially couldn't deploy because it couldn't access container registry.
So I deleted the cluster and recreated expecting the account to get recreated. That failed due to insufficient permissions.
So I manually removed the compute instances (it wouldn't have permissions to recreate them), then templates and then the cluster.
As the UI now thinks you have no clusters it looks like you are back to the beginning. So I ran my scripts and they failed.
ERROR: (gcloud.container.clusters.create) Opetion [https://container.googleapis.com/v1/projects/xxxx/zones/europe-west2-b/operations/operation-xxxx'
startTime: u'2017-10-17T17:59:41.515667863Z'
status: StatusValueValuesEnum(DONE, 3)
statusMessage: u'Deploy error: "Not all instances running in IGM. Expect 1. Current actions &{Abandoning:0 Creating:0 CreatingWithoutRetries:0 Deleting:0 None:0 Recreating:1 Refreshing:0 Restarting:0 Verifying:0 ForceSendFields:[] NullFields:[]}. Errors [https://www.googleapis.com/compute/beta/projects/xxxx/zones/europe-west2-b/instances/gke-xxxx-default-pool-xxxx:PERMISSIONS_ERROR]".'
targetLink: u'https://container.googleapis.com/v1/projects/xxxx/zones/europe-west2-b/clusters/xxxx'
zone: u'europe-west2-b'>] finished with error: Deploy error: "Not all instances running in IGM. Expect 1. Current actions &{Abandoning:0 Creating:0 CreatingWithoutRetries:0 Deleting:0 None:0 Recreating:1 Refreshing:0 Restarting:0 Verifying:0 ForceSendFields:[] NullFields:[]}. Errors [https://www.googleapis.com/compute/beta/projects/xxxx/zones/europe-west2-b/instances/xxxx:PERMISSIONS_ERROR]".
Updated property [container/cluster].
When I try to create through the UI I get this:
Permission denied (HTTP 403): Google Compute Engine: Required 'compute.zones.get' permission for 'projects/xxxx/zones/us-central1-a'
Have done a number on it!
My problem is that I don't see a way of giving permissions back to whatever account it is trying to use (as I cannot see that account if it exists) nor can I see how to attach a new service account with permissions that are needed to whatever is doing the work under the hood.
UPDATE:
So ...
I recreated the account at the organisation level. Gave it service account role there because you cannot modify the domain of the accounts at project level.
I have then modified that at the project level to have editor permissions.
This means I can deploy a cluster but ... still cannot create a load balancer - insufficient permissions
Error creating load balancer (will retry): Error getting LB for service default/bot: googleapi: Error 403: Required
'compute.forwardingRules.get' permission for 'projects/xxxx/regions/europe-west2/forwardingRules/xxxx', forbidden
The user having the problem this time is:
service-xxx@container-engine-robot.iam.gserviceaccount.com
So ...
I played with recreating accounts etc. Eventually got Kubernetes working again.
A week later tried to use datastore and discovered that AppEngine was dead beyond dead.
The only recourse was to start a new project from scratch.
The answer to this question is (some may laugh at its self evidence, but we are all in a rush at some point).
DO NOT CREATE USER ACCOUNTS OR GIVE THEM PERMISSIONS BEYOND WHAT THEY NEED BECAUSE DELETING THEM LATER IS REALLY NOT WORTH THE RISK.
Thank you for listening :D
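A pre-change check for the hardening step described in this thread, as an added example that is not part of the original post: it reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy --format=json` and reports which planned role removals would leave a member with no role at all, flagging the Google-managed service accounts whose domains appear in the post. The sample policy, the project number and the helper names (`review_removals`, `blocked`) are constructed for illustration.

```python
import copy

# Domains of the Google-managed service accounts named in the post (not exhaustive).
GOOGLE_MANAGED_SUFFIXES = (
    "@cloudservices.gserviceaccount.com",
    "@container-engine-robot.iam.gserviceaccount.com",
)

def roles_by_member(policy):
    """Invert the bindings list: member -> set of roles it holds."""
    held = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            held.setdefault(member, set()).add(binding["role"])
    return held

def review_removals(policy, removals):
    """Report the effect of planned (role, member) removals without changing anything."""
    held = roles_by_member(policy)
    remaining = copy.deepcopy(held)
    for role, member in removals:
        remaining.get(member, set()).discard(role)
    findings = []
    for role, member in removals:
        if role not in held.get(member, set()):
            continue  # binding not present, so removing it changes nothing
        findings.append({
            "member": member,
            "role": role,
            "loses_last_role": not remaining[member],
            "google_managed": member.endswith(GOOGLE_MANAGED_SUFFIXES),
        })
    return findings

def blocked(findings):
    """Removals to hold back: a Google-managed account would lose its last role."""
    return [f for f in findings if f["google_managed"] and f["loses_last_role"]]

# Constructed policy and change plan (hypothetical project number and user).
AGENT = "serviceAccount:000000000000@cloudservices.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor", "members": [AGENT, "user:dev@example.com"]},
    {"role": "roles/viewer", "members": ["user:dev@example.com"]},
]}
PLANNED = [("roles/editor", AGENT), ("roles/editor", "user:dev@example.com")]

if __name__ == "__main__":
    for finding in blocked(review_removals(SAMPLE_POLICY, PLANNED)):
        print("hold back:", finding["role"], "from", finding["member"])
```
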

informatica repository service unable to enable

I am having issues enabling the repository service on the Informatica Admin console. Steps I took so far:
Create a new repository service with the option to create contents; it keeps spinning and after a while it times out. I log back in and I see the repository service created in the Admin console with the option to disable, but unavailable. I am also not able to see the repository tables created in the metadata schema, and not able to connect using the PowerCenter Repository Manager either.
Create a new repository service without create contents. A disabled repository service is created. To add/restore contents I try to enable the service, then it keeps spinning and nothing happens. After a while it times out, and when I log back in I see the option to disable but the service is unavailable. Therefore I am unable to add contents.
I am looking for some helpful insight to resolve this crisis.
Thanks!
While creating the repository, did you provide the database user name and password? And does that user have the necessary privileges to be a user of the Informatica repository?
The user of that database must have the necessary privileges. Even if you have an error in the credentials provided during creation, the repository will be created, as it can be created at any time in Informatica. Kindly delete the repository and create a new one by providing accurate credentials.
Execute these queries to improve the visibility of the user to informatica,
increase the cursor size,
ALTER SYSTEM SET OPEN_CURSORS = 1000 SCOPE = BOTH;
GRANT CONNECT, RESOURCE, CREATE VIEW, SELECT ANY DICTIONARY TO USER_NAME;
Make sure you are executing these queries as the sys user.
In case you need to clear the issue without deleting the created repository, go to,
Actions -> Repository contents -> Create

Openshift Origin Latest Project creation issue

I am unable to create a project in OpenShift. I created a project previously and deleted it. It looks like a project exists, but I am unable to access or delete it. Seems like I am stuck. Also, logging into the console https://console.preview.openshift.com/console/ doesn't show any existing projects.
I ran the following oc commands from the terminal.
Any suggestions on how to resolve this issue?
Thanks
XX:~ XX$ oc new-project test
Error from server: projectrequests "test" is forbidden: user XX cannot create more than 1 project(s).
XX:~ XX$ oc delete project test
Error from server: User "XX" cannot delete projects in project "test"
XX:~ XX$ oc status
Error from server: User "XX" cannot get projects in project "default"
XX:~ XX$ oc get projects
You need to give privileges/policies to your user which will allow the actions you want to perform.
If you are just in a proof-of-concept environment I would recommend that you make your user cluster-admin in the whole cluster. This will give all the possible privileges to your user. Of course this isn't recommended for every user in a 'real' environment.
First you need to authenticate with the 'default admin' which is created after the installation. This default admin-user isn't working with the normal user/password authentication. It's using a client certificate.
oc login -u system:admin --config=/etc/origin/master/admin.kubeconfig
Now you will see a list of the available projects (default, openshift management, etc). Now you're able to give cluster-roles to other users.
Make your user cluster-admin over the whole cluster
oadm policy add-cluster-role-to-user cluster-admin (youruser)
Now you have the cluster-admin privileges inside the whole cluster. You are also able to give privileges to some user in a specific project and not in the whole cluster. Then you have to use:
oadm policy add-role-to-user <role> <username> (in the current project)
This will give the role to a user, but only inside the project from where you've performed this command.
For more information about the available cluster roles and policies I will point to the official documentation.
I raised a defect with the OpenShift team as pointed out in the support link.
https://docs.openshift.com/online/getting_started/devpreview_faq.html#devpreview-faq-support
Here is the response I received from the support team.
It seems that you have issued a bug and followed up for this already:
https://bugzilla.redhat.com/show_bug.cgi?id=1368862
After the cause is investigated, our operations team will sure clean up the project manually for you to allow you continue working with the developer preview
Latest update:
The project has now been cleaned up and you should be able to create a new project.
I am able to create Project in Openshift now.