3
votes

I have been assigned an IAM role in AWS by my manager and I am trying to set up an Amazon Data Pipeline. I am repeatedly facing permission issues and authorization issues like the following when trying to activate the pipeline.

WARNING: Error occured while validating role 'DataPipelineDefaultRole'. Error: Status Code: 403, AWS Service: AmazonIdentityManagement, AWS Request ID: fbf1935a-bcf1-11e3-82d4-cd47aac2f228, AWS Error Code: AccessDenied, AWS Error Message: User: arn:aws:sts::723751385540:assumed-role/DataPipelineDefaultRole/EDPSession is not authorized to perform: iam:ListRolePolicies on resource: role DataPipelineDefaultRole

There are no errors... only warnings like the one above.

My CTO has assigned me the Super Administrator role in the AWS access manager, yet I am not able to do it. It has been at least 2 weeks that we have been going around this thing. He has granted all super admin permissions and privileges to my IAM.

P.S. I followed the "Export RDS data to S3 via CopyActivity using the AWS Data Pipeline console" tutorial from http://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-copydata-mysql-console.html


2 Answers

3
votes

I had the same error and could find a solution in the following AWS documentation link: http://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html

I quote the text that solved the issue:

Update Existing IAM Roles for AWS Data Pipeline

Use the following procedure to update the DataPipelineDefaultRole and DataPipelineDefaultResourceRole roles.

To update your existing IAM roles using managed policies

Open the Identity and Access Management console at https://console.aws.amazon.com/iam/

Update the DataPipelineDefaultRole role as follows:

  1. In the navigation pane, click Roles, and then click the row for the DataPipelineDefaultRole role.
  2. Under Permissions, click Attach Policy.
  3. On the Attach Policy page, click the box next to the AWSDataPipelineRole policy, and then click Attach Policy.

Update the DataPipelineDefaultResourceRole role as follows:

  1. In the navigation pane, click Roles, and then click the row for the DataPipelineDefaultResourceRole role.
  2. Under Permissions, click Attach Policy.
  3. On the Attach Policy page, click the box next to the AmazonEC2RoleForDataPipelineRole policy, and then click Attach Policy.

I hope this helps!

0
votes

You are using DataPipelineDefaultRole as the Data Pipeline role. Make sure it has permissions to listPolicies: go to the AWS console, check out the policy for the role, and make sure it has the required permissions.

Also, if it is just warnings, they should not be a blocker. I would suggest that you continue activating your pipeline. Once the pipeline is activated, refer to the Data Pipeline troubleshooting docs - http://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-troubleshooting.html in case of any issues. My personal tip would be to enable logUri - http://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-error-logs.html since it makes debugging the failed activity easier.
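
The check both answers point to, as an added example that is not part of the original posts: the `User:` in the warning is an assumed-role session ARN, so the caller being denied is the DataPipelineDefaultRole role itself, and it is that role's policies that must allow `iam:ListRolePolicies`. The two policy documents below are constructed for the demo and are not the contents of any AWS managed policy; `parse_denied` and `policy_allows` are hypothetical helper names, and the evaluation is deliberately simplified.

```python
import fnmatch
import re

# Warning text copied from the question (log prefix and request ID omitted).
WARNING = ("User: arn:aws:sts::723751385540:assumed-role/DataPipelineDefaultRole/EDPSession "
           "is not authorized to perform: iam:ListRolePolicies "
           "on resource: role DataPipelineDefaultRole")

DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:sts|iam)::\d{12}:\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+)(?: on resource: (?P<resource>.+))?")

# Constructed role policies for the demo, NOT the contents of any AWS managed policy.
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "rds:Describe*"], "Resource": "*"}]}
POLICY_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "rds:Describe*", "iam:List*"], "Resource": "*"}]}

def parse_denied(message):
    """Extract principal, action and resource; name the role if the caller is a role session."""
    m = DENIED_RE.search(message)
    if m is None:
        return None
    info = m.groupdict()
    role = re.match(r"arn:aws:sts::\d{12}:assumed-role/([^/]+)/", info["principal"])
    info["assumed_role"] = role.group(1) if role else None
    return info

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action):
    """Simplified check: an Allow statement matches the action and no Deny does.
    Ignores Resource, Condition, NotAction, permission boundaries and SCPs."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
        if hit and stmt["Effect"] == "Deny":
            return False  # explicit Deny always wins
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

if __name__ == "__main__":
    denied = parse_denied(WARNING)
    print("caller is role session of:", denied["assumed_role"])
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(name, "allows", denied["action"], "->", policy_allows(policy, denied["action"]))
```
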