AWS Lambda: Cross-account pass role is not allowed.

Today I came across the following exception while working with the AWS SDK for Amazon Lambda:

com.amazonaws.AmazonServiceException: Cross-account pass role is not allowed. (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException; Request ID: xxx)

At first I was a bit puzzled where this exception might come from; but when I found out what the problem was, it seemed to be pretty obvious:

I tried to create a Lambda function in one AWS account while specifying an execution role that belonged to another AWS account.

So that was easily fixed by providing a role that belongs to the account the function is created in. The execution role must live in the same account as the function; iam:PassRole is evaluated in the account that receives the API call and never crosses an account boundary.

UPDATE

As rjhintz pointed out in the comments, if users outside the account that owns the function need to deploy with this role, the answer is not to pass the foreign role (that is exactly what the 403 refuses) but to let those users assume a role inside the owning account and deploy from there. The role's trust policy controls both who may assume it and which service may run under it. Note that a Lambda execution role has to trust lambda.amazonaws.com; an ec2.amazonaws.com principal would only let EC2 instances use the role:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Principal":{
            "AWS":[
               "arn:aws:iam::123456789012:user/user1",
               "arn:aws:iam::123456789012:user/user2"
            ],
            "Service":"lambda.amazonaws.com"
         },
         "Action":"sts:AssumeRole"
      }
   ]
}

Keep the AWS principals limited to the specific users or roles that deploy. A Principal of "*", or a whole account root without a Condition, lets far more than the deployers assume the role.
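The following preflight check reproduces the two conditions discussed above before the SDK call is made: the execution role must be in the same account as the caller, and its trust policy must let lambda.amazonaws.com assume it. This is an added example written for this post, not AWS SDK code; the ARNs, account ids and trust policy are constructed for illustration. In real use the caller ARN comes from sts.get_caller_identity()["Arn"] and the trust policy from iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"].

```python
"""Preflight check for the Lambda error
"Cross-account pass role is not allowed" (AccessDeniedException, HTTP 403).

Added example; not AWS SDK code. All ARNs and the trust policy are constructed.
"""
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")
LAMBDA_SERVICE = "lambda.amazonaws.com"

# Constructed trust policy: two users of the owning account may assume the role
# (so they can deploy inside that account) and Lambda may run functions under it.
TRUST_POLICY_EXAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:user/user1",
                    "arn:aws:iam::123456789012:user/user2",
                ],
                "Service": LAMBDA_SERVICE,
            },
            "Action": "sts:AssumeRole",
        }
    ],
}


def account_of(arn):
    """Account id of any ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or not re.fullmatch(r"\d{12}", parts[4]):
        raise ValueError(f"ARN without an account id: {arn}")
    return parts[4]


def parse_role_arn(arn):
    """(account id, role name) of an IAM role ARN; ValueError if it is not one."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn}")
    return m.group(1), m.group(2)


def _as_list(value):
    """IAM policy fields may be a single string/dict or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def assume_role_principals(trust_policy):
    """Every principal that an Allow statement lets call sts:AssumeRole."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for values in principal.values():  # "AWS", "Service", "Federated"
            found.update(_as_list(values))
    return found


def preflight(caller_arn, execution_role_arn, trust_policy):
    """Problems that create_function / update_function_configuration would run into."""
    problems = []
    caller_account = account_of(caller_arn)
    role_account, role_name = parse_role_arn(execution_role_arn)
    if caller_account != role_account:
        problems.append(
            f"role {role_name} is in account {role_account} but the function is created "
            f"in account {caller_account}: iam:PassRole never crosses accounts, Lambda "
            f"answers 'Cross-account pass role is not allowed'"
        )
    principals = assume_role_principals(trust_policy)
    if LAMBDA_SERVICE not in principals and "*" not in principals:
        problems.append(f"trust policy does not let {LAMBDA_SERVICE} assume the role; "
                        f"the function would fail at invocation time")
    if "*" in principals:
        problems.append("trust policy lets any principal assume the role")
    return problems


if __name__ == "__main__":
    same = preflight("arn:aws:iam::123456789012:user/user1",
                     "arn:aws:iam::123456789012:role/lambda-exec", TRUST_POLICY_EXAMPLE)
    other = preflight("arn:aws:iam::123456789012:user/user1",
                      "arn:aws:iam::210987654321:role/lambda-exec", TRUST_POLICY_EXAMPLE)
    print("same account:", same or "no problems")
    print("other account:", other)
```

The check on the trust policy is the one the SDK cannot give you at deploy time: a role that is in the right account but only trusts ec2.amazonaws.com is accepted by create_function and fails later, when Lambda tries to assume it.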

What is Amazon Flourish (for AWS)

According to a recent article on the New Stack Blog, the Amazon Serverless Team (responsible, for instance, for Amazon Lambda) is about to release a new open source product called ‘Flourish’.

Currently, there are very few details available on this product. These are some points I could find:

  • It will be a platform to manage components of serverless applications.
  • This includes versioning lambda functions and packaging lambda functions with other components such as database dependencies.
  • It will be open source (under the Apache license).

As more details become available, I will update this post.

For now, here are some related resources regarding serverless applications with Amazon:

Bulk Change ACL for Amazon S3

A bucket policy can require a particular ACL on every new upload (for example by denying s3:PutObject unless the request carries the right x-amz-acl header), so it is easy to keep new objects from being made public.

However, I wanted to remove ‘public’ read rights from a whole bunch of objects at the same time, and a bucket policy does not rewrite the ACLs that are already attached to objects stored in S3.

I found an easy way to change the ACL settings of many objects at the same time. To bulk change ACLs, do the following:

  • Download the free tool CloudBerry Explorer for Amazon S3
  • Install it
  • In the AWS management console, go to IAM
  • Create a new user ‘s3-super’. Save the access key id and the secret key.
  • Attach the managed policy ‘AmazonS3FullAccess’ to the user (it is a policy, not a role). For a one-off job an inline policy limited to s3:ListBucket on the bucket and s3:GetObjectAcl plus s3:PutObjectAcl on its objects is the safer choice, and delete the access key (or the whole user) once you are done.

[Screenshot: full_access]

  • Start CloudBerry Explorer and connect to your S3 with the access and secret key of the s3-super user
  • Now in this tool navigate to the bucket with the objects you would like to change
  • Select one or more objects for which you want to change the ACL settings in the left-hand column.
  • Click on the button ACL Settings

[Screenshot: acl]

  • In the dialog that pops up, change the settings to what you like and click OK.

[Screenshot: acl_settings]

The ACL settings for your objects should now be changed.
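The same job can be done from a script, which also makes it easy to change only the objects that actually have a public grant and to run it with a least-privilege policy instead of AmazonS3FullAccess. This is an added example written for this post, not CloudBerry’s or AWS’s code. It calls the real boto3 S3 client when none is injected; the FakeS3 class, the object keys and the ACLs are constructed so the example runs offline.

```python
"""Bulk-remove public ACL grants from objects already stored in S3.

Added example; not CloudBerry's or AWS's code. FakeS3 and SAMPLE_ACLS are
constructed stand-ins so the script runs without an AWS account.
"""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def is_public_grant(grant):
    """True for a grant to the AllUsers or AuthenticatedUsers group."""
    grantee = grant.get("Grantee", {})
    return grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS


def public_permissions(acl):
    """Permissions (READ, READ_ACP, ...) the object hands to everyone."""
    return sorted(g["Permission"] for g in acl.get("Grants", []) if is_public_grant(g))


def least_privilege_policy(bucket):
    """IAM policy for the job: list one bucket, read and write its object ACLs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObjectAcl", "s3:PutObjectAcl"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def make_private(bucket, prefix="", dry_run=True, s3=None):
    """Set ACL=private on every object under prefix that has a public grant.
    Returns [(key, [public permissions found]), ...]; dry_run writes nothing."""
    if s3 is None:
        import boto3  # only needed against a real bucket
        s3 = boto3.client("s3")
    changed = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            key = obj["Key"]
            perms = public_permissions(s3.get_object_acl(Bucket=bucket, Key=key))
            if not perms:
                continue  # already private: leave its ACL untouched
            changed.append((key, perms))
            if not dry_run:
                s3.put_object_acl(Bucket=bucket, Key=key, ACL="private")
    return changed


# Constructed sample data and a minimal stand-in for boto3.client("s3").
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
ALL_USERS_READ = {"Grantee": {"Type": "Group",
                              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}
AUTH_USERS_READ = {"Grantee": {"Type": "Group",
                               "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
                   "Permission": "READ"}
SAMPLE_ACLS = {
    "docs/public.pdf": {"Grants": [OWNER, ALL_USERS_READ]},
    "docs/private.pdf": {"Grants": [OWNER]},
    "logs/auth.log": {"Grants": [OWNER, AUTH_USERS_READ]},
}


class FakeS3:
    """Just enough of the S3 client API for make_private; lists in two pages."""

    def __init__(self, acls):
        self.acls = dict(acls)
        self.put_calls = []

    def get_paginator(self, name):
        assert name == "list_objects_v2"
        acls = self.acls

        class Paginator:
            def paginate(self, Bucket, Prefix=""):
                keys = [k for k in acls if k.startswith(Prefix)]
                half = max(1, len(keys) // 2)
                yield {"Contents": [{"Key": k} for k in keys[:half]]}
                yield {"Contents": [{"Key": k} for k in keys[half:]]}
        return Paginator()

    def get_object_acl(self, Bucket, Key):
        return self.acls[Key]

    def put_object_acl(self, Bucket, Key, ACL):
        self.put_calls.append((Key, ACL))
        self.acls[Key] = {"Grants": [OWNER]}  # private = owner only


if __name__ == "__main__":
    fake = FakeS3(SAMPLE_ACLS)
    print("would change:", make_private("my-bucket", s3=fake))
    print("changed:", make_private("my-bucket", dry_run=False, s3=fake))
```

Run it once with the default dry_run=True and review the list before writing anything; the policy returned by least_privilege_policy is what to attach to the throw-away user instead of AmazonS3FullAccess.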


JQuery UI Droppable: Prevent Event Bubbling

JQuery UI Droppable is a great framework for implementing drag and drop features in a web application.

Here I will show two ways to prevent multiple droppable elements on the same page from receiving the same drop event.

If the one droppable is the parent of the other:

In this case it is sufficient to set the option greedy: true on the child droppable, so the drop does not propagate to the parent. Easy.

If there is no parent-child relationship between the elements:

This is a bit tricky, since the greedy option only stops a drop from propagating up to the parent. If the two elements are independent (but one somehow floats on top of the other), we need some extra code in the drop handlers of both elements:

elem.droppable({
 ...
 drop: function( event, ui ) {

   // elementFromPoint expects viewport coordinates, so use clientX/clientY;
   // pageX/pageY are off by the scroll offset once the page is scrolled.
   // A drag helper still under the pointer would be returned instead of the
   // droppable; give the helper pointer-events: none if that happens.
   var elementAtPoint = document.elementFromPoint(event.clientX - 1, event.clientY - 1);

   // accept only if the topmost element is this droppable itself or lies inside it
   if (elementAtPoint !== elem[0] && !$.contains(elem[0], elementAtPoint)) {
     // not really meant for this element
     return;
   }

   // handle drop for this element

 }
 ...
});

Replace elem with the two respective elements that are droppable.

This ensures that the drop is handled only by the element that is visible to the user under the pointer.

Install Puppet 3 in Amazon Linux

The most recent version of the Amazon Linux AMI (2015.09.1) seems to install version 2 of Puppet by default.

However, if you need to install Puppet 3, that is also easy enough.

Just type in the following to install it:

sudo yum install puppet3

If errors about conflicting dependencies pop up (this can happen if Puppet 2 was installed first), remove the packages named in the error with yum remove and run the command above again; they are reinstalled in the versions Puppet 3 requires.


Add Date to File Name in Windows

I like to organize my files by prefixing the current date and time to the file name. Yes, sorting files by date created and date modified more or less accomplishes the same thing but I just find it to be more organized this way.

I’ve spent countless hours prefixing the respective date to files but today I found a much easier way.

I found the free tool Bulk Rename Utility.

Just download and extract this, then launch it and drag and drop the files you want to rename on the file list (it can be more than one file).

Then set the following options:

[Screenshot: autodate]

Mode: Prefix

Type: Creation (Current)

Fmt: YMD

Sep.: Just put one space

Next, select the file(s) you want to rename and click the Rename button on the bottom left.
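The same renaming can be scripted, which is handy on a server or when the utility is not at hand. This is an added example written for this post, not part of the original post or of Bulk Rename Utility. The stamp format ‘YYYYMMDD HHMMSS’ with a single space separator is an assumption standing in for the utility’s YMD format; names that already carry a stamp are left alone so the script can be rerun safely.

```python
"""Prefix files with their creation date and time from a script.

Added example; not part of the original post or of Bulk Rename Utility.
Stamp format 'YYYYMMDD HHMMSS' is an assumption standing in for the tool's YMD setting.
"""
import os
import re
from datetime import datetime
from pathlib import Path

STAMP_RE = re.compile(r"^\d{8} \d{6} ")


def date_stamp(timestamp):
    """POSIX timestamp -> 'YYYYMMDD HHMMSS' in local time."""
    return datetime.fromtimestamp(timestamp).strftime("%Y%m%d %H%M%S")


def prefixed_name(name, stamp):
    """New file name; a name that already starts with a stamp is returned unchanged."""
    return name if STAMP_RE.match(name) else f"{stamp} {name}"


def creation_timestamp(path):
    st = os.stat(path)
    # Windows and macOS expose the birth time as st_birthtime (older Windows
    # Pythons report it in st_ctime). Linux has no creation time in stat(), so
    # the last metadata change (st_ctime) is the best available fallback there.
    return getattr(st, "st_birthtime", st.st_ctime)


def rename_with_date(paths, dry_run=True):
    """Return [(old, new), ...]; renames only when dry_run is False and refuses
    to overwrite an existing file rather than silently clobbering it."""
    done = []
    for p in map(Path, paths):
        target = p.with_name(prefixed_name(p.name, date_stamp(creation_timestamp(p))))
        if target == p:
            continue  # already stamped
        if target.exists():
            raise FileExistsError(f"refusing to overwrite {target}")
        if not dry_run:
            p.rename(target)
        done.append((str(p), str(target)))
    return done


if __name__ == "__main__":
    import sys
    for old, new in rename_with_date(sys.argv[1:]):
        print(f"{old} -> {new}")
```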

newrelic service doesn’t start on CentOS: Solution Run as Root

Today one of my virtual servers suddenly showed up as offline in my New Relic console (which is an amazing tool and free, by the way).

I checked the log file /var/log/newrelic/nrsysmond.log and it had these contents:

2015-08-15 02:06:04.512 (915) error: nria_context_create(): SIGAR_OK != status; goto error; status=13
2015-08-15 02:06:04.512 (915) error: nria_context_create(): in error label
2015-08-15 02:06:04.512 (915) error: failed to create sampling context
2015-08-15 02:06:04.512 (913) info: worker process exited with 1 - NOT restarting

I found a post on the New Relic forum which provided the solution:

-> Run the newrelic service as root

This is done by editing /etc/sysconfig/newrelic-sysmond and commenting out the RUNAS option, so the daemon is no longer switched to the newrelic user after start-up:

# User to run the Server Monitor as
# RUNAS=newrelic

Not a perfect solution since ideally this should run with the newrelic user but at least it got the server online on my console again.
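The status=13 in the log is errno 13, EACCES (permission denied): SIGAR, the library the monitor uses to sample the host, reports system errno values, so the worker was refused access to something it reads. The alternative to running the whole agent as root is to find that something and fix its permissions. The probe below is an added example written for this post, not New Relic’s code; the list of paths is an assumption about what a Linux host monitor typically reads and should be extended with whatever the agent’s log or strace output names.

```python
"""Locate the EACCES behind nrsysmond's 'status=13' instead of running it as root.

Added example; not New Relic's code. SAMPLE_PATHS is an assumed probe set.
"""
import errno
import os

# Assumed: files a Linux host monitor typically samples. Not from New Relic's sources.
SAMPLE_PATHS = [
    "/proc/stat", "/proc/meminfo", "/proc/loadavg", "/proc/diskstats",
    "/proc/net/dev", "/proc/mounts", "/var/log/newrelic",
]


def errno_name(code):
    """13 -> 'EACCES'; unknown codes come back as 'errno <n>'."""
    return errno.errorcode.get(code, f"errno {code}")


def probe(paths):
    """Open each path for reading as the current user; {path: 'OK' | errno name}."""
    results = {}
    for path in paths:
        try:
            if os.path.isdir(path):
                os.listdir(path)
            else:
                with open(path, "rb") as fh:
                    fh.read(1)
            results[path] = "OK"
        except OSError as exc:
            results[path] = errno_name(exc.errno)
    return results


def denied(results):
    """Only the EACCES hits: the paths whose permissions need fixing."""
    return sorted(p for p, r in results.items() if r == "EACCES")


if __name__ == "__main__":
    # Run it as the agent's user to see what the agent sees:
    #   sudo -u newrelic python3 probe.py
    res = probe(SAMPLE_PATHS)
    for path, status in res.items():
        print(f"{status:8} {path}")
    print("fix permissions on:", denied(res) or "nothing; the probed paths are readable")
```

Run it with sudo -u newrelic so the checks happen with the agent’s own permissions; if a path shows EACCES, granting the newrelic user read access to that path (for example through a group) keeps the agent unprivileged, which is preferable to a root monitoring daemon on every host.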