CodeCommit Access denied with a non-existent explicit Deny

0

I am trying to perform a git pull and I get the error: Access denied: User: arn:aws:iam::account:user/username is not authorized to perform: codecommit:GitPull on resource: arn:aws:codecommit:region:account:repo with an explicit deny in an identity-based policy fatal: Could not read from remote repository.

but none of my permissions contain an explicit deny. In fact, there is an explicit allow for codecommit:* on the repo in one of my policies. I have an MFA policy, but it allows access to codecommit:* without MFA. Any help would be greatly appreciated.

1 Answer
0

Hello.

Since CodeCommit is encrypted with KMS, you need to configure an IAM policy that allows the KMS operations.
https://docs.aws.amazon.com/codecommit/latest/userguide/auth-and-access-control-iam-identity-based-access-control.html
https://docs.aws.amazon.com/codecommit/latest/userguide/encryption.html

So, I don't know what your current policy settings are, but I think it will work if you set them as follows.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListActions",
            "Effect": "Allow",
            "Action": [
                "iam:ListUsers",
                "iam:ListVirtualMFADevices"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowIndividualUserToListOnlyTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:ListMFADevices"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/*",
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToManageTheirOwnMFA",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ResyncMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice"
            ],
            "Resource": [
                "arn:aws:iam::*:mfa/${aws:username}",
                "arn:aws:iam::*:user/${aws:username}"
            ],
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        },
        {
            "Sid": "BlockMostAccessUnlessSignedInWithMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ListUsers",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "codecommit:*"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "kms:ViaService": "true"
                },
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
EXPERT
answered 4 months ago
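The mechanism behind the "explicit deny" in the question, as an added example that is neither the answerer's code nor AWS's evaluation engine: a toy model of how a Deny statement with NotAction and the Null/BoolIfExists operators is evaluated. SAMPLE_DENY is a constructed statement mirroring the common "deny everything without MFA" sample without the two exemptions in the answer, ANSWER_DENY is the answer's statement, and the kms:ViaService hostname used in the assumptions is a constructed sample value.

```python
import fnmatch

# A typical "block everything unless MFA" statement (constructed): no codecommit:*
# exemption and no kms:ViaService exemption, so it also hits CodeCommit's own KMS calls.
SAMPLE_DENY = {
    "Effect": "Deny",
    "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                  "iam:ListMFADevices", "iam:ListUsers",
                  "iam:ListVirtualMFADevices", "iam:ResyncMFADevice"],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}
# The answer's statement: CodeCommit and KMS calls made on the user's behalf by a service are exempt.
ANSWER_DENY = {
    "Effect": "Deny",
    "NotAction": SAMPLE_DENY["NotAction"] + ["codecommit:*"],
    "Resource": "*",
    "Condition": {"Null": {"kms:ViaService": "true"},
                  "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

def action_matches(patterns, action):
    # IAM action names are case-insensitive and may contain '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def condition_holds(cond, ctx):
    # ctx holds the request's condition keys; a key that is absent is "null" to IAM
    # (e.g. aws:MultiFactorAuthPresent is absent for plain long-term access keys).
    for op, pairs in cond.items():
        for key, want in pairs.items():
            present = key in ctx
            if op == "Null":            # "true" is satisfied only when the key is absent
                ok = present != (want == "true")
            elif op == "BoolIfExists":  # an absent key counts as satisfied
                ok = (not present) or str(ctx[key]).lower() == want
            else:
                raise ValueError(f"operator {op} not modelled")
            if not ok:
                return False
    return True

def explicit_deny(stmt, action, ctx):
    """True when this Deny matches the request, which overrides every Allow (the error in the question)."""
    if "NotAction" in stmt:
        matched = not action_matches(stmt["NotAction"], action)
    else:
        matched = action_matches(stmt["Action"], action)
    return matched and condition_holds(stmt.get("Condition", {}), ctx)
```

Against a real account, `aws iam simulate-principal-policy --policy-source-arn <user-arn> --action-names codecommit:GitPull` asks the same question of the policies actually attached and lists the statements that matched, which is the quickest way to find the Deny the error message refers to.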
