IoT DescribeRoleAlias denied from CloudFormation

0

What I'm trying to do:

When the stack gets created, it hits CREATE_FAILED on the AWS::IoT::RoleAlias:

Resource handler returned message: "Access denied for operation 'DescribeRoleAlias'." (RequestToken: *****, HandlerErrorCode: AccessDenied)

I see the role alias in the IoT Core console, and I see the successful CreateRoleAlias call in CloudTrail, but something around the permissions of DescribeRoleAlias appears to be lacking.

The policy in use by the GitHub Action:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"cloudformation:ListStacks",
				"cloudformation:CreateStack",
				"cloudformation:CreateChangeSet",
				"cloudformation:DescribeChangeSet",
				"cloudformation:ExecuteChangeSet",
				"cloudformation:DeleteChangeSet",
				"cloudformation:DescribeStacks"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:GetRole",
				"iam:DeleteRolePolicy",
				"iam:CreateRole",
				"iam:DeleteRole",
				"iam:PutRolePolicy",
				"iam:GetRolePolicy"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": "iam:PassRole",
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": "iot.amazonaws.com"
				}
			}
		},
		{
			"Effect": "Allow",
			"Action": [
				"iot:CreateRoleAlias",
				"iot:DeleteRoleAlias",
				"iot:DescribeRoleAlias",
				"iot:UpdateRoleAlias"
			],
			"Resource": "*"
		}
	]
}

The CloudFormation template:

AWSTemplateFormatVersion: "2010-09-09"

Resources:
  MyGreengrassV2TokenExchangeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - credentials.iot.amazonaws.com
            Action:
              - sts:AssumeRole
  MyGreengrassV2TokenExchangeRoleAccess:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: MyGreengrassV2TokenExchangeRoleAccess
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - logs:CreateLogGroup
              - logs:CreateLogStream
              - logs:PutLogEvents
              - logs:DescribeLogStreams
              - s3:GetBucketLocation
            Resource: "*"
      Roles:
        - !Ref MyGreengrassV2TokenExchangeRole
  MyGreengrassCoreTokenExchangeRoleAlias:
    Type: AWS::IoT::RoleAlias
    Properties:
      RoleArn: !GetAtt MyGreengrassV2TokenExchangeRole.Arn
      RoleAlias: MyGreengrassCoreTokenExchangeRoleAlias

Additional notes:

  • Is there some way for me to view more details about why DescribeRoleAlias is being denied?
  • I get the same exact failure when I remove iot:DescribeRoleAlias from the policy used by the GitHub Action; its presence doesn't seem to have any effect.
  • Is this related to iam:PassRole?

What's missing?

  • Hello, I'd recommend that you look at CloudTrail to see what exact API call is being denied. This is a good permission debugging technique in general.

1 Answer
0
Accepted answer

Hi,

I have performed tests with the same IAM policy and CloudFormation stack and can replicate the permission error. While looking at CloudTrail, I have found the following log for my IAM role iot-cloudformation:

"errorMessage": "User: arn:aws:sts::123456789012:assumed-role/iot-cloudformation/AWSCloudFormation is not authorized to perform: iot:ListTagsForResource on resource: arn:aws:iot:us-east-1:123456789012:rolealias/MyGreengrassCoreTokenExchangeRoleAlias because no identity-based policy allows the iot:ListTagsForResource action",

Therefore, when CloudFormation manages the IoT role alias resource, it sends an iot:ListTagsForResource event as well. With the following IAM policy, the CloudFormation creation passed:

        {
            "Effect": "Allow",
            "Action": [
                "iot:CreateRoleAlias",
                "iot:DeleteRoleAlias",
                "iot:DescribeRoleAlias",
                "iot:UpdateRoleAlias",
                "iot:ListTagsForResource"
            ],
            "Resource": "*"
        }
AWS
Feng_C
answered 9 months ago
  • Aha, the debugging piece I was missing was that I needed to filter the CloudTrail event history by the user name. Then I could see that failed ListTagsForResource call. Now that I've added iot:ListTagsForResource to the policy, my stack (including the role alias) is successfully creating. Thanks!
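To make the CloudTrail step in the answer and the comment's filter-by-user tip concrete, here is an added Python example; it is not part of the answer or of any AWS tooling. It filters constructed CloudTrail records down to AccessDenied events for the CloudFormation role, pulls the denied action out of IAM's standard error message, and reports which actions the question's policy does not grant. The account id, region and role name are the placeholder values from the answer; the other-user event is constructed only to show the filter.

```python
import fnmatch
import re

# IAM's standard AccessDenied wording, as CloudTrail records it in errorMessage.
DENIED_RE = re.compile(
    r"is not authorized to perform: (?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)")
CFN_ROLE = "arn:aws:sts::123456789012:assumed-role/iot-cloudformation/AWSCloudFormation"

# Constructed CloudTrail records modelled on the answer above (placeholder account
# id and region copied from it); only the fields this script reads are included.
EVENTS = [
    {"eventName": "CreateRoleAlias", "userIdentity": {"arn": CFN_ROLE}},
    {"eventName": "ListTagsForResource", "errorCode": "AccessDenied", "userIdentity": {"arn": CFN_ROLE},
     "errorMessage": f"User: {CFN_ROLE} is not authorized to perform: iot:ListTagsForResource on "
                     "resource: arn:aws:iot:us-east-1:123456789012:rolealias/MyGreengrassCoreTokenExchangeRoleAlias "
                     "because no identity-based policy allows the iot:ListTagsForResource action"},
    # A denial for a different principal: must be ignored when filtering on the role.
    {"eventName": "GetBucketAcl", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/other-user"},
     "errorMessage": "User: arn:aws:iam::123456789012:user/other-user is not authorized to perform: "
                     "s3:GetBucketAcl on resource: arn:aws:s3:::example-bucket"},
]

# The IoT statement of the question's GitHub Action policy (other statements omitted).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "iot:CreateRoleAlias", "iot:DeleteRoleAlias", "iot:DescribeRoleAlias", "iot:UpdateRoleAlias"]}]}


def denied_actions(events, role_name):
    """(action, resource) pairs IAM denied to role_name, matched on the role segment of
    userIdentity.arn so the assumed-role session name (here AWSCloudFormation) is irrelevant."""
    denied = set()
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "")
        if ev.get("errorCode") != "AccessDenied" or f":assumed-role/{role_name}/" not in arn:
            continue
        m = DENIED_RE.search(ev.get("errorMessage", ""))
        if m:
            denied.add((m["action"], m["resource"]))
    return denied


def missing_actions(policy, denied):
    """Denied actions no Allow statement matches (wildcards such as iot:* are honoured;
    Resource is ignored, which is exact for the "*"-only policy in the question)."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            acts = stmt["Action"]
            allowed.update([acts] if isinstance(acts, str) else acts)
    return sorted(a for a, _ in denied if not any(fnmatch.fnmatchcase(a, p) for p in allowed))
```

Against the records above, `missing_actions(POLICY, denied_actions(EVENTS, "iot-cloudformation"))` returns `['iot:ListTagsForResource']`, the action the accepted answer adds; the same two functions run unchanged on records pulled with `aws cloudtrail lookup-events`.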
