How to write proper resource-based policy to allow access to Lex bots in draft mode for users from IAM Identity Center?

0
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lex:UpdateBot",
        "lex:GetBot",
        "lex:CreateSlot",
        "lex:CreateSlotType"
      ],
      "Resource": "arn:aws:lex:us-east-1:1234567890:bot/ABCDEFG",
      "Principal": {
        "AWS": "arn:aws:iam:1234567890:user/lastname.firstname"
      }
    }
  ]
}

I don't know what I'm doing wrong here (Resource and Principal are modified to protect privacy). The error message I get is: The resource policy isn't valid. Check the policy format and try your request again. I've tried asking both AmazonQ and Bing AI, but they give me contradicting information; I am aware of the Policy Generator, but I'm pretty sure that's only for IAM Management Console. My business partner is an IAM User in IAM Identity Center, not IAM Management Console, and I have no experience with editing resource-based policies.

I'm not sure if I should deal with this or just publish my Lex bots prematurely, so he can help me with editing the bots. Nobody has responded to my previous question I submitted here a month ago, and only with constant trial and error along with reviewing documentation and getting help from Bing AI and AmazonQ was I able to resolve that issue. I sadly am only on the free support plan, so I can't directly ask AWS staff themselves to help me with my particular problem as much as I want to smdh (unless I pay, but I won't).

UPDATE: I've been informed by both AmazonQ and Bing AI that even if I were to add my business partner as an IAM user, set up the permission set, and attach the necessary policies, he still can't fully access the Lex bots while they're still in draft mode. I've also been made aware that IAM and Identity Center are completely separate services and AWS might deprecate the former eventually. Therefore, I think I'll just publish the bots prematurely in Lex and then theoretically my business partner can fully access them as I did everything right in Identity Center.

1 Answer
0

Hello,

I understand that when you apply the policy as a resource-based policy, you get the error "The resource policy isn't valid. Check the policy format and try your request again".

Please allow me to state that you are receiving the error because you are not specifying a resource that is supported by the actions in the policy.

If you refer to the documentation below and search for the "GetBot" action, you will find that "GetBot" only supports "bot alias" or "bot version" ARNs in the Resource section of the policy.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlex.html#amazonlex-actions-as-permissions

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lex:UpdateBot",
        "lex:CreateSlot",
        "lex:CreateSlotType"
      ],
      "Resource": "arn:aws:lex:us-east-1:1234567890:bot/ABCDEFG",
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:user/username"
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "lex:GetBot"
      ],
      "Resource": "arn:aws:lex:{Region}:{Account}:bot:{BotName}:{BotAlias}",
      "Principal": {
        "AWS": "arn:aws:iam::1234567890:user/username"
      }
    }
  ]
}

In the above policy, please replace:

  • {Region} with the region, {Account} with the account number, {BotName} with the specific bot name and {BotAlias} with the specific bot alias.
  • Also, please replace username with the correct user name of the user you would like to allow this action for.

If you want to allow all bot aliases, you can use "*" in that place, so the resource will look like: "arn:aws:lex:{Region}:{Account}:bot:{BotName}:*"

I trust this will help in resolving the issue. You can also refer to the documentation below about "Resource-based policy examples for Amazon Lex V2":

https://docs.aws.amazon.com/lexv2/latest/dg/security_iam_resource-based-policy-examples.html

AWS
answered 3 months ago
EXPERT
reviewed 24 days ago
  • Yeah, I already figured out how to let my business partner access my bots; he just needed to change his AWS region from Sydney to Virginia.
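The answer's point is that every action in a resource-based policy must be granted on an ARN shape that action actually accepts, which is exactly what the "isn't valid" error hides. The script below is an added example, not code from the original post or from AWS: it lints a Lex resource policy offline against a small action-to-ARN table. That table is my reading of the Service Authorization Reference for Amazon Lex (lex:GetBot is a Lex V1 action on bot alias/version ARNs of the form bot:<BotName>:<Alias>, while lex:UpdateBot, lex:CreateSlot and lex:CreateSlotType are Lex V2 actions on bot/<BotId> ARNs) and should be re-checked against the linked page before relying on it. It also catches a second defect both policies on this page share: an IAM user ARN has an empty region field (arn:aws:iam::<account>:user/<name>), and the posted ARNs omit it. The sample policies are constructed copies of the one in the question; "MyBot" is a hypothetical bot name.

```python
"""Offline lint for an Amazon Lex resource-based policy (added example)."""
import json
import re

# ARN shapes per Lex resource type. Assumption: copied from my reading of
# https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlex.html
# and the Lex V2 page; verify each row there before relying on it.
LEX_V2_BOT = r"arn:aws:lex:[a-z0-9-]+:\d+:bot/[A-Za-z0-9]+"
LEX_V2_BOT_ALIAS = r"arn:aws:lex:[a-z0-9-]+:\d+:bot-alias/[A-Za-z0-9]+/[A-Za-z0-9]+"
# Lex V1 bot version and bot alias ARNs share one shape, bot:<BotName>:<VersionOrAlias>;
# the last segment may be "*" to cover every alias/version of that bot.
LEX_V1_BOT_VERSION_OR_ALIAS = r"arn:aws:lex:[a-z0-9-]+:\d+:bot:[^:]+:[^:]+"

# Which ARN shapes each action may be granted on (subset of the reference, assumed).
ACTION_RESOURCES = {
    "lex:UpdateBot": [LEX_V2_BOT],
    "lex:CreateSlot": [LEX_V2_BOT],
    "lex:CreateSlotType": [LEX_V2_BOT],
    "lex:DescribeBot": [LEX_V2_BOT],
    "lex:GetBot": [LEX_V1_BOT_VERSION_OR_ALIAS],
}

# An AWS principal is an account ID, a root ARN, or a user/role ARN. IAM is a
# global service, so the region field of its ARN is empty: arn:aws:iam::<account>:...
IAM_PRINCIPAL = re.compile(r"arn:aws:iam::\d+:(root|user/.+|role/.+)|\d+")


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def check_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for p in aws_principals:
            if not IAM_PRINCIPAL.fullmatch(p):
                findings.append(f"statement {i}: principal {p!r} is not a well-formed IAM ARN "
                                "(expected arn:aws:iam::<account>:user/<name>)")
        resources = _as_list(st.get("Resource"))
        for action in _as_list(st.get("Action")):
            allowed = ACTION_RESOURCES.get(action)
            if allowed is None:
                findings.append(f"statement {i}: action {action!r} is not in the local table; "
                                "look it up in the Service Authorization Reference")
                continue
            for r in resources:
                if not any(re.fullmatch(pat, r) for pat in allowed):
                    findings.append(f"statement {i}: {action} cannot be granted on {r!r}; "
                                    f"expected an ARN matching one of {allowed}")
    return findings


# Constructed copy of the policy from the question (same placeholder values).
QUESTION_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["lex:UpdateBot", "lex:GetBot", "lex:CreateSlot", "lex:CreateSlotType"],
      "Resource": "arn:aws:lex:us-east-1:1234567890:bot/ABCDEFG",
      "Principal": {"AWS": "arn:aws:iam:1234567890:user/lastname.firstname"}
    }
  ]
}
""")

# The same grant with both findings addressed: the IAM ARN gets its empty region
# field, and lex:GetBot moves to its own statement on a bot alias/version ARN
# ("MyBot" is a hypothetical Lex V1 bot name, "*" covers all of its aliases).
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["lex:UpdateBot", "lex:CreateSlot", "lex:CreateSlotType"],
            "Resource": "arn:aws:lex:us-east-1:1234567890:bot/ABCDEFG",
            "Principal": {"AWS": "arn:aws:iam::1234567890:user/lastname.firstname"},
        },
        {
            "Effect": "Allow",
            "Action": "lex:GetBot",
            "Resource": "arn:aws:lex:us-east-1:1234567890:bot:MyBot:*",
            "Principal": {"AWS": "arn:aws:iam::1234567890:user/lastname.firstname"},
        },
    ],
}

if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{name}: {check_policy(pol) or 'no findings'}")
```

Run against the question's policy it reports two findings (the malformed principal ARN and lex:GetBot granted on a bot/<BotId> ARN) and none for the corrected version. Because the table only lists the five actions named on this page, any other action is reported as "not in the local table" rather than silently accepted; extend ACTION_RESOURCES from the reference page as you add actions.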
