Questions tagged with IAM Policies

Content language: English

Sort by most recent

Browse through the questions and answers listed below or filter and sort to narrow down your results.

IAM abac tag problems: User is not authorized to perform: execute-api:Invoke on resource

I'm trying to call an api-gateway endpoint from my web app but getting the error: ``` User: arn:aws:sts::<number>:assumed-role/my_identity_pool_auth_role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-west-2:********9277:<api-gateway id>/test/GET/theme ``` I have a user pool set up in which I've created two groups, one of which I'd like to give access to execute the endpoint mentioned above. The user pool group has an iam role attached with no permissions, but the following trust relationships: ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": [ "sts:AssumeRoleWithWebIdentity", "sts:TagSession" ], "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "<identity pool id>" } } } ] } ``` and a tag with: ``` key: user_role value: end_user_basic ``` The identity pool auth role has permissions and trust relationship below: ``` { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "cognito-identity:*", "mobileanalytics:PutEvents", "cognito-sync:*" ], "Resource": "*" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "execute-api:Invoke", "Resource": "arn:aws:execute-api:eu-west-2:*:<api-gateway id>/*/GET/theme", "Condition": { "StringEquals": { "aws:PrincipalTag/user_role": "end_user_basic" } } } ] } ``` ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "cognito-identity.amazonaws.com" }, "Action": [ "sts:AssumeRoleWithWebIdentity", "sts:TagSession" ], "Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "<identity pool id>" }, "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" } } } ] } ``` In the identity pool settings, I have 'authenticated role selection' set to 'user default role' and 'attributes for access control' set to 'use custom mappings' with the below: ``` Tag key for principal: user_role Attribute name: user_role ``` And when I make the request, my id token has a payload something like below: ``` { "sub": ..., "cognito:groups": [ "<the correct cognito user group>" ], "iss": ..., "cognito:username": ..., "origin_jti": ..., "cognito:roles": [ "<the correct iam role with tag attached>" ], "aud": ..., "event_id": ..., "token_use": "id", "auth_time": ..., "exp": ..., "iat": ..., "jti": ..., "email": ... } ``` so the user belongs to the correct group with the correct iam role applied. I'm new to AWS so I'm sure i'm missing something daft but if somebody could point me in the right direction I'd be grateful. As an aside, if I remove the condition below: ``` "Condition": { "StringEquals": { "aws:PrincipalTag/user_role": "end_user_basic" } } ``` from the identity pool auth role, I can make the api call successfully
0
answers
0
votes
44
views
steve
asked a month ago

How to download s3 file to Window 2022 EC2 instance with CloudFormation Init? Getting Access Denied error.

I'm trying to download a file from an S3 bucket onto a EC2 Windows server. I'm set up the IAM role, policy, and profile. In the CloudFormation::Init section of the server, I have different configSets and one of them is downloading a file from the bucket. ``` --- Some items not shown --- "Parameters": { "S3BucketName": { "Description": "The name of an existing S3 bucket that the server needs to access.", "Type": "String", "Default": "ccw-to-rds-poc-1" }, --- Some parameters not shown --- "InstanceRole":{ "Type":"AWS::IAM::Role", "Properties":{ "AssumeRolePolicyDocument":{ "Statement":[ { "Effect":"Allow", "Principal":{ "Service":[ "ec2.amazonaws.com" ] }, "Action":[ "sts:AssumeRole" ] } ] }, "Path":"/" } }, "RolePolicies":{ "Type":"AWS::IAM::Policy", "Properties":{ "PolicyName":"S3Download", "PolicyDocument":{ "Statement":[ { "Action":[ "s3:GetObject" ], "Effect":"Allow", "Resource": {"Fn::Join": ["", ["arn:aws:s3:::", {"Ref": "S3BucketName"}]]} } ] }, "Roles":[ { "Ref":"InstanceRole" } ] } }, "InstanceProfile":{ "Type":"AWS::IAM::InstanceProfile", "Properties":{ "Path":"/", "Roles":[ { "Ref":"InstanceRole" } ] } }, "myAppServer": { "Type": "AWS::EC2::Instance", "Metadata": { "AWS::CloudFormation::Authentication": { "S3AccessCreds": { "type": "S3", "roleName": { "Ref": "InstanceRole" }, "buckets" : [{"Ref": "S3BucketName"}] } }, "AWS::CloudFormation::Init": { "configSets": { "downloadS3Data": ["downloadS3"], "Full": [{"ConfigSet": "downloadS3Data"}, "fullServer"], "default": [ {"ConfigSet": "Full"}], "App": [{"ConfigSet": "downloadS3Data"}, "appServer"], "Interface": [{"ConfigSet": "downloadS3Data"}, "interfaceServer"], "Notification": [{"ConfigSet": "downloadS3Data"}, "notificationServer"] }, "downloadS3": { "files": { "C:\\Users\\Administrator\\Documents\\s3download.bak": { "source": "https://ccw-to-rds-poc-1.s3.us-east-2.amazonaws.com/test.txt", "authentication": "S3AccessCreds" } } }, "fullServer": { "commands": { "test": { "command": "echo \"$MAGIC\"", "env": {"MAGIC": "I am from the full server env"}, "cwd": "C:\\Users\\Administrator\\Desktop" } } }, --- Some config sets not shown --- } }, "Properties": { "IamInstanceProfile": { "Ref": "InstanceProfile" }, "ImageId": "ami-012bb86d0081c5240", "InstanceType": "t2.small", "KeyName": {"Ref": "keypair"}, "SecurityGroupIds": ["sg-0d0b50ca1774707b7"], "UserData" : { "Fn::Base64" : { "Fn::Join" : [ "", [ "<powershell>\n", "cfn-init.exe -v -s ", {"Ref" : "AWS::StackId"}, " -r YourInstance -c ", {"Ref": "CCWServerType"} , " --region ", {"Ref" : "AWS::Region"}, "\n", "</powershell>\n", "<persist>true</persist>" ] ] } } } } ``` When the server runs `"cfn-init.exe -v -s ", {"Ref" : "AWS::StackId"}, " -r YourInstance -c ", {"Ref": "CCWServerType"} , " --region ", {"Ref" : "AWS::Region"}, "\n",`, It creates the `s3download.bak`, but it is empty and gives an Access Denied, (HTTP Error 403). Is there something I'm not doing correctly with the IAM configurations that is causing this? EDIT: I thought that because I am accessing the entire bucket and not just a specific item, like mentioned in [this article](https://aws.amazon.com/blogs/devops/authenticated-file-downloads-with-cloudformation/) that might be the issue. However, after trying `"Action":["s3:*Object"]` and `"Action":["s3.Get*"]`, I still get the same access denied error.
2
answers
0
votes
54
views
asked a month ago

AWS File Transfer Family Server and IAM role setup

Hi All, We have setup AWS file transfer server with AWS directory service (connected to Microsoft AD) authentication. As per use case, once user login to sftp, user should be able to see two directory within their own folder. {username}/folder1 {username}/folder2 I have setup below Access policy and IAM policy (attached to S3) create-access CLI: ``` aws transfer create-access \ --home-directory-type LOGICAL \ --home-directory-mappings '[{"Entry":"/folder1","Target":"/bucket_name/${transfer:UserName}/folder1" },{ "Entry": "/folder2", "Target":"/bucket_name/${transfer:UserName}/folder2"}]' \ --role arn:aws:iam::account_id:role/iam_role \ --server-id s-1234567876454ert \ --external-id S-1-2-34-56789123-12345678-1234567898-1234 ``` access policy was created successfully. Below IAM role is attached to S3 bucket and file-transfer server. ``` { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:s3:::bucket_name" ], "Effect": "Allow", "Sid": "ReadWriteS3" }, { "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObjectVersion", "s3:GetObjectACL", "s3:PutObjectACL" ], "Resource": [ "arn:aws:s3:::bucket_name/${transfer:UserName}/*" ], "Effect": "Allow", "Sid": "" } ] } ``` When user login to sftp, they do not see folder1 & folder2 in their own directory. Can anyone help if anything missing in IAM policy? Thank You
3
answers
0
votes
81
views
profile picture
asked 2 months ago

AWS ECR allow roles from secondary account

I have an ECR in a prod account that I want to grant push access to from the dev role. This is my current policy ```json { "Version": "2008-10-17", "Statement": [ { "Sid": "AllowPushPull", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::account:role/rolename", "arn:aws:sts::account:assumed-role/rolename/instance", "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session" ] }, "Action": [ "ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:CompleteLayerUpload", "ecr:DescribeImages", "ecr:DescribeRepositories", "ecr:GetDownloadUrlForLayer", "ecr:GetLifecyclePolicy", "ecr:GetLifecyclePolicyPreview", "ecr:GetRepositoryPolicy", "ecr:InitiateLayerUpload", "ecr:ListImages", "ecr:PutImage", "ecr:PutLifecyclePolicy", "ecr:SetRepositoryPolicy", "ecr:StartLifecyclePolicyPreview", "ecr:UploadLayerPart" ] } ] } ``` Running aws sts get-caller-identity I can see I have the role checked out "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session" but I do not have access to push. I receive the following until timeout. > The push refers to repository > [account.dkr.ecr.us-west-2.amazonaws.com/repo] 87e2ce75493a: Retrying > in 4 seconds My non-prod account does exist in us-east-1. but my login command specifies west. task: [docker:ecr-login] aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin accpunt.dkr.ecr.us-west-2.amazonaws.com Any ideas what may be my problem on this repo? (this works with my production account so the registry is valid) Also this works when I use my dev account and allow the user IAM
1
answers
0
votes
38
views
asked 2 months ago