Questions tagged with IAM Policies
Hello,
Required: enable S3 bucket access for a specific permission set.
1. I have an SSO role in IAM for Billing. This is an AWS managed SSO role and gives access to Billing actions in its policy: AWSReservedSSO_BillingReadOnly_tagnumber.
2. I have an IAM Identity Center group, AWS-acctnum-BillingReaders-Prod, that has 4 SSO users.
3. The above group has been assigned to the permission sets below; the user is able to see the permission sets on his login page, under the account.
4. I also have a permission set (BillingReadOnly) that has the AWS managed billing policy, AWSBillingReadOnlyAccess, and also an inline policy that allows access to an S3 bucket (ListBucket, GetObject).
The SSO user who is part of the group in 2 sees this permission set on his login screen, but he does not see any buckets listed in S3.
Note: anything that is AWS managed cannot be altered, hence the addition of the custom inline policy on the permission set.
Any idea what's wrong here?
Thanks in advance.
```json
{
  "Version": "2012-10-17",
  "Id": "PersonalizeS3BucketAccessPolicy",
  "Statement": [
    {
      "Sid": "PersonalizeS3BucketAccessPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "personalize.amazonaws.com"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::fashionrecommendationsystem",
        "arn:aws:s3:::fashionrecommendationsystem/*"
      ]
    }
  ]
}
```
This is the bucket policy I have attached to my S3 bucket.

Template format error: Unresolved resource dependencies [VpcFlowLogBucket] in the Resources block of the template
I am getting the above error in my CloudFormation template when I use conditions while creating resources.
I have a use case where, if the user enters a specific parameter, I apply a condition to avoid creating an S3 bucket and instead use the one whose ARN the user has given.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: CloudFormation stack for relaying AWS VPC flow logs for security analysis and storage.
Outputs:
  StackName:
    Description: The name of the stack deployed by this CloudFormation template.
    Value: !Ref "AWS::StackName"
Parameters:
  VpcIds:
    Description: The IDs of the VPCs for which flow logs will be relayed. VPC Flow Logs will be enabled for these VPCs.
    Type: List<AWS::EC2::VPC::Id>
  VpcFlowLogBucketArn:
    Type: String
    Description: (Optional) The ARN of an existing S3 bucket to use for VPC flow logs. If specified, VpcFlowLogDestination will be ignored.
  TrafficType:
    AllowedValues:
      - ACCEPT
      - REJECT
      - ALL
    Default: ALL
    Description: Whether to log only rejected or accepted traffic, or log all traffic. Logging all traffic (default) enables more security outcomes.
    Type: String
  OrgId:
    Description: Your account number.
    Type: Number
  RetentionInDays:
    Description: The number of days to retain AWS VPC Flow Logs in the S3 bucket. This is effectively the size of your recovery window if the flow of logs is interrupted.
    Type: Number
    Default: 3
Conditions:
  HasExpirationInDays: !Not [!Equals [!Ref RetentionInDays, 0]]
  # True when no existing bucket ARN was supplied, i.e. when the bucket must be created.
  UseExistingS3Bucket: !Equals [!Ref VpcFlowLogBucketArn, ""]
Resources:
  VpcFlowLogBucket:
    Type: "AWS::S3::Bucket"
    Condition: UseExistingS3Bucket
    Properties:
      BucketName: !Join
        - "-"
        - - aarmo-vpc-flow-bucket
          - !Ref OrgId
          - !Ref "AWS::StackName"
          - !Ref "AWS::Region"
      LifecycleConfiguration:
        Rules:
          - ExpirationInDays: !If [HasExpirationInDays, !Ref RetentionInDays, 1]
            Status: !If [HasExpirationInDays, Enabled, Disabled]
      NotificationConfiguration:
        QueueConfigurations:
          - Event: "s3:ObjectCreated:*"
            Queue: !GetAtt [MyQueue, Arn]
    DependsOn:
      - MyQueue
  VpcFlowLogBucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Condition: UseExistingS3Bucket
    DependsOn:
      - VpcFlowLogBucket
    Properties:
      Bucket: !Ref VpcFlowLogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement: # https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-s3.html#flow-logs-s3-permissions
          - Sid: AWSLogDeliveryWrite
            Effect: Allow
            Principal:
              Service: "delivery.logs.amazonaws.com"
            Action: "s3:PutObject"
            Resource: !Sub "${VpcFlowLogBucket.Arn}/AWSLogs/${AWS::AccountId}/*"
            Condition:
              StringEquals:
                "s3:x-amz-acl": "bucket-owner-full-control"
          - Sid: AWSLogDeliveryAclCheck
            Effect: Allow
            Principal:
              Service: "delivery.logs.amazonaws.com"
            Action: "s3:GetBucketAcl"
            Resource: !GetAtt "VpcFlowLogBucket.Arn"
  MyQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: "SampleQueue12345128"
  MyQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal:
              Service: sns.amazonaws.com
            Action:
              - sqs:SendMessage
              - sqs:DeleteMessage
              - sqs:ReceiveMessage   # the API action is spelled ReceiveMessage
            Resource: "*"
      Queues:
        - Ref: MyQueue
```
What is the issue with the above CloudFormation template? I have tried debugging the template multiple times but am still getting nowhere. Any help would be greatly appreciated!
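A small check for one common cause of the "Unresolved resource dependencies" message, namely a Ref, Fn::GetAtt, Fn::Sub or DependsOn that points at a resource carrying a Condition from a resource that does not carry the same one. This is an added example, not code from the post: it walks a template in CloudFormation's JSON form using only the standard library, and the template it inspects is a constructed, minimal analogue of the pattern in the question rather than the poster's template (the names LogBucket, LogBucketPolicy, FlowLog, CreateBucket and ExistingBucketArn are made up). A reference wrapped in Fn::If on the resource's own condition is the form CloudFormation accepts for optional resources, so the checker treats that as resolved.

```python
"""Flag references to conditional CloudFormation resources that are not
guarded by the same condition (added example; simplified model of the
CloudFormation rule, not the service's own validator)."""
import copy
import re

# ${Name} or ${Name.Attr}; pseudo-parameters such as ${AWS::Region} contain
# "::" and therefore never match, nor does the ${!Literal} escape.
SUB_VAR = re.compile(r"\$\{([A-Za-z0-9]+)(?:\.[^}]*)?\}")


def collect_refs(node, guard=None, out=None):
    """Return a set of (logical_id, guard) for every reference inside node.
    guard is the condition name of an enclosing Fn::If true branch, or None.
    The false branch of an Fn::If is not protected by that condition, so it
    is walked with guard=None."""
    if out is None:
        out = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                out.add((value, guard))
            elif key == "Fn::GetAtt":
                target = value[0] if isinstance(value, list) else value.split(".", 1)[0]
                out.add((target, guard))
            elif key == "Fn::Sub":
                text = value[0] if isinstance(value, list) else value
                out.update((name, guard) for name in SUB_VAR.findall(text))
                if isinstance(value, list) and len(value) > 1:
                    collect_refs(value[1], guard, out)   # the variable map
            elif key == "Fn::If" and isinstance(value, list) and len(value) == 3:
                collect_refs(value[1], value[0], out)    # true branch, guarded
                collect_refs(value[2], None, out)        # false branch
            else:
                collect_refs(value, guard, out)
    elif isinstance(node, list):
        for item in node:
            collect_refs(item, guard, out)
    return out


def find_unresolved(template):
    """Return (referrer, target, target_condition) for every reference to a
    conditional resource made from a resource without that Condition and
    outside an Fn::If on it. Parameters and pseudo-parameters are skipped."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        own = res.get("Condition")
        refs = collect_refs(res.get("Properties", {}))
        depends = res.get("DependsOn", [])
        refs.update((d, None) for d in ([depends] if isinstance(depends, str) else depends))
        for target, guard in sorted(refs, key=lambda r: (r[0], r[1] or "")):
            if target not in resources:
                continue
            needed = resources[target].get("Condition")
            if needed and own != needed and guard != needed:
                findings.append((name, target, needed))
    return findings


# Constructed template mirroring the post's pattern: the bucket exists only
# when no ARN is supplied, but the flow log references it unconditionally.
BROKEN = {
    "Parameters": {"ExistingBucketArn": {"Type": "String", "Default": ""}},
    "Conditions": {"CreateBucket": {"Fn::Equals": [{"Ref": "ExistingBucketArn"}, ""]}},
    "Resources": {
        "LogBucket": {"Type": "AWS::S3::Bucket", "Condition": "CreateBucket"},
        "LogBucketPolicy": {   # same Condition as the bucket: resolved
            "Type": "AWS::S3::BucketPolicy",
            "Condition": "CreateBucket",
            "Properties": {"Bucket": {"Ref": "LogBucket"}, "PolicyDocument": {}},
        },
        "FlowLog": {           # no Condition: unresolved when the bucket is skipped
            "Type": "AWS::EC2::FlowLog",
            "Properties": {
                "LogDestinationType": "s3",
                "LogDestination": {"Fn::GetAtt": ["LogBucket", "Arn"]},
            },
        },
    },
}

# The accepted form: choose between the new bucket and the supplied ARN.
FIXED = copy.deepcopy(BROKEN)
FIXED["Resources"]["FlowLog"]["Properties"]["LogDestination"] = {
    "Fn::If": ["CreateBucket", {"Fn::GetAtt": ["LogBucket", "Arn"]}, {"Ref": "ExistingBucketArn"}]
}

if __name__ == "__main__":
    for label, tpl in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, find_unresolved(tpl))
```

The checker only models the conditional-reference rule, not the whole template grammar, so an empty result does not mean the template is valid; it is meant as a fast first pass before uploading a template with Conditions.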
I have the IAM role and policy set up per https://eksctl.io/usage/minimum-iam-policies/. When I create the cluster, all the CF stacks complete with no errors at all, but I am getting this on the screen. The actual error is at the very bottom.
```
2023-03-30 11:51:22 [▶] completed task: create IAM role for serviceaccount "kube-system/aws-node"
2023-03-30 11:51:22 [▶] started task: create serviceaccount "kube-system/aws-node"
2023-03-30 11:51:22 [ℹ] waiting for CloudFormation stack "eksctl-tmdev-us1-pipe-prod-addon-iamserviceaccount-kube-system-AS-cluster-autoscaler"
2023-03-30 11:51:52 [▶] failed task: create serviceaccount "kube-system/aws-node" (will not run other sequential tasks)
2023-03-30 11:51:52 [▶] failed task:
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system/aws-node",
create serviceaccount "kube-system/aws-node",
}
(will continue until other parallel tasks are completed)
2023-03-30 11:51:52 [▶] failed task:
4 parallel sub-tasks: {
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system-LB/aws-lb-controller",
create serviceaccount "kube-system-LB/aws-lb-controller",
},
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system-DNS/external-dns",
create serviceaccount "kube-system-DNS/external-dns",
},
create IAM role for serviceaccount "kube-system-AS/cluster-autoscaler",
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system/aws-node",
create serviceaccount "kube-system/aws-node",
},
}
(will not run other sequential tasks)
2023-03-30 11:51:52 [▶] failed task:
2 sequential sub-tasks: {
4 sequential sub-tasks: {
wait for control plane to become ready,
associate IAM OIDC provider,
4 parallel sub-tasks: {
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system-LB/aws-lb-controller",
create serviceaccount "kube-system-LB/aws-lb-controller",
},
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system-DNS/external-dns",
create serviceaccount "kube-system-DNS/external-dns",
},
create IAM role for serviceaccount "kube-system-AS/cluster-autoscaler",
2 sequential sub-tasks: {
create IAM role for serviceaccount "kube-system/aws-node",
create serviceaccount "kube-system/aws-node",
},
},
restart daemonset "kube-system/aws-node",
},
create managed nodegroup "jenkins-pipeline-nodegroup",
}
(will not run other sequential tasks)
2023-03-30 11:51:52 [!] 1 error(s) occurred and cluster hasn't been created properly, you may wish to check CloudFormation console
2023-03-30 11:51:52 [ℹ] to cleanup resources, run 'eksctl delete cluster --region=us-east-1 --name=tmdev-us1-pipe-prod'
2023-03-30 11:51:52 [✖] failed to create service account kube-system/aws-node: checking whether namespace "kube-system" exists: Get "https://XXXXXXXXXXB2A140B1DB492834D6A69A.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system": dial tcp 172.11.111.111:443: i/o timeout
Error: failed to create cluster "tmdev-us1-pipe-prod"
```
When I go to EKS in the AWS Console and click on this cluster, I do see a strange error at the top. Not sure if it's related or not.
```
Error loading GenericResourceCollection/namespaces
```
My client is not able to access the ALB URL, but I am able to access it. The ALB's security group has an "All traffic" rule in both inbound and outbound rules. Also, my EC2 instance is Windows and I have deactivated its firewall so that it does not block any incoming IP addresses. How do I solve this issue?
Hi guys,
I deployed my Java app on EC2, and there I am making a call to Amazon Cognito in order to push user data. I am getting the error below:
```
Profile file contained no credentials for profile 'default': ProfileFile(profiles=[])
```
When I try the same on my local machine it works fine.
My understanding was that if I gave an IAM role (CognitoSuperUser), which has permission for Cognito, to EC2, I wouldn't have to put credentials in the EC2 profile file. Am I wrong?
Won't EC2 be able to call Cognito without any configuration? I call S3 from EC2 by allowing the permission in the IAM role assigned to EC2.
This is the way I create the client to make the call. Is there another way to make the call instead of **ProfileCredentialsProvider**?
```java
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;

// Builds the Cognito client with credentials read from the "default" profile
// in the instance's AWS config files (the provider that raises the error above).
this.cognitoClient = CognitoIdentityProviderClient.builder()
        .region(Region.US_EAST_2)
        .credentialsProvider(ProfileCredentialsProvider.create())
        .build();
```
Thanks
I am trying to create an EC2 instance, and in Network settings I am supposed to pick the default VPC, but there was no VPC in the drop-down; it was blank. I decided to create a default VPC, but now I also have no subnet in the drop-down and cannot create one. How do I rectify this?
I want to create an architecture inside the Learner Lab, but I don't know what policy to use, because inside the Learner Lab I can't create roles.
I'm trying to make my thing (temperature) send a message to IoT Core and save the IoT data in DynamoDB; if temperature > 30, send a message from IoT to SNS.
It shows this error, "ValidationException: The assume role is invalid", while creating an Association with the document "AWSEC2-PatchLoadBalancerInstance". It says to use "AWSServiceRoleForAmazonSSM", but it can be added as the association role.

I created EKS resources via Terraform. I now want to get temporary credentials for a new role (new_dev has eks:DescribeCluster permission). It throws the error below; user xxxxx has the AdministratorAccess policy. Should I add an assume-role policy to the user xxxxx?
```
aws sts assume-role --role-arn arn:aws:iam::---:role/new_dev --role-session-name dev
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::---:user/xxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::---:role/new_dev
```
I want to create a custom IAM policy with custom IAM actions,
something like the below:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "myCustomService:MyCustomAction",
        "myCustomService1:MyCustomAction1"
      ],
      "Resource": "*"
    }
  ]
}
```
I need this to control client/user/client-application access to my application running in an EKS cluster.
Thanks in advance.
I am creating an EKS cluster from scratch, but every time I do I get the following error:
```
2023-03-28 15:08:05 [✖] creating OIDC provider: operation error IAM:
CreateOpenIDConnectProvider, https response error StatusCode: 403, RequestID: bacf7543-bfe0-4b1c-982e-a81e61cef1c7, api error AccessDenied: User: arn:aws:sts::*:assumed-role/DEV-EC2-JenkinsMaster-Instance/i-09f8b9ad4eb5hhh09 is not authorized to perform: iam:TagOpenIDConnectProvider on resource: arn:aws:iam::*:oidc-provider/oidc.eks.us-east-1.amazonaws.com because no identity-based policy allows the iam:TagOpenIDConnectProvider action
```
After much effort and searching I found the following policy, which I have in place.
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:DeleteInternetGateway",
"Resource": "arn:aws:ec2:*:*:internet-gateway/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:ModifyListener",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeInstances",
"ec2:AttachInternetGateway",
"ec2:DeleteRouteTable",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:DescribeVolumes",
"ec2:DeleteInternetGateway",
"ec2:DescribeKeyPairs",
"iam:GetRole",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"ec2:ImportKeyPair",
"ec2:CreateTags",
"elasticloadbalancing:CreateTargetGroup",
"ecr:GetAuthorizationToken",
"ec2:RunInstances",
"ec2:DisassociateRouteTable",
"ec2:CreateVolume",
"ec2:RevokeSecurityGroupIngress",
"elasticloadbalancing:AddTags",
"ec2:DescribeImageAttribute",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"ec2:DeleteNatGateway",
"autoscaling:DeleteAutoScalingGroup",
"ec2:CreateSubnet",
"ec2:DescribeSubnets",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"ecr:InitiateLayerUpload",
"ec2:AttachVolume",
"ec2:CreateNatGateway",
"ec2:CreateVpc",
"ecr:ListImages",
"ec2:DescribeVpcAttribute",
"ec2:ModifySubnetAttribute",
"autoscaling:DescribeScalingActivities",
"ec2:DescribeAvailabilityZones",
"ssm:GetParametersByPath",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"ec2:ReleaseAddress",
"ec2:DeleteLaunchTemplate",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"ec2:DescribeSecurityGroups",
"autoscaling:CreateLaunchConfiguration",
"ec2:CreateLaunchTemplate",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"ec2:DescribeVpcs",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"ec2:DeleteSubnet",
"elasticloadbalancing:RegisterTargets",
"ec2:DescribeVolumesModifications",
"ssm:GetParameter",
"ec2:AssociateRouteTable",
"elasticloadbalancing:DeleteLoadBalancer",
"ec2:DescribeInternetGateways",
"elasticloadbalancing:DescribeLoadBalancers",
"ec2:DeleteVolume",
"ssm:DeleteParameter",
"ssm:DescribeParameters",
"autoscaling:DescribeAutoScalingGroups",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"autoscaling:UpdateAutoScalingGroup",
"ec2:DescribeAccountAttributes",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"ec2:DescribeRouteTables",
"ecr:BatchCheckLayerAvailability",
"ec2:DetachVolume",
"ec2:ModifyVolume",
"ec2:DescribeLaunchTemplates",
"ecr:GetDownloadUrlForLayer",
"ec2:CreateRouteTable",
"cloudformation:*",
"elasticloadbalancing:DeregisterTargets",
"ec2:DetachInternetGateway",
"ssm:GetParameters",
"ssm:DeleteParameters",
"ecr:PutImage",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"ssm:PutParameter",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"ecr:BatchGetImage",
"ecr:DescribeImages",
"ec2:DeleteVpc",
"eks:*",
"autoscaling:CreateAutoScalingGroup",
"ec2:DescribeAddresses",
"ec2:DeleteTags",
"elasticloadbalancing:ConfigureHealthCheck",
"autoscaling:DescribeLaunchConfigurations",
"ec2:DescribeDhcpOptions",
"ecr:UploadLayerPart",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DescribeListeners",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateSecurityGroup",
"ecr:CompleteLayerUpload",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"kms:DescribeKey",
"ecr:DescribeRepositories",
"ec2:ModifyVpcAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:AuthorizeSecurityGroupEgress",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"ec2:DescribeTags",
"ssm:GetParameterHistory",
"ec2:DeleteRoute",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNatGateways",
"elasticloadbalancing:CreateLoadBalancerListeners",
"ec2:AllocateAddress",
"ec2:DescribeImages",
"autoscaling:DeleteLaunchConfiguration",
"ec2:DeleteSecurityGroup",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyTargetGroup"
],
"Resource": "*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:ListInstanceProfiles",
"iam:AddRoleToInstanceProfile",
"iam:CreateOpenIDConnectProvider",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:DeleteRolePolicy",
"iam:DeleteServiceLinkedRole",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::*:instance-profile/eksctl-*",
"arn:aws:iam::*:role/eksctl-*",
"arn:aws:iam::*:role/aws-service-role/eks.amazonaws.com/*",
"arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/*",
"arn:aws:iam::*:oidc-provider/*"
]
},
{
"Sid": "VisualEditor4",
"Effect": "Allow",
"Action": "iam:GetOpenIDConnectProvider",
"Resource": "arn:aws:iam::*:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/*"
}
]
}
```
So what am I missing?
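Both this question and the earlier sts:AssumeRole one end in the same message, "is not authorized to perform", which is IAM's implicit deny: no applicable statement allowed the action. The following added example (not code from either post, and a simplified model rather than the IAM service's evaluator) reproduces that decision offline for the two situations: an identity policy checked for iam:TagOpenIDConnectProvider, and a user trying sts:AssumeRole, which also has to pass the role's trust policy. It assumes a placeholder account id (111122223333), an abridged version of the VisualEditor3 statement above, a made-up OIDC provider id, and two possible trust policies for the new_dev role, none of which come from the posts. It models the same-account AssumeRole case as needing both the trust policy and the caller's identity policy to allow, which is what applies when the trust policy names the account root rather than the user ARN itself. NotAction, NotResource, Condition blocks, SCPs and permissions boundaries are not modelled.

```python
"""Simplified IAM policy evaluation (added example). Explicit Deny wins,
an Allow in any applicable statement grants, everything else is an
implicit deny. Action/Resource honour IAM's * and ? wildcards; Principal
is honoured for resource-based policies such as a role's trust policy."""
import fnmatch

# Constructed placeholder values, not taken from either post.
ACCOUNT = "111122223333"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/xxxxx"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/new_dev"
OIDC_ARN = f"arn:aws:iam::{ACCOUNT}:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLEID"


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    """Identity policies carry no Principal and apply to whoever they are
    attached to. Resource-based policies name who may use the statement;
    an account root ARN trusts the whole account, which then relies on the
    caller's own identity policy for the final decision."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    account = principal_arn.split(":")[4]
    return any(e in ("*", principal_arn, account, f"arn:aws:iam::{account}:root") for e in entries)


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, principal_arn, action, resource):
    """Return 'Allow' or 'Deny' for one request across all supplied policies."""
    allowed = False
    for doc in policies:
        for st in _as_list(doc.get("Statement")):
            if not _principal_matches(st, principal_arn):
                continue
            actions = [a.lower() for a in _as_list(st.get("Action"))]   # action names are case-insensitive
            if not _matches(actions, action.lower()):
                continue
            if not _matches(_as_list(st.get("Resource", "*")), resource):  # trust policies omit Resource
                continue
            if st.get("Effect") == "Deny":
                return "Deny"          # an explicit deny cannot be overridden
            allowed = True
    return "Allow" if allowed else "Deny"


def assume_role_allowed(identity_policy, trust_policy, user_arn, role_arn):
    """Same-account AssumeRole by an IAM user, modelled as needing both the
    role's trust policy and the caller's identity policy to allow."""
    trust = evaluate([trust_policy], user_arn, "sts:AssumeRole", role_arn)
    identity = evaluate([identity_policy], user_arn, "sts:AssumeRole", role_arn)
    return trust == "Allow" and identity == "Allow"


# Constructed sample policies. ADMIN mirrors AdministratorAccess; the two
# trust policies are possibilities for a Terraform-created role.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
TRUST_EC2_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
TRUST_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "sts:AssumeRole"}]}
DENY_ASSUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# Abridged form of the VisualEditor3 statement: CreateOpenIDConnectProvider is
# granted on oidc-provider/*, but no Tag* action is.
EKSCTL_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateOpenIDConnectProvider", "iam:GetOpenIDConnectProvider"],
     "Resource": "arn:aws:iam::*:oidc-provider/*"}]}
EKSCTL_IAM_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateOpenIDConnectProvider", "iam:GetOpenIDConnectProvider",
                "iam:TagOpenIDConnectProvider"],
     "Resource": "arn:aws:iam::*:oidc-provider/*"}]}

if __name__ == "__main__":
    print(evaluate([EKSCTL_IAM], USER_ARN, "iam:TagOpenIDConnectProvider", OIDC_ARN))        # Deny
    print(evaluate([EKSCTL_IAM_FIXED], USER_ARN, "iam:TagOpenIDConnectProvider", OIDC_ARN))  # Allow
    print(assume_role_allowed(ADMIN, TRUST_EC2_ONLY, USER_ARN, ROLE_ARN))                   # False
    print(assume_role_allowed(ADMIN, TRUST_ACCOUNT, USER_ARN, ROLE_ARN))                    # True
    print(evaluate([ADMIN, DENY_ASSUME], USER_ARN, "sts:AssumeRole", ROLE_ARN))             # Deny
```

The first two calls show why a policy that lists iam:CreateOpenIDConnectProvider can still fail on the same API call: the create request also performs iam:TagOpenIDConnectProvider, and each action is matched on its own. The AssumeRole calls show that AdministratorAccess on the caller is not enough by itself; the role's trust policy has to admit the caller too, so that is the first thing to inspect when the error names sts:AssumeRole. For a real account the same checks are available server-side through the IAM policy simulator (the `iam:SimulatePrincipalPolicy` API), which also handles the Condition elements this model skips.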