Questions tagged with IAM Policies
Content language: English
Sort by most recent
Created a role but it was not available in the service. Turns out trust policy didnt contain necessary details.
How do I get the necessary service names to ad it manually ?
Im not able grant permission even after adding all the required permissions to role in aws lake
formation.
have a use case from a bigger enterprise, they are currently adopting AWS SSO with AzureAD integration. In the setup, currently account users or roles can create permissionsets with administrator access without adding Permission boundary.
The Permission Boundary policy is created for the AWS account. While manually adding the permission sets from the console and creating a new permission set, it works smoothly. Creating the permission sets without attaching permission boundary works as well. But, to be able to restrict creating the permissionsets does not seem to work by adding a Deny policy on the IAM role/user
```
{
"Sid": "DenyCreatePermissionSetWithoutBoundary",
"Effect": "Deny",
"Action": [
"sso:AttachManagedPolicyToPermissionSet",
"sso:CreateAccountAssignment",
"sso:CreatePermissionSet",
"sso:DeleteAccountAssignment",
"sso:DeleteInlinePolicyFromPermissionSet",
"sso:DeletePermissionSet",
"sso:DetachManagedPolicyFromPermissionSet",
"sso:ProvisionPermissionSet",
"sso:PutInlinePolicyToPermissionSet",
"sso:UpdatePermissionSet"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"iam:PermissionsBoundary": "ARN of the PB"
}
}
}
```
It seems the condition block is not getting evaluated for the above policy. Its either restricting the permission set overall or not restricting at all.
Is there any way to restrict creating the permission sets without adding Permission boundary?
I am logged into AWS console as administrator and trying to use Athena to read files on s3 that I don't allow public access to, but it doesn't work. budget policy is as follows, work group is The budget policy is as follows and the work group is the primary Athena SQL one. database
I have confirmed that the database is using the one generated by default and that the Data lake permissions also give All permissions to the IAM user used to log in to the console and I can open and download s3 budget file.
The DDL query for the create table including the s3 LOCATION succeeds, but when I try to hit the select statement
"Permission denied on s3 path: (s3 url)
This query ran against the "default" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: 444f5547-4c37-4e05-a4a7-d1cd67cb865d"
I think this is probably because the IAM role used in the Athena query that I type in AWS console is different from the IAM user used for login, but I don't know where to refer to the Athena IAM User. (The work group in spark has IAM, but the primary in Athena SQL didn't have IAM.)
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "sample",
"Effect": "Allow",
"Principal": {
"AWS": [
"IAM user login to console"
]
},
"Action": "s3:*",
"Resource": [
"s3 arn",
"s3 arn/*"
]
}
]
}
```
about answer
1.About Output folder, budget policy has already been set.
2.And Glue Data Catalog Policy is configured as this.
```
{
"Version" : "2012-10-17",
"Statement" : [ {
"Effect" : "Allow",
"Principal" : {
"AWS" : [ "my Iam user arn" ]
},
"Action" : "glue:*",
"Resource" : "arn:aws:glue:ap-northeast-1:my id number:*"
} ]
}
```
3.I confirmed s3 is encrypted by Amazon S3 managed keys (SSE-S3).
I mistaked encrypted by my KSM key. but user and administrater key policy is attach to my iam account
but same error happened on AWS management console Athena
error messages s3 url is one I wanted to read from s3. not output folder
Permission denied on s3 path: (s3 url)
I have a code build leading to EKS. When it calls this particular command "CREDENTIALS=$(aws sts assume-role --role-arn arn:aws:iam::3318******:role/EksWorkshopCodeBuildKubectlRole --role-session-name code-build --duration-seconds 900)" I get an error
"An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::331*****:assumed-role/codebuild-kubernetes-eks-service-role/AWSCodeBuild-31746234-c1a9-4fe9-9cbc-b0d54264613e is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::331879450537:role/EksWorkshopCodeBuildKubectlRole"
My code build trusted relationship looks like
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
I have an STS policy attached to my user, group, codebuils service role and eksworkshopkubectlrole.
What could I be doing wrong
Getting error while connecting EKS cluster error: You must be logged in to the server (Unauthorized)
Hi All,
I have create a EKS cluster . and i am trying to connect this cluster from my local machine .I am getting this error while executing kubectl command .
Required your support .
]# kubectl describe -n kube-system configmap/aws-auth
error: You must be logged in to the server (Unauthorized)
I am try create a archtecture in Learner Lab with IoT core and I want send a message on email.
I use this https://docs.aws.amazon.com/iot/latest/developerguide/iot-sns-rule.html of base tutorial, but when I click in create role show this for me
Hello,
I am trying to understand the inner workings of AWS STS GetFederationToken in combination with resource based policy as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html. Does the IAM permission policy attached to the user which calls "GetFederationToken" must contain the same IAM actions as specified in the resource policy (the s3 actions in the example) or not? The documentation is not clear for me.
Thank you very much for any help.
In most regions the following KMS key policy
```
{
"Sid": "Enable IAM policies",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "kms:*",
"Resource": "*"
}
```
[allows the account to use IAM policies to allow access to the KMS key, in addition to the key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-root-enable-iam).
However, [in the Beijing and Ningxia Regions, there is no concept of the "root user" or "account user" credentials](https://docs.amazonaws.cn/en_us/aws/latest/userguide/iam.html#feature-diff). Creating KMS key with such policy (replacing `arn:aws:` with `arn:aws-cn:`) fails. Is it possible to enable IAM policies for KMS keys in Chinese regions? If so, how?
I am deploying the components from s3 bucket, but it stucked in “In process”. I think it is permissions error for this, I followed [https://docs.aws.amazon.com/greengrass/v2/developerguide/device-service-role.html]. But it still in process, can anyone tell me the more about it.
Thank you
Nik
Yesterday we wanted to store my network load balancer access logs in a S3 bucket so by following the [docs](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html) we copied and edited the policy and when we pasted it and saved it, the NLB didn't have permission to use the bucket.
We noticed that the `"aws:SourceAccount": ["0123456789"]` kept getting saved as `"aws:SourceAccount": "0123456789"` even when we updated the policy using the AWS CLI (e.g. `aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json`)
Is this a bug in the API that is preventing me to use this as we want?
Any help would be greatly appreciated.