Questions tagged with IAM Policies
I want to create a custom IAM policy with custom IAM actions, something like below:
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "myCustomService:MyCustomAction",
        "myCustomService1:MyCustomAction1"
      ],
      "Resource": "*"
    }
  ]
}
```
I need this to control client/user/client application access to my application running in an EKS cluster.
Thanks in advance.
I am creating an EKS cluster from scratch, but every time I do I get the following error:
```
2023-03-28 15:08:05 [✖] creating OIDC provider: operation error IAM: CreateOpenIDConnectProvider, https response error StatusCode: 403, RequestID: bacf7543-bfe0-4b1c-982e-a81e61cef1c7, api error AccessDenied: User: arn:aws:sts::*:assumed-role/DEV-EC2-JenkinsMaster-Instance/i-09f8b9ad4eb5hhh09 is not authorized to perform: iam:TagOpenIDConnectProvider on resource: arn:aws:iam::*:oidc-provider/oidc.eks.us-east-1.amazonaws.com because no identity-based policy allows the iam:TagOpenIDConnectProvider action
```
After much effort and looking I found the following policy which I have in place.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:DeleteInternetGateway",
      "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:ModifyListener",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeInstances",
        "ec2:AttachInternetGateway",
        "ec2:DeleteRouteTable",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:CreateRoute",
        "ec2:CreateInternetGateway",
        "ec2:DescribeVolumes",
        "ec2:DeleteInternetGateway",
        "ec2:DescribeKeyPairs",
        "iam:GetRole",
        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
        "ec2:ImportKeyPair",
        "ec2:CreateTags",
        "elasticloadbalancing:CreateTargetGroup",
        "ecr:GetAuthorizationToken",
        "ec2:RunInstances",
        "ec2:DisassociateRouteTable",
        "ec2:CreateVolume",
        "ec2:RevokeSecurityGroupIngress",
        "elasticloadbalancing:AddTags",
        "ec2:DescribeImageAttribute",
        "elasticloadbalancing:DeleteLoadBalancerListeners",
        "ec2:DeleteNatGateway",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:CreateSubnet",
        "ec2:DescribeSubnets",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "ecr:InitiateLayerUpload",
        "ec2:AttachVolume",
        "ec2:CreateNatGateway",
        "ec2:CreateVpc",
        "ecr:ListImages",
        "ec2:DescribeVpcAttribute",
        "ec2:ModifySubnetAttribute",
        "autoscaling:DescribeScalingActivities",
        "ec2:DescribeAvailabilityZones",
        "ssm:GetParametersByPath",
        "elasticloadbalancing:CreateLoadBalancerPolicy",
        "ec2:ReleaseAddress",
        "ec2:DeleteLaunchTemplate",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:DeleteTargetGroup",
        "ec2:DescribeSecurityGroups",
        "autoscaling:CreateLaunchConfiguration",
        "ec2:CreateLaunchTemplate",
        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
        "ec2:DescribeVpcs",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
        "ec2:DeleteSubnet",
        "elasticloadbalancing:RegisterTargets",
        "ec2:DescribeVolumesModifications",
        "ssm:GetParameter",
        "ec2:AssociateRouteTable",
        "elasticloadbalancing:DeleteLoadBalancer",
        "ec2:DescribeInternetGateways",
        "elasticloadbalancing:DescribeLoadBalancers",
        "ec2:DeleteVolume",
        "ssm:DeleteParameter",
        "ssm:DescribeParameters",
        "autoscaling:DescribeAutoScalingGroups",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "autoscaling:UpdateAutoScalingGroup",
        "ec2:DescribeAccountAttributes",
        "elasticloadbalancing:ModifyTargetGroupAttributes",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "ec2:DescribeRouteTables",
        "ecr:BatchCheckLayerAvailability",
        "ec2:DetachVolume",
        "ec2:ModifyVolume",
        "ec2:DescribeLaunchTemplates",
        "ecr:GetDownloadUrlForLayer",
        "ec2:CreateRouteTable",
        "cloudformation:*",
        "elasticloadbalancing:DeregisterTargets",
        "ec2:DetachInternetGateway",
        "ssm:GetParameters",
        "ssm:DeleteParameters",
        "ecr:PutImage",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "ssm:PutParameter",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ec2:DeleteVpc",
        "eks:*",
        "autoscaling:CreateAutoScalingGroup",
        "ec2:DescribeAddresses",
        "ec2:DeleteTags",
        "elasticloadbalancing:ConfigureHealthCheck",
        "autoscaling:DescribeLaunchConfigurations",
        "ec2:DescribeDhcpOptions",
        "ecr:UploadLayerPart",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:DescribeListeners",
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateSecurityGroup",
        "ecr:CompleteLayerUpload",
        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
        "kms:DescribeKey",
        "ecr:DescribeRepositories",
        "ec2:ModifyVpcAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:AuthorizeSecurityGroupEgress",
        "elasticloadbalancing:AttachLoadBalancerToSubnets",
        "ec2:DescribeTags",
        "ssm:GetParameterHistory",
        "ec2:DeleteRoute",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeNatGateways",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "ec2:AllocateAddress",
        "ec2:DescribeImages",
        "autoscaling:DeleteLaunchConfiguration",
        "ec2:DeleteSecurityGroup",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyTargetGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
        }
      }
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetRole",
        "iam:GetInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:ListInstanceProfiles",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateOpenIDConnectProvider",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:CreateServiceLinkedRole",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:DeleteRolePolicy",
        "iam:DeleteServiceLinkedRole",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::*:instance-profile/eksctl-*",
        "arn:aws:iam::*:role/eksctl-*",
        "arn:aws:iam::*:role/aws-service-role/eks.amazonaws.com/*",
        "arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/*",
        "arn:aws:iam::*:oidc-provider/*"
      ]
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": "iam:GetOpenIDConnectProvider",
      "Resource": "arn:aws:iam::*:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/*"
    }
  ]
}
```
So what am I missing?
I am working on IaC EKS using Terraform.
<https://www.ahead.com/resources/automate-iam-role-mapping-on-amazon-eks>
I receive the error below.
```
Error: creating IAM Role (eks_admin): MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::xxxxxxxxxxx:user/eks-test-usr"
status code: 400
```
```
resource "aws_iam_role" "eks_admin" {
  name = "eks_admin"
  # Trust policy: who may call sts:AssumeRole on this role
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action    = "sts:AssumeRole"
        Effect    = "Allow"
        Sid       = ""
        Principal = { "AWS" : "${var.assume_role}" }
      },
    ]
  })
  # Permissions granted to whoever assumes the role
  inline_policy {
    name = "eks_admin_policy"
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Action   = ["eks:DescribeCluster"]
          Effect   = "Allow"
          Resource = "*"
        },
      ]
    })
  }
}
```
I pass the variable as `assum_role=["eks-test-dev","eks-test-admin"]`.
I want to delete the user pool but am receiving the following error message from the AWS web console: Failed to deactivate deletion protection
Code: `InvalidSmsRoleTrustRelationshipException`
Message: `Role does not have a trust relationship allowing Cognito to assume the role`
How could I disable the protection and delete the user pool?
I want to be able to implement Attribute Based Access Controls on a complex data system.
To implement this, I want to use a dynamic verification ideally completely in IAM to preserve performance.
For example:
Person A has been given permissions to see objects with Green, Purple and Blue categories, but cannot see objects that have a Vehicle category.
Person B can see Purple and Vehicle but cannot see Green or Blue.
Object A is stored in the Vehicle category in S3 and also contains Blue data.
We initially looked at tags, but the customer currently manages thousands of tags and that equates to billions of potential tag combinations - and this number is always growing.
I am looking for a clean way to implement this access control that would meet these requirements.
I want to transfer my root user to an IAM user account; am I still able to manage the IAM user accounts that were linked to my root account after the transfer?
After closing my root account, all the IAM user accounts, including my admin IAM account, are now getting an authentication error when trying to log in to the AWS console.
My plan is to terminate my root account and transfer to an admin account without the IAM users getting authentication errors when they try to log in, while still being able to manage those IAM user accounts.
How can I resolve this issue?
I set up AdministratorAccess for my role; this is a master-level policy for this role to pass all the services, especially AWS Glue. I want to create a crawler to build an ETL pipeline and load data into a database in the AWS Glue catalog, but I am stuck on a 400 access denied error. I tried many ways, like:
- Changing the credit card and setting it as default
- Adding permissions many times; it still failed.
When I execute the command:
```
aws ec2 export-image --image-id ami-04f516c --disk-image-format vmdk --s3-export-location S3Bucket=ami-export
```
I get the following error:
```
An error occurred (InvalidParameter) when calling the ExportImage operation: Insufficient permissions - please verify bucket ownership and write permissions on the bucket. Bucket: ami-export
```
I couldn't change the permissions.
Can someone help me?
# Requirement
I have been able to set up IAM Identity Center and provide log-in credentials for access to AWS services (let's use S3 as an example); however, I'd like to limit any console access to this service to a single region to isolate some users' workspaces from others'.
# Attempted Config
I created the following IAM policy named `RegionRestrict` then imported it into IAM Identity Center when mapping a user to an AWS Organizations account. I referred to a few guides and found that the Condition shared in this guide <https://aws.amazon.com/blogs/security/easier-way-to-control-access-to-aws-regions-using-iam-policies/> only applies to API requests (and not console access), thus I ended up using `ec2:Region` instead of the global region flag.
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "us-east-1"
        }
      }
    }
  ]
}
```
# Issues
When assigning a Permissions set to a user, I receive the following error:
```
1 of 1 failed to be configured.
You can retry submitting them, or you can leave the page and the failed assignments won’t be submitted.
Assign user "permission-test" to AWS account "permissions-test" with permission set "RegionRestrict"
Received a 404 status error: Not supported policy arn:aws:iam::############:policy/RegionRestrict.
```
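Both the OIDC-provider 403 above (the policy grants `iam:CreateOpenIDConnectProvider` but the error names `iam:TagOpenIDConnectProvider`) and the `RegionRestrict` condition can be reasoned about with a small identity-based policy evaluator. The following is an added illustration written for this page, not code from any poster or from AWS: it models only Allow/Deny effects, `*`/`?` wildcards and `StringEquals`, uses a constructed subset of the eksctl policy, and assumes a constructed provider ARN in place of the redacted one in the error.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, fold_case):
    # IAM wildcards '*' and '?'; action names are case-insensitive, ARNs are not
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(cond, ctx):
    # Only StringEquals is modelled; every listed key must match the request context
    return all(ctx.get(k) in _as_list(v) for k, v in cond.get("StringEquals", {}).items())

def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Simplification: NotAction/NotResource and other condition operators are not handled."""
    ctx, decision = context or {}, "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if (_matches(stmt.get("Action", []), action, True)
                and _matches(stmt.get("Resource", []), resource, False)
                and _condition_ok(stmt.get("Condition", {}), ctx)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision

# Constructed subset of the eksctl policy from the OIDC question: it grants
# Create but not Tag on the OIDC provider, which is what the 403 complains about
EKS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["iam:CreateOpenIDConnectProvider", "iam:GetRole"],
    "Resource": ["arn:aws:iam::*:oidc-provider/*", "arn:aws:iam::*:role/eksctl-*"]}]}
# The RegionRestrict policy from the Identity Center question, verbatim
REGION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "ec2:*", "Resource": "*",
    "Condition": {"StringEquals": {"ec2:Region": "us-east-1"}}}]}
# Constructed provider ARN standing in for the redacted one in the error message
OIDC_ARN = "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"

def oidc_decisions():
    # Decision for the action eksctl ran, then for the one the error names
    return (evaluate(EKS_POLICY, "iam:CreateOpenIDConnectProvider", OIDC_ARN),
            evaluate(EKS_POLICY, "iam:TagOpenIDConnectProvider", OIDC_ARN))

def region_decision(region):
    # ec2:DescribeInstances under RegionRestrict with the given ec2:Region context
    return evaluate(REGION_POLICY, "ec2:DescribeInstances", "*", {"ec2:Region": region})
```

The second tuple element of `oidc_decisions()` is the implicit deny the 403 reports, and `region_decision` shows the condition only matters for requests that carry an `ec2:Region` key, which is why the poster found the global region key insufficient for console access.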
Hi,
For adding a user with a home directory mapping, I tried the stack template below.
However, the home directory was not created after the stack was run. It was in restricted mode.
If we edit the user configuration manually, we can uncheck Restricted.
I want to implement this mode in the YAML template.
Please help me do better.
```
GoldcoastTvodUser:
  Type: 'AWS::Transfer::User'
  Properties:
    HomeDirectoryMappings:
      - Entry: /
        Target: /goldcoast-tvod
    HomeDirectoryType: LOGICAL
    Policy:
      'Fn::Sub': |
        {
          "Version": "2012-10-17",
          "Statement": {
            "Sid": "AllowFullAccessToBucket",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
              "arn:aws:s3:::goldcoast-tvod",
              "arn:aws:s3:::goldcoast-tvod/*"
            ]
          }
        }
    Role:
      'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:role/TransferManagementRole'
    ServerId:
      'Fn::GetAtt': TransferServer.ServerId
    SshPublicKeys:
      - >-
        ssh-rsa
        AAAAB
    UserName: GoldcoastTvodUser
```
Hello, my question is just whether or not I could use the kms:ViaService condition key in an IAM policy with FIPS endpoints specified? I need to use FIPS endpoints for compliance reasons and I can't find any documentation that details this. The kms:ViaService supported services table does not include FIPS endpoints (Services that support the kms:ViaService condition key - example elasticfilesystem.AWS_region.amazonaws.com). See here - https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service
An example of the IAM policy would be - https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html
```
"Resource": "*",
"Condition": {
  "StringEquals": {
    "kms:ViaService": "elasticfilesystem.us-east-2.amazonaws.com",
    "kms:CallerAccount": "111122223333"
```
**But I would like to use -**
```
"Resource": "*",
"Condition": {
  "StringEquals": {
    "kms:ViaService": "elasticfilesystem-fips.us-gov-east-1.amazonaws.com",
    "kms:CallerAccount": "111122223333"
```
Should this work? I feel like it would, because for compliance reasons a lot of GovCloud workloads are required to use FIPS endpoints, and this seems like a gap otherwise.