By using AWS re:Post, you agree to the Terms of Use

Questions tagged with AWS Identity and Access Management

Sort by most recent
  • 1
  • 12 / page

Browse through the questions and answers listed below or filter and sort to narrow down your results.

Issue with pushing an EC2 instance's Docker container logs into CloudWatch

I have a working EC2 instance in free tier, with a responding **java-based** grpc server in a docker container inside the instance.\ I'd like to send the logs of the container into the CloudWatch.\ I created the suggested policy, the EC2 role, and the role is attached to the instance.\ The container is started from the bash of the linux instance with this command:\ `docker run -d -p 9092:9092 -t <<my-container-name>> --log-driver=awslogs --log-opt awslogs-region=us-east-1 --log-opt awslogs-group="gRPC-POC" --log-opt awslogs-stream="gRPC-POC-log" --log-opt awslogs-create-group=true --log-opt awslogs-create-stream=true` \ I tried to run the container with different users, with different options of the log-driver, omitting parts and almost everything.\ The policy I created to use the CloudWatch looks like this:\ ``` { "Version": "2012-10-17", "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:PutLogEvents", "logs:DescribeLogStreams" ], "Effect": "Allow", "Resource": "arn:aws:logs:us-east-1:<<my-account-number>>:log-group:*:*" } ] } ``` So far,no sign of the gathered logs in CloudWatch even if I create a log-group and/or log-stream or I don't.\ Maybe I'm missing a step or a vital information somewhere?\ Do You have any suggestions, please? #EDIT The command `aws sts get-caller-identity` gives this result: ![Enter image description here](/media/postImages/original/IM2OUiCy6OTyi-RAGhLS-C1g) The command was used from the bash of the running instance. (This is what You meant, @Roberto? Anyways, thanks.)\ It looks like the instance has the proper right, 'GrpcPocAccessLogs'.
2
answers
0
votes
37
views
asked 3 days ago

Does the AWS SDK for JavaScript V3 handle refresh of expired temporary credentials?

I am developing an application using Amazon Cognito User Pools and Identity Pools. My application uses: * the Cognito Hosted UI and authorization code grant to get an authorization code * a POST request to a standard `oauth2/token` endpoint to exchange the authorization code for an `id_token`, `access_token`, and `refresh_token` * the AWS SDK for JavaScript V3 `fromCognitoIdentityPool` method to exchange an `id_token` for temporary AWS credentials (which are used to allow users to access various AWS services) My question relates to the expiration and refresh of these temporary AWS credentials. The IAM user guide says [here](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html): > You must make sure that you get a new set of credentials before the old ones expire. In some SDKs, you can use a provider that manages the process of refreshing credentials for you; check the documentation for the SDK you're using. I am using the AWS SDK for JavaScript V3. I have searched through these resources without finding any reference to whether or not the SDK handles refreshing of temporary credentials: 1. [The API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html) 2. [The Developer Guide](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/welcome.html) 3. [Various code files from the repository](https://github.com/aws/aws-sdk-js-v3) I did find one tangential, ambiguous reference to credential expiration and refreshing on the page ["Using Amazon Cognito Identity to authenticate users"](https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/loading-browser-credentials-cognito.html) in the section named ***Switch to Authenticated User***. I think adding a section to this page about the details of temporary credentials refresh would be extremely helpful to developers. **Does the AWS SDK for JavaScript V3 handle refresh of expired temporary credentials? Where is this described in the documentation for the SDK?** If yes: * Does the SDK handle the exchange of a `refresh_token` for an `id_token` and then exchange of an `id_token` for expired temporary credentials? * Or does the SDK require developers to write application code that exchanges a `refresh_token` for an `id_token`? (Meaning the SDK would just handle exchanging an `id_token` for expired temporary credentials)
0
answers
0
votes
35
views
profile picture
asked 6 days ago
1
answers
0
votes
92
views
asked 6 days ago

Restriction on CloudFormation StackSet with IAM condition cloudformation:TemplateUrl

I'm trying to restrict the S3 bucket used for **StackSet** templates with the IAM condition **cloudformation:TemplateUrl**, but it's does not work as expected: the IAM Policy applied always deny the CreateStackSet. See below the tested policy. The [doc page](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions) explains that you can use the condition as usual, but there is a Note that is not clear for me: ![Enter image description here](/media/postImages/original/IMUjPviuTuSAaoxl5HvXktBQ) For allowed CreateStackSet calls, the CloudTrail event included the TemplateUrl in the context, so I don't understand why the condition does not work with Stack Set. Thank for your help! ``` { "eventVersion": "1.08", [...] "eventTime": "2022-08-09T15:42:50Z", "eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStackSet", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "requestParameters": { "stackSetName": "test-deny1", "templateURL": "https://s3.amazonaws.com/trusted-bucket/EnableAWSCloudtrail.yml", "description": "Enable AWS CloudTrail. This template creates a CloudTrail trail, an Amazon S3 bucket where logs are published, and an Amazon SNS topic where notifications are sent.", "clientRequestToken": "1bd60a6d-f9dc-76a9-020a-f5a45f1bdf1e", "capabilities": [ "CAPABILITY_IAM" ] }, "responseElements": { "stackSetId": "test-deny1:97054f39-3925-47eb-92fd-09779f32bcf6" }, [...] } ``` For reference my IAM Policy: ``` { "Sid": "TemplateFromTrustedBucket", "Effect": "Allow", "Action": [ "cloudformation:CreateStackSet", "cloudformation:UpdateStackSet" ], "Resource": "*", "Condition": { "StringLike": { "cloudformation:TemplateURL": "https://s3.amazonaws.com/trusted-bucket/*" } } } ```
0
answers
0
votes
36
views
profile picture
asked 6 days ago
  • 1
  • 12 / page