Questions tagged with AWS Identity and Access Management


action geo:GetPlace not recognizable for IAM policy

Currently working on an app that uses the Amazon Location Service. Everything is working well, from rendering the map to autocomplete and reverse geocoding. But I would like to use the results from autocomplete by using the method geo:GetPlace using PlaceIndex and PlaceID. The function is being called successfully with the correct parameters, but the function is returning an error 403 saying that the user is not authorized to use action geo:GetPlace. I have configured the IAM policy using Cognito and it has the appropriate actions and resources. But when I try to enter geo:GetPlace I get an error that it is not recognizable. Does anyone know how to enter this action in the IAM policy?

Here is the error:

```
AccessDeniedException: User: arn:aws:sts::58*******976:assumed-role/Cognito_*************Management_***/CognitoIdentityCredentials is not authorized to perform: geo:GetPlace on resource: arn:aws:geo:ap-southeast-1:58*****65976:*
```

Here is my code:

```javascript
// AWS SDK for JavaScript v2 (the import was not shown in the original snippet)
const AWS = require("aws-sdk");

const identityPoolId = "ap-southeast-1:*******-6dcb-***-ad06-*******";
AWS.config.region = identityPoolId.split(":")[0];

// instantiate an Amazon Cognito-backed credential provider
const credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: identityPoolId,
});

const location = new AWS.Location({ credentials, region: AWS.config.region });

// Returns a click handler that fetches the details of one autocomplete result
const getLocation = (placeID) => () => {
  console.log("getting place..");
  console.log(placeID);
  let params = {
    IndexName: "IndexGrabber",
    PlaceId: placeID,
  };
  location.getPlace(params, function (err, data) {
    if (err) console.log(err.stack); // 403 AccessDeniedException lands here
    console.log(data);
  });
};
```

IAM Policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "geo:SearchPlaceIndexForText",
        "geo:SearchPlaceIndexForSuggestions",
        "geo:GetMap*",
        "geo:SearchPlaceIndexForPosition"
      ],
      "Resource": [
        "arn:aws:geo:ap-southeast-1:************:place-index/HEREGrabber",
        "arn:aws:geo:ap-southeast-1:************:place-index/LocationGrabber",
        "arn:aws:geo:ap-southeast-1:************:map/LocationGrabber",
        "arn:aws:geo:ap-southeast-1:************:map/GreyLocationGrabber",
        "arn:aws:geo:ap-southeast-1:************:map/HEREGrabber"
      ],
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://localhost:*/*",
            "http://jularbs.com:*/*",
            "http://*******.herokuapp.com/*"
          ]
        }
      }
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "geo:GetPlace",
      "Resource": [
        "arn:aws:geo:ap-southeast-1:************:place-index/HEREGrabber",
        "arn:aws:geo:ap-southeast-1:************:place-index/LocationGrabber",
        "arn:aws:geo:ap-southeast-1:************:map/LocationGrabber",
        "arn:aws:geo:ap-southeast-1:************:map/GreyLocationGrabber",
        "arn:aws:geo:ap-southeast-1:************:map/HEREGrabber"
      ],
      "Condition": {
        "StringLike": {
          "aws:Referer": [
            "http://localhost:*/*",
            "http://jularbs.com:*/*",
            "http://*******.herokuapp.com/*"
          ]
        }
      }
    }
  ]
}
```
3 answers · 0 votes · 82 views · jularbs asked a month ago

AWS ECR allow roles from secondary account

I have an ECR in a prod account that I want to grant push access to from the dev role. This is my current policy:

```json
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPushPull",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::account:role/rolename",
          "arn:aws:sts::account:assumed-role/rolename/instance",
          "arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session"
        ]
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:BatchGetImage",
        "ecr:CompleteLayerUpload",
        "ecr:DescribeImages",
        "ecr:DescribeRepositories",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetLifecyclePolicy",
        "ecr:GetLifecyclePolicyPreview",
        "ecr:GetRepositoryPolicy",
        "ecr:InitiateLayerUpload",
        "ecr:ListImages",
        "ecr:PutImage",
        "ecr:PutLifecyclePolicy",
        "ecr:SetRepositoryPolicy",
        "ecr:StartLifecyclePolicyPreview",
        "ecr:UploadLayerPart"
      ]
    }
  ]
}
```

Running `aws sts get-caller-identity` I can see I have the role checked out ("arn:aws:sts::account:assumed-role/rolename/AWSCLI-Session"), but I do not have access to push. I receive the following until timeout:

```
The push refers to repository [account.dkr.ecr.us-west-2.amazonaws.com/repo]
87e2ce75493a: Retrying in 4 seconds
```

My non-prod account does exist in us-east-1, but my login command specifies west:

```
task: [docker:ecr-login] aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin account.dkr.ecr.us-west-2.amazonaws.com
```

Any ideas what may be my problem on this repo? (This works with my production account, so the registry is valid.) Also, this works when I use my dev account and allow the user IAM.
1 answer · 0 votes · 38 views · asked 2 months ago

[URGENT] AWS SSO Failing with botocore.exceptions.ClientError: An error occurred (InternalServerException) when calling the GetRoleCredentials operation (reached max retries: 4): internal error

Hello,

Starting in the recent hour today we cannot log in using SSO from external (standalone) applications; we have done no change on our side. The AWS Management Console works; however, 3rd-party desktop applications are not working. This is an across-the-board issue. When I try to manually trigger SSO with a test program, I get the exception `botocore.exceptions.ClientError`:

```
An error occurred (InternalServerException) when calling the GetRoleCredentials operation (reached max retries: 4): internal error
```

The sequence is based on the AWS examples available and is provided below; it worked perfectly until recent hours. Does anyone experience the same? What is the right channel to provide the information to AWS?

Regards,
Alon

---

```python
#!/usr/bin/env python3
import time
import typing

import boto3.session


def awssso(
    sso_start_url: str,
    sso_region: str,
    sso_account_id: str,
    sso_role_name: str,
    region: str,
    urlopenner: typing.Callable[[str], None] = lambda url: print(
        f"Please open URL: {url}"
    ),
) -> tuple[boto3.session.Session, time.struct_time]:
    """Run the SSO device-code flow and return a boto3 session holding the
    role credentials, together with their expiry as a UTC struct_time."""
    session = boto3.session.Session()
    sso_oidc = session.client("sso-oidc", sso_region)

    # Register a public OIDC client and start the device authorization.
    client_creds = sso_oidc.register_client(
        clientName="myapp",
        clientType="public",
    )
    device_authorization = sso_oidc.start_device_authorization(
        clientId=client_creds["clientId"],
        clientSecret=client_creds["clientSecret"],
        startUrl=sso_start_url,
    )
    urlopenner(device_authorization["verificationUriComplete"])

    # Poll for the token until the user approves in the browser or the
    # device code expires.
    for _ in range(
        device_authorization["expiresIn"] // device_authorization["interval"]
    ):
        time.sleep(device_authorization["interval"])
        try:
            token = sso_oidc.create_token(
                grantType="urn:ietf:params:oauth:grant-type:device_code",
                deviceCode=device_authorization["deviceCode"],
                clientId=client_creds["clientId"],
                clientSecret=client_creds["clientSecret"],
            )
            break
        except sso_oidc.exceptions.AuthorizationPendingException:
            pass
    else:
        raise RuntimeError("Timeout while waiting for authorization")

    # Exchange the access token for temporary credentials of the chosen role.
    # This is the call that currently fails with InternalServerException.
    role_creds = session.client("sso", sso_region).get_role_credentials(
        roleName=sso_role_name,
        accountId=sso_account_id,
        accessToken=token["accessToken"],
    )["roleCredentials"]
    # "expiration" is epoch milliseconds.
    role_expiration = time.gmtime(role_creds["expiration"] / 1000)
    return (
        boto3.session.Session(
            region_name=region,
            aws_access_key_id=role_creds["accessKeyId"],
            aws_secret_access_key=role_creds["secretAccessKey"],
            aws_session_token=role_creds["sessionToken"],
        ),
        role_expiration,
    )


def test() -> None:
    session, ttl = awssso(
        sso_start_url="https://<snip>.awsapps.com/start",
        sso_region="us-east-1",
        sso_account_id="<snip>",
        sso_role_name="<snip>",
        region="us-east-1",
    )
    print(f"Identity: {session.client('sts').get_caller_identity()}")
    print(f"TTL: {ttl}")
    for b in session.resource("s3").buckets.all():
        print(b)


if __name__ == "__main__":
    test()
```
2 answers · 1 vote · 35 views · asked 2 months ago