Questions tagged with AWS Identity and Access Management
Did we use AWS Organizations wrong?
Rather than sharing a single "root" login for **account A** on a 3rd-party service, it's often preferable to invite other accounts (B, C, D, etc.) and assign permissions to each of these accounts (admin, viewer, etc.). The "owner" of AWS **account A** invited the owner of **account B** into their "organization" by using owner B's email address associated with **B's** AWS root account. Assumption: **B** would remain independent but be able to switch into a management (admin) role of account **A** as authorized. **A** should not have ANY access to account **B**. Now it would appear account **A** has consumed account **B**?!?! What does "Organization" mean in AWS parlance (read: layman's speak)? An IAM role is what should have been done, but now I'm trying to understand what happened and help them back out of this… if possible?
IAM Role (arn:aws:iam::xxxxxxxxxxxx:role/demo) cannot be assumed
I created an assume role 2 months back in a dev account and updated my root user in the trust relationship. Terraform was working fine with that configuration. Now I have done the same thing, but while running terraform plan I am getting this error:

Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: c0e2ae10-cbaf-44b3-9ecc-16e180405088, api error AccessDenied: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/demo/aws-go-sdk-1667304405742939100 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/demo

I don't know what the reason is; the roles and trust relationship were exactly the same, but may I know what the reason for this error is? I used the role which was created before and ran terraform, which is working perfectly fine. The roles which were created now are facing these errors. Has AWS made any updates regarding these? Should I add any policies for this? I can't get what the cause of this error is. I am able to switch role using the console; everything works fine in the console. I get this error only with terraform.
S3 bucket per tenant approach. Can I assign different IAM roles for different users in the Amplify project?
Please let me know if this is a valid approach or I am missing something fundamental.

**Requirement**:
- I need to be able to restrict each tenant's users from accessing each other's S3 files
- and be able to measure each tenant's space usage in S3.

**Solution I think to implement**: Upon user signup, we check if this is a sign-up by invitation to an already existing tenant space or a new registration:
- if it's a new tenant, then we register him in a custom DynamoDB table and create an S3 bucket for him
- if it's a new user in an existing tenant, we only add him to the IAM role that can access the tenant's S3 bucket

**Details**: I currently am using a Cognito custom attribute to save the tenant ID (it's configured to not be changeable by the user itself) and struggle to figure out how I can affect the role mapping in the Cognito identity pool to implement the above logic. Please give me directions to dig further or advice on the overall approach in general.

Some of the ideas are taken from this article https://medium.com/@dantasfiles/multi-tenant-aws-amplify-method-2-cognito-groups-38b40ace2e9e and it also suggests using Cognito dynamic groups to differentiate tenants, and it seems to resolve the S3 issue as well, but with dynamic groups sync events won't work, right?

> Known limitation: Real-time subscriptions are not supported for dynamic group authorization.

https://docs.amplify.aws/cli/graphql/authorization-rules/#user-group-based-data-access

There is also this question https://repost.aws/questions/QUW1WibDWjQd2rOll4mDiPMA which suggests using a Lambda and presigned S3 URLs to regulate access to S3 files based on the tenant logic.
Delegating full access to EC2 instance
Hello, I would like to delegate full access to EC2 to a third party (developer) by creating a role in IAM and then giving them permission to only access the EC2 services, whilst keeping business and other information confidential. Could you please let me know if the right permission would be 'AmazonEC2FullAccess' and what exactly this permission provides? If convenient, please let me know the order of the steps needed to delegate access to a third party without compromising the security of my account. In this regard, would AWS Access Analyzer monitor the access by the third party? Thanks!
Issue adding user to the list
Hello all, we are using a dashboard: https://app.monitron.aws/ We want to add a general user to the list in order to have only read rights. The user is: firstname.lastname@example.org. When I try to add it, the 'Add' button remains grey. Can you please help me with this case? Kind regards,
Powershell script works on one EC2 instance but not another
I have a simple PowerShell script to upload a file to S3. I have 2 EC2 instances that use the same IAM profile. The instances and S3 bucket all live in the same AWS account. RDP into one instance, open a PowerShell prompt as admin, and the script works. RDP to the other instance, open a PowerShell prompt as admin, and the script fails with:

Write-S3Object : Access Denied

To check networking/routing, both instances can open a browser and surf the web. I assume the credentials used are the role assigned to the instances. If it matters, this is the ps1 script (access point obfuscated):

```powershell
$ArtifactFile = "c:\temp\junk1.txt"
$S3BucketAP = "arn:aws:s3:us-east-1:1234567890:accesspoint/my-s3-ap"
$Key = "Junk3\junk1.txt"
Write-S3Object -BucketName $S3BucketAP -Key $Key -File $ArtifactFile
```

Where else can I look to debug?
Connecting to a MySQL database hosted on AWS EC2 from another AWS account using a Glue connection.
I have two AWS accounts, say S1 and S2. In the S1 AWS account I created an EC2 instance, and within that instance I hosted a MySQL database containing some tables. Now I want to connect to this data store from the other AWS account S2 using an AWS Glue connection. I created a connection in the S2 AWS account using JDBC and other related credentials, but when I test my connection it fails. Can you please guide me on how I can successfully create the connection? Thank you.
AWS SDK for .NET can't access credentials with IIS
I have written some code to retrieve my secrets from AWS Secrets Manager to be used for further processing by other components. In my development environment I configured my credentials using the AWS CLI. Once the code was compiled I was able to run it from VS and also from the exe that is generated. My question is that once it's on my IIS production server, I repeat these steps but it doesn't work, because I run the steps as the user account I'm logged in as, but the IIS process doesn't run as the logged-in user, so the code can't get what it needs. I want the IIS process to be able to access these credentials under its own user profile. How do I place the credentials under that profile? I do not want credentials just randomly somewhere on the system. ETA: This is an on-prem production server...
Greengrass autoprovision with temp credentials is broken?
I've been trying to autoprovision Greengrass devices using temporary credentials. It always fails at the same spot. I've tried on different types of devices.

Attaching TES role policy to IoT thing...
Exiting due to unexpected error while looking up managed policy - The security token included in the request is invalid (Service: Iam, Status Code: 403, Request ID: 18d4f9c5-3f9a-49dc-YYYY-XXXXXXXXXXXXX, Extended Request ID: null)
Error while trying to setup Greengrass Nucleus
software.amazon.awssdk.services.iam.model.IamException: The security token included in the request is invalid (Service: Iam, Status Code: 403, Request ID: 18d4f9c5-3f9a-49dc-YYYY-XXXXXXXXXXX, Extended Request ID: null)

The creds are exported as environment vars correctly. I confirm the temp credentials work on the devices using other AWS CLI commands. I also confirm it's calling the original user's permissions with: aws sts get-caller-identity

If I use the original user's access key and secret, the device will autoprovision correctly. But never with temp credentials. Nucleus version is 2.8.1. Temp creds WILL WORK if you don't have '--provision true' set. I don't believe any special permissions are ever needed for TES. So I think there may be some endpoint issue in the Nucleus code. Someone please prove me wrong, it's driving me crazy.