Questions tagged with AWS Identity and Access Management


Missing (resource) permission in AWSAppRunnerFullAccess causes failure when calling the CreateVpcConnector operation

Not really a question, more of a 'bug report'. A solution is provided in this post. `arn:aws:iam::aws:policy/AWSAppRunnerFullAccess` is missing the permission to create the `AWSServiceRoleForAppRunnerNetworking` service role. That makes it impossible to create a VPC connector despite using the `FullAccess` policy. The error message doesn't really help, as the policy it points to is in fact attached.

Steps to reproduce:

1. Use a user or assume a role with `AWSAppRunnerFullAccess` permissions.
2. Run

```shell
aws apprunner create-vpc-connector --vpc-connector-name test-vpc-connector --subnets <subnets> --security-groups <security-groups>
```

The command produces the following error:

> "An error occurred (InvalidRequestException) when calling the CreateVpcConnector operation: AccessDenied. Couldn't create a service-linked role for App Runner. When creating the first vpc connector in the account, caller must have the 'iam:CreateServiceLinkedRole' permission. Use the 'AWSAppRunnerFullAccess' managed user policy to ensure users have all required permissions."

Temporary solution: add an additional policy with `Allow` `iam:CreateServiceLinkedRole` on resource `arn:aws:iam::*:role/aws-service-role/apprunner.amazonaws.com/AWSServiceRoleForAppRunner`. Long term, I believe it should be added to AWSAppRunnerFullAccess.

1 answer · 0 votes · 39 views · Pszem · asked a month ago

IAM ABAC tag problems: User is not authorized to perform: execute-api:Invoke on resource

I'm trying to call an API Gateway endpoint from my web app but getting the error:

```
User: arn:aws:sts::<number>:assumed-role/my_identity_pool_auth_role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-west-2:********9277:<api-gateway id>/test/GET/theme
```

I have a user pool set up in which I've created two groups, one of which I'd like to give access to execute the endpoint mentioned above. The user pool group has an IAM role attached with no permissions, but the following trust relationship:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "cognito-identity.amazonaws.com" },
      "Action": [ "sts:AssumeRoleWithWebIdentity", "sts:TagSession" ],
      "Condition": {
        "StringEquals": { "cognito-identity.amazonaws.com:aud": "<identity pool id>" }
      }
    }
  ]
}
```

and a tag with:

```
key: user_role
value: end_user_basic
```

The identity pool auth role has the permissions and trust relationship below:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cognito-identity:*",
        "mobileanalytics:PutEvents",
        "cognito-sync:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-2:*:<api-gateway id>/*/GET/theme",
      "Condition": {
        "StringEquals": { "aws:PrincipalTag/user_role": "end_user_basic" }
      }
    }
  ]
}
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "cognito-identity.amazonaws.com" },
      "Action": [ "sts:AssumeRoleWithWebIdentity", "sts:TagSession" ],
      "Condition": {
        "StringEquals": { "cognito-identity.amazonaws.com:aud": "<identity pool id>" },
        "ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" }
      }
    }
  ]
}
```

In the identity pool settings, I have 'authenticated role selection' set to 'user default role' and 'attributes for access control' set to 'use custom mappings' with the below:

```
Tag key for principal: user_role
Attribute name: user_role
```

And when I make the request, my ID token has a payload something like below:

```
{
  "sub": ...,
  "cognito:groups": [ "<the correct cognito user group>" ],
  "iss": ...,
  "cognito:username": ...,
  "origin_jti": ...,
  "cognito:roles": [ "<the correct iam role with tag attached>" ],
  "aud": ...,
  "event_id": ...,
  "token_use": "id",
  "auth_time": ...,
  "exp": ...,
  "iat": ...,
  "jti": ...,
  "email": ...
}
```

so the user belongs to the correct group with the correct IAM role applied. I'm new to AWS so I'm sure I'm missing something daft, but if somebody could point me in the right direction I'd be grateful. As an aside, if I remove the condition below:

```
"Condition": {
  "StringEquals": { "aws:PrincipalTag/user_role": "end_user_basic" }
}
```

from the identity pool auth role, I can make the API call successfully.

0 answers · 0 votes · 44 views · steve · asked a month ago

How to download an S3 file to a Windows 2022 EC2 instance with CloudFormation Init? Getting Access Denied error.

I'm trying to download a file from an S3 bucket onto an EC2 Windows server. I've set up the IAM role, policy, and profile. In the CloudFormation::Init section of the server, I have different configSets and one of them is downloading a file from the bucket.

```
--- Some items not shown ---
"Parameters": {
  "S3BucketName": {
    "Description": "The name of an existing S3 bucket that the server needs to access.",
    "Type": "String",
    "Default": "ccw-to-rds-poc-1"
  },
  --- Some parameters not shown ---
"InstanceRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": [ "ec2.amazonaws.com" ] },
          "Action": [ "sts:AssumeRole" ]
        }
      ]
    },
    "Path": "/"
  }
},
"RolePolicies": {
  "Type": "AWS::IAM::Policy",
  "Properties": {
    "PolicyName": "S3Download",
    "PolicyDocument": {
      "Statement": [
        {
          "Action": [ "s3:GetObject" ],
          "Effect": "Allow",
          "Resource": { "Fn::Join": [ "", [ "arn:aws:s3:::", { "Ref": "S3BucketName" } ] ] }
        }
      ]
    },
    "Roles": [ { "Ref": "InstanceRole" } ]
  }
},
"InstanceProfile": {
  "Type": "AWS::IAM::InstanceProfile",
  "Properties": {
    "Path": "/",
    "Roles": [ { "Ref": "InstanceRole" } ]
  }
},
"myAppServer": {
  "Type": "AWS::EC2::Instance",
  "Metadata": {
    "AWS::CloudFormation::Authentication": {
      "S3AccessCreds": {
        "type": "S3",
        "roleName": { "Ref": "InstanceRole" },
        "buckets": [ { "Ref": "S3BucketName" } ]
      }
    },
    "AWS::CloudFormation::Init": {
      "configSets": {
        "downloadS3Data": [ "downloadS3" ],
        "Full": [ { "ConfigSet": "downloadS3Data" }, "fullServer" ],
        "default": [ { "ConfigSet": "Full" } ],
        "App": [ { "ConfigSet": "downloadS3Data" }, "appServer" ],
        "Interface": [ { "ConfigSet": "downloadS3Data" }, "interfaceServer" ],
        "Notification": [ { "ConfigSet": "downloadS3Data" }, "notificationServer" ]
      },
      "downloadS3": {
        "files": {
          "C:\\Users\\Administrator\\Documents\\s3download.bak": {
            "source": "https://ccw-to-rds-poc-1.s3.us-east-2.amazonaws.com/test.txt",
            "authentication": "S3AccessCreds"
          }
        }
      },
      "fullServer": {
        "commands": {
          "test": {
            "command": "echo \"$MAGIC\"",
            "env": { "MAGIC": "I am from the full server env" },
            "cwd": "C:\\Users\\Administrator\\Desktop"
          }
        }
      },
      --- Some config sets not shown ---
    }
  },
  "Properties": {
    "IamInstanceProfile": { "Ref": "InstanceProfile" },
    "ImageId": "ami-012bb86d0081c5240",
    "InstanceType": "t2.small",
    "KeyName": { "Ref": "keypair" },
    "SecurityGroupIds": [ "sg-0d0b50ca1774707b7" ],
    "UserData": {
      "Fn::Base64": {
        "Fn::Join": [ "", [
          "<powershell>\n",
          "cfn-init.exe -v -s ", { "Ref": "AWS::StackId" },
          " -r YourInstance -c ", { "Ref": "CCWServerType" },
          " --region ", { "Ref": "AWS::Region" }, "\n",
          "</powershell>\n",
          "<persist>true</persist>"
        ] ]
      }
    }
  }
}
```

When the server runs `"cfn-init.exe -v -s ", {"Ref" : "AWS::StackId"}, " -r YourInstance -c ", {"Ref": "CCWServerType"} , " --region ", {"Ref" : "AWS::Region"}, "\n",`, it creates the `s3download.bak`, but it is empty and gives an Access Denied (HTTP Error 403). Is there something I'm not doing correctly with the IAM configuration that is causing this?

EDIT: I thought that because I am accessing the entire bucket and not just a specific item, like mentioned in [this article](https://aws.amazon.com/blogs/devops/authenticated-file-downloads-with-cloudformation/), that might be the issue. However, after trying `"Action":["s3:*Object"]` and `"Action":["s3.Get*"]`, I still get the same access denied error.

2 answers · 0 votes · 54 views · asked a month ago
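Added example, not code from either post: a minimal IAM-style policy evaluator in Python, modelling only Action/Resource wildcards and StringEquals conditions, run over the statements from the Cognito ABAC post and the CloudFormation S3 download post. It shows that the download post's Resource names the bucket ARN while s3:GetObject is checked against the object ARN, so only a pattern ending in `/*` matches, and that the ABAC post's execute-api:Invoke statement applies only when the session actually carries the `aws:PrincipalTag/user_role` tag. The account id 123456789012 and API id abc123 are constructed placeholders for the redacted values.

```python
import fnmatch

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _matches(patterns, value):
    # IAM-style wildcard match: "*" and "?" only, with no special meaning for "/".
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource, context):
    """True if some Allow statement matches the request and no Deny statement does.
    Only the parts of IAM the two posts exercise are modelled (this is a toy, not
    AWS's evaluator): Action/Resource wildcards and StringEquals conditions on
    request-context keys. A condition whose key is absent from the context never
    matches, which is what happens when a session carries no user_role tag.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(key) != want for key, want in equals.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Post 3: the template grants s3:GetObject on the bucket ARN, but the request
# names an object key, so the Resource element must end in "/*" to match.
OBJECT_ARN = "arn:aws:s3:::ccw-to-rds-poc-1/test.txt"

def s3_get_allowed(resource_pattern):
    policy = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                             "Resource": resource_pattern}]}
    return is_allowed(policy, "s3:GetObject", OBJECT_ARN, {})

# Post 2: the identity-pool role statement, with constructed placeholder values
# (account 123456789012, API id abc123) standing in for the redacted ones.
API_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": "execute-api:Invoke",
    "Resource": "arn:aws:execute-api:eu-west-2:*:abc123/*/GET/theme",
    "Condition": {"StringEquals": {"aws:PrincipalTag/user_role": "end_user_basic"}}}]}
API_ARN = "arn:aws:execute-api:eu-west-2:123456789012:abc123/test/GET/theme"

def api_invoke_allowed(session_tags):
    # session_tags holds the aws:PrincipalTag/* keys present on the assumed session.
    return is_allowed(API_POLICY, "execute-api:Invoke", API_ARN, session_tags)
```

Run `s3_get_allowed("arn:aws:s3:::ccw-to-rds-poc-1")` against `s3_get_allowed("arn:aws:s3:::ccw-to-rds-poc-1/*")`, and `api_invoke_allowed({})` against a context that carries the tag, to see the two decisions flip.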

Cognito vs Identity Center (SSO)

I am building a web application. Customers should have a valid AWS account to onboard. Each customer could be a whole corporation on their own with their own identity provider. The application should authenticate users of each customer's org and authorize their access to certain APIs within my application. The application should also be able to run automation in the customer's AWS account by assuming a certain IAM role.

Looking at identity solutions from AWS, I see native IAM, Cognito, and SSO. Native IAM doesn't present the identity of the user and their group membership to my application. Cognito seems to fit my use case. I can provide the customer with a CloudFormation template to run in their account to prepare things: a Cognito user pool, a certain group name that my application looks for, certain IAM roles for my application to assume, and a Cognito identity pool to exchange the user's authenticated identity for IAM temp creds to run automation in their account within a certain permissions scope. The customer can integrate Cognito with their own IdP to have centralized user and group management.

Does this solution look sane? Does SSO provide better integration for my application? If yes, does SSO allow me to provide the customer with a CloudFormation template to configure their SSO before they can onboard to my application?

Related question prior to the rePost era: https://stackoverflow.com/questions/48767172/whats-the-difference-between-aws-sso-and-aws-cognito - but it is not answered yet.

1 answer · 2 votes · 83 views · asked a month ago

AWS File Transfer Family Server and IAM role setup

Hi All, we have set up an AWS Transfer Family server with AWS Directory Service (connected to Microsoft AD) authentication. As per the use case, once a user logs in to SFTP, the user should be able to see two directories within their own folder:

```
{username}/folder1
{username}/folder2
```

I have set up the access policy and IAM policy (attached to S3) below.

create-access CLI:

```shell
aws transfer create-access \
  --home-directory-type LOGICAL \
  --home-directory-mappings '[{"Entry":"/folder1","Target":"/bucket_name/${transfer:UserName}/folder1"},{"Entry":"/folder2","Target":"/bucket_name/${transfer:UserName}/folder2"}]' \
  --role arn:aws:iam::account_id:role/iam_role \
  --server-id s-1234567876454ert \
  --external-id S-1-2-34-56789123-12345678-1234567898-1234
```

The access policy was created successfully. The IAM role below is attached to the S3 bucket and the file transfer server.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ],
      "Resource": [ "arn:aws:s3:::bucket_name" ],
      "Effect": "Allow",
      "Sid": "ReadWriteS3"
    },
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion",
        "s3:GetObjectACL",
        "s3:PutObjectACL"
      ],
      "Resource": [ "arn:aws:s3:::bucket_name/${transfer:UserName}/*" ],
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
```

When users log in to SFTP, they do not see folder1 & folder2 in their own directory. Can anyone help if anything is missing in the IAM policy? Thank you

3 answers · 0 votes · 81 views · asked a month ago