Unanswered Questions tagged with AWS Identity and Access Management


0 answers · 0 votes · 43 views · asked 4 months ago

Restriction on CloudFormation StackSet with IAM condition cloudformation:TemplateUrl

I'm trying to restrict the S3 bucket used for **StackSet** templates with the IAM condition **cloudformation:TemplateUrl**, but it does not work as expected: the IAM policy applied always denies the CreateStackSet. See below the tested policy. The [doc page](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-template.html#using-iam-template-conditions) explains that you can use the condition as usual, but there is a Note that is not clear to me:

![Enter image description here](/media/postImages/original/IMUjPviuTuSAaoxl5HvXktBQ)

For allowed CreateStackSet calls, the CloudTrail event included the TemplateUrl in the context, so I don't understand why the condition does not work with Stack Set. Thanks for your help!

```
{
  "eventVersion": "1.08",
  [...]
  "eventTime": "2022-08-09T15:42:50Z",
  "eventSource": "cloudformation.amazonaws.com",
  "eventName": "CreateStackSet",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "stackSetName": "test-deny1",
    "templateURL": "https://s3.amazonaws.com/trusted-bucket/EnableAWSCloudtrail.yml",
    "description": "Enable AWS CloudTrail. This template creates a CloudTrail trail, an Amazon S3 bucket where logs are published, and an Amazon SNS topic where notifications are sent.",
    "clientRequestToken": "1bd60a6d-f9dc-76a9-020a-f5a45f1bdf1e",
    "capabilities": [
      "CAPABILITY_IAM"
    ]
  },
  "responseElements": {
    "stackSetId": "test-deny1:97054f39-3925-47eb-92fd-09779f32bcf6"
  },
  [...]
}
```

For reference my IAM Policy:

```
{
  "Sid": "TemplateFromTrustedBucket",
  "Effect": "Allow",
  "Action": [
    "cloudformation:CreateStackSet",
    "cloudformation:UpdateStackSet"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "cloudformation:TemplateURL": "https://s3.amazonaws.com/trusted-bucket/*"
    }
  }
}
```
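Whatever the cause of the StackSet denial, the `StringLike` pattern in the policy above does match the `templateURL` that CloudTrail recorded for the quoted CreateStackSet call, and the same pattern can be used as a detection over exported trail records. The following is an added example (my own code, not the poster's or AWS's): it implements IAM `StringLike` matching (case-sensitive, `*` for any run of characters, `?` for exactly one) and scans CloudTrail records for Stack and StackSet template calls whose `templateURL` falls outside the trusted bucket, or which carried no `templateURL` at all because the template was supplied inline, a case no `TemplateUrl` condition can ever match. The sample records are constructed; the first mirrors the event quoted in the question, the rest are invented, and the script is a local check over exported logs, not a policy simulator.

```python
import re
from typing import Dict, List, Optional

# Trusted-bucket pattern copied from the StringLike condition in the policy above.
TRUSTED_TEMPLATE_PATTERN = "https://s3.amazonaws.com/trusted-bucket/*"

# CloudFormation API calls that accept a TemplateURL request parameter.
TEMPLATE_ACTIONS = {"CreateStack", "UpdateStack", "CreateStackSet", "UpdateStackSet"}


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: case-sensitive, '*' matches any run of
    characters (including none), '?' matches exactly one; all else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def check_event(event: dict, trusted: str = TRUSTED_TEMPLATE_PATTERN) -> Optional[Dict[str, str]]:
    """Return a finding for a CloudFormation template call whose TemplateURL is
    outside the trusted bucket, or which supplied the template inline so that no
    TemplateURL exists for a condition to match. None means nothing to report."""
    if event.get("eventSource") != "cloudformation.amazonaws.com":
        return None
    name = event.get("eventName", "")
    if name not in TEMPLATE_ACTIONS:
        return None
    params = event.get("requestParameters") or {}
    target = params.get("stackSetName") or params.get("stackName") or "<unknown>"
    url = params.get("templateURL")
    if url is None:
        return {"eventName": name, "target": target,
                "reason": "template supplied inline, no TemplateURL"}
    if iam_string_like(trusted, url):
        return None
    return {"eventName": name, "target": target,
            "reason": f"TemplateURL outside trusted bucket: {url}"}


def scan_trail(records: List[dict]) -> List[Dict[str, str]]:
    """Run check_event over a list of CloudTrail records and keep the findings."""
    findings = []
    for record in records:
        finding = check_event(record)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records; only the first mirrors the event quoted in the question.
SAMPLE_RECORDS = [
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStackSet",
     "requestParameters": {"stackSetName": "test-deny1",
                           "templateURL": "https://s3.amazonaws.com/trusted-bucket/EnableAWSCloudtrail.yml"}},
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "UpdateStackSet",
     "requestParameters": {"stackSetName": "test-deny2",
                           "templateURL": "https://s3.amazonaws.com/trusted-bucket-copy/EnableAWSCloudtrail.yml"}},
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "requestParameters": {"stackName": "inline-stack"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "requestParameters": {"userName": "ci-bot"}},
]

if __name__ == "__main__":
    for finding in scan_trail(SAMPLE_RECORDS):
        print(f"{finding['eventName']:15} {finding['target']:15} {finding['reason']}")
```

Note that `trusted-bucket-copy` is rejected even though it shares a prefix with the trusted name, because the pattern requires the literal `trusted-bucket/` before the wildcard; a pattern ending in `trusted-bucket*` would not give that guarantee.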
0 answers · 0 votes · 56 views · asked 4 months ago

How do I not receive "Internal Failure for IAM authorizer" error when using AWS IAM authorizer on Govcloud?

I have an app which uses a role with this policy to invoke an API gateway:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:XXXXXXXXXX:aaaaaaaaaa/$default/POST/routename/${aws:PrincipalTag/username}"
      ]
    }
  ]
}
```

(In GovCloud, us-east-1 is changed to us-gov-west-1.) This works fine in commercial. However, I get 500 internal server errors on GovCloud. Upon customizing and inspecting the logs, I find that it's an authorizer error with the error message "internal failure for IAM authorizer". Searching this error on Google yielded 0 results... Now I'm scared. In a panic, I tried opening up all permissions more broadly:

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvents",
        "cognito-sync:*",
        "cognito-identity:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

But this yielded the same results. However, when I tried hitting the same endpoint using complete admin permissions, my requests went through just fine. What can I do to stop this behavior? Are IAM authorizers even supported on GovCloud? Do I need to add more permissions?
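AWS GovCloud (US) regions sit in the `aws-us-gov` partition, so every ARN there starts with `arn:aws-us-gov:` rather than `arn:aws:`, including the execute-api resource that an API Gateway IAM authorizer compares against. The following is an added example (my own code, not the poster's or AWS's): it builds that resource ARN for a given region, resolves the `${aws:PrincipalTag/username}` policy variable from the caller's tags, and evaluates the poster's policy shape against a request using IAM wildcard matching, so the effect of each combination of policy partition, region and tag value can be seen directly. The account id, API id and usernames are constructed placeholders, and the evaluator covers only identity-policy Allow/Deny, not resource policies or the authorizer's own error paths, so it does not by itself establish the cause of the 500 the post describes.

```python
import re
from typing import Dict, List, Optional

# Constructed placeholders; the post masks the real account and API ids.
ACCOUNT_ID = "123456789012"
API_ID = "a1b2c3d4e5"


def partition_for_region(region: str) -> str:
    """Partition that an ARN in the given region must carry."""
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    if region.startswith("cn-"):
        return "aws-cn"
    return "aws"


def execute_api_arn(region: str, account: str, api_id: str, stage: str, method: str, route: str) -> str:
    """Resource ARN the API Gateway IAM authorizer checks for an HTTP API route."""
    return (f"arn:{partition_for_region(region)}:execute-api:{region}:{account}:"
            f"{api_id}/{stage}/{method}/{route.lstrip('/')}")


def build_policy(partition: str, region: str) -> dict:
    """The poster's policy shape with the execute-api ARN written for a partition/region."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["mobileanalytics:PutEvents", "cognito-sync:*", "cognito-identity:*"],
             "Resource": ["*"]},
            {"Effect": "Allow",
             "Action": ["execute-api:Invoke"],
             "Resource": [f"arn:{partition}:execute-api:{region}:{ACCOUNT_ID}:{API_ID}"
                          "/$default/POST/routename/${aws:PrincipalTag/username}"]},
        ],
    }


VARIABLE_RE = re.compile(r"\$\{([^}]+)\}")


def resolve_policy_variables(text: str, context: Dict[str, str]) -> Optional[str]:
    """Substitute ${key} policy variables from the request context. A variable
    whose key is absent (e.g. the principal carries no 'username' tag) leaves the
    statement unable to match the request, which is signalled with None."""
    missing: List[str] = []

    def replace(match):
        key = match.group(1)
        if key not in context:
            missing.append(key)
            return ""
        return context[key]

    resolved = VARIABLE_RE.sub(replace, text)
    return None if missing else resolved


def iam_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM wildcard match: '*' any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def is_invoke_allowed(policy: dict, request_arn: str, context: Dict[str, str],
                      action: str = "execute-api:Invoke") -> bool:
    """Identity-policy evaluation reduced to what matters here: default deny,
    an explicit Deny on a matching statement wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(iam_match(a, action, case_sensitive=False) for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for resource in resources:
            resolved = resolve_policy_variables(resource, context)
            if resolved is not None and iam_match(resolved, request_arn):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    caller = {"aws:PrincipalTag/username": "alice"}
    for region in ("us-east-1", "us-gov-west-1"):
        request = execute_api_arn(region, ACCOUNT_ID, API_ID, "$default", "POST", "routename/alice")
        for partition in ("aws", "aws-us-gov"):
            verdict = is_invoke_allowed(build_policy(partition, region), request, caller)
            print(f"{region:14} policy partition={partition:10} -> {'allow' if verdict else 'deny'}")
```

Running it shows that a policy whose resource ARN carries the wrong partition for the region never matches the request, and that a caller without the `username` tag is denied even in the matching partition, because the resource with the unresolved variable does not match anything.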