AppSync to access cross account API Gateway - amazon-web-services

I have resources like below:
Account A: API Gateway REST API
Account B: AppSync API
Now I want to use AppSync API in account B to call my API Gateway from account A. How should the permissions be set up?
I know for sure that it works with usage of resource policy in API Gateway and then in AppSync I need to have IAM attached to data source that allows invoking my resources.
But wanted to do it using IAM Roles since they give me more flexibility.
I've created a role in Account A that provides a policy to invoke API Gateway and I've added Account B in the trust relationship. Now how can I assume this role in my AppSync account? I cannot do it while creating the data source (HTTP endpoint) because it gives me "Cross-account pass role is not allowed". Is it even possible to do this using roles?

Related

How to know the IAM user who created a Lambda function

We have an AWS account with an IAM group; this group contains practically 6 users and most operations in the account are done by these 6 users.
There are 12 Lambda functions that have been created in the account, and there is a particular Lambda function (created by one of the 6 users) for which I am trying to find out who created it (the Lambda function owner).
Please, is there a way to do this?
Resources created in AWS Accounts are associated with the Account, not the IAM User that created the account.
When a user requests AWS to create resources, IAM verifies that the user has permission to create resources. If so, then the resources are created in the Account, but no relationship with the user is kept on that resource.
You can, however, use AWS CloudTrail to view information about the API request that created the resource.
From What Is AWS CloudTrail? - AWS CloudTrail:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

Allow IAM User to access API Gateway Execute API on another account

I have AWS Account A (billing account) and AWS account B (dev account). I have API Gateway endpoints deployed in account B that have AWS IAM as authoriser.
I would like a user from account A to be able to execute API deployed in account B.
I know I can achieve this by attaching the Resource Policy in account B. If possible, I would like to do this via the IAM role attached to the user in account A.
The user in account A can already assume an admin role in account B. I would have thought that this would get them access already. But it's not.
Thank you.

If I call API Gateway APIs from an EC2 instance with a role, can AWS automatically handle the IAM authorization?

I want to call API Gateway from our own backend, which is an ECS cluster, and I want to use IAM authorization. Is there any way to not manually sign the request using an Access Key and Secret Key?
For example, when Lambda calls KMS to decrypt environment variables, there is no need to configure the AWS SDK. Wondering if there's a similar thing for API Gateway.
It is definitely possible; even more, it's a security best practice. You can assign IAM roles to all computing services of AWS: Lambda, EC2, ECS, Beanstalk, etc. On ECS you can assign IAM roles to your tasks.
It gives a great benefit, which is well described in the official docs:
Benefits of Using IAM Roles for Tasks
Credential Isolation: A container can only retrieve credentials for the IAM role that is defined in the task definition to which it belongs; a container never has access to credentials that are intended for another container that belongs to another task.
Authorization: Unauthorized containers cannot access IAM role credentials defined for other tasks.
Auditability: Access and event logging is available through CloudTrail to ensure retrospective auditing. Task credentials have a context of taskArn that is attached to the session, so CloudTrail logs show which task is using which role.
This link will help you: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
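To make the answer above concrete, here is an added example (not from the original thread, nor an AWS library) of what the task role actually gives you: temporary credentials, fetched from the ECS credential endpoint that the SDKs read behind the scenes, which must still be turned into a SigV4 signature for service execute-api on every request. The SDK does that step for you; a raw HTTP client does not, which is the part people end up doing "manually". The endpoint address, environment variable and response field names are the documented ECS task-role ones; every credential value in the test is constructed.

```python
import hashlib
import hmac
import json
import os
import urllib.request
from datetime import datetime, timezone
from urllib.parse import quote, urlparse


def task_role_credentials():
    """Credentials of the ECS task role. The agent publishes them on 169.254.170.2 at the
    path in AWS_CONTAINER_CREDENTIALS_RELATIVE_URI; this is the same source the SDKs use."""
    relative_uri = os.environ["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"]
    with urllib.request.urlopen("http://169.254.170.2" + relative_uri, timeout=2) as resp:
        body = json.load(resp)
    return body["AccessKeyId"], body["SecretAccessKey"], body["Token"]


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_execute_api(method, url, region, access_key, secret_key,
                     session_token=None, body=b"", amz_date=None):
    """Headers that authenticate one request to an IAM-authorised API Gateway endpoint.
    amz_date (YYYYMMDDTHHMMSSZ) is injectable so signing is reproducible in tests."""
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    u = urlparse(url)
    canonical_uri = quote(u.path or "/", safe="/")
    canonical_query = "&".join(sorted(u.query.split("&"))) if u.query else ""
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"host": u.netloc, "x-amz-date": amz_date}
    if session_token:  # role credentials are temporary and always carry a session token
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, canonical_uri, canonical_query,
                                   canonical_headers, signed, payload_hash])
    scope = f"{date}/{region}/execute-api/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "execute-api", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers
```

Inside a task you would call `task_role_credentials()` and pass the three values to `sign_execute_api`; nothing is read from static keys, and CloudTrail attributes the call to the task role session.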

Can I login as an IAM user from Cognito?

Is it possible to log in as an IAM user from Cognito? I am creating a tool that does AWS management functions and I want users to log in as their IAM users ideally. Is this possible?
The 2 alternatives I am considering are:
App will have its own IAM credentials and perform actions on behalf of app users. App will implement ACLs to determine who can do what (but this is implementing what IAM already does).
Users will log in via Cognito and inherit IAM roles, but it's still having 2 "IAM users" (1 Cognito + 1 IAM user) for 1 "real" user.
Of these 2 which is better and is there a better way?
You can achieve your purpose with AWS Cognito with the newly introduced user groups feature, which allows you to assign different IAM roles to groups of users.
For the implementation, if you go with the AWS serverless stack you can use the API Gateway IAM authorizer and pass through the role to Lambda to execute code with the assumed role's permissions. Another approach is to have different API endpoints to provide different privileges for AWS Management Access, where you can authorize access through API Gateway using assumed-role IAM policies (Policy to authorize API Gateway resource access). Here you can assign a different IAM role for Lambda.

AWS API Gateway ARN

One of the things that drives me nuts is that AWS has loads of docs about the format of an ARN, but doesn't have any kind of generator to make you confident that the ARN is correct.
In IAM, I'm trying to set up a policy to allow access to an API Gateway and I've read the following docs about it:
http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html#api-gateway-control-access-using-iam-policies
http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-apigateway
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html
But I can't get any ARN to validate, even just a wide open API Gateway ARN. See screenshot:
What am I doing wrong here?
From the documentation: To create an IAM policy using the Policy Generator in the IAM console, select Manage Amazon API Gateway as AWS Service to set permissions statements for apigateway and select Amazon API Gateway as AWS Service to set permission statements for execute-api.
If you are creating a policy to manage creating/editing your API, then you will need to select Manage - Amazon API Gateway and then use * to give permission for all resources. If you want to give permissions for specific resources, then use this format (note that the service name is apigateway and the account-id field is empty):
arn:aws:apigateway:region::resource-path-specifier
If you are creating a policy to manage invoking your API, then you will need to select Amazon API Gateway and then use * to give permission for all resources. If you want to give permissions for specific resources, then use this format (note that the service name is execute-api):
arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier
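The two ARN shapes in the answer above are easy to mix up, and the console's validator gives little feedback. This added example (not from the thread, not an AWS tool) is the small "generator" the question wishes existed: it builds an execute-api ARN, tells the two formats apart and flags the common mistake of putting an account id into an apigateway (control-plane) ARN, and emits a least-privilege execute-api:Invoke statement. With a cross-account id it produces the API Gateway resource-policy form that the first question on this page says works for cross-account callers. All ids in the test are constructed.

```python
import re

# Data plane: arn:aws:execute-api:region:account-id:api-id/stage/VERB/path (or a bare "*")
EXECUTE_API_RE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[a-z0-9-]+|\*):(?P<account>\d{12}|\*):"
    r"(?:(?P<api_id>[a-z0-9]+|\*)/(?P<stage>[^/]+)/(?P<verb>[A-Z]+|\*)/(?P<path>.*)|\*)$"
)
# Control plane: arn:aws:apigateway:region::resource-path (note the empty account field)
APIGATEWAY_RE = re.compile(r"^arn:aws:apigateway:(?P<region>[a-z0-9-]+|\*)::(?P<path>/.*)$")


def execute_api_arn(region, account_id, api_id, stage="*", verb="*", path="*"):
    """ARN for execute-api:Invoke; wildcards narrow from stage down to the method path."""
    return f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/{verb}/{path}"


def classify_arn(arn):
    """Return ('execute-api' | 'apigateway', fields); raise ValueError with a hint otherwise."""
    m = EXECUTE_API_RE.match(arn)
    if m:
        return "execute-api", m.groupdict()
    m = APIGATEWAY_RE.match(arn)
    if m:
        return "apigateway", m.groupdict()
    parts = arn.split(":")
    if len(parts) == 6 and parts[2] == "apigateway" and parts[4]:
        raise ValueError("apigateway ARNs leave the account field empty ('::'); "
                         "to allow invoking an API use the execute-api form instead")
    raise ValueError("unrecognised API Gateway ARN: " + arn)


def invoke_policy(arn, cross_account_id=None):
    """Policy allowing execute-api:Invoke on exactly one ARN.
    Without cross_account_id: an identity policy for a user/role in the same account.
    With it: a resource policy to attach to the API, naming the other account as principal."""
    kind, _ = classify_arn(arn)
    if kind != "execute-api":
        raise ValueError("execute-api:Invoke needs an execute-api ARN, not an apigateway one")
    statement = {"Effect": "Allow", "Action": "execute-api:Invoke", "Resource": arn}
    if cross_account_id:
        statement["Principal"] = {"AWS": f"arn:aws:iam::{cross_account_id}:root"}
    return {"Version": "2012-10-17", "Statement": [statement]}
```

A resource policy built with `cross_account_id` is only half of the cross-account setup: the caller's role in the other account still needs its own identity policy allowing execute-api:Invoke on the same ARN.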