AWS Role chaining for GitHub Actions - amazon-web-services

I am pretty new to AWS and struggling with role chaining for my github-actions-role.
I have a role “GithubActionsRole” which has the following Permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity"
      ],
      "Resource": [
        "arn:aws:iam::ACCOUNT_NO:role/cdk-contactupd-deploy-role-ACCOUNT_NO-REGION"
      ],
      "Effect": "Allow"
    }
  ]
}
And this trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACC_NO:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:SetSourceIdentity"
      ],
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:my-repo/sub-dir:*"
        }
      }
    }
  ]
}
So now, the GithubActionsRole should assume the role “cdk-contactupd-deploy-role-ACCOUNT_NO-REGION”. This role is configured like this:
Permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStacks",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormationPermissions"
    }
  ]
}
Trust relationships:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NO:root"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity"
      ]
    }
  ]
}
In my GitHub-action I execute the following:
…
- name: Set nonlive variables
  run: |
    echo "STAGE=nonlive" >> $GITHUB_ENV
    echo "GITHUB_ROLE=arn:aws:iam::ACC_NO:role/GithubActionsRole" >> $GITHUB_ENV
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-region: MY_REGION
    role-to-assume: ${{ env.GITHUB_ROLE }}
- run: aws sts get-caller-identity
- name: Deploy CDK Stacks
…
Unfortunately the last step is failing with the following Message:
failed: AccessDenied: User: arn:aws:sts::***:assumed-role/GithubActionsRole/GitHubActions is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:...:stack/MY_STACK/... because no identity-based policy allows the cloudformation:DescribeStacks action.
But the "cloudformation:DescribeStacks" permission should be allowed through the role chaining from the "cdk-contactupd-deploy-role-ACCOUNT_NO-REGION" role.
I appreciate any idea how to fix it. I tried already a lot the last few days :/
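A small Python model of what the workflow above does, added here as an illustration; it is not code from the question and not AWS code. It treats temporary credentials as carrying only the policy of the role that was actually assumed: the OIDC step yields a GithubActionsRole session that may call sts:AssumeRole on the deploy role and nothing else, and the CloudFormation permissions only become available after a second AssumeRole hop. ACCOUNT, REGION, the stack ARN and the session names are constructed placeholders; the two identity policies and the deploy role's trust policy are copied from the question; the evaluation rules are a deliberate simplification of IAM (Allow statements only, no conditions, the OIDC trust is not modelled).

```python
# Added example (not AWS code and not the asker's workflow): a model of STS role
# chaining that reproduces the AccessDenied above. ACCOUNT, REGION, the stack ARN
# and the session names are constructed placeholders; the policies are copied from
# the question. IAM is simplified: Allow statements only, no conditions.
from dataclasses import dataclass
from fnmatch import fnmatchcase

ACCOUNT = "111111111111"  # constructed stand-in for ACCOUNT_NO
REGION = "eu-central-1"   # constructed stand-in for REGION

@dataclass
class Role:
    name: str
    permissions: dict  # identity-based policy document
    trust: dict        # trust (assume-role) policy document

    @property
    def arn(self) -> str:
        return f"arn:aws:iam::{ACCOUNT}:role/{self.name}"

@dataclass
class Session:
    # Temporary credentials from STS: they carry only the assumed role's policy.
    role: Role
    session_name: str

    @property
    def arn(self) -> str:
        return f"arn:aws:sts::{ACCOUNT}:assumed-role/{self.role.name}/{self.session_name}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value: str) -> bool:
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(session: Session, action: str, resource: str) -> bool:
    """True if an Allow statement of the session's role matches action and resource."""
    return any(
        stmt.get("Effect") == "Allow"
        and _matches(stmt["Action"], action)
        and _matches(stmt.get("Resource", "*"), resource)
        for stmt in session.role.permissions["Statement"])

def trust_allows(target: Role, caller: Session) -> bool:
    """Trust policy check: a named role ARN, or the account root (any principal of that account)."""
    root = f"arn:aws:iam::{ACCOUNT}:root"
    for stmt in target.trust["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            same_account = f"::{ACCOUNT}:" in caller.role.arn
            if principal == caller.role.arn or (principal == root and same_account):
                return True
    return False

def assume_role(caller: Session, target: Role, session_name: str) -> Session:
    """sts:AssumeRole: the caller's policy must allow it and the target's trust policy must accept the caller."""
    if not is_allowed(caller, "sts:AssumeRole", target.arn):
        raise PermissionError(f"User: {caller.arn} is not authorized to perform: "
                              f"sts:AssumeRole on resource: {target.arn}")
    if not trust_allows(target, caller):
        raise PermissionError(f"{target.arn} does not trust {caller.arn}")
    return Session(target, session_name)

DEPLOY_ROLE = Role(
    name=f"cdk-contactupd-deploy-role-{ACCOUNT}-{REGION}",
    permissions={"Version": "2012-10-17", "Statement": [{
        "Sid": "CloudFormationPermissions", "Effect": "Allow", "Resource": "*",
        "Action": ["cloudformation:CreateChangeSet", "cloudformation:DeleteChangeSet",
                   "cloudformation:DescribeChangeSet", "cloudformation:DescribeStacks",
                   "cloudformation:ExecuteChangeSet", "cloudformation:CreateStack",
                   "cloudformation:UpdateStack"]}]},
    trust={"Version": "2008-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
        "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"]}]})

GITHUB_ROLE = Role(
    name="GithubActionsRole",
    permissions={"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
        "Resource": [DEPLOY_ROLE.arn]}]},
    trust={"Version": "2012-10-17", "Statement": []})  # OIDC trust, not modelled here

STACK = f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:stack/MY_STACK/0000"  # constructed

def deploy_without_chaining() -> bool:
    """The posted workflow: the CDK step runs with the GithubActionsRole session itself."""
    session = Session(GITHUB_ROLE, "GitHubActions")
    return is_allowed(session, "cloudformation:DescribeStacks", STACK)

def deploy_with_chaining() -> bool:
    """The missing hop: assume the deploy role from that session, then call CloudFormation with the second session."""
    first = Session(GITHUB_ROLE, "GitHubActions")
    second = assume_role(first, DEPLOY_ROLE, "cdk-deploy")
    return is_allowed(second, "cloudformation:DescribeStacks", STACK)
```

deploy_without_chaining() returns False, which is the situation the AccessDenied message describes: the principal in that message is assumed-role/GithubActionsRole, so the deploy step ran with the first session's credentials and the deploy role's CloudFormation permissions were never in play. deploy_with_chaining() returns True because the second session carries the deploy role's policy; assume_role succeeds there since GithubActionsRole's policy allows sts:AssumeRole on the deploy role ARN and the deploy role's trust policy admits the account root.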

Related

IAM Assume Role - Trust relationship between EKS Pod and Other IAM Role

I am trying to assume a role (in Account B) from inside of an EKS Pod (in Account A). When running aws sts get-caller-identity from inside of the pod, I get:
/app # aws sts get-caller-identity
{
  "UserId": "AROAXXXXXXXXXXXCQLF:botocore-session-1659114796",
  "Account": "00ACCOUNTA00",
  "Arn": "arn:aws:sts::00ACCOUNTA00:assumed-role/my-pod-role/botocore-session-1659114796"
}
The Trust Relationship configs I have tried in arn:aws:iam::00ACCOUNTB00:role/yolo-test-role (In Account B) which are not working:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::00ACCOUNTA00:role/my-pod-role"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
and
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::00ACCOUNTA00:root"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Condition": {
        "StringLike": {
          "aws:userId": "AROAXXXXXXXXXXXCQLF:*"
        }
      }
    }
  ]
}
and
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "00ACCOUNTA00"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Condition": {
        "StringLike": {
          "aws:userId": "AROAXXXXXXXXXXXCQLF:*"
        }
      }
    }
  ]
}
When I try to run aws sts assume-role --role-arn 'arn:aws:iam::00ACCOUNTB00:role/yolo-test-role' --role-session-name metesting from the pod, I get:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::00ACCOUNTA00:assumed-role/my-pod-role/botocore-session-1659114796 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::00ACCOUNTB00:role/yolo-test-role

IAM role is not authorized to perform ec2messages:GetMessages

I've created a role with an attached Policy "AmazonSSMManagedInstanceCore":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeAssociation",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetDocument",
        "ssm:DescribeDocument",
        "ssm:GetManifest",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:ListAssociations",
        "ssm:ListInstanceAssociations",
        "ssm:PutInventory",
        "ssm:PutComplianceItems",
        "ssm:PutConfigurePackageResult",
        "ssm:UpdateAssociationStatus",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2messages:AcknowledgeMessage",
        "ec2messages:DeleteMessage",
        "ec2messages:FailMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:GetMessages",
        "ec2messages:SendReply"
      ],
      "Resource": "*"
    }
  ]
}
And Trust relationships:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I've then attached the IAM role to the instance. When I start the SSM agent in the instance I get the following error:
2022-03-16 23:14:49 ERROR [HandleAwsError # awserr.go.49] [ssm-agent-worker] [MessageService] [MDSInteractor] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/SSMandCloudWatch/i-YYYYY is not authorized to perform: ec2messages:GetMessages on resource: arn:aws:ssm:eu-central-1:XXXX:* with an explicit deny in a service control policy
status code: 400, request id: zzzz
The call it's complaining about is explicitly allowed in the policy. I've tried restarting the agent, but it didn't make any difference.
AWS permission evaluation can be complex. I like this AWS diagram below, so it is a good one to follow to track down permissions issues.
So there are a few other things to check or be aware of that could still be limiting access.

Step function unable to trigger ECS task on fargate cluster, permission issue

I am creating and running a task on my ECS fargate cluster.
Task definition (with role) and fargate cluster is already created.
When I use the run task step in the step function, I get the following error:
{
  "Error": "ECS.AccessDeniedException",
  "Cause": "User: arn:aws:sts::xxxxxxxxxx:assumed-role/StepFunctions-my-state-machine-role-xxxxxxxxxx/xxxxxxxxxx is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxxxx:role/my-app-dev-exec because no identity-based policy allows the iam:PassRole action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx; Proxy: null)"
}
The role attached to the step function has the following policies (as per the documentation provided by AWS https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:RunTask"
      ],
      "Resource": [
        "arn:aws:ecs:eu-west-1:xxxxxxxxxx:task-definition/*:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:StopTask",
        "ecs:DescribeTasks"
      ],
      "Resource": [
        "arn:aws:ecs:eu-west-1:xxxxxxxxxx:task/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "events:PutTargets",
        "events:PutRule",
        "events:DescribeRule"
      ],
      "Resource": [
        "arn:aws:events:eu-west-1:xxxxxxxxxx:rule/StepFunctionsGetEventsForECSTaskRule"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "states:DescribeStateMachine",
        "states:StartExecution",
        "states:ListExecutions",
        "states:UpdateStateMachine"
      ],
      "Resource": [
        "arn:aws:states:eu-west-1:xxxxxxxxxx:stateMachine:my-state-machine"
      ]
    }
  ]
}
with the following trusted entities:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "states.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Can someone help with what additional permission I need to give to resolve the above permission issue? From the error, I am not able to figure out what additional permission is required.
If I attach AmazonECS_FullAccess (aws managed) policy to the role, job works perfectly.
Because your task will use an IAM Role, you need to specify the additional permission 'PassRole'.
The best practice is to restrict which roles can be passed. So it is recommended to add a condition limiting it to only allow passing roles to ECS tasks.
Try adding this statement to your policy:
{
  "Action": "iam:PassRole",
  "Effect": "Allow",
  "Resource": [
    "*"
  ],
  "Condition": {
    "StringLike": {
      "iam:PassedToService": "ecs-tasks.amazonaws.com"
    }
  }
}
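An added Python example (not AWS's evaluation engine and not code from any post on this page) that walks through the two evaluation rules behind the last two questions: the SSM error above, where an identity-based Allow for ec2messages:GetMessages is overridden by an explicit Deny in a service control policy, and the PassRole statement just recommended, where the Allow only applies when the request context's iam:PassedToService matches the StringLike condition. The decision function models explicit Deny winning over everything, SCPs needing an Allow when present, and then the identity-based policies; only StringEquals and StringLike conditions are implemented. The SSM instance policy and the PassRole statement are copied from the page; the SCPs, the account ID and the request contexts are constructed for the example (the question's real SCP is not shown).

```python
# Added example (not AWS's evaluation engine, not code from any post): a simplified
# IAM decision function. Explicit Deny wins; if SCPs are given one must Allow; then
# an identity-based policy must Allow. Only StringEquals/StringLike conditions.
# SCPs, account ID and request contexts below are constructed for the example.
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value: str) -> bool:
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block against the request context (every key must hold)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # key absent from the request: condition not satisfied
            if operator == "StringEquals":
                if actual not in _as_list(wanted):
                    return False
            elif operator == "StringLike":
                if not _matches(wanted, actual):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True

def policy_decision(policy: dict, action: str, resource: str, context: dict):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt.get("Resource", "*"), resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def evaluate(identity_policies, action, resource, context=None, scps=None) -> str:
    """Final decision; scps=None means the account is not subject to any SCP."""
    context = context or {}
    identity = [policy_decision(p, action, resource, context) for p in identity_policies]
    scp = [policy_decision(p, action, resource, context) for p in (scps or [])]
    if "Deny" in identity or "Deny" in scp:
        return "Deny: explicit deny"
    if scps and "Allow" not in scp:
        return "Deny: no service control policy allows the action"
    if "Allow" in identity:
        return "Allow"
    return "Deny: no identity-based policy allows the action"

# Case 1: the ec2messages statement of the SSM instance role (from the question)
# evaluated with and without a constructed SCP that denies ec2messages:*.
SSM_INSTANCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage",
               "ec2messages:FailMessage", "ec2messages:GetEndpoint",
               "ec2messages:GetMessages", "ec2messages:SendReply"]}]}
SCP_ALLOW_ALL = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}  # constructed
SCP_DENY_EC2MESSAGES = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "ec2messages:*", "Resource": "*"}]}  # constructed
SSM_RESOURCE = "arn:aws:ssm:eu-central-1:111111111111:*"  # constructed account ID

def ssm_get_messages(scp_denies: bool) -> str:
    scps = [SCP_ALLOW_ALL, SCP_DENY_EC2MESSAGES] if scp_denies else [SCP_ALLOW_ALL]
    return evaluate([SSM_INSTANCE_POLICY], "ec2messages:GetMessages", SSM_RESOURCE, scps=scps)

# Case 2: the PassRole statement recommended in the answer above.
PASS_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Action": "iam:PassRole", "Effect": "Allow", "Resource": ["*"],
    "Condition": {"StringLike": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}]}
EXEC_ROLE = "arn:aws:iam::111111111111:role/my-app-dev-exec"  # constructed account ID

def pass_role_to(service: str) -> str:
    """Decision for passing EXEC_ROLE to the given service principal."""
    return evaluate([PASS_ROLE_POLICY], "iam:PassRole", EXEC_ROLE,
                    context={"iam:PassedToService": service})
```

ssm_get_messages(False) returns "Allow" and ssm_get_messages(True) returns "Deny: explicit deny": the instance role's own Allow never changes, which is why restarting the agent cannot help when the deny comes from an SCP. pass_role_to("ecs-tasks.amazonaws.com") returns "Allow", while passing the same role to any other service falls through to the implicit deny because the condition key does not match.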

Spinnaker CloudDriver Pod crashing because of IAM issue

When deploying Spinnaker to EKS via hal deploy apply, the Spinnaker Clouddriver pod goes to CrashLoopBackOff with the following error:
Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/Spinnaker-k8s-Worker-Node-Role/i-yyyyyyyyyyyyyyy is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/Spinnaker-Managed-Role
My Halyard config is as follows:
currentDeployment: default
deploymentConfigurations:
- name: default
  version: 1.17.6
  providers:
    appengine:
      enabled: false
      accounts: []
    aws:
      enabled: true
      accounts:
      - name: my-account
        requiredGroupMembership: []
        providerVersion: V1
        permissions: {}
        accountId: 'xxxxxxxxxxxx' # my account id here
        regions:
        - name: us-east-1
        assumeRole: Spinnaker-Clouddriver-Role
        lifecycleHooks: []
      primaryAccount: my-account
      bakeryDefaults:
        baseImages: []
        defaultKeyPairTemplate: '{{name}}-keypair'
        defaultRegions:
        - name: us-east-1
        defaults:
          iamRole: BaseIAMRole
My Spinnaker-Clouddriver-Role IAM role has PowerUserAccess permissions at the moment and has the following as the trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ec2.amazonaws.com",
          "ecs.amazonaws.com",
          "application-autoscaling.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxxxxxxx:role/Spinnaker-k8s-Worker-Node-Role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
How can I get this resolved?
The full log can be found on https://gist.github.com/agentmilindu/d9d31ee4287c87fb87e5060e0709989d#file-awssecuritytokenserviceexception-log-L3
Take a look at an AWS IAM policy that works flawlessly.
Refer to Armory AWS IAM set up and EC2 provider set up
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "cloudformation:*",
        "ecr:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::123456789012:role/SpinnakerManagedRoleAccount1",
        "arn:aws:iam::101121314157:role/SpinnakerManagedRoleAccount2",
        "arn:aws:iam::202122232425:role/SpinnakerManagedRoleAccount3"
      ],
      "Effect": "Allow"
    }
  ]
}

Amazon ElasticSearch access issue

I have a domain: domain1 and trying to allow user1 to access it. This is the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::340539148951:user/user1"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:340539148951:domain/domain1/*"
    }
  ]
}
When user1 logs in to the Console and tries to go to the ElasticSearch content, he gets this error:
ListDomainNames: {"Message":"User: arn:aws:iam::340539148951:user/user1 is not authorized to perform: es:ListDomainNames on resource: arn:aws:es:us-east-1:340539148951:domain/*"}
So the question is where do I set this? At the user level? What would the policy be?
Dima.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1504015454000",
      "Effect": "Allow",
      "Action": [
        "es:*"
      ],
      "Resource": [
        "arn:aws:es:us-east-1:340539148951:domain/*"
      ]
    }
  ]
}
Probably too much es:* - but it worked