How to assign a role to an iam user? - amazon-web-services

I am trying to assign a role to a user using the AWS console but not having a whole lot of success with it. So i created a user David and i created a role with a trust policy in which i am assigning the David i.e. IAM user as the principal which looks like this :-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Account-ID:user/David"
},
"Action": "sts:AssumeRole"
}
]
}
and i also attached a policy to the role which lets the user listbuckets and getobject. The policy looks like this :-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allowsusertotolistbuckets",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::*"
}
]
}
Now when i run aws configure and authenticate as David user with the right access key and secret access key and run aws s3 ls. I run into the following: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied. How can i have the user assume the role. Any help will be appreciated.

IAM Roles are not 'attached' to a user. Rather, an IAM User can be permitted to assume an IAM Role.
Using the AWS CLI, they would assume an IAM Role like this:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example
In response, AWS STS will return a set of temporary credentials:
{
"AssumedRoleUser": {
"AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
"Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
},
"Credentials": {
"SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
"SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
"Expiration": "2016-03-15T00:05:07Z",
"AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
}
}
These credentials can then be used to call AWS service 'as the IAM Role' rather than 'as the IAM User'.
See: assume-role — AWS CLI Command Reference
To make things easier, it is possible to define a profile that uses an IAM Role. The AWS CLI will automatically use IAM User credentials to call AssumeRole(), then use the resulting credentials to make the desired API call.
Here is an example profile entry:
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1
This is saying: "Use the IAM User credentials from profile user1 to call AssumeRole() on the marketingadminrole"
It can then be used like this:
aws s3 ls s3://marketing-bucket --profile marketingadmin
See: Using an IAM role in the AWS CLI - AWS Command Line Interface

Related

AWS Signature returns Forbidden for FunctionURL

I have created a Lambda function URL secured with IAM_AUTH and have created a user attached to a group containing a policy which can invoke function URLs.
Taking the user's Access Key and Secret Key I can call the function url in Postman with a 200 OK response.
However, I want have my users assume a role to grant them the lambda:InvokeFunctionUrl action.
So, I have created a role with the above policy attached and set the trust relationship to a new user:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::012345678901:user/myFunctionUrlUser"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
That user is not in any group and has just one inline policy attached, allowing it to assume any role in my account...
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "lambda:InvokeFunctionUrl",
"Resource": "arn:aws:lambda:*:012345678901:function:*"
}
]
}
However, when I user this user's AccessKey and Secret in postman I get 403 Forbidden.
What am I missing?
You shouldn't be using the credentials of the user directly; instead, you should be assuming the role that you created.
Open a new terminal and export the user's credentials:
$ export AWS_ACCESS_KEY_ID=...
$ export AWS_SECRET_ACCESS_KEY=...
then, assume the IAM role (replace <ROLE-ARN> with the ARN of your role)
$ aws sts assume-role --role-arn <ROLE-ARN> --role-session-name "mysession" --duration-seconds 3600
this will return the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN of the session. Use those in postman.

AWS group user not allowed to assume role - access denied

I have a user and I'm trying to impersonate a role for running a service on Kubernetes. However, when I tried using STS to assume the role, I get the following error:
$ aws sts assume-role --role-arn "arn:aws:iam::{ACCOUNT_ID}:role/service-myservice" --role-session-name AWSCLI-Session
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::{ACCOUNT_ID}:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{ACCOUNT_ID}:role/service-myservice
I find this odd because this user belongs to a user group with the AdministratorAccess permission attached to it, which should give it access to anything on AWS. This is it:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
So, what am I doing wrong here?
What you have here is the IAM policy attached to this User, aka - what is this user is able to do.
You need to set the Trust Relationship as well. This defines which resources or principals is able to use this role/user. Could be Lambda, EC2 or in your case: an IAM User.
See here for example.
The IAM User/Role (in that case, role) you want to assume must have the Trust Relationship as follow:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:role/<role_name>
},
"Action": "sts:AssumeRole"
}
]
}

How to require users to set their role_session_name with scp

Using scp, I would like to require role_session_name to users who assume roles in my organization accounts when running terraform template. The role_session_name value need to be equals to their iam username.
I have attached below scp in my organization
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "sts:AssumeRole",
"Resource": "*",
"Condition": {
"StringNotLike": {
"sts:RoleSessionName": [
"${aws:username}"
]
}
}
}
]
}
Below the ~/.aws/config file content
[profile my_profile]
region = us-west-3
role_arn = arn:aws:iam:ACOUNT_ID:role/role_name
output = json
below provider section of terraform template
provider "aws" {
shared_credentials = "~/.aws/credentials"
region = "eu-west-3"
profile = "my_profile"
}
Without specifying role_session_name = my_aws_user_name` inside the config file, I am able to run the template without being blocked by the scp.
How to achieve this please ?
Thanks
EDIT
I finally setup an AWS organization to test. The SCP as you now have is working fine. Role is in account A. SCP attached to account B:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "sts:AssumeRole",
"Resource": "*",
"Condition": {
"StringNotLike": {
"sts:RoleSessionName": [
"${aws:username}"
]
}
}
}
]
}
Using a user in account B, I tried to assume a Role in Account A using a random session name. Got access denied.
>aws sts assume-role --profile accountB --role-arn arn:aws:iam::<account-A>:role/<rolename> --role-session-name abc
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::<account-B>:user/<username> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account-A>:role/<rolename>
But when I use a session name that is same as my username, I am able to.
>aws sts assume-role --profile accountB --role-arn arn:aws:iam::<account-A>:role/<rolename> --role-session-name username
{
"Credentials": {
"AccessKeyId": "xxx",
"SecretAccessKey": "xxx",
"SessionToken": "xxx",
"Expiration": "2022-03-23T10:31:52Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "xxx:username",
"Arn": "arn:aws:sts::xxx:assumed-role/xxx/yyy"
}
}
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam:::user/ is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam:::role/T
this issue is your profile account doesnt has permission attach policy for other account, so I give the IAM full access of role then run fine.

What permissions besides AssumeRole are needed to be able to switch role to another account in AWS console?

I have a:
a IAM role in AccountB myrole with a trust relationship to AccountA
the role in AccountB has a policy associated to only allow eu-north-1.
an IAM user in AccountA with a policy to allow AssumeRole to role myrole in Account B
This works for my test user where only this policy that allows sts:AssumeRole is attached.
But I have a user in AccountA with a DenyAllOutsideEU policy where the switch role operation in the aws console gives me a "Invalid information in one or more fields. Check you information or contact your administrator".
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyAllOutsideEU",
"Effect": "Deny",
"NotAction": [
"cloudfront:*",
"iam:*",
"route53:*",
"support:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-west-1"
]}}}]}
But when I do aws sts assume-role --role-arn arn:aws:iam::xxxxxxxxx:role/myrole --role-session-name yyyy for that user in AccountA it successfully assumes the role. So I know the sts:AssumeRole is not being denied.
I know is this DenyAllOutsideEU policy that is causing it because if I add sts:* to the list of NotAction in the DenyAllOutsideEu policy in AccountA it will start working.
So what exactly happens after sts:AssumeRole, and what other permission is needed that is denied. I know I can just fixit by adding sts:* to the DenyAllOutsideEU but I want to understand exactly what is going on. I was expecting that after the successful sts:AssumeRole the AWS console would not do further request to AccountA so none of the permissions of user in AccountA would matter, but it's obviously not the case.
Is AWS Console doing some other STS request user in AccountA towards another region after the sts:AssumeRole?

Cross account sync not working

I am stumped.
I have a credential for account A: arn:aws:iam::<ACCOUNT>:user/<USER>
I have a bucket in account B: arn:aws:s3:::bucket-name
Policy on the bucket in account B is set to:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::<ACCOUNT>:user/<USER>"},
"Resource": [
"arn:aws:s3:::bucket-name/*",
"arn:aws:s3:::bucket-name"
]
}
]
}
aws --profile <PROFILE> s3 ls s3://bucket-name
fails with:
An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
I have tried 1001 variations on the policy. What am I missing?
Access your IAM tab in your AWS console - Create a group - and when your group is created - create a policy with the following information:
{
"Statement":{
"Effect":"Allow",
"Action":"s3:Get*",
"Resource":"arn:aws:s3:::your-bucket name/*"
}
}
Make your IAM user a member of the group you created - any they will now have access to your S3 bucket in a separate AWS account.
Edit: As Pointed in Comment I Would like to Add Explanation that For this to work you need to have permission from Bucket Owner and User's Own Account before cross account access is allowed.
Thus What you might be missing is the permission from user's own account.
aws --profile <PROFILE> s3 ls s3://bucket-name
Double check your PROFILE here, maybe you are using wrong profile.
This is good article to read: Reference