I am trying to allow a user to assume a role on AWS. I attached an assume role policy to a group where the IAM user belongs so that they can assume a particular role. The problem is that the user now uses SSO to login and and is no longer allowed to login into through console with the IAM user credentials, therefore the user is unable to assume the role. How can I configure a user with SSO login to assume an existing IAM role? When i created the Assume role policy I chose both AssumeRole and AssumeRoleWithSaml. But it's still not working.
This is what the AssumeRole policy looks like
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithSAML"
],
"Resource": "arn:aws:iam::xxxxxxxxxxxx:role/service-role/KinesisFirehoseServiceRole--us-east-1-xxxxxxxxxxxxx"
}
]
The Trust relationship for the role looks like this
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
You need to specifically allow that user / role to be able to assume that role. Right now, the Principal is set to only allow the "firehose service" to assume that role.
The 2nd problem is that you need to specifically allow a SSO account to be able to access it. You'll need to get the ARN of your current SSO user session. To get this you should run aws sts get-caller-identity
You should get something like this
{
"UserId": "BROA5DAM2TACHAA38V9J1:daryl.teo#appetiser.com.au",
"Account": "1234567890",
"Arn": "arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abe68abec87ew/something.username"
}
Or a 1 liner aws sts get-caller-identity --output text --query Arn
Then take that value and add it to your policy as an additional policy statement.
{
"Version": "2012-10-17",
"Statement":
[
{
"Effect": "Allow",
"Principal":
{
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal":
{
"AWS": "arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abe68abec87ew/something.username"
},
"Action": "sts:AssumeRole"
},
]
}
And now you can use:
aws sts assume-role --role-arn=arn:aws:iam::123456823432:role/NameOfYourRole --role-session-name=role-session-name
I managed to enable SSO users to assume a role in the account they were authenticated to by using the following. Note that you'll need to replace ${ACCOUNT_ID}, ${SSO_ROLE_NAME}, and ${ASSUMABLE_ROLE_NAME}. You may, of course, need to repackage the bits.
aws iam create-role --role-name ${ASSUMABLE_ROLE_NAME} --assume-role-policy-document file://policy.json --profile $PROFILE
policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${ACCOUNT_ID}:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::${ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_${SSO_ROLE_NAME}_*",
"arn:aws:iam::${ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_${SSO_ROLE_NAME}_*"
]
}
}
}
]
}
Thanks to everyone that responded. I was able to complete the task using this instructions. google saml sso with AWS
Related
In the CI/CD section of the AWS SAM tutorial workshop, when I ran
sam pipeline init --bootstrap and went through the configurations, a role was created with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Allow"
}
]
}
Doesn't this grant the role complete permission over my AWS account which is a big no no? Or is it fine because the permission is granted to an AWS service, and not a user?
This is the trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Having a role that exists with those permissionsis fine.
When you create a vanilla AWS Account (in other words I am not including those created by enterprise landing zones like Control Tower) it comes with a policy called AdministratorAccess and a role called Administrator.
The best practice is in who or what you allow to use that policy and when.
Roles are preferred over users, since roles provide security credentials. With a user you have durable credentials you need to secure.
In this case you are allowing CloudFormation to assume this role. This makes sense since CloudFormation often needs to be able to create and modify any resources including IAM roles. If you know you will not be creating or modifying IAM resources you can user a more restrictive role (least privilege), for example using the PowerUserAccess policy which looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"organizations:*",
"account:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole",
"iam:ListRoles",
"organizations:DescribeOrganization",
"account:ListRegions"
],
"Resource": "*"
}
]
}
I am trying to create a permissions set that will allow me to assume a test role I have created. When I log in however I have no permissions at all. Is there something I am missing on how I should assume this role?
As I understand it permissions sets are roles in themselves and should only contain individual permissions for a specific task. Is it just not possible to assume a role this way using SSO? With the max length of the permission sets it is not feasible for us to put many of our users policies in to one set. Having log in to do one task in S3 then go back out, assume another role to do something with RDS is a pain, hence the idea to assume a role that has all the required perms.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::12341341324:role/test_sso_role"
}
]
}
The role just has a number of RO policies for S3/Cloudwatch etc, the trust policy below and no conditions attached.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::12341341324:saml-provider/AWSSSO_a1b2c3d4e5f6g8_DO_NOT_DELETE"
},
"Action": "sts:AssumeRoleWithSAML"
}
]
}
Running: aws sts get-caller-identity
{
"UserId": "ABCDEFGHIJKLMNOPQRSTU:john.smith#company.com",
"Account": "12341341324",
"Arn": "arn:aws:sts::12341341324:assumed-role/AWSReservedSSO_test_sso_role_1a2s3d4f5g6h7j8k/john.smith#company.com"
}
Is it possible to restrict AWS S3 objects such that only users who authenticate via AWS Cognito gain access to the object? I haven't figured out a way to do this, but it seems obvious to me that this would be a use case.
I want to host a website via AWS S3 and restrict some objects (my pages) so that if a user were to go them directly they'd get a permission denied error. If the user was authenticated via AWS Cognito tho the object should be available.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Deny access to objects in the secured directory.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::domain.com/secured/*"
},
{
"Sid": "Only allowed authenticated users access to a specific bucket.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::x:role/Cognito_Domain_IdP_Auth_Role"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::domain.com/secured/*"
},
{
"Sid": "Read access for web hosting.",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::domain.com/*"
}
]
}
You can pass a role to your users authenticated via cognito and then allow them certain actions.
Creating Roles for Role Mapping
It is important to add the appropriate trust policy for each role so that it can only be assumed by Amazon Cognito for authenticated users in your identity pool. Here is an example of such a trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:12345678-dead-beef-cafe-123456790ab"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
Granting Pass Role Permission
To allow an IAM user to set roles with permissions in excess of the user's existing permissions on an identity pool, you grant that user iam:PassRole permission to pass the role to the set-identity-pool-roles API.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::123456789012:role/myS3WriteAccessRole"
]
}
]
}
More Info here:
https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html
Yes, you can achieve that
But for that you can not achieve it directly configuring through the console
→First you need to create policy with limited access of Cognito and S3 bucket
→Create a role attaching them
→Assign them to your EC2 or Lambda
→Authenticate the user in your application using Cognito
→Using that you can have a signed URL for S3 object and retrieve them
This may help you
Given an IAM role created with this permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": "First"
}
]
}
is there anything that tells AWS that only lambda functions in this account should be able to assume the role. I want AWS lambda to be able to assume this role when running functions in this account, but only lambda functions running in this AWS account - not lambda functions running in other random AWS account that happen to discover the ARN of this IAM role.
If it is the case that using this configuration allows any lambda function running in any AWS account to assume this role, then how can this policy be amended to only allow lambda functions running in my account to assume this role.
"Service": "lambda.amazonaws.com" tells that your IAM role can only be assumed by Lambda.
If you want to grant permissions to another account to assume the role, your IAM policy for the role may look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AccountNumberThatCanAssumeTheRole>:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
I'm trying to create an IAM role and assign it to an EC2 instance according to Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.
The policy looks like below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
But it gives this error:
This policy contains the following error: Has prohibited field Principal
There is a similar question here but it couldn't fix this issue.
Any help would be appreciated.
Faced the same issue when trying to update the "Trust Relationship" Or same known as "Trust Policy".
"Principal" comes to play only in "Trust Policy". May be by mistake you are updating normal policy falling under the permissions tab. Try updating the policy under "Trust Relationships" tab as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
The easiest way to create a Service Role is:
Go to the IAM Console
Click Roles
Create new Role
Select an Amazon EC2 service role
Then attach your policies
It will create the trust policy for you.
Please note that the Trust Policy is stored in a separate location to the actual Policy (the bit that assigns permissions). Based upon the error message, it seems like you're putting the trust policy in the normal spot, because Roles don't need a principle (but trust policies do).
write a policy inside bucket --> permissions --> bucket policy --> save
Note: don't write policy in iam console and bucket and cloud-watch regions must be same. other region wont work.
use below policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "logs.YOUR-CLOUD-WATCH-REGION.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::YOUR-BUCKET-NAME"
},
{
"Effect": "Allow",
"Principal": {
"Service": "logs.YOUR-CLOUD-WATCH-REGION.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}