I have one problem I want to create VPN Endpoint in AWS but it seem message error permission deny and I try to take root account to create role also not possible.
Please read AWS docs on what are and how to use trust policies:
How to use trust policies with IAM roles
Trust policies do not have resource and they use sts:AssumeRole in Actions.
Related
I am using metricbeat to monitor metrics from a few AWS accounts. I have read through the doc: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-aws.html
it says to configure the credential as environment variables or in aws credential file. But I'd like to use cross account IAM policy to access different AWS account. That means metricbeat needs to assume a role when it tries to query metrics. How can I achieve this in metrcibeat? I can't find related doc in their document.
So you can specify the IAM Role like this
Metricbeat Configuration Params
metricbeat.modules:
- module: aws
period: 300s
metricsets:
- ec2
role_arn: arn:aws:iam::123456789012:role/test-mb
I would say there is nothing like Cross Account Policy.
Your role has permissions based on the policies you assign to it via IAM Policies.
When you wanna use Cross-Account IAM Roles, you still have to assign IAM Policies on the role you create in the destination account + an IAM Trust Policy as well so that you can assume the role from another account, In addition to that your source IAM Role must have permissions to assume the destination IAM Role
IAM Role Delegation
How to use trust policies with IAM roles
IAM Tutorial: Delegate access across AWS accounts using IAM roles
I'm trying to replicate this lab :https://github.com/aws-samples/ec2-spot-montecarlo-workshop, But keep getting an error The provided credentials do not have permission to create the service-linked role for EC2 Spot Instances. seems like when it tries to create instance it fails, does anyone have an idea why ? I made sure to give it all permission role but didn't work ...
Seems that credentials which you use (IAM user or role) do not have permissions to execute an action iam:CreateServiceLinkedRole. The action:
Grants permission to create an IAM role that allows an AWS service to perform actions on your behalf
Please double check the IAM user and credentials which you use.
When lodging a spot request – there is a service-linked role that needs to be created (if it does not exist) in IAM called AWSServiceRoleForEC2Spot.
Check that the IAM user has the permission:
iam:CreateServiceLinkedRole
More in the docs:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-requests.html#service-linked-roles-spot-instance-requests
I need to provide IAM role creation permission to a user but with a condition that if he does it only from some AWS service.
For example, if a user running cloudformation stack and attempting to create an IAM role, he should be allowed. if he manually creating role it should be denied. or if a person creating a codepipeline he should have permission to create the role.
The concept you are looking for sounds like service-linked roles.
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/
However, I don't think it is supported for CloudFormation or CodePipeline
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
So I am following this Tutorial
I have created a role and attached the AmazonDynamoDBFullAccess policy to it ...
When I assign this role to Gateway API .... like this
I keep getting this error ...
Execution failed due to configuration error: API Gateway does not have
permission to assume the provided role
Isn't the "AmazonDynamoDBFullAccess" policy that I have applied to my role "MyDynamoRole" enough to give Gateway API necessary permissions ?
Found a solution ....
Under "Role --> Trust Relationship", I have added another service i.e. API Gateway ...
"apigateway.amazonaws.com"
and all good now ...
For people that might be struggling to create a role via the console, the hack is to use EC2 or Lambda based IAM roles to create a generic role and then edit the Trust Relationships to have the service.
"apigateway.amazonaws.com"
What I want to do is attach an EC2 instance to an IAM group and give that group access to keys for an S3 bucket in CKMs.
What's the best way to do this?
When you create a Customer Master Key (CMK), you define a key policy that dictates who can manage and/or use the CMK. Specifically, you can configure the key policy to enable access to the CMK from IAM users and IAM roles in the account. The latter, IAM roles, is what you would use to confer these rights to an EC2 instance.