IAM Assume Role - Trust relationship between EKS Pod and Other IAM Role - amazon-iam

I am trying to assume a role (in Account B) from inside of an EKS Pod (in Account A). When running aws sts get-caller-identity from inside of the pod, I get:
/app # aws sts get-caller-identity
{
"UserId": "AROAXXXXXXXXXXXCQLF:botocore-session-1659114796",
"Account": "00ACCOUNTA00",
"Arn": "arn:aws:sts::00ACCOUNTA00:assumed-role/my-pod-role/botocore-session-1659114796"
}
The trust relationship configs I have tried on arn:aws:iam::00ACCOUNTB00:role/yolo-test-role (in Account B), which are not working:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::00ACCOUNTA00:role/my-pod-role"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
}
]
}
and
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::00ACCOUNTA00:root"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Condition": {
"StringLike": {
"aws:userId": "AROAXXXXXXXXXXXCQLF:*"
}
}
}
]
}
and
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "00ACCOUNTA00"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Condition": {
"StringLike": {
"aws:userId": "AROAXXXXXXXXXXXCQLF:*"
}
}
}
]
}
When I try to run aws sts assume-role --role-arn 'arn:aws:iam::00ACCOUNTB00:role/yolo-test-role' --role-session-name metesting from the pod, I get:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::00ACCOUNTA00:assumed-role/my-pod-role/botocore-session-1659114796 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::00ACCOUNTB00:role/yolo-test-role

Related

AWS Role chaining for GitHub Actions

I am pretty new to AWS and struggling with role chaining for my github-actions-role.
I have a role "GithubActionsRole" which has the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity"
],
"Resource": [
"arn:aws:iam::ACCOUNT_NO:role/cdk-contactupd-deploy-role-ACCOUNT_NO-REGION"
],
"Effect": "Allow"
}
]
}
And this Trust relationships:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::ACC_NO:oidc-provider/token.actions.githubusercontent.com"
},
"Action": [
"sts:AssumeRoleWithWebIdentity",
"sts:SetSourceIdentity"
],
"Condition": {
"StringLike": {
"token.actions.githubusercontent.com:sub": "repo:my-repo/sub-dir:*"
}
}
}
]
}
So now, the GithubActionsRole should assume the role "cdk-contactupd-deploy-role-ACCOUNT_NO-REGION". This role is configured like this:
Permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:DeleteChangeSet",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStacks",
"cloudformation:ExecuteChangeSet",
"cloudformation:CreateStack",
"cloudformation:UpdateStack"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "CloudFormationPermissions"
}
]
}
Trust relationships:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NO:root"
},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity"
]
}
]
}
In my GitHub Action I execute the following:
…
- name: Set nonlive variables
run: |
echo "STAGE=nonlive" >> $GITHUB_ENV
echo "GITHUB_ROLE=arn:aws:iam::ACC_NO:role/GithubActionsRole" >> $GITHUB_ENV
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-region: MY_REGION
role-to-assume: ${{ env.GITHUB_ROLE }}
- run: aws sts get-caller-identity
- name: Deploy CDK Stacks
…
Unfortunately the last step is failing with the following message:
failed: AccessDenied: User: arn:aws:sts::***:assumed-role/GithubActionsRole/GitHubActions is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:...:stack/MY_STACK/... because no identity-based policy allows the cloudformation:DescribeStacks action.
But the "cloudformation:DescribeStacks" permission should be allowed through the role chaining from the "cdk-contactupd-deploy-role-ACCOUNT_NO-REGION" role.
I appreciate any idea how to fix it. I tried already a lot the last few days :/
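The following is an added example, not code from either of the two posts above (the EKS pod question and this GitHub Actions one): a small offline model of IAM's AssumeRole decision, written to make two points concrete. First, for the pod in Account A calling AssumeRole on yolo-test-role in Account B, a trust policy in Account B that names the pod role is necessary but not sufficient: in the cross-account case the identity-based policy attached to my-pod-role must also allow sts:AssumeRole on the target role ARN, and the AccessDenied message reads the same whichever side is missing. Second, for the GitHub Actions job, the credentials produced by configure-aws-credentials belong to GithubActionsRole; the deploy role's CloudFormation permissions are not inherited through the trust relationship and become usable only after something (CDK itself, or an explicit sts assume-role) actually assumes that role. Account IDs 111111111111 and 222222222222, the AROA... role IDs, the region and the stack ARN are constructed placeholders, and the evaluator deliberately models only the policy elements used in these posts (AWS/root principals, StringEquals/StringLike/ArnLike, no SCPs or permissions boundaries).

```python
"""Added example (not code from either post): a small offline model of IAM's
AssumeRole decision, covering only the policy elements used in these posts.
Account IDs, AROA... role IDs, region and stack ARN are constructed
placeholders; real IAM evaluation has more inputs (SCPs, boundaries, etc.)."""
import re
from dataclasses import dataclass

@dataclass
class Caller:
    account: str
    role_arn: str  # arn:aws:iam::<account>:role/<name>
    user_id: str   # role session: <role-id>:<session-name>

def _aslist(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value, ci=False):
    """IAM wildcard match: only '*' and '?' are special."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ci else 0) is not None

def _conditions_hold(cond, ctx):
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key), _aslist(wanted)
            if op == "StringEquals":
                ok = actual in wanted
            elif op in ("StringLike", "ArnLike"):
                ok = actual is not None and any(_match(p, actual) for p in wanted)
            else:
                raise NotImplementedError(op)
            if not ok:  # an absent key never satisfies a positive operator
                return False
    return True

def evaluate(policies, action, resource, ctx=None):
    """Identity-based evaluation: explicit Deny wins, else any Allow, else implicit deny."""
    allowed = False
    for st in (s for pol in policies for s in pol["Statement"]):
        if (any(_match(a, action, ci=True) for a in _aslist(st["Action"]))
                and any(_match(r, resource) for r in _aslist(st.get("Resource", "*")))
                and _conditions_hold(st.get("Condition", {}), ctx or {})):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def trust_allows(trust_policy, caller, ctx):
    """Return (allowed, matched_via_account_root). Naming the account ID or its :root
    principal delegates the decision to that account's identity-based policies."""
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or not any(_match(a, "sts:AssumeRole", ci=True) for a in _aslist(st["Action"])):
            continue
        principal = st["Principal"]
        for p in [principal] if isinstance(principal, str) else _aslist(principal.get("AWS", [])):
            via_root = p in (caller.account, f"arn:aws:iam::{caller.account}:root")
            if (p == "*" or via_root or p == caller.role_arn) and _conditions_hold(st.get("Condition", {}), ctx):
                return True, via_root
    return False, False

def can_assume(caller, identity_policies, target_role_arn, trust_policy):
    ctx = {"aws:userId": caller.user_id, "aws:PrincipalArn": caller.role_arn}
    trusted, via_root = trust_allows(trust_policy, caller, ctx)
    if not trusted:
        return False
    if target_role_arn.split(":")[4] != caller.account or via_root:  # cross-account, or trust names :root
        return evaluate(identity_policies, "sts:AssumeRole", target_role_arn, ctx)  # caller's own policy must allow too
    return True  # same account and the principal is named explicitly: the trust policy alone suffices

# Scenario 1: EKS pod role in Account A -> yolo-test-role in Account B
A, B = "111111111111", "222222222222"
POD = Caller(A, f"arn:aws:iam::{A}:role/my-pod-role", "AROAEXAMPLEPODROLE:botocore-session-1659114796")
TARGET = f"arn:aws:iam::{B}:role/yolo-test-role"
TRUST_ROLE_ARN = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": POD.role_arn},
                  "Action": ["sts:AssumeRole", "sts:TagSession"]}]}
TRUST_ROOT_USERID = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{A}:root"},
                     "Action": ["sts:AssumeRole", "sts:TagSession"],
                     "Condition": {"StringLike": {"aws:userId": "AROAEXAMPLEPODROLE:*"}}}]}
POD_ALLOW_ASSUME = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET}]}  # the missing piece

def pod_results():
    """Per trust policy tried: (without an identity policy on my-pod-role, with one)."""
    return {name: (can_assume(POD, [], TARGET, tp), can_assume(POD, [POD_ALLOW_ASSUME], TARGET, tp))
            for name, tp in (("role-arn", TRUST_ROLE_ARN), ("root+userId", TRUST_ROOT_USERID))}

# Scenario 2: a GitHub Actions session must actually hop to the deploy role to use its permissions
GHA = Caller(A, f"arn:aws:iam::{A}:role/GithubActionsRole", "AROAEXAMPLEGHAROLE:GitHubActions")
DEPLOY = f"arn:aws:iam::{A}:role/cdk-contactupd-deploy-role"
GHA_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"], "Resource": DEPLOY}]}
DEPLOY_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["cloudformation:DescribeStacks"], "Resource": "*"}]}
DEPLOY_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{A}:root"},
                "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"]}]}
STACK = f"arn:aws:cloudformation:eu-central-1:{A}:stack/MY_STACK/0123"

def github_chain():
    """(allowed as GithubActionsRole, AssumeRole hop allowed, allowed as the deploy role)."""
    before = evaluate([GHA_POLICY], "cloudformation:DescribeStacks", STACK)
    hop = can_assume(GHA, [GHA_POLICY], DEPLOY, DEPLOY_TRUST)
    return before, hop, hop and evaluate([DEPLOY_POLICY], "cloudformation:DescribeStacks", STACK)
```

pod_results() returns (False, True) for both trust policies the pod question tried: each trust policy does match the pod's session, and the call still fails until my-pod-role itself carries an Allow for sts:AssumeRole on the Account B role ARN. github_chain() returns (False, True, True): the DescribeStacks call is denied while the session is GithubActionsRole, the hop to the deploy role is permitted (trust names the account root, and the identity policy allows it), and the call succeeds only as the deploy role session.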

CodeBuild is not authorized to perform: sts:AssumeRole with condition

I am using Terraform to deploy a service role for CodeBuild using a trust policy from this guide.
The service role mentioned in the guide sets conditions on the trust policy to avoid the confused deputy problem, but with those conditions CodeBuild is not able to assume the role, with this error:
CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::<account-ID>:role/<my-role>
Without the conditions everything works fine.
Any suggestions?
Trust policy from the guide:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "<account-ID>"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:codebuild:<region-ID>:<account-ID>:project/<project-name>"
}
}
}
]
}
Generated trust policy in my role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "<account-ID>"
},
"ArnLike": {
"aws:SourceArn": "arn:aws:codebuild:us-west-2:<account-ID>:project/<my-project>"
}
}
}
]
}

Assume a role to an external account to access a specific instance of my account as Session Manager

I am a beginner studying AWS.
I'd like to give a role to external account B so that it can access my account A.
I want to use Session Manager (Systems Manager) to record the commands of external accounts.
My Account ID: A
External Account ID: B
So, in my Account A, I made ssm-accoutB-role.
The attached policy is:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": [
"arn:aws:ec2:REGION:ACCOUNT-ID_A:instance/*"
],
"Condition": {
"StringLike": {
"ssm:resourceTag/ssm": [
"true"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ssm:TerminateSession",
"ssm:ResumeSession"
],
"Resource": [
"arn:aws:ssm:*:*:session/${aws:username}-*"
]
},
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"*"
]
}
]
}
and set the trust relationship with Account B:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-ID_B:user/IAM-USER"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
and I attached a role with the AmazonSSMManagedInstanceCore policy to the instance.
Using the AWS CLI, I run aws sts get-caller-identity, export AWS_ACCESS_KEY_ID and so on...
and succeed in assuming the role.
Then I run aws ssm start-session --target instance-id
// This instance is in a private subnet connected to a NAT Gateway
and get the error "An error occurred (AccessDeniedException) when calling the TerminateSession operation: User~~"
How should I set the IAM role for SSM?
Please help me!
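An added example, not code from the post above: the TerminateSession/ResumeSession statement in the role's policy scopes the session ARN with the ${aws:username} policy variable, and that is the operation the post's error names. IAM populates aws:username only for IAM users; after sts assume-role the caller is a role session, whose request context carries aws:userid in the form <role-id>:<session-name> and no aws:username, and a variable whose key is absent from the request context is left unresolved, so the statement cannot match any session ARN. The snippet models that resolution step for both kinds of caller. The request contexts and session ARNs are constructed, and the session-ID prefixes (the user name for an IAM user, the role session name for a role session) are an assumption made for the illustration, not something taken from the post.

```python
"""Added example, not from the post: how the ${aws:username} variable in the
session resource ARN resolves for an IAM user versus an assumed role. Request
contexts and session ARNs are constructed; the session-ID prefixes are an
assumption for illustration."""
import re

SESSION_RESOURCE = "arn:aws:ssm:*:*:session/${aws:username}-*"  # the post's Resource
VAR = re.compile(r"\$\{([A-Za-z0-9:]+)\}")

def resolve(resource_pattern, ctx):
    """Substitute ${key} from the request context; None if any key is absent
    (IAM leaves such a variable unresolved and the statement does not match)."""
    if any(key not in ctx for key in VAR.findall(resource_pattern)):
        return None
    return VAR.sub(lambda m: ctx[m.group(1)], resource_pattern)

def _match(pattern, value):
    """IAM wildcard match: only '*' and '?' are special."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def may_manage_session(ctx, session_arn, resource_pattern=SESSION_RESOURCE):
    """Would the TerminateSession/ResumeSession statement match this session ARN?"""
    resolved = resolve(resource_pattern, ctx)
    return resolved is not None and _match(resolved, session_arn)

# Constructed request contexts: aws:username exists only for IAM users; an
# assumed-role session carries aws:userid (<role-id>:<session-name>) instead.
IAM_USER_CTX = {"aws:username": "alice", "aws:userid": "AIDAEXAMPLEUSERID"}
ROLE_SESSION_CTX = {"aws:userid": "AROAEXAMPLEROLEID:alice-session"}  # no aws:username
# Constructed session ARNs (assumed shape: <name>-<random suffix>).
USER_SESSION = "arn:aws:ssm:ap-northeast-2:111111111111:session/alice-0a1b2c3d4e5f6a7b8"
ROLE_SESSION = "arn:aws:ssm:ap-northeast-2:111111111111:session/alice-session-0a1b2c3d4e5f6a7b8"

def results():
    """(IAM user may manage its own session, role session may manage its own session)."""
    return may_manage_session(IAM_USER_CTX, USER_SESSION), may_manage_session(ROLE_SESSION_CTX, ROLE_SESSION)
```

results() returns (True, False): the same Resource string works for an IAM user in the account and never matches for a caller that arrived through AssumeRole, which is the shape of the cross-account setup in the post.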

aws s3api put-bucket-website - PutBucketWebsite operation: Access Denied

I'm trying to use this command to set the static website hosting:
aws s3api put-bucket-website --bucket XXXX --website-configuration file://assets/website.json
website.json
{
"IndexDocument": {
"Suffix": "index.html"
},
"ErrorDocument": {
"Key": "index.html"
}
}
bucket policy
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::XXXX/*"
}
]
}
I'm getting the error:
An error occurred (AccessDenied) when calling the PutBucketWebsite operation: Access Denied
What should I change in the bucket policy?
This PUT operation requires the S3:PutBucketWebsite permission:
Add the bucket policy:
aws s3api put-bucket-policy \
--bucket XXXX \
--policy file://s3-bucket-policy.json
s3-bucket-policy.json:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::XXXX/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"S3:PutBucketWebsite"
],
"Resource": "arn:aws:s3:::XXXX"
}
]
}
Set the static website hosting
aws s3api put-bucket-website \
--bucket XXXX \
--website-configuration file://website.json
website.json
{
"IndexDocument": {
"Suffix": "index.html"
},
"ErrorDocument": {
"Key": "index.html"
}
}
Your bucket policy only allows you to perform a GET operation, but you want to do a PUT operation.
It looks like your IAM identity has Admin and full S3 access as you mentioned, but you don't have bucket-level access for that specific bucket.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::XXXX/*"
},
{
"Sid": "AllowPutBucket",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucketname",
"arn:aws:s3:::bucketname/*"
]
}
]
}
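An added example, not code from the question or from either answer: a small linter for S3 bucket policies that flags the patterns seen in this thread: a bucket-level action such as s3:PutBucketWebsite listed with only object ARNs (bucket/*) or an object-level action listed with only the bucket ARN, a statement without a Principal (which a bucket policy requires), and a wildcard principal granted a write action. The last point is the caveat worth stating about the first answer: an Allow for s3:PutBucketWebsite with Principal "*" lets any AWS principal, anonymous callers included, rewrite the bucket's index and error document configuration. For a caller in the bucket's own account an identity-based Allow for s3:PutBucketWebsite on arn:aws:s3:::XXXX (the bucket ARN, not XXXX/*) is sufficient unless something explicitly denies it (a Deny in the bucket policy, an SCP, a permissions boundary) or the bucket belongs to another account, so when a bucket policy grant is needed it should name the deploying principal rather than "*". The action tables cover only the actions used in this thread, and the deployer role ARN in the hardened policy is a hypothetical placeholder.

```python
"""Added example, not from the question or the answers: a linter for S3
bucket policies covering the mistakes that appear in this thread. Action
tables are limited to the actions used here; names are placeholders."""

BUCKET_LEVEL = {"s3:putbucketwebsite", "s3:getbucketwebsite", "s3:deletebucketwebsite",
                "s3:listbucket", "s3:getbucketlocation", "s3:putbucketpolicy"}
OBJECT_LEVEL = {"s3:getobject", "s3:putobject", "s3:deleteobject"}
READ_ONLY = {"s3:getobject", "s3:listbucket", "s3:getbucketlocation", "s3:getbucketwebsite"}

def _aslist(v):
    return v if isinstance(v, list) else [v]

def _scope(resource):
    """'any' for *, 'object' for arn:aws:s3:::bucket/..., 'bucket' for arn:aws:s3:::bucket."""
    if resource == "*":
        return "any"
    return "object" if "/" in resource.split(":::", 1)[1] else "bucket"

def _is_public(principal):
    return principal == "*" or (isinstance(principal, dict) and "*" in _aslist(principal.get("AWS", [])))

def lint(policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        sid = st.get("Sid", f"statement[{i}]")
        if "Principal" not in st:
            findings.append(f"{sid}: no Principal (a bucket policy statement must name one)")
        scopes = {_scope(r) for r in _aslist(st["Resource"])}
        public_allow = st.get("Effect") == "Allow" and _is_public(st.get("Principal"))
        for action in _aslist(st["Action"]):
            a = action.lower()  # IAM action names are case-insensitive
            if a in BUCKET_LEVEL and not scopes & {"bucket", "any"}:
                findings.append(f"{sid}: {action} is bucket-level but only object ARNs are listed")
            if a in OBJECT_LEVEL and not scopes & {"object", "any"}:
                findings.append(f"{sid}: {action} is object-level but only bucket ARNs are listed")
            if public_allow and a not in READ_ONLY:
                findings.append(f"{sid}: {action} is granted to a public principal (*)")
    return findings

# The question's policy: public read of objects only; it grants nothing at bucket level.
QUESTION_POLICY = {"Statement": [{"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
                                  "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::XXXX/*"}]}
# The first answer's suggestion: anyone, anonymous callers included, may rewrite the website config.
PUBLIC_WEBSITE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::XXXX/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["S3:PutBucketWebsite"], "Resource": "arn:aws:s3:::XXXX"}]}
# Hardened form (hypothetical deployer role): public read stays; website config is writable by one principal.
HARDENED_POLICY = {"Statement": [
    {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::XXXX/*"},
    {"Sid": "AllowDeployerWebsiteConfig", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/deployer"},
     "Action": "s3:PutBucketWebsite", "Resource": "arn:aws:s3:::XXXX"}]}
```

lint(QUESTION_POLICY) and lint(HARDENED_POLICY) return no findings, while lint(PUBLIC_WEBSITE_POLICY) reports that S3:PutBucketWebsite is granted to a public principal; run it on the third answer's policy and it also reports the AllowPutBucket statement's missing Principal and the public s3:PutObject grant.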

An error occurred (UnauthorizedOperation) when calling the ImportImage operation

I am getting the following error when I try to import a VHD file from S3 into EC2.
I have the following policies attached to my profile:
IAMFullAccess
VMImportExportRoleForAWSConnector
AmazonEC2FullAccess
AmazonS3FullAccess
AmazonVPCFullAccess
IAMReadOnlyAccess
AmazonRoute53FullAccess
RegionRestrictions
And I have created a trusted role as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": "vmie.amazonaws.com" },
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals":{
"sts:ExternalId": "amosvmimport"
}
}
}
]
}
And I have created a trusted policy as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:FullAccess"
],
"Resource": [
"arn:aws:s3:::cloudforms.vhd"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::cloudforms.vhd/*"
]
},
{
"Effect": "Allow",
"Action":[
"ec2:ModifySnapshotAttribute",
"ec2:CopySnapshot",
"ec2:RegisterImage",
"ec2:Describe*",
"ec2:FullAccess"
],
"Resource": "*"
}
]
}
The following commands run successfully:
aws iam create-role --role-name amosvmimport --assume-role-policy-document file://trust-policy.json
aws iam put-role-policy --role-name amosvmimport --policy-name amosvmimport --policy-document file://role-policy.json
But when I try to run:
aws ec2 import-image --disk-containers file://containers.json --region ap-south-1
it is giving me error as below:
An error occurred (UnauthorizedOperation) when calling the ImportImage operation: You are not authorized to perform this operation.
Could you please let me know if I am missing any policy for this operation?