I have been trying to create a custom IAM role attached with the permission apikeys.keys.getKeyString which is in alpha stage. I am not able to see this permission listed under the options to add it to the custom role.
This is the error I am getting when running a script -
ERROR: (gcloud.alpha.services.api-keys.get-key-string) PERMISSION_DENIED: Permission 'apikeys.keys.getKeyString' denied on resource 'xxxxxxxxx'
However, when attaching the predefined role - API Keys Viewer, I am able to successfully run my script without an error. I assume that the permission apikeys.keys.getKeyString is added to the predefined role by default. Is there any way I can have this permission added to my custom role? Alternatively, is there another way I can get the API Key string using a standard permission instead of an alpha stage permission?
According to the current Understanding Roles, the predefined role API Keys Viewer includes just:
apikeys.keys.get,
apikeys.keys.list,
apikeys.keys.lookup.
You could try adding those permissions to your custom role to see if it works.
If not, you can make your custom role based on an existing role that does work, then add and remove any permissions you wish to change.
When the feature comes out of alpha, there may be other options.
After discovering that a user (principal) needs an additional permission to perform a task, I would like to know what standard roles include that permission so I can add the role to the user. I would also like to know what other permissions each of those roles provide so I can select the one with permissions that match the user's needs. I am not able to use custom roles, and I am avoiding the basic roles as they are too wide.
At present, I am using https://cloud.google.com/iam/docs/understanding-roles#support-roles.
I search for the permission, then scroll up to see the role name and all the other permissions in that role.
It works but is slow for what must be a common task.
Is there a better web page or a gcloud API command that would work better?
The GCP documentation offers a (huge) page that allows you to identify the different roles that grant them.
In addition to the page you cited, you can also use the gcloud CLI to describe a role and see the different permissions it grants. For example:
gcloud iam roles describe roles/iam.roleViewer
The command will output:
description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA
title: Role Viewer
AFAIK, the gcloud CLI doesn't give you the opportunity to, given a certain permission, get the roles that grant it.
Based on GCP documentation, one can check the pre-defined roles given a permission.
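Since the CLI only goes one way (role to permissions), the reverse lookup can be built locally by describing the candidate roles and indexing their permissions. The following is an added example, not code from any answer above: it parses the YAML that `gcloud iam roles describe ROLE` prints (the shape quoted above) and answers "which roles grant permission X, and what else does each of them grant". The role `roles/example.auditor` and its permissions are a constructed sample, not a real GCP role; `roles/iam.roleViewer` is the real output shown above.

```python
"""
Index roles by permission from `gcloud iam roles describe` output.

Added example (not from the original posts). For any permission it lists the
roles that grant it together with the *other* permissions each role carries,
so the narrowest candidate is easy to pick.
"""
import subprocess
from typing import Dict, List

# Real output of `gcloud iam roles describe roles/iam.roleViewer`, as quoted above.
ROLE_VIEWER_YAML = """\
description: Read access to all custom roles in the project.
etag: AA==
includedPermissions:
- iam.roles.get
- iam.roles.list
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
name: roles/iam.roleViewer
stage: GA
title: Role Viewer
"""

# Constructed sample (hypothetical role name and permissions, shaped like real
# gcloud output) so the index has more than one entry.
SAMPLE_AUDITOR_YAML = """\
description: Constructed sample role for this example.
etag: AA==
includedPermissions:
- iam.roles.get
- logging.logEntries.list
name: roles/example.auditor
stage: GA
title: Example Auditor
"""


def parse_role_yaml(text: str) -> Dict[str, object]:
    """Minimal parser for the flat YAML gcloud emits: top-level `key: value`
    pairs plus a single `includedPermissions:` list of `- item` lines."""
    role: Dict[str, object] = {}
    permissions: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("- "):
            permissions.append(line[2:].strip())
        elif line != "includedPermissions:":
            key, _, value = line.partition(":")  # split on the first colon only
            role[key.strip()] = value.strip()
    role["includedPermissions"] = permissions
    return role


def describe_role(role_name: str) -> Dict[str, object]:
    """Live lookup: needs the gcloud CLI and an authenticated session."""
    out = subprocess.run(
        ["gcloud", "iam", "roles", "describe", role_name],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_role_yaml(out)


def build_index(roles: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each permission to the names of the roles that include it."""
    index: Dict[str, List[str]] = {}
    for role in roles:
        for perm in role["includedPermissions"]:
            index.setdefault(perm, []).append(str(role["name"]))
    return index


def roles_granting(index, roles_by_name, permission: str) -> Dict[str, List[str]]:
    """{role_name: sorted other permissions} for every role granting `permission`."""
    result: Dict[str, List[str]] = {}
    for name in index.get(permission, []):
        perms = roles_by_name[name]["includedPermissions"]
        result[name] = sorted(p for p in perms if p != permission)
    return result


def demo(permission: str = "iam.roles.get") -> Dict[str, List[str]]:
    """Run the lookup over the embedded samples (offline)."""
    roles = [parse_role_yaml(ROLE_VIEWER_YAML), parse_role_yaml(SAMPLE_AUDITOR_YAML)]
    by_name = {str(r["name"]): r for r in roles}
    return roles_granting(build_index(roles), by_name, permission)


if __name__ == "__main__":
    for name, others in demo().items():
        print(f"{name}: also grants {', '.join(others) or '(nothing else)'}")
```

To use it for real, replace the two embedded samples with `describe_role(name)` for each name from `gcloud iam roles list --format='value(name)'`; the index then answers the question for the whole predefined-role catalogue.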
GlueJobRunnerSession is not authorized to perform: glue:GetJob on resource
It is difficult to determine the issue without having more details about your specific scenario. Either not all permissions are correctly set, or there is another policy in place that overrides the permissions.
In order to troubleshoot this yourself, you can use the AWS IAM Policy Simulator to test and find out if the permissions are set and if there are conflicting policies interfering.
I cloned this solution azure-devops-on-aws and used dotnet lambda deploy-serverless ... to deploy the MyLizardApp to my personal AWS account.
During the learning curve, I created an S3 bucket my-lizard-test, IAM user group MyLizardGroup with user lizard-user and group policy MyLizardApp-Policy. Included in the policy are these services:
API Gateway (full access, all resources)
CloudFormation (full access, all resources)
Lambda (full access, all resources)
S3 (full access, all resources)
(Eventually) the deployment succeeded and I had a Lambda application serving the simple razor page showing the time.
I then copied the LambdaEntryPoint.cs, aws-lambda-tools-defaults.json and serverless.template files to my own dotnet core webapp (also a razor project) and attempted to deploy it to the same AWS account with the same command. The only changes made were the namespace of the LambdaEntryPoint class (reflected in the serverless.template file) and the .csproj file to include:
<AWSProjectType>Lambda</AWSProjectType>
and:
<PackageReference Include="Amazon.Lambda.AspNetCoreServer" Version="5.0.0" />
The dotnet lambda deploy-serverless ... command failed with the message:
User: arn:aws:iam::123456789120:user/lizard-user is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789120:role/MyLizardAppServiceRole (Service: AWSLambdaInternal; Status Code: 403; Error Code: AccessDeniedException; Request ID: 12345678-1234-1234-1234-123456789012; Proxy: null)
I got the command to succeed by adding the IAM service to the MyLizardApp-Policy with the PassRole (all resources).
Why was this necessary for my personal app and not the demo solution from github? If the answer is not clear, what should I be looking for as differences? My personal app is not significantly different from the demo solution and I don't think the functional differences (in C#) would matter.
Whenever an AWS Service assumes (uses) an IAM Role, the service must have iam:PassRole permission to grant permission to use the Role. This is required to prevent users from gaining too much permission.
For example, imagine a normal (non-Admin) user who launches an Amazon EC2 instance. When launching the instance, they can nominate an IAM Role to be assigned to the instance. If this user was permitted to select any IAM Role, they could select an Admin role and assign it to the EC2 instance. They could then login to the instance and use the credentials to make API calls as an Admin. This is an unwanted "privilege escalation".
Similarly, when an AWS Lambda function executes, it uses an IAM Role to obtain permissions. The iam:PassRole permission is used to control which roles a user can assign to the Lambda function.
So, there is something in that project that is trying to use an IAM Role and needs appropriate permissions.
First of all, we need to know what PassRole is:
iam:PassRole is the permission that controls which users can delegate an IAM role to an AWS resource.
As I can see in the repo, there is a file for CodeDeploy which already has credentials, so maybe you are using CodeDeploy.
But, by the way, you are using an instance to deploy a Lambda function, and you need to pass the role to that Lambda, so that is what PassRole does.
AWS Services cannot directly assume service-linked roles. The role must be passed to the service by a user with the iam:PassRole permission.
The role-passing needs to be done only once, when a resource (e.g. EC2 instance) is created. After that the resource can assume the role repeatedly.
EC2 Instance profile is implemented this way. When a user launches an instance, it passes a role to the instance to act as an instance profile (it in addition needs iam:AddRoleToInstanceProfile for this case).
Other service-linked roles are also passed in this way.
Do not confuse it with the iam:CreateRole permission. A user may freely create service-linked roles, but is unable to pass the role to a service when needed.
In the management console, and to some extent in the CLI commands, role-passing is implicit, so you may encounter it without clear error messages when using non-root accounts.
As for why sometimes you need this permission, and sometimes you don't, that is because when you use the root user, it will have AdministratorAccess which basically allows all actions on all resources.
If you create a new IAM user or account with blank permissions then you will need to add this permission manually.
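The fix in the question (PassRole on all resources) works, but it lets the deploying user hand any role in the account to any service, which is exactly the escalation the answers above describe. The following is an added example, not code from the question or the azure-devops-on-aws repo: it builds the narrow form of the grant (one role, passable only to Lambda, using the `iam:PassedToService` condition key) and a small audit function that flags PassRole statements which are not pinned that way. The account id and role name are the placeholders from the error message in the question; both policy documents are constructed.

```python
"""
Least-privilege iam:PassRole and a check for over-broad grants.

Added example, not from the original posts. `scoped_pass_role_statement`
produces a statement that allows passing exactly one role to exactly one
service; `find_broad_pass_role` reports Allow statements that would let a
principal pass any role to any service.
"""
import json
from typing import Dict, List

ACCOUNT_ID = "123456789120"  # placeholder taken from the question's error text
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/MyLizardAppServiceRole"


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scoped_pass_role_statement(role_arn: str, service: str) -> Dict:
    """Allow passing one role, and only to `service` (e.g. lambda.amazonaws.com)."""
    return {
        "Sid": "PassDeploymentRoleToLambdaOnly",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": role_arn,
        "Condition": {"StringEquals": {"iam:PassedToService": service}},
    }


def find_broad_pass_role(policy: Dict) -> List[str]:
    """Return the Sid (or index) of every Allow statement that grants
    iam:PassRole on a wildcard role resource without pinning the consuming
    service via iam:PassedToService."""
    findings: List[str] = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(a in ("iam:passrole", "iam:*", "*") for a in actions):
            continue
        resources = _as_list(stmt.get("Resource", []))
        broad_resource = any(r == "*" or r.endswith("role/*") for r in resources)
        pinned = "iam:passedtoservice" in json.dumps(stmt.get("Condition", {})).lower()
        if broad_resource and not pinned:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


# Constructed: what "IAM service, PassRole, all resources" from the question amounts to.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LambdaFull", "Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Constructed: the same deployment permissions with PassRole narrowed down.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LambdaFull", "Effect": "Allow", "Action": "lambda:*", "Resource": "*"},
        scoped_pass_role_statement(LAMBDA_ROLE_ARN, "lambda.amazonaws.com"),
    ],
}

if __name__ == "__main__":
    print("broad policy findings :", find_broad_pass_role(BROAD_POLICY))
    print("scoped policy findings:", find_broad_pass_role(SCOPED_POLICY))
    print(json.dumps(SCOPED_POLICY, indent=2))
```

The checker deliberately treats `iam:*` and `*` actions as PassRole grants too, so a policy that is broad for other reasons is reported rather than silently passed.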
I'm trying to do gsutil ls however that results in:
ubuntu@ip:~$ gsutil ls
AccessDeniedException: 403 xxxxxxxxxxxx@xxxxxxxxxx.iam.gserviceaccount.com does not have storage.buckets.list access to project xxxxxxxxxxxxxxx.
Can I give this permission with only read / viewer access IAM roles?
You certainly can. At a minimum, you can always create a custom role with exactly the permissions you want. You do this by clicking the Create Role button at the top of the roles tab. Then, once it is created, apply that role to your service account on the IAM page, like any other role.
Alternatively, you can use the same roles tab in the cloud console to search for that permission explicitly to see which roles contain it and see if any would work for you.
In this case, I don't see an obvious default one that is limited, however. That said, you could look at Storage Legacy Bucket Reader (roles/storage.legacyBucketReader) as a starting point for a custom role in this case (if you select this role on the roles tab, you can 'Create Role from Selection' to use it as a starting point).
The command gsutil ls lists the buckets in your project.
To list buckets you need the permission storage.buckets.list.
To list the objects in a bucket you need the permission storage.objects.list.
Neither of those permissions allows you to read an object. To read an object you need the permission storage.objects.get.
To only read an object, you do not need the list permissions. However, since you are using the gsutil command, you do.
There are several predefined roles that you can attach to your service account to grant the necessary permissions for gsutil.
Recommended:
roles/storage.objectViewer
Or the following two roles:
roles/storage.legacyObjectReader
roles/storage.legacyBucketReader
If you ONLY want to assign a role to read an object but not list them:
roles/storage.legacyObjectReader
Read only permissions for a GCP GCS bucket as of January 2022:
storage.buckets.get
storage.buckets.list
storage.objects.get
storage.objects.list
The "Viewer" role for the project is probably what you are looking for to view all the buckets in a project.
Otherwise, by giving only the "storage object viewer" role, you can only view the content INSIDE the bucket, by going to the correct URL of the bucket.
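Putting the answers above together, a 403 from gsutil is just the set difference between what the command needs and what the service account's roles grant. The following is an added example, not code from any of the answers: it encodes the per-command requirements listed above, a snapshot of the storage permissions in the candidate roles, and reports the missing permissions for a given command as well as the narrowest single role that would cover it. The role contents are a constructed snapshot for illustration (the `gsutil cp` entry is my own extension of the "list then read" point made above); confirm the live definitions with `gcloud iam roles describe ROLE` before relying on them.

```python
"""
Explain a gsutil AccessDeniedException as a permission gap.

Added example, not from the original posts. REQUIRED follows the answer above
(list buckets -> storage.buckets.list, list objects -> storage.objects.list,
read an object -> storage.objects.get). ROLE_PERMISSIONS is a constructed
snapshot of the storage permissions in each role; verify with
`gcloud iam roles describe ROLE`.
"""
from typing import Dict, FrozenSet, Iterable, List

# gsutil operation -> permissions it needs.
REQUIRED: Dict[str, FrozenSet[str]] = {
    "gsutil ls": frozenset({"storage.buckets.list"}),
    "gsutil ls gs://BUCKET": frozenset({"storage.objects.list"}),
    "gsutil cat gs://BUCKET/OBJECT": frozenset({"storage.objects.get"}),
    # gsutil lists before it reads, so a wildcard copy needs both (assumption).
    "gsutil cp gs://BUCKET/* .": frozenset({"storage.objects.list", "storage.objects.get"}),
}

# Constructed snapshot: storage.* permissions only, other permissions omitted.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "roles/storage.objectViewer": frozenset({"storage.objects.get", "storage.objects.list"}),
    "roles/storage.legacyObjectReader": frozenset({"storage.objects.get"}),
    "roles/storage.legacyBucketReader": frozenset({"storage.buckets.get", "storage.objects.list"}),
    "roles/viewer": frozenset({"storage.buckets.get", "storage.buckets.list",
                               "storage.objects.get", "storage.objects.list"}),
}


def effective_permissions(granted_roles: Iterable[str]) -> FrozenSet[str]:
    """Union of the permissions of all roles bound to the principal."""
    perms = set()
    for role in granted_roles:
        perms |= ROLE_PERMISSIONS[role]
    return frozenset(perms)


def missing_permissions(granted_roles: Iterable[str], command: str) -> List[str]:
    """Permissions the command needs that the granted roles do not provide."""
    return sorted(REQUIRED[command] - effective_permissions(granted_roles))


def smallest_sufficient_roles(command: str) -> List[str]:
    """Single roles that cover the command, fewest permissions first."""
    ok = [r for r, p in ROLE_PERMISSIONS.items() if REQUIRED[command] <= p]
    return sorted(ok, key=lambda r: (len(ROLE_PERMISSIONS[r]), r))


def explain(granted_roles: List[str], command: str) -> str:
    """One-line verdict in the spirit of the 403 message quoted in the question."""
    missing = missing_permissions(granted_roles, command)
    if not missing:
        return f"{command}: OK with {', '.join(granted_roles)}"
    return f"{command}: 403, missing {', '.join(missing)}"


if __name__ == "__main__":
    bound = ["roles/storage.objectViewer"]
    for cmd in REQUIRED:
        print(explain(bound, cmd), "| narrowest single role:",
              smallest_sufficient_roles(cmd)[:1])
```

Running it shows why the recommended objectViewer role fixes object listing and reading but still leaves a bare `gsutil ls` (bucket listing at project level) with the same 403 the question started from.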
I am receiving this error message when trying to upload to an AWS Lambda. This is from the AWS Example - example
In particular it says IAM is not authorized to perform iam:ListRoles nor iam:ListPolicies.
I checked my IAM user's AWS Lambda ListFunctions in the AWS policy simulator which says it is working , although I do not know if this is relevant to my problem.
thanks
(screenshot: Error Message)
(screenshot: Policy Simulator)
Your IAM user which is being used here might not be having permissions to perform operations like iam:ListRoles. Please try out the following steps:
Go to your AWS Console. And select the IAM service.
Then choose the Users tab on the left hand side.
Select the particular user (it's named General I guess).
In the permissions tab, click on Add Permissions.
A new view should be present where you need to select Attach existing policies directly option on the top.
Select the option Create Policy.
Now create a new policy by selecting service as IAM, and Actions as required (List actions) and select All resources, and create the policy.
Then select this newly created policy in the step 5 view and add permissions.
Now retry with the uploading of Lambda.
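The policy simulator check in the question only covered lambda:ListFunctions, which is why it reported success while the upload still failed on iam:ListRoles and iam:ListPolicies. The following is an added example, not code from the question or the answer and not the AWS Policy Simulator itself: a deliberately simplified local evaluator for identity-based policies (explicit Deny beats Allow, `*`/`?` wildcards in Action and Resource, case-insensitive action names; no Condition, NotAction, resource policies, permission boundaries or SCPs) applied to constructed policy documents that reproduce the before and after state of step 8. Rather than all IAM List actions, the added statement grants just the two the error names.

```python
"""
Local, simplified policy evaluation for the actions the Lambda upload needs.

Added example, not from the original posts. Returns the simulator's
vocabulary: 'allowed', 'explicitDeny' or 'implicitDeny'. Identity policies
only; Condition, NotAction/NotResource and non-identity policies are ignored.
"""
import fnmatch
from typing import Dict, List

UPLOAD_PREREQS = ("lambda:ListFunctions", "iam:ListRoles", "iam:ListPolicies")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    """IAM-style glob match (* and ?), case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policies: List[Dict], action: str, resource: str = "*") -> str:
    """Deny if any matching statement denies; allow if any matching statement
    allows; otherwise the default implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            effect = stmt.get("Effect")
            if effect == "Deny":
                return "explicitDeny"
            if effect == "Allow":
                allowed = True
    return "allowed" if allowed else "implicitDeny"


def check_lambda_upload_prereqs(policies: List[Dict]) -> Dict[str, str]:
    """Verdict per action the upload wizard calls before it can deploy."""
    return {action: evaluate(policies, action) for action in UPLOAD_PREREQS}


# Constructed: a user who can only work with Lambda (the 'before' state).
LAMBDA_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "LambdaFull", "Effect": "Allow", "Action": "lambda:*", "Resource": "*"}],
}

# Constructed: the policy created in step 8, narrowed to the two actions the
# error message names. IAM List actions do not support resource-level scoping,
# hence Resource "*".
IAM_LIST_FOR_UPLOAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ListRolesAndPoliciesForLambdaUpload",
        "Effect": "Allow",
        "Action": ["iam:ListRoles", "iam:ListPolicies"],
        "Resource": "*",
    }],
}

# Constructed: an explicit deny, to show that it overrides any Allow.
DENY_ALL_IAM = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "NoIam", "Effect": "Deny", "Action": "iam:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print("before:", check_lambda_upload_prereqs([LAMBDA_ONLY]))
    print("after :", check_lambda_upload_prereqs([LAMBDA_ONLY, IAM_LIST_FOR_UPLOAD]))
    print("deny  :", check_lambda_upload_prereqs([LAMBDA_ONLY, IAM_LIST_FOR_UPLOAD, DENY_ALL_IAM]))
```

Checking every action the wizard needs in one call avoids the trap in the question of simulating only the one action that already worked.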