AWS Find all groups/users that have access to a specific role - amazon-iam

If I have a role named OperationAdmins which grants the AdministratorAccess Policy to anyone that assumes the role, how can I find a list of all users or groups that can assume the OperationAdmins role?

Just to give you an example; you can customize it to fit your own needs. You can use the IAM policy simulator API to achieve this.
import boto3

iamc = boto3.client('iam')
iamr = boto3.resource('iam')

# list_users is paginated (at most 100 users per call), so walk every page
iam_paginator = iamc.get_paginator('list_users')
iam_page_iterator = iam_paginator.paginate()

# Resolve the role's ARN; this is the resource the assume-role decision is made against
operation_admins_iam_role = iamr.Role('OperationAdmins')
operation_admins_iam_role_arn = operation_admins_iam_role.arn

for page in iam_page_iterator:
    users = page['Users']
    for user in users:
        user_arn = user['Arn']
        # Evaluates the user's identity-based policies (attached, inline and
        # group policies) for sts:AssumeRole on the role ARN
        resp = iamc.simulate_principal_policy(
            PolicySourceArn=user_arn,
            ActionNames=['sts:AssumeRole'],
            ResourceArns=[operation_admins_iam_role_arn]
        )
        decision = resp['EvaluationResults'][0]['EvalDecision']
        print(user_arn, decision)

There are two sides to trust:
1. The identity asking to assume
2. The identity allowing the assume
(Asker) Users/groups can have permissions. The important one being sts:AssumeRole.
(Allowing) In your case the OperationAdmins role. It will have a trust relationship which defines who is allowed to assume it.
Read more: https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/
This trust relationship allows anyone in account 111122223333 who has the sts:AssumeRole permission to assume it.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
This trust relationship allows user LiJuan if he has sts:AssumeRole permissions.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:user/LiJuan"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

Related

AWS sts assume role - user is trusted by target role, user has sts permissions to assume target role. "User not allowed to perform assume role"

I am trying to assume a role in a different account to give me read access. The role (ROLE_IN_TARGET_ACCOUNT) has the permissions I need, however I am getting an error that my user (SOURCE_USER) is not allowed to assume the role.
The ROLE_IN_TARGET_ACCOUNT also has the following trust relationships:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SOURCE_ACCOUNTID:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
The following policy has been added to an IAM user group in SOURCE_ACCOUNTID:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT"
    }
}
and SOURCE_USER is a member of this user group. So ROLE_IN_TARGET_ACCOUNT should trust SOURCE_USER, and SOURCE_USER should have permissions to assume ROLE_IN_TARGET_ACCOUNT.
However, I get the error
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT
What am I missing here?
The policies you've shared seem fine (other than the second trust policy being redundant - root includes all auth'd and auth'z principals in SOURCE_ACCOUNTID, which includes SOURCE_ACCOUNTID).
Are there any SCPs, Permissions Boundaries, or Session Policies in your environment? An explicit Deny anywhere in the policy evaluation flow will prevent an otherwise good Allow configuration from working.

AssumingRole is not authorized to perform, even if add the policies strategy

What I am trying to do is use my IAM user udagram-xue-dev to assume the role eksClusterRole. This is my policy configuration:
This policy has been added to my IAM user:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::111111111111:role/eksClusterRole"
        }
    ]
}
This trust policy has been added to my eksClusterRole:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:user/udagram-xue-dev",
                "Service": "eks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
but I still get this problem:
I have read a lot of relevant details about this assuming role problem, but I still can't figure out how to fix it. It seems that they all just need to add these policies, then it'll be OK.
According to your configuration, everything seems to be in place. However, there might be a different policy (permission boundary, service control policy, or another IAM policy applied to the user) that overrides the permissions.
You can test your policies and find out if there’s anything interfering with your permissions using the IAM Policy Simulator.

Assume AWS Role From User in Same Account

I'm a little confused about the requirements for assuming a role from an IAM user in the same AWS account.
Per this document: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html:
If the user is in the same account as the role, then you can do either
of the following:
Attach a policy to the user (identical to the previous user in a
different account).
Add the user as a principal directly in the role's trust policy.
I explicitly added an assume-role policy to the group granted to my user and it could not assume the noted role:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::123456789:role/some-role-name"
    }
}
Once I added the account number as a principal to the trust policy of the target role, it started working though:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com",
                "AWS": "arn:aws:iam::123456789:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
So, I'm confused for 2 reasons:
Why didn't the first policy alone work given the documentation I've quoted?
The second bullet in the documentation says "add the user as a principal". I think I added the whole account though instead of the user. What is the syntax for adding just this user? I didn't come across it in the documents I read.
1) That looks fine to me, given that the account ID and the role name are correct. Can you add the exact error you're getting?
This is an actual example of one of my policies, which lets users who are granted this policy assume the role developer in the accounts acc1, acc2, and acc3:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::acc1:role/developer",
                "arn:aws:iam::acc2:role/developer",
                "arn:aws:iam::acc3:role/developer"
            ]
        }
    ]
}
2) Instead of root, use the arn for the IAM user. Something along the lines of "arn:aws:iam::123456789:user/John"

Is it possible to specify a pattern for an AWS role Trust Relationship

I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently.
I came up with this policy for the Trust Relationship, which should allow any role whose name ends with _my_suffix, but it doesn't work (access is denied):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
            },
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
                }
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
On the other hand, this policy works but it's too open, as it allows any user/role in account A to assume my role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
So, is there any way to allow only a set of roles without being explicitly specified?
I encountered the same use-case recently. None of the responses resolved this for me.
Charli, your original solution is valid but I needed some tweaks to get it to work, namely, I needed to replace 'ArnLike' with 'StringLike' and switch 'aws:SourceArn' to 'aws:PrincipalArn':
{
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringLike": {
            "aws:PrincipalArn": "arn:aws:iam::<ACCOUNT_ID>:role/test-role-name-*"
        }
    }
}
It is not possible to use a wildcard in the trust policy except "Principal" : { "AWS" : "*" }. The reason being that when you specify an identity as Principal, you must use the full ARN, since IAM translates it to the unique ID, e.g. AIDAxxx (for an IAM user) or AROAxxx (for an IAM role). Below is from the documentation:
If your Principal element in a role trust policy contains an ARN that points to a specific IAM user, then that ARN is transformed to the user's unique principal ID when the policy is saved. This helps mitigate the risk of someone escalating their privileges by removing and recreating the user. You don't normally see this ID in the console, because there is also a reverse transformation back to the user's ARN when the trust policy is displayed.
This seems to be an issue with delegating access to the trusting account (your account) and not the trusted account (the _my_suffix AWS account). These are a few things that you can check in the following URL.
Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
Thanks

Allow selected IAM users to switch role

I have two AWS accounts (Account A & B). I want to allow a few IAM users of Account B to access resources of Account A via AWS IAM roles.
I have created the role and it works fine. However, I see that any IAM user who gets hold of the role name is able to switch roles and access the resources.
Is there a way to allow only specific users of Account B to be able to switch to the role?
The trust policy statement is as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Account-B:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
You can add the users who should be prevented from assuming the role to a group. Then you can attach an IAM policy to the IAM group with an explicit Deny.
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::Account_A_ID:role/Rolename"
    }
}
http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html#tutorial_cross-account-with-roles-2
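The threads above keep returning to the same decision: the role's trust policy must match the calling principal, the caller's identity-based policies must allow sts:AssumeRole on the role (except for a same-account principal named directly in the trust policy), and an explicit Deny anywhere, whether in a group policy, a permissions boundary or an SCP, overrides every Allow. The simulate_principal_policy call in the first answer only evaluates the identity side; the trust side still has to be read from the role's AssumeRolePolicyDocument. The script below is an added example (not code from any of the posts) that models both sides offline: it evaluates constructed policy documents for the "two sides to trust" answer, implements the StringLike condition on aws:PrincipalArn from the wildcard answer (while, as the unique-ID answer explains, matching Principal ARNs exactly), and shows the explicit-Deny group trick from the last answer. Account IDs, role and user names, and the condition operators it supports are all assumptions; it is a simplified model of IAM evaluation, not the service's own logic.

```python
import re

# Constructed sample documents (made-up account IDs and names, not a real account).
ACCOUNT_A, ACCOUNT_B = "111122223333", "444455556666"   # role owner / trusted account
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/OperationAdmins"

# Trust policy: delegates to account B's root, narrowed by a StringLike condition
# on aws:PrincipalArn (wildcards are not valid inside Principal itself), and also
# names one same-account user directly.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
     "Condition": {"StringLike": {"aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_B}:role/*_my_suffix"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:user/LiJuan"}},
]}
# Identity-based policies: the usual Allow, and the explicit Deny used to carve
# specific users out of a role that trusts a whole account.
ALLOW_ASSUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
DENY_ASSUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def wildcard_match(pattern, value):
    """IAM-style matching: '*' is any run of characters, '?' a single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def principal_match(principal, arn):
    """'direct' (ARN named exactly), 'root' (delegated to the principal's own
    account), 'any', or None. Exact comparison only: IAM stores the unique ID."""
    if principal == "*":
        return "any"
    account = arn.split(":")[4]
    for p in _as_list(principal.get("AWS", [])):
        if p == "*":
            return "any"
        if p in (account, f"arn:aws:iam::{account}:root"):
            return "root"
        if p == arn:
            return "direct"
    return None


def condition_match(condition, context):
    """Only the string/ARN comparison operators are modelled (assumption)."""
    for op, pairs in condition.items():
        if op not in ("StringLike", "ArnLike", "StringEquals", "ArnEquals"):
            raise ValueError(f"operator {op} not modelled")
        for key, patterns in pairs.items():
            value = context.get(key, "")
            if not any(wildcard_match(p, value) if op.endswith("Like") else p == value
                       for p in _as_list(patterns)):
                return False
    return True


def evaluate(policies, action, resource, arn, context):
    """IAM combination rule: explicit Deny anywhere wins, else any matching Allow,
    else implicit deny. Also returns how the Principal element matched."""
    decision, how = "ImplicitDeny", None
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(wildcard_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if "Resource" in stmt and not any(wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            via = principal_match(stmt["Principal"], arn) if "Principal" in stmt else "n/a"
            if via is None or not condition_match(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", via
            decision, how = "Allow", via
    return decision, how


def can_assume(arn, identity_policies, role_arn, trust_policy):
    """Both sides must agree: a same-account principal named directly in the trust
    policy needs no identity policy; root delegation and cross-account access need
    an identity Allow; an explicit Deny on either side blocks."""
    ctx = {"aws:PrincipalArn": arn, "aws:PrincipalAccount": arn.split(":")[4]}
    trust, via = evaluate([trust_policy], "sts:AssumeRole", role_arn, arn, ctx)
    if trust != "Allow":
        return False, f"trust policy: {trust}"
    identity, _ = evaluate(identity_policies, "sts:AssumeRole", role_arn, arn, ctx)
    if identity == "Deny":
        return False, "identity policy: explicit Deny"
    if via == "direct" and role_arn.split(":")[4] == ctx["aws:PrincipalAccount"]:
        return True, "named directly in trust policy (same account)"
    if identity == "Allow":
        return True, f"trusted via {via} + identity Allow"
    return False, f"trusted via {via} but identity policy: {identity}"


if __name__ == "__main__":
    for arn, pols in [(f"arn:aws:iam::{ACCOUNT_B}:role/ci_my_suffix", [ALLOW_ASSUME]),
                      (f"arn:aws:iam::{ACCOUNT_B}:role/ci_my_suffix", [ALLOW_ASSUME, DENY_ASSUME]),
                      (f"arn:aws:iam::{ACCOUNT_B}:role/other", [ALLOW_ASSUME]),
                      (f"arn:aws:iam::{ACCOUNT_A}:user/LiJuan", [])]:
        print(arn, can_assume(arn, pols, ROLE_ARN, TRUST_POLICY))
```

To model a permissions boundary or an SCP, append its document to the identity_policies list: because evaluate applies deny-wins across every document it is given, a Deny in any of them produces the same AccessDenied outcome the answers describe, even when the user's own Allow and the role's trust policy both look correct.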