How to require users to set their role_session_name with scp - amazon-web-services

Using an SCP, I would like to require a role_session_name for users who assume roles in my organization accounts when running a Terraform template. The role_session_name value needs to be equal to their IAM username.
I have attached the SCP below in my organization:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "sts:AssumeRole",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "sts:RoleSessionName": [
                        "${aws:username}"
                    ]
                }
            }
        }
    ]
}
Below is the ~/.aws/config file content:
[profile my_profile]
# us-west-3 is not an AWS region; eu-west-3 is what the provider block uses
region = eu-west-3
# an IAM ARN has an empty region field: arn:aws:iam::ACCOUNT_ID:...
role_arn = arn:aws:iam::ACCOUNT_ID:role/role_name
# a role_arn profile needs a source_profile (or credential_source); "default" is assumed here
source_profile = default
output = json
Below is the provider section of the Terraform template:
provider "aws" {
  # "shared_credentials" is not a provider argument: v4 of the AWS provider takes
  # shared_credentials_files (a list); v3 took shared_credentials_file
  shared_credentials_files = ["~/.aws/credentials"]
  region                   = "eu-west-3"
  profile                  = "my_profile"
}
Without specifying role_session_name = my_aws_user_name inside the config file, I am able to run the template without being blocked by the SCP.
How can I achieve this, please?
Thanks

EDIT
I finally set up an AWS organization to test. The SCP as you now have it is working fine. The role is in account A. The SCP is attached to account B:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "sts:AssumeRole",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "sts:RoleSessionName": [
                        "${aws:username}"
                    ]
                }
            }
        }
    ]
}
Using a user in account B, I tried to assume a role in account A using a random session name. I got access denied:
>aws sts assume-role --profile accountB --role-arn arn:aws:iam::<account-A>:role/<rolename> --role-session-name abc
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::<account-B>:user/<username> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account-A>:role/<rolename>
But when I use a session name that is the same as my username, I am able to:
>aws sts assume-role --profile accountB --role-arn arn:aws:iam::<account-A>:role/<rolename> --role-session-name username
{
    "Credentials": {
        "AccessKeyId": "xxx",
        "SecretAccessKey": "xxx",
        "SessionToken": "xxx",
        "Expiration": "2022-03-23T10:31:52Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "xxx:username",
        "Arn": "arn:aws:sts::xxx:assumed-role/xxx/yyy"
    }
}
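The following is an added example, not code from the question or the answer above. It shows the practical side of the answer: derive the session name the SCP demands from the caller's own identity instead of typing it by hand, and reject it early when STS would refuse it anyway. aws:username exists only for IAM users, so for a role, an assumed-role session or the account root the helper raises instead of guessing a name. The ARNs and user names are constructed placeholders; assume_role_as_self() needs boto3 and real credentials and is not called at import time.

```python
"""Build the session name the SCP expects from the caller's IAM user ARN."""
import re

# STS rejects a RoleSessionName that is not 2..64 characters of [\w+=,.@-]
# before any IAM policy or SCP is evaluated (ASCII word characters only).
_SESSION_NAME_RE = re.compile(r"^[A-Za-z0-9_+=,.@-]{2,64}$")
# An IAM user ARN may carry a path: arn:<partition>:iam::<acct>:user/<path>/<name>.
_USER_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):user/(?:.*/)?([^/]+)$")


def username_from_arn(arn: str) -> str:
    """Return the IAM user name that aws:username carries for this caller.

    Raises ValueError for anything that is not an IAM user (a role, an
    assumed-role session, the account root): aws:username is absent for those
    principals, so there is no name to copy into the session name.
    """
    m = _USER_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM user ARN: {arn}")
    return m.group(2)


def required_session_name(caller_arn: str) -> str:
    """Session name the SCP accepts for this caller: exactly the IAM user name.

    StringLike is case-sensitive and an IAM user name contains no wildcard
    characters, so the user name itself is the only value that matches.
    """
    name = username_from_arn(caller_arn)
    if not _SESSION_NAME_RE.match(name):
        raise ValueError(f"user name {name!r} is not a legal RoleSessionName")
    return name


def assume_role_as_self(role_arn: str) -> dict:
    """Assume role_arn with RoleSessionName set to the caller's IAM user name.

    Hypothetical helper for illustration: needs boto3 and credentials for an
    IAM user; returns the temporary Credentials mapping from STS.
    """
    import boto3  # imported here so the offline helpers work without boto3

    sts = boto3.client("sts")
    caller_arn = sts.get_caller_identity()["Arn"]
    session_name = required_session_name(caller_arn)
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return resp["Credentials"]


if __name__ == "__main__":
    # Constructed caller ARNs; no AWS call is made here.
    print(required_session_name("arn:aws:iam::111111111111:user/alice"))
    print(required_session_name("arn:aws:iam::111111111111:user/ops/alice"))
```

For Terraform the same value goes into the profile as `role_session_name = <user name>` in ~/.aws/config, or into the provider block as `assume_role { role_arn = "..." session_name = "<user name>" }`; an SCP only removes permissions, so the Allow for sts:AssumeRole still has to come from the user's identity policy and the role's trust policy.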

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam:::user/ is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam:::role/T
This issue is that your profile account doesn't have permission to attach a policy for the other account, so I gave the IAM user full access to the role and then it ran fine.

Related

I'm able to assume AWS role in Console but not in cli

I have an AWS organization with users (id: 111111111111) and dev (id: 222222222222) accounts. Users first log in to the users account, and are then able to switch to the dev account.
The problem: users are able to switch role via the console (website), but NOT via the CLI...
This is how I switch via the CLI:
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
  $(aws sts assume-role \
      --role-arn arn:aws:iam::222222222222:role/administrator \
      --role-session-name TestSessionName \
      --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
      --output text))
And I get the following error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::111111111111:user/gitlab-ci-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/administrator
I made sure which user I'm logged in as via the CLI:
> aws sts get-caller-identity
{
"UserId": "...",
"Account": "111111111111",
"Arn": "arn:aws:iam::111111111111:user/gitlab-ci-user"
}
The user gitlab-ci-user is a member of the AdminsDevAssumeRole group, which has the following policy:
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::222222222222:role/administrator"
            ]
        }
    ],
    "Version": "2012-10-17"
}
In the dev account (222222222222), I have the role administrator, with the following trust relationship:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
Any idea why I'm not able to switch role via the CLI (but can in the console)?

How to assign a role to an iam user?

I am trying to assign a role to a user using the AWS console but not having a whole lot of success with it. So I created a user David and I created a role with a trust policy in which I am assigning David, i.e. the IAM user, as the principal, which looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Account-ID:user/David"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
and I also attached a policy to the role which lets the user list buckets and get objects. The policy looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allowsusertotolistbuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::*"
        }
    ]
}
Now when I run aws configure and authenticate as the David user with the right access key and secret access key and run aws s3 ls, I run into the following: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied. How can I have the user assume the role? Any help will be appreciated.
IAM Roles are not 'attached' to a user. Rather, an IAM User can be permitted to assume an IAM Role.
Using the AWS CLI, they would assume an IAM Role like this:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example
In response, AWS STS will return a set of temporary credentials:
{
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
        "Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
    },
    "Credentials": {
        "SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
        "SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
        "Expiration": "2016-03-15T00:05:07Z",
        "AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
    }
}
These credentials can then be used to call AWS services 'as the IAM Role' rather than 'as the IAM User'.
See: assume-role — AWS CLI Command Reference
To make things easier, it is possible to define a profile that uses an IAM Role. The AWS CLI will automatically use IAM User credentials to call AssumeRole(), then use the resulting credentials to make the desired API call.
Here is an example profile entry:
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1
This is saying: "Use the IAM User credentials from profile user1 to call AssumeRole() on the marketingadminrole"
It can then be used like this:
aws s3 ls s3://marketing-bucket --profile marketingadmin
See: Using an IAM role in the AWS CLI - AWS Command Line Interface

Why can't I access my bucket from an assumed role?

I have an S3 bucket with no attached ACLs or policies. It was created by Terraform like so:
resource "aws_s3_bucket" "runners_cache" {
  bucket = var.runners_cache.bucket
}
I created a role and attached a policy to it; see the following console log for details:
$ aws iam get-role --role-name bootstrap-test-bootstrapper
{
    "Role": {
        "Path": "/bootstrap-test/",
        "RoleName": "bootstrap-test-bootstrapper",
        "RoleId": "#SNIP",
        "Arn": "arn:aws:iam::#SNIP:role/bootstrap-test/bootstrap-test-bootstrapper",
        ... #SNIP
$ aws iam list-attached-role-policies --role-name bootstrap-test-bootstrapper
{
    "AttachedPolicies": [
        {
            "PolicyName": "bootstrap-test-bootstrapper",
            "PolicyArn": "arn:aws:iam::#SNIP:policy/bootstrap-test/bootstrap-test-bootstrapper"
        },
        ... #SNIP
$ aws iam get-policy --policy-arn arn:aws:iam::#SNIP:policy/bootstrap-test/bootstrap-test-runner
{
    "Policy": {
        "PolicyName": "bootstrap-test-runner",
        "PolicyId": "#SNIP",
        "Arn": "arn:aws:iam::#SNIP:policy/bootstrap-test/bootstrap-test-runner",
        "Path": "/bootstrap-test/",
        "DefaultVersionId": "v7",
        ... #SNIP
$ aws iam get-policy-version --policy-arn arn:aws:iam::#SNIP:policy/bootstrap-test/bootstrap-test-runner --version-id v7
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "s3:AbortMultipartUpload",
                        "s3:CompleteMultipartUpload",
                        "s3:ListBucket",
                        "s3:PutObject",
                        "s3:GetObject",
                        "s3:DeleteObject",
                        "s3:PutObjectAcl"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:s3:::#SNIP-runners-cache/*",
                        "arn:aws:s3:::#SNIP-cloud-infrastructure-terraform-states/*"
                    ]
                },
                {
                    "Action": [
                        "s3:*"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:s3:::*"
                    ]
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v7",
        "IsDefaultVersion": true,
        "CreateDate": "2022-08-18T14:16:33+00:00"
    }
}
tl;dr this role has an attached policy that allows full access to s3 within the account.
I can successfully assume this role:
$ aws sts assume-role --role-arn arn:aws:iam::#SNIP:role/bootstrap-test/bootstrap-test-bootstrapper --role-session-name test123
{ ... #REDACTED }
$ export AWS_ACCESS_KEY_ID=ASIA2 #REDACTED
$ export AWS_SECRET_ACCESS_KEY=8 #REDACTED
$ export AWS_SESSION_TOKEN=IQoJb #REDACTED
$ aws sts get-caller-identity
{
"UserId": "#SNIP",
"Account": "#SNIP",
"Arn": "arn:aws:sts::#SNIP:assumed-role/bootstrap-test-bootstrapper/test123"
}
However, once I do this, I no longer have access to S3:
$ aws s3 ls #SNIP-runners-cache
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
$ aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
What am I missing? Is there some default behavior that prevents access to S3? How should I go about debugging these 403 errors?
It is easy to get over-obsessed with the details of the policy and forget about the role itself. In this case the permissions boundary went unnoticed in the CLI, but it is quite easy to see in the web console:
Indeed, #luk2302 was right, the limiting factor was a permissions boundary. After removing it from the role, access to S3 was restored.
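An added example, not part of the question or the answer above, covering the two checks worth running before digging into policy statements when an assumed role is denied despite an Allow: does the role carry a permissions boundary (get-role reports it, but it is easy to skim past in CLI output), and is the action allowed by both the identity policy and the boundary, since the effective permissions are their intersection and an explicit Deny in either wins. Only Action and Resource matching is modelled (no Condition, resource policies or SCPs); the get-role response and the policies are constructed sample data whose shapes follow the AWS CLI output, and the boundary policy is invented to reproduce the symptom.

```python
"""Spot a permissions boundary and compute the identity-policy/boundary intersection."""
from fnmatch import fnmatchcase
from typing import Optional


def permissions_boundary_arn(get_role_response: dict) -> Optional[str]:
    """Return the boundary policy ARN from an `aws iam get-role` response, or None."""
    boundary = get_role_response["Role"].get("PermissionsBoundary")
    return boundary["PermissionsBoundaryArn"] if boundary else None


def _matches(patterns, value: str, casefold: bool) -> bool:
    """IAM wildcard match (* and ?). Actions are case-insensitive, resources are not."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    if casefold:
        return any(fnmatchcase(value.lower(), p.lower()) for p in pats)
    return any(fnmatchcase(value, p) for p in pats)


def policy_decision(policy: dict, action: str, resource: str) -> str:
    """'Deny' if any Deny statement matches, 'Allow' if any Allow statement
    matches, else 'ImplicitDeny'. Condition elements are not evaluated."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, casefold=True):
            continue
        if not _matches(stmt["Resource"], resource, casefold=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def effective_decision(identity_policy: dict, boundary_policy: Optional[dict],
                       action: str, resource: str) -> str:
    """Intersection rule: both must allow; an explicit Deny in either wins."""
    ident = policy_decision(identity_policy, action, resource)
    if boundary_policy is None:
        return ident
    bound = policy_decision(boundary_policy, action, resource)
    if "Deny" in (ident, bound):
        return "Deny"
    return "Allow" if ident == "Allow" and bound == "Allow" else "ImplicitDeny"


# Constructed sample data (shape follows `aws iam get-role`); account id is a placeholder.
SAMPLE_GET_ROLE = {
    "Role": {
        "RoleName": "bootstrap-test-bootstrapper",
        "Arn": "arn:aws:iam::111111111111:role/bootstrap-test/bootstrap-test-bootstrapper",
        "PermissionsBoundary": {
            "PermissionsBoundaryType": "Policy",
            "PermissionsBoundaryArn": "arn:aws:iam::111111111111:policy/bootstrap-test/boundary",
        },
    }
}

# Identity policy modelled on the question: full S3 access within the account.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}],
}

# Invented boundary that never mentions S3, so the intersection for S3 is empty.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:Describe*", "sts:GetCallerIdentity"],
                   "Resource": "*"}],
}


def diagnose(action: str, resource: str) -> dict:
    """Everything a practitioner wants in one place for a single action/resource."""
    boundary = permissions_boundary_arn(SAMPLE_GET_ROLE)
    return {
        "boundary": boundary,
        "identity": policy_decision(IDENTITY_POLICY, action, resource),
        "boundary_decision": policy_decision(BOUNDARY_POLICY, action, resource) if boundary else None,
        "effective": effective_decision(IDENTITY_POLICY, BOUNDARY_POLICY if boundary else None,
                                        action, resource),
    }


if __name__ == "__main__":
    print(diagnose("s3:ListBucket", "arn:aws:s3:::example-runners-cache"))
```

Against a real role the first check is `aws iam get-role --role-name <name> --query Role.PermissionsBoundary`; a null result means no boundary and the identity policy alone decides.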

Unable to use terraform with AWS IAM role with MFA configuration

My organisation uses a gateway account for which I have AWS credentials.
We also have our personal account; in order to access our personal account, users in the gateway account assume IAM roles (created in the personal account).
With such a configuration I am trying to create a Terraform resource but somehow keep getting this error -> Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: xxxxxxx, api error AccessDenied: User: arn:aws:iam::xxxxxx:user/xx-xxxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxx2:role/xxxxxx
Here is the provider configuration I am trying:
provider "aws" {
  alias   = "mad"
  profile = "personal account"
  region  = "ap-south-1"
  assume_role {
    role_arn = "arn:aws:iam::xxxxxxx:role/personal account"
  }
}
Update: the role uses MFA too.
The personal account has a trust relationship which allows the gateway account IAM user to assume the role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::gateway-account-id:user/user"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}
The user user/xx-xxxxxx which you use to run the TF script, which is going to assume role role/xxxxxx, must have sts:AssumeRole.
You can add such a permission to the user by adding the following inline policy to it:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::xxxxxxx2:role/xxxxxx"
            ]
        }
    ]
}
UPDATE
Also, for MFA you need to use the token option in your provider configuration, or use any of the workarounds provided in the TF GitHub issue.

Amazon aws cli: assumed role returns access denied error

I am trying to use the AWS CLI to run some commands. I do not have a user account in the target region, but I am trying to use a role called "AssumedAdministrator" which has sts:AssumeRole.
I can log into the AWS web console OK using the "switch role" option,
but when I run a CLI command like:
aws --profile $profile sts get-caller-identity --region $region
I am getting the following error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::111111111111:user/john.smith is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/AssumedAdministrator
Here's the Trusted Entities tied to that role:
AssumedAdministrator role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}
What am I doing wrong? How can I run AWS CLI commands?
My sections in the credentials file:
[default]
aws_access_key_id = ##########################
aws_secret_access_key = ############################
region = ##########
[assumed-#####-admin]
role_arn = arn:aws:iam::222222222222:role/AssumedAdministrator
source_profile = default
Thanks
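The following is an added example; it is not part of any question or answer on this page. It is a small evaluator for the Condition blocks behind three of the threads above: the session-name SCP from the first question (Deny plus StringNotLike on ${aws:username}), and the trust policies in "I'm able to assume AWS role in Console but not in cli" and "Amazon aws cli: assumed role returns access denied error", both of which carry Bool aws:MultiFactorAuthPresent = false. It models StringEquals/StringLike and their Not forms, Bool, the IfExists suffix, ${var} substitution, and the absent-key rules from the IAM documentation: a plain operator on a key missing from the request context is false, while IfExists and negated operators are true. Per the same documentation, aws:MultiFactorAuthPresent is absent altogether when the caller uses long-term access keys and is present (true or false) for temporary credentials such as a console session. Resource, Principal, NotAction and any other operator are not modelled; the evaluator raises instead of guessing. All request contexts are constructed.

```python
"""Minimal IAM Condition evaluator for the SCP and trust-policy cases on this page."""
import re
from fnmatch import fnmatchcase

_VAR = re.compile(r"\$\{([A-Za-z0-9:_]+)\}")


def _resolve(value, ctx):
    """Substitute ${key} policy variables; refuse to guess if the key is absent."""
    def sub(m):
        key = m.group(1)
        if key not in ctx:
            raise ValueError(f"policy variable ${{{key}}} has no value in this request context")
        return ctx[key]
    return _VAR.sub(sub, value) if isinstance(value, str) else value


def _op_matches(op, policy_values, ctx_value):
    """Apply one operator to a context value that IS present in the request."""
    base = op[: -len("IfExists")] if op.endswith("IfExists") else op
    if base in ("StringEquals", "StringNotEquals"):
        hit = ctx_value in policy_values
    elif base in ("StringLike", "StringNotLike"):  # case-sensitive; * and ? wildcards
        hit = any(fnmatchcase(ctx_value, p) for p in policy_values)
    elif base == "Bool":
        hit = str(ctx_value).lower() in {str(p).lower() for p in policy_values}
    else:
        raise NotImplementedError(f"operator {op} not modelled")
    return (not hit) if "Not" in base else hit


def condition_matches(condition, ctx):
    """Every operator/key pair must match (AND across keys, OR across values)."""
    for op, pairs in condition.items():
        for key, raw in pairs.items():
            values = raw if isinstance(raw, list) else [raw]
            if key not in ctx:
                # Absent key: IfExists and negated operators evaluate to true;
                # plain Bool / StringEquals / StringLike evaluate to false.
                if op.endswith("IfExists") or "Not" in op:
                    continue
                return False
            if not _op_matches(op, [_resolve(v, ctx) for v in values], ctx[key]):
                return False
    return True


def evaluate(policy, action, ctx):
    """'Deny' if an applicable Deny statement exists, else 'Allow' if an
    applicable Allow exists, else 'ImplicitDeny'. Resource is not checked."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# The SCP from the first question, same structure.
SESSION_NAME_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*",
        "Condition": {"StringNotLike": {"sts:RoleSessionName": ["${aws:username}"]}},
    }],
}

# Trust-policy shape from the CLI-vs-console questions (account id is a placeholder).
MFA_FALSE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

# Constructed request contexts.
USER_SESSION_ABC = {"aws:username": "alice", "sts:RoleSessionName": "abc"}
USER_SESSION_OWN = {"aws:username": "alice", "sts:RoleSessionName": "alice"}
LONG_TERM_KEYS = {}                                       # access keys: MFA key absent
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}  # temporary creds, MFA not used
CONSOLE_MFA = {"aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    print("SCP, session abc   :", evaluate(SESSION_NAME_SCP, "sts:AssumeRole", USER_SESSION_ABC))
    print("SCP, session alice :", evaluate(SESSION_NAME_SCP, "sts:AssumeRole", USER_SESSION_OWN))
    print("trust, access keys :", evaluate(MFA_FALSE_TRUST, "sts:AssumeRole", LONG_TERM_KEYS))
    print("trust, console     :", evaluate(MFA_FALSE_TRUST, "sts:AssumeRole", CONSOLE_NO_MFA))
```

Read "ImplicitDeny" from the SCP as "the SCP does not block this"; the Allow still has to come from the IAM policy and the trust policy. For the trust policy, the difference between the console and the CLI is whether aws:MultiFactorAuthPresent is in the request context at all, which is why the same policy gives different answers to the two.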