I have a json file bucketPolicy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:DeleteBucket"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::$${aws_s3_bucket.destination.id}",
"Principal": {
"AWS": ["*"]
}
}
]
}
And I've created a template_file as such
data "template_file" "test" {
template = file("./templates/destinationBucketPolicy.json")
vars = {
(aws_s3_bucket.destination.id) = var.destination_bucket_name
}
}
But when I try to use this for my bucket policy
resource "aws_s3_bucket_policy" "destination" {
bucket = aws_s3_bucket.destination.id
policy = data.template_file.test.rendered
}
The value for var.destination_bucket_name does not not get expanded into the policy, instead it appears literally as "Resource": "arn:aws:s3:::${aws_s3_bucket.destination.id}"
Is there a way to get this to expand so that it picks up the actual value for the variable?
These days its better to use templatefile:
locals {
test = templatefile("${path.module}/destinationBucketPolicy.json",
{
bucket_name = var.destination_bucket_name
})
}
with template of:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:DeleteBucket"
],
"Effect": "Deny",
"Resource": "arn:aws:s3:::${bucket_name}",
"Principal": {
"AWS": ["*"]
}
}
]
}
Related
I'm trying to create a job in AWS Glue using the Windows AWS Client and I'm receiving that I'm not authorized to perform: iam:PassRole as you can see:
Console>aws glue create-job --name "aws_glue_test" --role "My_Role" --command "Name=glueetlpythonshell,ScriptLocation=s3://mys3bucket/jobs/aws_glue_test.py,PythonVersion=3"
An error occurred (AccessDeniedException) when calling the CreateJob operation: User: arn:aws:iam::1111:user/My_User is not authorized to perform: iam:PassRole on resource: arn:aws:iam::1111:role/My_Role because no identity-based policy allows the iam:PassRole action
The configuration in AWS is set by using Terraform, something like this:
resource "aws_s3_bucket" "mys3bucket" {
bucket = "mys3bucket"
tags = {
Name = "mys3bucket"
ITOwnerEmail = "my#email.com"
}
}
resource "aws_s3_bucket_acl" "mys3bucket_acl" {
bucket = aws_s3_bucket.mys3bucket.id
acl = "private"
}
#=========IAM user======#
resource "aws_iam_user" "My_User" {
name = "My_User "
path = "/"
}
resource "aws_iam_user_policy" "My_User-p" {
name = "My_User-p"
user = "My_User"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::mys3bucket"
},
{
"Action": "glue:*",
"Effect": "Allow",
"Resource": "*"
},
#-- THIS IS THE SOLUTION -- #
{
"Action":[
"iam:GetRole",
"iam:PassRole"
],
"Effect":"Allow",
"Resource": "*"
}
]
}
EOF
}
#===========S3-Bucket-policy=======#
resource "aws_s3_bucket_policy" "mys3bucket-p" {
bucket = aws_s3_bucket.mys3bucket.id
policy = <<POLICY
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111:user/My_User"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::mys3bucket/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111:user/My_User"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mys3bucket"
}
]
}
POLICY
}
#===========Glue-policy=======#
resource "aws_iam_role" "My_Role" {
name = "My_Role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"glue.amazonaws.com"
]
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
### Attach policy to above Role ###
resource "aws_iam_role_policy_attachment" "My_Role_GlueService_attach" {
role = aws_iam_role.My_Role.name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
}
#===========IAM-Pass-Role=======#
resource "aws_iam_policy" "My_IAMPass_policy" {
name = "My_IAMPass_policy"
description = "IAM Pass Role Policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole"
],
"Resource": "arn:aws:iam::1111:role/My_Role"
}
]
}
EOF
}
resource "aws_iam_role_policy_attachment" "My_IAMPass_attach" {
role = aws_iam_role.My_Role.name
policy_arn = aws_iam_policy.My_IAMPass_policy.arn
}
I tried to attach IAM Pass Role but it still failing and I don't know why.
Any help is welcomed. Thank you in advance
SOLUTION: Added in the Code.
You need to add iam:PassRole action to the policy of the IAM user that is being used to create-job. Something like:
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::1111:role/My_Role"
],
"Condition": {
"StringLike": {
"iam:PassedToService": [
"glue.amazonaws.com"
]
}
}
}
I am creating a Cloudtrail and referencing an exisisting S3 bucket with policy that was created manually.I am getting an error when i do terraform apply.below is my code for the cloudtrail resource and the current S3 bucket policy that was created manually.please help
resource "aws_cloudtrail" "data_event_trail"{
name = var.trail_name
s3_bucket_name = var.cloudtrail_data_event_log_bucket_name
s3_key_prefix = var.organization_id
enable_log_file_validation = true
kms_key_id = var.kms_key_data_arn
event_selector {
read_write_type = "All"
include_management_events = false
data_resource {
type = "AWS::S3::Object"
values = ["arn:aws:s3:::${var.cloudtrail_data_event_log_bucket_name}"]
}
}
tags = var.default_tags
}
exisiting bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSCloudTrailAclCheck20150319",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::cloudtrail-data-event-logs"
},
{
"Sid": "AWSCloudTrailWrite20150319",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::cloudtrail-data-event-logs/AWSLogs/123456789012/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
error message:
Error: Error creating CloudTrail: InsufficientS3BucketPolicyException: Incorrect S3 bucket policy is detected for bucket: cloudtrail-data-event-logs
so here what I'm trying to do: is to create inline policies and attach it to an existing user?
aws_iam_user does create but instead, I would want to attach it to an existing user.
thanks
resource "aws_iam_user" "user" {
name = "arthur"
}
#Create Inline Policies for de-test
resource "aws_iam_user_policy" "arthur" {
name = "arthur inline"
user = aws_iam_user.user.name
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3inline",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:ListAllMyBuckets",
"s3:ListAccessPoints",
"s3:GetBucketLocation"
],
"Resource": "*"
},
{
"Sid": "s3inline",
"Effect": "Allow",
"Action": [
"s3:GetBucketPublicAccessBlock",
"s3:GetBucketPolicyStatus",
"s3:ListBucket",
"s3:GetBucketAcl"
],
"Resource": "arn:aws:s3:::arthur-store"
}
]
}
EOF
}
Change this:
resource "aws_iam_user" "user" {
name = "arthur"
}
To this:
data "aws_iam_user" "user" {
user_name = "arthur"
}
Or, since you only need the name, there isn't much use to looking up the user at all, so you could just do this in the aws_iam_user_policy:
resource "aws_iam_user_policy" "arthur" {
name = "arthur inline"
user = "arthur"
...
i have the following policy on an IAM role which i'm assuming into:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::mybucket/${aws:RequestTag/personalid}/*"
}
]
}
When performing assume role, i'm passing the tag:
response = sts_client.assume_role(
RoleArn=arn,
RoleSessionName=role_session_name,
Tags=[
{
'Key': 'personalid',
'Value':'a'
},
])
but i get access denied when trying to read an object under folder 'a':
s3 = boto3.resource(
's3',
aws_access_key_id=response['Credentials']['AccessKeyId'],
aws_secret_access_key=response['Credentials']['SecretAccessKey'],
aws_session_token=response['Credentials']['SessionToken'],
region_name=client_main_region
)
obj = s3.Object('mybucket', f'a/file.txt')
print(obj.get()['Body'].read().decode('utf-8'))
I've replaced the policy with "principalTag", while adding a tag to the role, and it works - what am i doing wrong?
=====
Another thing i tried, is to tag the s3 object with that ID, and with the following policy:
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Condition": {
"StringEqualsIfExists": {
"aws:RequestTag/personalid": "${s3:ExistingObjectTag/personalid}"
}
},
"Resource": "arn:aws:s3:::mybucket/*"
}
Not working
If anyone ever looks for this - apparently the trust relationship should declare those tags - so they will be available:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123:role/lambda_role"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123:role/lambda_role"
},
"Action": "sts:TagSession",
"Condition": {
"StringLike": {
"aws:RequestTag/personalid": "*"
}
}
}
]
}
Then, i could use this tag as principal tag in the assumed role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::mybucket/${aws:PrincipalTag/personalid}/*"
}
]
}
I'm attempting to attach an aws_iam_role_policy to an aws_iam_role using Terraform variables: ${aws_iam_role.AutoTagMasterRole.id}
I'm using the TF docs found at: iam_role_policy.html
Terraform error message:
aws_iam_role_policy.AutoTagMasterPolicy: Resource
'aws_iam_role.AutoTagMasterRole' not found for variable
'aws_iam_role.AutoTagMasterRole.arn'
Here's my Terraform configuration:
resource "aws_iam_role_policy" "AutoTagMasterPolicy" {
name = "AutoTagMasterPolicy"
role = "${aws_iam_role.AutoTagMasterRole.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketTagging",
"s3:PutBucketTagging",
"ec2:CreateTags",
"elasticloadbalancing:AddTags",
"autoscaling:CreateOrUpdateTags",
"rds:AddTagsToResource",
"elasticmapreduce:AddTags",
"datapipeline:AddTags"
],
"Resource": [
"*"
]
}
]
}
EOF
}
resource "aws_iam_role" "AutoTagMasterRole" {
name = "AutoTagMasterRole"
path = "/gorillastack/autotag/master/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": { "${aws_iam_role.AutoTagExecutionRole.arn}" }
},
"Action": [
"sts:AssumeRole"
]
}
]
}
EOF
}
Can someone tell me what it is I've done incorrectly?
UPDATE I've been told this relates to my attempt at porting the cloudformation function to it's equivalent in terraform.
This is what cloudformation lists:
"Principal": {
"AWS" : { "Fn::GetAtt" : [ "AutoTagExecutionRole", "Arn" ] }
},
I am trying to find the equivalent in terraform. This is what I used, but it's throwing the error.
"Principal": {
"AWS": { "${aws_iam_role.AutoTagExecutionRole.arn}" }
}
The definition of Principal is wrong in aws_iam_role
Here is the sample for you.
resource "aws_iam_role" "test_role" {
name = "test_role"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
EOF
}
So your codes should be changed to
resource "aws_iam_role" "AutoTagMasterRole" {
name = "AutoTagMasterRole"
path = "/gorillastack/autotag/master/"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": [
"sts:AssumeRole"
]
}
]
}
EOF
}
Refer: terraform aws_iam_role
After troubleshooting realized I had incorrect syntax:
"Principal": {
"AWS": { "${aws_iam_role.AutoTagExecutionRole.arn}" }
},
Should be:
"Principal": {
"AWS": "${aws_iam_role.AutoTagExecutionRole.arn}"
},
The incorrect syntax (although not accurately reported by Terraform) caused the aws_iam_role to fail writing to the tf.state file which caused the error message reporting the failure to find the resources.