Trying to create access key using CreateAccessKey from Lambda function - amazon-web-services

I am a bit new to AWS.
I am trying to create an AccessKey using a Lambda function,
but it gives an error like this:
An error occurred (AccessDenied) when calling the CreateAccessKey operation: User: arn:aws:sts::12345645465446:assumed-role/mySecretRotate-role-4x67t1v9/mySecretRotate is not authorized to perform: iam:CreateAccessKey on resource: user test_user: ClientError
Q: How do I resolve this problem?

You can add an inline policy with the iam:CreateAccessKey permission to your mySecretRotate-role role. For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:CreateAccessKey",
      "Resource": "*"
    }
  ]
}
If you want to be more explicit, you can specify the ARN of test_user instead of "*" for Resource.

Your Lambda function role does not have the iam:CreateAccessKey permission. There are different ways to grant this permission to your Lambda, see the full documentation here. You can for example add the permission to your "mySecretRotate" role as an inline policy: click on the role and on "Add inline policy" and the visual guide will take you through the process. The resulting policy will look something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:CreateAccessKey",
      "Resource": "<user arn goes here>"
    }
  ]
}
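As an added example that is not part of either answer: the rotation step itself in Python, showing the least-privilege inline policy the Lambda role needs for a whole rotation (iam:CreateAccessKey alone only gets you the first step) and the two-key-per-user limit that IAM enforces. The IAM client is injected so the logic runs offline against the constructed FakeIAM class below; in the real function you would pass boto3.client("iam"). The account id 123456789012, the user name test_user and the key ids are assumptions for illustration.

```python
# Added example: access-key rotation for one IAM user, with the scoped policy
# the rotation role needs. Not taken from the original answers. The IAM
# client is injected (boto3.client("iam") in Lambda, FakeIAM offline).
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 2  # IAM allows at most two access keys per user


def rotation_policy(account_id, user_name):
    """Inline policy for the rotation role, scoped to the one user being rotated.
    iam:CreateAccessKey alone is not enough to finish a rotation: the role also
    has to list the existing keys, deactivate the old one and later delete it."""
    user_arn = f"arn:aws:iam::{account_id}:user/{user_name}"  # assumed account/user
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RotateOneUsersKeys",
            "Effect": "Allow",
            "Action": ["iam:ListAccessKeys", "iam:CreateAccessKey",
                       "iam:UpdateAccessKey", "iam:DeleteAccessKey"],
            "Resource": user_arn,
        }],
    }


def create_replacement_key(iam, user_name):
    """Step 1: mint a new key while the current one keeps working.
    A user at the two-key limit gets LimitExceeded from CreateAccessKey, so
    make room by deleting a key that is already Inactive; refuse to touch
    active keys, because one of them may still be in use somewhere."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) >= MAX_KEYS_PER_USER:
        inactive = [k for k in keys if k["Status"] == "Inactive"]
        if not inactive:
            raise RuntimeError(f"{user_name} already has {len(keys)} active keys; retire one first")
        oldest = min(inactive, key=lambda k: k["CreateDate"])
        iam.delete_access_key(UserName=user_name, AccessKeyId=oldest["AccessKeyId"])
    created = iam.create_access_key(UserName=user_name)["AccessKey"]
    return {"AccessKeyId": created["AccessKeyId"], "SecretAccessKey": created["SecretAccessKey"]}


def retire_previous_keys(iam, user_name, keep_key_id):
    """Last step, run only after the consumer has switched to keep_key_id:
    deactivate every other active key. Deactivation is reversible, deletion is
    not, so deletion is left to the next rotation's make-room step."""
    retired = []
    for k in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        if k["AccessKeyId"] != keep_key_id and k["Status"] == "Active":
            iam.update_access_key(UserName=user_name, AccessKeyId=k["AccessKeyId"], Status="Inactive")
            retired.append(k["AccessKeyId"])
    return retired


class FakeIAM:
    """Constructed stand-in for boto3.client("iam"); implements only the calls above."""

    def __init__(self, existing):
        self._n = 0
        self.keys = {}
        for user, entries in existing.items():
            for key_id, status in entries:
                self.keys.setdefault(user, []).append(self._key(key_id, status))

    def _key(self, key_id, status):
        self._n += 1  # later keys get later CreateDates
        return {"AccessKeyId": key_id, "Status": status,
                "CreateDate": datetime(2020, 1, 1, tzinfo=timezone.utc) + timedelta(days=self._n)}

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, [])) >= MAX_KEYS_PER_USER:
            raise RuntimeError("LimitExceeded")  # mirrors the real service's refusal
        key = self._key(f"AKIAFAKE{self._n + 1:08d}", "Active")
        self.keys.setdefault(UserName, []).append(key)
        return {"AccessKey": dict(key, UserName=UserName, SecretAccessKey="constructed-secret")}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]


if __name__ == "__main__":
    iam = FakeIAM({"test_user": [("AKIAOLD0000000001", "Active")]})  # constructed state
    new = create_replacement_key(iam, "test_user")
    print("new key:", new["AccessKeyId"])
    print("retired:", retire_previous_keys(iam, "test_user", new["AccessKeyId"]))
```

Keeping the old key active until the consumer has picked up the new one is what makes the rotation safe to run from a scheduled Lambda; the two-phase split above is the same shape Secrets Manager's rotation stages enforce.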

Related

how to add an inline policy to allow s3:ListBucket for a certain User

I'm trying to add this as an inline policy, with the ARN for the user (principal) and the ARN for the bucket (resource).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::00000000:user/name"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket name"
    }
  ]
}
error: Unsupported Principal: The policy type IDENTITY_POLICY does not support the Principal element. Remove the Principal element
I tried adding this snippet as an inline policy, but I have to find another way due to the error: Unsupported Principal: The policy type IDENTITY_POLICY does not support the Principal element. Remove the Principal element
Just remove the Principal element.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket name"
    }
  ]
}
This should work for you; just replace the user with the correct AWS user.
{
  "Id": "Policy1673568063233",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1673568062150",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket name",
      "Principal": {
        "AWS": [
          "arn:aws:iam::00000000:user/name"
        ]
      }
    }
  ]
}
The AWS Policy Generator is always a great place to go for policy generation:
https://awspolicygen.s3.amazonaws.com/policygen.html
There are two places you might place such a policy:
Bucket Policy
Policy on an IAM User
If you are creating a Bucket Policy, it will require a Principal.
However, if you are wanting to assign rules to a specific IAM User, then it is better to create a policy on the IAM User themselves. When doing this, there should not be a Principal because this is inferred by the IAM User on which the policy is placed.

Problem with AWS Lambda and cross account roles

I need to assume a cross account role to get access to an ElasticSearch domain for logging on AWS. Here's what I've done:
First, I have created a cross account role in ACCOUNT1. The role name is LoggerAccessToES and the trust relationship is something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ACCOUNT1:root",
          "arn:aws:iam::ACCOUNT2:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Then, on ACCOUNT2, I have created a Lambda function to assume the above role with this code:
import boto3

sts_client = boto3.client('sts', region_name=Config.AWS_ES_REGION)
assumed_role_object = sts_client.assume_role(
    RoleArn="arn:aws:iam::ACCOUNT1:role/LoggerAccessToES",
    RoleSessionName="AssumeLoggerAccessToESSession1"
)
When I invoke the lambda (basically the lambda is attached to an SNS topic), I get the error:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
I've already tried everything that was suggested by others in other questions, and I also googled the problem, but I couldn't find the resolution. What am I doing wrong here?
From what I understand, you want to assume a role in Account 1 using the Lambda in Account 2.
This would require two roles to be created:
The first role needs to be created in Account 2 and attached to the Lambda. This role needs to have the following permission attached:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT1:role/LoggerAccessToES"
    }
  ]
}
The above policy can be added to your existing Lambda execution role.
For the second part, only the trust relationship of the role LoggerAccessToES needs to be added in Account 1, as shown below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT2:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
The first role policy allows the Lambda to call AssumeRole.
The second policy allows Account 1 to trust the AssumeRole request from Account 2.

AWS IAM Role Policy Resource Restriction

I'm relatively new to AWS and am trying to figure out how role policies work. I've read the AWS documentation, which is very comprehensive, but the policy I'm applying still isn't doing what I expect... let me explain.
I'm trying to grant access to a role so that, when it is assumed, it can do things with Lambda.
I've created a role called "deployer".
I've then attached the policy below to that role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "arn:aws:iam::<account_id>:role/deployer"
    }
  ]
}
My expectation here is that the Policy says... The specified resource (the deployer role) is "Allowed" to do any action with the Lambda service
However, when I switch to that role in the front end, I get the following error in the Lambda dashboard:
You are not authorized to perform: lambda:GetAccountSettings.
The only solution I've found is to wildcard the Resource attribute in the Policy... however that sort of negates the purpose of trying to restrict access to only that role
Example of the Policy that does what I want
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "*"
    }
  ]
}
Could someone explain to me what is actually happening here? I've clearly not understood what the Resource attribute is used for... To me that second Policy says any resource can do anything with Lambda...
Thanks
You're attempting to define the role to apply the policy to in the resource attribute - that's not what the resource attribute is for. The resource attribute relates to the Lambda functions you want the user to be able to call.
To assign this policy to a role, simply create the policy as above (defining your Lambda resources appropriately, which could be a wildcard if you really want to apply this to all your Lambda functions) then assign the policy to a role in the IAM console.
See here for more information on defining resources.
Change
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "arn:aws:iam::<account_id>:role/deployer"
    }
  ]
}
to
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Action": "lambda:*",
      "Resource": "arn:aws:lambda:<region>:<account_number>:function:my-awesome-lambda-function"
    }
  ]
}
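As an added example, not taken from any of the answers on this page: a small Python model of the two checks behind the last two questions, the Action/Resource match of an identity policy (with IAM's `*` and `?` wildcards) and the two-sided check behind cross-account AssumeRole. It shows why a Resource holding the role's own ARN never matches a Lambda function ARN, why lambda:GetAccountSettings (the call the Lambda console makes when the dashboard loads) still fails with a function-ARN policy because it accepts only Resource "*", and why the cross-account case needs both the caller's sts:AssumeRole permission and the target's trust policy. Only Allow statements and the elements used on this page are modelled; real IAM also evaluates Deny, Condition, SCPs and permission boundaries. Account ids, role and function names are assumptions.

```python
# Added example, not taken from the answers above: a model of IAM's
# identity-policy check (Action + Resource with * and ? wildcards) and of the
# two-sided cross-account AssumeRole check. Only Allow statements are
# modelled; real IAM also evaluates Deny, Condition, SCPs and boundaries.
# Account ids and names in the usage section are assumptions.
import re


def as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def pattern_match(pattern, value):
    """IAM wildcard semantics: '*' matches any run of characters (including ':'
    and '/'), '?' exactly one character; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def allows(policy, action, resource):
    """True if some Allow statement in an identity policy covers action on resource.
    For actions without resource-level support (e.g. lambda:GetAccountSettings)
    the request carries no ARN: pass resource="*", and only a Resource "*"
    pattern will match, which is why a function-ARN policy still fails there."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(pattern_match(a, action) for a in as_list(stmt.get("Action", []))):
            continue
        if any(pattern_match(r, resource) for r in as_list(stmt.get("Resource", []))):
            return True
    return False


def principal_trusted(trust_policy, caller_arn):
    """Trust-policy side: does the role's trust policy name the caller?
    'arn:aws:iam::ACCOUNT:root' stands for any principal in that account,
    which then still needs its own sts:AssumeRole permission."""
    caller_account = caller_arn.split(":")[4]
    for stmt in as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(pattern_match(a, "sts:AssumeRole") for a in as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        if any(p in ("*", caller_arn, f"arn:aws:iam::{caller_account}:root") for p in aws):
            return True
    return False


def can_assume(caller_policy, caller_arn, trust_policy, role_arn):
    """Cross-account AssumeRole needs both halves: the caller's identity policy
    must grant sts:AssumeRole on the target role, and the target's trust policy
    must name the caller or its account. Missing either gives AccessDenied."""
    return allows(caller_policy, "sts:AssumeRole", role_arn) and principal_trusted(trust_policy, caller_arn)


if __name__ == "__main__":
    fn = "arn:aws:lambda:us-east-1:123456789012:function:my-awesome-lambda-function"  # assumed
    wrong = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "lambda:*",
             "Resource": "arn:aws:iam::123456789012:role/deployer"}]}
    right = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": fn}]}
    print(allows(wrong, "lambda:InvokeFunction", fn))       # False: a role ARN never matches a function ARN
    print(allows(right, "lambda:InvokeFunction", fn))       # True
    print(allows(right, "lambda:GetAccountSettings", "*"))  # False: needs a second statement with Resource "*"
```

The practical consequence for the deployer role: keep the function-scoped statement, and add a separate statement with Resource "*" that lists only the account-level read actions the console needs, rather than widening lambda:* to "*".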

aws cloudfront permissions

I'm trying to allow a group I defined to have invalidation privileges.
I defined a policy on the group that looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1511787279000",
      "Effect": "Allow",
      "Action": [
        "cloudfront:CreateInvalidation",
        "cloudfront:ListInvalidations"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Ultimately I'd like to lock the resource down to specific CloudFront ARNs, but even at this point it doesn't work. When I use the AWS CLI tool I get:
An error occurred (AccessDenied) when calling the CreateInvalidation operation: User: arn:aws:iam::5555555555:user/username is not authorized to perform: cloudfront:CreateInvalidation
What am I doing wrong?

Creating a role gives an error

I am using the following CLI command to create a role and attach a policy:
aws iam create-role --role-name SMS-Role --assume-role-policy-document file://D:\AWS\Cognito\SMSRolePolicy.txt
SMSRolePolicy.txt contains the following policy:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Resource": "*",
    "Action": "sns:publish"
  }
}
On executing the CLI script I get the following error:
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource
What? Where is your trust relationship policy document?
Your code works for adding policies to an existing attached role. To attach the role, you need to have AssumeRole permission for the resource. It should be something like:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}
Follow the Amazon link to set it up correctly.
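As an added example that is not part of any answer here: a structural checker, in Python, for the two API errors quoted on this page, "IDENTITY_POLICY does not support the Principal element" from the s3:ListBucket question and "Has prohibited field Resource" from the create-role question. The three policy shapes involved differ in which elements they require or forbid: an identity policy (inline or managed, attached to a user, group or role) must not carry Principal; a resource policy (an S3 bucket policy) must; a role's trust policy (the --assume-role-policy-document) must carry Principal and must not carry Resource. The checker also flags the common s3:ListBucket slip of pointing Resource at objects (bucket/*) instead of the bucket, and gives a hint when a pasted document contains curly quotes, as the snippet in the ListBucket question did. Bucket and user names are assumptions.

```python
# Added example, not from the original answers: shape-check an IAM policy
# document against the rules for its policy type before sending it to the API.
#   identity policy (on a user, group or role): no Principal
#   resource policy (S3 bucket policy):        Principal required
#   trust policy (--assume-role-policy-document): Principal required, Resource forbidden
# Names in the usage section are assumptions.
import json

RULES = {
    "identity": {"required": [("Action", "NotAction"), ("Resource", "NotResource")],
                 "prohibited": ["Principal", "NotPrincipal"]},
    "resource": {"required": [("Action", "NotAction"), ("Resource", "NotResource"),
                              ("Principal", "NotPrincipal")],
                 "prohibited": []},
    "trust":    {"required": [("Action", "NotAction"), ("Principal", "NotPrincipal")],
                 "prohibited": ["Resource", "NotResource"]},
}


def as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def parse_policy(text):
    """json.loads with a hint for the commonest copy-paste failure: curly quotes
    pasted from a web page or word processor are not JSON string delimiters."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as e:
        hint = ' (document contains curly quotes; replace them with ")' if any(q in text for q in "\u201c\u201d\u2018\u2019") else ""
        raise ValueError(f"policy is not valid JSON: {e}{hint}") from None


def validate(policy, policy_type):
    """Return a list of problems (empty means the document has the right shape
    for policy_type). Shape only: it does not evaluate what the policy grants."""
    rules = RULES[policy_type]
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append('Version should be "2012-10-17"')
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        where = f"Statement[{i}]"
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        for group in rules["required"]:
            if not any(k in stmt for k in group):
                problems.append(f"{where}: missing {' or '.join(group)}")
        for k in rules["prohibited"]:
            if k in stmt:
                problems.append(f"{where}: {k} is not allowed in {policy_type} policies")
        actions = as_list(stmt.get("Action", []))
        if policy_type == "trust":
            # A trust policy only says who may assume the role; it grants nothing else.
            bad = [a for a in actions if not a.startswith("sts:")]
            if bad:
                problems.append(f"{where}: trust policy Action must be an sts: action, got {bad}")
        if "s3:ListBucket" in actions:
            # ListBucket is a bucket-level action; bucket/* addresses objects and never matches.
            for r in as_list(stmt.get("Resource", [])):
                if r.startswith("arn:aws:s3:::") and "/" in r:
                    problems.append(f"{where}: s3:ListBucket is bucket-level; use {r.split('/')[0]}, not {r}")
    return problems


if __name__ == "__main__":
    inline = parse_policy('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:user/name"},
        "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucket-name"}]}''')
    print(validate(inline, "identity"))  # Principal flagged: this shape is a bucket policy
    print(validate(inline, "resource"))  # []
    trust = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Resource": "*", "Action": "sns:publish"}}
    print(validate(trust, "trust"))      # missing Principal, Resource forbidden, sns:publish is not sts:
```

Run it against a document before create-role or put-user-policy and the "prohibited field" class of errors shows up locally, with a message that says which policy type the document actually fits.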