I am currently trying to add a CodeBuild Action Step (Invoking a Step Function) in my CodePipeline deployment process. Specifically, I have a Codepipeline resource in Account A and I have a stepfunction defined in Account B. I want to be able to call my Stepfunction by using the CodeBuild Action step, but I am getting a "Insufficient Permissions Error". The error is below:
Insufficient permissions
An API call to StepFunctions.describeStateMachine (RequestId: XXX) returned a AccessDeniedException error: User: arn:aws:sts::ACCOUNTA:assumed-role/SplitUnitMainStack-pipelinePipelinesplitdeployunit-YVFTJZ8E0Z5U/1640984444652 is not authorized to access this resource
Here is what the permissions looks like for Role : arn:aws:iam::782665913187:role/SplitUnitMainStack-pipelinePipelinesplitdeployunit-YVFTJZ8E0Z5U
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNTB:role/ExecuteUnitStepFunction"
}
]
}
And here is what the ExecuteUnitStepFunction Role looks like, which is defined in Account B
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"states:StartExecution",
"states:StartSyncExecution",
"states:DescribeStateMachine"
],
"Resource": "arn:aws:states:us-west-1:ACCOUNTB:stateMachine:SimpleStateMachineE8E2CF40-TzPjbhdrazrn",
"Effect": "Allow"
}
]
}
The Trust Relationship for this role is this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTA:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
I am not sure what I am missing in order to give CodeBuild cross-account permissions to execution my Step function. One thing I am not sure about is that in the error, there is set of numbers following the role (1640984444652). I am not sure if this is impacting the permissions or if I am missing a step in order to execute a Step Function across accounts using a CodeBuild action.
Related
In the CI/CD section of the AWS SAM tutorial workshop, when I ran
sam pipeline init --bootstrap and went through the configurations, a role was created with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Resource": "*",
"Effect": "Allow"
}
]
}
Doesn't this grant the role complete permission over my AWS account which is a big no no? Or is it fine because the permission is granted to an AWS service, and not a user?
This is the trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Having a role that exists with those permissionsis fine.
When you create a vanilla AWS Account (in other words I am not including those created by enterprise landing zones like Control Tower) it comes with a policy called AdministratorAccess and a role called Administrator.
The best practice is in who or what you allow to use that policy and when.
Roles are preferred over users, since roles provide security credentials. With a user you have durable credentials you need to secure.
In this case you are allowing CloudFormation to assume this role. This makes sense since CloudFormation often needs to be able to create and modify any resources including IAM roles. If you know you will not be creating or modifying IAM resources you can user a more restrictive role (least privilege), for example using the PowerUserAccess policy which looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": [
"iam:*",
"organizations:*",
"account:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:DeleteServiceLinkedRole",
"iam:ListRoles",
"organizations:DescribeOrganization",
"account:ListRegions"
],
"Resource": "*"
}
]
}
I have two AWS accounts (account A, and account B). Account A has an EC2 instance, and that instance wants to do a put item to a dynamodb located in account B.
Since it is cross-account access, I created an IAM role on account B to allow account A to do put_item, an IAM role on account A to assume that role and attached the IAM role on the EC2 instance
When I run my program, I get an error message saying that I am trying to use the assume role to put an item to a table that in the same account. (in my code i just sepcified the Account B table name)
It seems that the instance doesn’t realize that the table is on account B even I have the assumerole setup. What am I missing here?
I have also verified that I can put item using AWS CLI (after performing the STS call).
Is there any Java API that I can to specify which dynamodb arn that I want to put the item to?
Error message:
User: arn:aws:sts::ACCOUNT_A:assumed-role/Assume-role/INSTANCE_ID is not authorized to perform: dynamodb:PutItem on resource: arn:aws:dynamodb:us-east-1:ACCOUNT_A:table/TABLE_NAME (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException)
Policy on account A:
{
"Version": "2012-10-17",
"Statement": [ {
"Effect": "Allow",
"Action": [ "sts:AssumeRole", "sts:GetFederationToken" ],
"Resource": "arn:aws:iam::AccountA:role/PutItem" },
{ "Effect": "Allow",
"Action": [ "sts:DecodeAuthorizationMessage", "sts:GetAccessKeyInfo", "sts:GetCallerIdentity" ],
"Resource": "*" } ]
}
Policy on Account B:
{
"Version": "2012-10-17",
"Statement": [ {
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [ "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:UpdateTable" ],
"Resource": "arn:aws:dynamodb:region:accB:table/table name" },
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "*" } ]
}
I need to assume a cross account role to get access to an ElasticSearch domain for logging on AWS. Here's what I've done:
First, I have created a cross account role in ACCOUNT1. The role name is LoggerAccessToES and the trust relationship is something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::ACCOUNT1:root",
"arn:aws:iam::ACCOUNT2:root"
]
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Then, on ACCOUNT2, I have created a Lambda function to assume the above role with this code:
sts_client = boto3.client('sts', region_name=Config.AWS_ES_REGION)
assumed_role_object=sts_client.assume_role(
RoleArn="arn:aws:iam::ACCOUNT1:role/LoggerAccessToES",
RoleSessionName="AssumeLoggerAccessToESSession1"
)
When I invoke the lambda (basically the lambda is attached to an SNS topic), I get the error:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
I've already tried everything was suggested by other guys in other questions and I also googled the problem but I couldn't find the resolution. What am I doing wrong here?
From what i understand, you want to assume a role in Account 1 using the lambda in account 2.
This would require two roles to be created -
The first role needs to be created in the Account 2 which is to be attached to the Lambda. This role needs to have the following permission attached -
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT1:role/LoggerAccessToES"
}
}
The above policy can be added to your existing lambda execution role.
For the second part, only the trust relationship of the Role LoggerAccesstoEs needs to be addedin Account 1 shown below-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT2:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
The first role policy allows the lambda to use the AssumeRole.
The second policy allows the Account 1 to trust the AssumeRole request from Account 2.
I'm relatively new to AWS and am trying to figure out how the role policies work. I've read the AWS documentation, which is very comprehensive, but the policy I'm applying still isn't doing what I expect... let me explain
I'm trying to grant access to a role so that, when it is assumed, it can do stuff with lambda
I've create a role called "deployer".
I've then attached the below policy to that role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": "lambda:*"
"Resource": "arn:aws:iam::<account_id>:role/deployer"
}
]
}
My expectation here is that the Policy says... The specified resource (the deployer role) is "Allowed" to do any action with the Lambda service
However, when I switch to that role in the front end, I get the following error in the Lambda dashboard:
You are not authorized to perform: lambda:GetAccountSettings.
The only solution I've found is to wildcard the Resource attribute in the Policy... however that sort of negates the purpose of trying to restrict access to only that role
Example of the Policy that does what I want
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": "lambda:*"
"Resource": "*"
}
]
}
Could someone explain to me what is actually happening here? I've clearly not understood what the Resource attribute is used for... To me that second Policy says any resource can do anything with Lambda...
Thanks
You're attempting to define the role to apply the policy to in the resource attribute - that's not what the resource attribute is for. The resource attribute relates to the Lambda functions you want the user to be able to call.
To assign this policy to a role, simply create the policy as above (defining your Lambda resources appropriately, which could be a wildcard if you really want to apply this to all your Lambda functions) then assign the policy to a role in the IAM console.
See here for more information on defining resources.
Change
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": "lambda:*"
"Resource": "arn:aws:iam::<account_id>:role/deployer"
}
]
}
to
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": "lambda:*"
"Resource": "arn:aws:lambda:<region>:<account_number>:function:my-awesome-lambda-function"
}
]
}
I have two AWS account , I was able to set AWS integration for the first account using Terraform, but when I try to create AWS integration for my second account I am having an error.
I have created a role with in-line policy and we do not have a cross account set up.
! Datadog is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxx:role/DatadogAWSIntegrationRole. See http://docs.datadoghq.com/integrations/aws/
Trust Relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxxxx:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "xxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
}
]
}
Can anyone please guide me how to solve this error?
The role arn:aws:iam::xxxxxxxxxx:role/DatadogAWSIntegrationRole also has to have permission to assume the role on the other account.
You'll have to update the DatadogAWSIntegrationRole on the primary account to include:
{
"Version": "2012-10-17",
"Statement": [
...
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::xxxxxxxxxxxx:role/AssumedRoleForDataDogInOtherAccount"
}
]
}