I have tried setting up a permissions policy granting ssm:GetParameter and ssm:GetParameters to a role, but I get that error that "ssm:GetParameter is not allowed for this role". The only way I've found to eliminate the error is to grant ssm:* however I'd like to keep my permissions to a minimum. What am I missing here?
failing permission (account_id obscured):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:us-east-1:{redacted}:parameter/*"
}
]
}
working permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:*",
"Resource": "arn:aws:ssm:us-east-1:{redacted}:parameter/*"
}
]
}
Try using
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath"
]
If that does not help, allow "ssm:DescribeParameters".
Related
I have created a user and grant three permissions to it.
IAMFullAccess, AmazonSageMakerFullAccess and AmazonS3FullAccess
Now when i try to setup sagemaker domain, it throw following exceptions
ValidationException
Access denied in getting/accepting the portfolio shared by SageMaker. Please call withservicecatalog:AcceptPortfolioShare & servicecatalog:ListAcceptedPortfolioShares permission.
AccessDeniedException
User: arn:aws:iam::117609614511:user/tac-sagemaker is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-east-1:117609614511:domain/d-bpq1nh2g5t9l because no identity-based policy allows the sagemaker:CreateDomain action
First, I did not understand, though i granted full sagmaker access, why its not picking createDomain policy,
Second, i go to my role and manually added these policies.
Here are policies for my sagemaker role
AmazonSageMaker-ExecutionPolicy-20220813T004513
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s34sagemaker"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s34sagemaker/*"
]
}
]
}
SagemakerCreateDomain
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sagemaker:CreateDomain",
"Resource": "arn:aws:sagemaker:*:117609614511:domain/*"
}
]
}
sagemakerportfolioservices
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "servicecatalog:AcceptPortfolioShare",
"Resource": "arn:aws:catalog:*:117609614511:portfolio/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "servicecatalog:ListAcceptedPortfolioShares",
"Resource": "*"
}
]
}
But still it giving me same error
Edit
I added two new policy to my user
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
AWSServiceCatalogAdminFullAccess
Now ValidationException is gone, but still having AccessDeniedException
EDIT2:
I have attached a new custom policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"sagemaker:CreateDomain"
],
"Resource": "*"
}
]
}
But still the error is same
I would recommend using the CloudFormation template in this blog to help create the Domain and User Profile.
https://aws.amazon.com/blogs/machine-learning/automate-a-centralized-deployment-of-amazon-sagemaker-studio-with-aws-service-catalog/
I want to have an IAM user that has the ability to create an IAM Organization and nothing more.
To achieve this, I need to create a policy that is using SLR.
I am attaching the policy to the group that my IAM belongs to.
If I use the general SLR permission policy I can create an Organization with any user.
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/*"
}
When I specify the exact user resource that I want to have those permissions I can't do it anymore.
this is the template provided in the aws docs
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/SERVICE-NAME.amazonaws.com/SERVICE-LINKED-ROLE-NAME-PREFIX*",
"Condition": {"StringLike": {"iam:AWSServiceName": "SERVICE-NAME.amazonaws.com"}}
},
this is mine
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::000056397000:user/root_name:role/aws-service-role/organizations.amazonaws.com/*"
}
the error I get is:
An error occurred (AccessDeniedForDependencyException) when calling the CreateOrganization operation: The
request failed because your credentials do not have permission to create the service-linked role required
by AWS Organizations.
What am I missing?
I found a work around.
Not ideal, maybe someone has a better idea.
Group with 2 policies
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "organizations.amazonaws.com"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "organizations:CreateOrganization",
"Resource": "*"
}
]
}
Still new to AWS. I'm trying to grant a user access to only S3 buckets that have a particular naming convention. I've got a basic policy like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowActionsForProjectbucket",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": [
"arn:aws:s3:::bucket-*/*",
"arn:aws:s3:::bucket-*"
]
},
}
However I'm getting Access Denied errors when running.
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
I'm confused I guess by the error message, as I assumed that the s3:* Action covered the ListBuckets, but perhaps it's something else.
Add below policy to your AWS IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::YOUR-BUCKET",
"arn:aws:s3:::YOUR-BUCKET/*"
]
}
]
}
https://www.serverkaka.com/2018/05/grant-access-to-only-one-s3-bucket-to-aws-user.html
I have a domain: domain1 and trying to allow user1 to access it. This is the policy:
{ "Version": "2012-10-17", "Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::340539148951:user/user1"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:340539148951:domain/domain1/*"
} ] }
When the user1 tries logs in the Console and tries to go to ElasticSearch content, he gets this error:
ListDomainNames: {"Message":"User:
arn:aws:iam::340539148951:user/user1 is not authorized to perform:
es:ListDomainNames on resource:
arn:aws:es:us-east-1:340539148951:domain/*"}
So the question is where do I set this? At the user level? What would the policy be?
Dima.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1504015454000",
"Effect": "Allow",
"Action": [
"es:*"
],
"Resource": [
"arn:aws:es:us-east-1:340539148951:domain/*"
]
}
]
}
Probably too much es:* - but it worked
I have attached the following policy with an IAM user that should allow the user to create a snapshot of the EC2 instance (EBS backed).
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1473146965806",
"Action": [
"ec2:CreateSnapshot"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:MY_ACCOUNT_ID:*/*"
}
]
}
But when the user tries to execute the command to create a snapshot, the following error occurs:
An error occurred (UnauthorizedOperation) when calling the CreateSnapshot
operation: You are not authorized to perform this operation.
What is incorrect in the policy?
CreateSnapshot doesn't support resource-level permissions, you can use a wildcard for the "Resource":"*":
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1473146965806",
"Action": [
"ec2:CreateSnapshot"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions