We Keep Coding

AWS IAM. How allow all resources with some tag?

I need to write policy to allow see all Secrets with some tag. But when I use condition, user with this policy loses all access. What am I doing wrong?
Here is my policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecrets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/ProjectName": "Test"
}
}
}
]
}
Here is my Secret
But in result I have this message: You don't have permission to view or select from existing secrets in your account. Contact your administrator to obtain ListSecrets access.

AWS CrossAccount S3 PutObject from Lambda in another account

I am trying to put a text file from Lambda which is in Account A to S3 bucket in account B. S3 bucket(test-bucket) is having AWS-KMS encryption enabled. I added below permissions :
Added below bucket policy to S3 bucket in Account B:
{"Version": "2012-10-17",
"Id": "ExamplePolicy",
"Statement": [
{
"Sid": "ExampleStmt",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:role/Lambda-Role"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::test-bucket/*"
}
]
}
Added below policy in KMS key:
"Version": "2012-10-17",
"Id": "key-default-1",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountA:role/Lambda-Role"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}
Added below Inline policy in Account A - Lambda Role and gave access to KMS key:
{"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:DescribeKey",
"kms:ReEncrypt*"
],
"Resource": [
"arn:aws:kms:us-west-2:AccountB:key/KMS-ID"
]
}
]
}
Files are also uploading in Account B S3 Bucket but not able to view/download any of those files. Gets this error:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>5H3KEXCJ7YSCJS</RequestId>
<HostId>hqwavZZo6D0asdddcvfff+prEtoBCwTFH0AYtzzzzzztqAaPflzs85aaaaa=</HostId>
</Error>
When I checks the file properties it has : Server-side encryption- Access denied.
Don't know what am I missing here. Someone please guide.

One thing missing in Account A - Lambda Role is - it should have permission to access the bucket in account B even though the bucket policy in Account-B allows it.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::AccountABucketName"
"arn:aws:s3:::AccountABucketName/*"
]
}
]
}
And to List the files in the bucket you should also add "Resource": "arn:aws:s3:::test-bucket as well

I found the solution. I only needed to add ACL='bucket-owner-full-control' in the put_object. Below is the complete boto3 cmd.
s3.put_object(
ACL='bucket-owner-full-control'
Body=processed_content,
Bucket=processed_bucket,
Key=processed_key)

What's the right way to write an amazon s3 bucket policy?

I'm trying to upload an image from a .NET webservice to an amazon s3 bucket.
By using this public policy on the bucket i can do that:
{
"Id": "Policyxxxxxxxx",
"Version": "yyyy-MM-dd",
"Statement": [
{
"Sid": "xxxxxxxxxx",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::(bucketName)/*",
"Principal": "*"
}
] }
But when i try to give access only to my user/credentials like this:
{
"Id": "Policyxxxxxxxx",
"Version": "yyyy-MM-dd",
"Statement": [
{
"Sid": "xxxxxxxxxx",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::(bucketName)/*",
"Principal": {
"AWS": [
"arn:aws:iam::(accountID):user/(userName)"
]
}
}
]
}
i get "Accces Denied".
So what im doing wrong with the policy?

If you wish to grant access to an Amazon S3 bucket to a particular IAM User, you should put the policy on the IAM User itself rather than using a bucket policy.
For example, see: Create a single IAM user to access only specific S3 bucket

trouble with AWS S3 Bucket policty

i've tried to add this policy to my newly created S3 Bucket
{
"Id": "Policy1548665682202",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1548665490985",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::darbazar-invoices-logs",
"Principal": {
"AWS": [
"fluentd.darbazar.invoices.user"
]
}
},
{
"Sid": "Stmt1548665526321",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::darbazar-invoices-logs",
"Principal": {
"AWS": [
"testavi.uzir"
]
}
}
]
}
here u can see 2 users, 1 user has full access and 1 user has only 1 Permission, but if i click save, the Invalid principal in policy warning has returned to my screen
why? i use the Official AWS S3 policy generator to generate this policy and this principal is exist in my IAM

S3 Policy to Allow Lambda

I have the following policy on an S3 bucket created with the AWS policy generator to allow a lambda, running with a specific role, access to the files in the bucket. However, when I execute the Lambda, I get 403 permission denied:
"errorMessage": "Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: <requestId>)",
"errorType": "com.amazonaws.services.s3.model.AmazonS3Exception",
The Policy on the S3 bucket:
{
"Version": "2012-10-17",
"Id": "Policy<number>",
"Statement": [
{
"Sid": "Stmt<number>",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account>:role/<roleName>"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::<bucketName>/*"
}
]
}
What is wrong with the policy? The Lamba is running with the role configured in the policy.

A role assigned to an AWS Lambda function should be created with an AWS Lambda role (that is selected when creating a Role in the IAM console).
Roles do not have a Principal since the permissions are assigned to whichever service (in this case, Lambda function) is using the role.
Also, you should assign permissions on the bucket itself (e.g. to list contents) and on the contents of the bucket (e.g. to GetObject).
It would be something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123XXX:role/service-role/LAMBDA_ROLE_NAME"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}

After looping for I while i could make it work, the process is:
create the s3 bucket.
create the IAM policy (bucket name needed)
Create IAM role (IAM policy needed)
Create lambda Function (IAM Role needed)
Create s3 bucket policy (lambda function name needed)
IAM Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt*******",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:PutObjectVersionAcl",
"s3:PutObjectVersionTagging"
],
"Resource": [
"arn:aws:s3:::<bucket-name>"
]
}
]
}
and I use this policy on the s3 Bucket
{
"Id": "Policy************",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt********",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"s3:PutObjectVersionAcl",
"s3:PutObjectVersionTagging"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<bucket-name>/*",
"Principal": {
"AWS": [
"arn:aws:iam::*********:role/<lambda-function-name>"
]
}
}
]
}