When I write the following code:
const somePolicy: PolicyStatement = new PolicyStatement({
effect: Effect.ALLOW,
resources: ["someData/*"],
actions: ["es:*"],
principals: [
new ArnPrincipal("*")
],
conditions: {
IpAddress: {
SourceIp: ["*"]
}
}
});
I receive following access policy in the Elastic-Domain:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "es:*",
"Resource": "someData/*",
"Condition": {
"IpAddress": {
"SourceIp": "*"
}
}
}
]
}
My goal is to get this principal:
"Principal": {
"AWS": "*"
},
How can I receive this with cdk?
Thanks
"Principal": "*" is same as "Principal": {"AWS": "*"}. So it does not matter how you write it. CDK uses the first option, because there is no reason to make it longer than it needs to be.
Related
The below S3 bucket policy to access alb logs from another account of same region with Deny policy doesn't work, I tried with a Condition but no luck
If I use "Allow" it works but I need to use Deny as per my company policy and allow based on condition
127311923021 - us-east-1
Any ideas please?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "arn:aws:s3:::myelbogs/prefix/*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myelbogs/prefix/*",
"Condition": {
"StringNotLike": {
"AWS": "arn:aws:iam::127311923021:root"
}
},
},
{
"Effect": "Deny",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::myelbogs/prefix/*",
"Condition": {
"StringNotLike": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
},
},
{
"Effect": "Deny",
"Principal": {
"Service": "delivery.logs.amazonaws.com"
},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::myelbogs",
"Condition": {
"StringNotLike": {
"AWS": "arn:aws:iam::127311923021:root"
}
},
}
]
}
I'm having issues with calling a lambda in account B from a different lambda in account A.
Account A's role arn is arn:aws:iam::ACCOUNT_A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP
Account A's role name is DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP
Account B's role name is Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1
Account B's role arn is arn:aws:lambda:us-east-1:462087996972:function:GetActiveDeviceIdsLambdaChris
For account A my lambda role has the following permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
"Effect": "Allow"
},
{
"Action": "lambda:InvokeFunction",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
"Effect": "Allow"
}
]
}
My lambda in account B has the following role as defined using cloudformation:
"CrossAccountExecutionRoleDemo": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::ACCOUNT_A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": { "Service": ["lambda.amazonaws.com"] },
"Action": ["sts:AssumeRole"]
}
]
}
}
},
"CrossAccountExecutionPolicyDemo": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": { "Fn::GetAtt": ["GetActiveDeviceIdsLambdaDemo", "Arn"] }
}
]
},
"Roles": [
{
"Ref": "CrossAccountExecutionRoleDemo"
}
]
}
}
When I make the following request I get an error
let roleArn = 'arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-CrossAccountExecutionRol-1ANKXFZ6YS23'
sts.assumeRole(
{
RoleArn: roleArn,
RoleSessionName: 'NightlySimService',
}, function(err, res){ ... }
Error:
'
AccessDenied: User: arn:aws:sts::ACCOUNT_A:assumed-role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP/DeviceApiStack-nightlySimServiceLambdaA51B2AFE-JSUFU8F5BZGC is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-CrossAccountExecutionRol-1ANKXFZ6YS23F
'
I can spot two apparent issues in the roles, which could be the cause of your errors.
First. Incorrect principle:
"Principal": {
"AWS": "arn:aws:sts::ACCOUNT_A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP"
},
As you wrote the role arn is arn:aws:iam::ACCOUNT_A:role/DeviceApiStack-simServiceRole427DA44E-1WS2T3INIV6IP, which does not match of what you provided in the Principal.
Second. Incorrect resource:
{
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:iam::ACCOUNT_B:role/Chris-APIStack1-Q6AJ1PZ8V-LambdaCrossAccountExecut-1N3JU88L5AON1",
"Effect": "Allow"
}
The action lambda:InvokeFunction applies to lambda functions, not IAM roles. Thus, the Resource should be ARN of the lambda.
There could be more issues, which are not that obvious at present.
i have the following policy on an IAM role which i'm assuming into:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::mybucket/${aws:RequestTag/personalid}/*"
}
]
}
When performing assume role, i'm passing the tag:
response = sts_client.assume_role(
RoleArn=arn,
RoleSessionName=role_session_name,
Tags=[
{
'Key': 'personalid',
'Value':'a'
},
])
but i get access denied when trying to read an object under folder 'a':
s3 = boto3.resource(
's3',
aws_access_key_id=response['Credentials']['AccessKeyId'],
aws_secret_access_key=response['Credentials']['SecretAccessKey'],
aws_session_token=response['Credentials']['SessionToken'],
region_name=client_main_region
)
obj = s3.Object('mybucket', f'a/file.txt')
print(obj.get()['Body'].read().decode('utf-8'))
I've replaced the policy with "principalTag", while adding a tag to the role, and it works - what am i doing wrong?
=====
Another thing i tried, is to tag the s3 object with that ID, and with the following policy:
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Condition": {
"StringEqualsIfExists": {
"aws:RequestTag/personalid": "${s3:ExistingObjectTag/personalid}"
}
},
"Resource": "arn:aws:s3:::mybucket/*"
}
Not working
If anyone ever looks for this - apparently the trust relationship should declare those tags - so they will be available:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123:role/lambda_role"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123:role/lambda_role"
},
"Action": "sts:TagSession",
"Condition": {
"StringLike": {
"aws:RequestTag/personalid": "*"
}
}
}
]
}
Then, i could use this tag as principal tag in the assumed role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::mybucket/${aws:PrincipalTag/personalid}/*"
}
]
}
I need to give permission for all logged users on my application.
This is my code:
this.amplifyService.auth().currentUserCredentials().then(credentials => {
const lambda = new Lambda({
credentials: this.amplifyService.auth().essentialCredentials(credentials)
});
lambda.invoke({
FunctionName: 'my-function',
}, res => {
console.log(res);
});
});
And this is the return:
authRole/CognitoIdentityCredentials is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-2:function:my-function
I already try to create a IAM role manually:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "arn:aws:logs:us-east-2:XXXXXXXXX:*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-east-2:XXXXX:log-group:/aws/lambda/my-function:*"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:*"
],
"Resource": [
"arn:aws:lambda:us-east-2:XXXXXXXXX:function:my-function"
]
}
]
}
But doesn't work yet.
How to create AWS policy giving access to some IPs addresses OR Lambda for Elasticsearch service.
So, that have access to ES from IPs and that Lambda have access to.
This no working for me:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"xxx",
"xxx"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "es:*",
"Resource": "arn:aws:es:eu-central-1:xxx:domain/xxx/*",
"Condition": {
"ArnEquals": {
"aws:SourceArn": "arn:aws:lambda:eu-central-1:xxx:function:xxx"
}
}
}
]
}
Thanks for help.