I followed the instructions here to set up and remove a python lambda function (and associated AWS resources).
When I try to clean up the function, role policy and role, the instructions fail because the CLI does not manage to find the attached role policies. In particular, if I run:
aws iam list-role-policies --role-name myrolename
... I get an output of:
{
"PolicyNames": []
}
But when I look up the same role in the AWS console, I can see the policy is there.
So what is going on here? Is this an AWS bug (CLI version aws-cli/2.1.33 Python/3.9.2 Darwin/20.4.0 source/x86_64), or am I muddled up here somehow?
As I can see from the image, it's a managed policy, and unfortunately list-role-policies only lists the names of the inline policies that are embedded in the specified IAM role.
The doc says:
An IAM role can also have managed policies attached to it. To list the managed policies that are attached to a role, use ListAttachedRolePolicies
Use this, for example:
aws iam list-attached-role-policies --role-name SecurityAuditRole
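Added example (not code from the question or either answer): a small Python script that wraps the aws CLI with subprocess, shows all three things a role can carry (inline policies, attached managed policies, and instance-profile membership, each a separate API call), and then tears the role down in the order IAM requires. The role name "myrolename" and the policy names are placeholders; boto3 would work the same way.

```python
"""Added example, not code from the question or either answer: show both kinds of
policy on a role and tear the role down in the order IAM requires. It wraps the
aws CLI with subprocess (boto3 would work the same way); the role and policy
names are placeholders."""
import json
import subprocess
from typing import Callable, Dict, List, Optional


def cli(*args: str, profile: Optional[str] = None) -> dict:
    """Run `aws <args> --output json` and return the parsed response
    ({} for calls that print nothing, such as detach-role-policy)."""
    cmd = ["aws", *args, "--output", "json"] + (["--profile", profile] if profile else [])
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def role_dependencies(role: str, run: Callable[..., dict] = cli) -> Dict[str, List[str]]:
    """Inline policies, attached managed policies and instance profiles are
    three separate API calls; the console folds the first two into one table,
    which is why the role in the question looked non-empty there."""
    inline = run("iam", "list-role-policies", "--role-name", role)["PolicyNames"]
    attached = [p["PolicyArn"] for p in run(
        "iam", "list-attached-role-policies", "--role-name", role)["AttachedPolicies"]]
    profiles = [p["InstanceProfileName"] for p in run(
        "iam", "list-instance-profiles-for-role", "--role-name", role)["InstanceProfiles"]]
    return {"inline": inline, "attached": attached, "instance_profiles": profiles}


def delete_role(role: str, run: Callable[..., dict] = cli,
                dry_run: bool = False) -> List[List[str]]:
    """delete-role is refused while anything is still attached, so detach
    managed policies, delete inline ones and leave any instance profile first.
    Returns the aws subcommands issued (or, with dry_run, that would be)."""
    deps = role_dependencies(role, run)
    cmds = [["iam", "detach-role-policy", "--role-name", role, "--policy-arn", arn]
            for arn in deps["attached"]]
    cmds += [["iam", "delete-role-policy", "--role-name", role, "--policy-name", name]
             for name in deps["inline"]]
    cmds += [["iam", "remove-role-from-instance-profile", "--role-name", role,
              "--instance-profile-name", prof] for prof in deps["instance_profiles"]]
    cmds.append(["iam", "delete-role", "--role-name", role])
    if not dry_run:
        for c in cmds:
            run(*c)
    return cmds


if __name__ == "__main__":
    import sys  # usage: python cleanup_role.py myrolename [--apply]
    for c in delete_role(sys.argv[1], dry_run="--apply" not in sys.argv):
        print("aws", " ".join(c))
```

Run it without `--apply` first: the printed command list is the exact sequence the script would issue, and for the role in the question it should show a detach-role-policy line for the managed policy the console displays, followed by delete-role.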
Related
Kind of a newbie still with AWS IAM. Is there a way to find all of the available roles in a given account that have a specific policy attached? i.e. if you only know the policy, and you don't know the roles it's attached to, how do you find all of the roles that a given policy is attached to?
If you're using API/CLI, you can make use of the ListEntitiesForPolicy call. A CLI command that you could run would be:
$ aws iam list-entities-for-policy --policy-arn <arn_of_policy> --entity-filter Role
Go to Identity and Access Management (IAM) -> Policies -> choose a specific policy. The info you are looking for is under the Policy usage tab.
I am using metricbeat to monitor metrics from a few AWS accounts. I have read through the doc: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-aws.html
It says to configure the credentials as environment variables or in the AWS credentials file. But I'd like to use a cross-account IAM policy to access different AWS accounts. That means metricbeat needs to assume a role when it tries to query metrics. How can I achieve this in metricbeat? I can't find related doc in their documentation.
So you can specify the IAM role like this:
Metricbeat Configuration Params
metricbeat.modules:
- module: aws
  period: 300s
  metricsets:
    - ec2
  role_arn: arn:aws:iam::123456789012:role/test-mb
I would say there is nothing like a cross-account policy.
Your role has permissions based on the policies you assign to it via IAM policies.
When you want to use cross-account IAM roles, you still have to assign IAM policies to the role you create in the destination account, plus an IAM trust policy so that you can assume the role from another account. In addition to that, your source IAM role must have permission to assume the destination IAM role.
IAM Role Delegation
How to use trust policies with IAM roles
IAM Tutorial: Delegate access across AWS accounts using IAM roles
This AWS CLI command:
aws lambda add-permission --function-name my_test_Lambda_fn --statement-id test_id --principal iotanalytics.amazonaws.com --action lambda:InvokeFunction
Gives the following output:
{
"Statement": "{\"Sid\":\"test_id \",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"iotanalytics.amazonaws.com\"}...
}
I wanted to see the above in the IAM console, so I tried looking at the roles used by IoT Analytics and Lambda, and in their respective policies, but the above output is not part of any policy. Where in IAM can I see the policy configured by the above AWS CLI command? I think that it is configured at the principal level, but where do I see it in the IAM console?
This isn't actually an IAM policy (although it might resemble one). In fact it is a type of resource policy (in this case called a function policy).
Certain services, such as S3, SNS, SQS and in this case Lambda, can have a policy attached which dictates how other entities can interact with them, such as other AWS accounts or services that do not support an attached IAM role.
From within the console, on the Lambda function itself, open the Permissions tab; at the bottom of the page is a sub-item named Resource-based policy. This will contain the policy that you have added.
You have to go into the Lambda console, select your function and then click on Permissions to see the permissions attached to your Lambda.
These are resource-based permissions for the Lambda function. You can view them in the AWS console -> Permissions -> Resource-based policy:
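Added example (not code from the question or the answers): the same policy is also visible from the CLI with `aws lambda get-policy`, which returns the document as a JSON string inside JSON, exactly the escaping seen in the add-permission output above. The script below decodes it and flags grants to a service principal that carry no aws:SourceArn / aws:SourceAccount condition, because the command in the question (no --source-arn) lets the IoT Analytics service invoke the function on behalf of any dataset in any account; it also shows the scoped form of add-permission. The function name, dataset ARN and account ID are placeholders, and SAMPLE_POLICY_JSON is a constructed document shaped like a get-policy response.

```python
"""Added example, not code from the question or the answers: read a Lambda
function's resource-based policy from the CLI and flag service-principal
grants that are not pinned to a source ARN or account. Identifiers are
placeholders; SAMPLE_POLICY_JSON is constructed, not a real response."""
import json
import subprocess
from typing import Callable, List, Optional


def cli(*args: str, profile: Optional[str] = None) -> dict:
    """Run `aws <args> --output json` and return the parsed response."""
    cmd = ["aws", *args, "--output", "json"] + (["--profile", profile] if profile else [])
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def function_policy(function_name: str, run: Callable[..., dict] = cli) -> dict:
    """get-policy returns {"Policy": "<json string>", "RevisionId": ...}, so the
    document has to be decoded a second time."""
    return json.loads(run("lambda", "get-policy", "--function-name", function_name)["Policy"])


def unscoped_service_grants(policy: dict) -> List[str]:
    """Sids of Allow statements for a service principal with no
    aws:SourceArn / aws:SourceAccount condition (condition keys are
    case-insensitive, Lambda itself writes "AWS:SourceArn")."""
    findings = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict) \
                or "Service" not in principal:
            continue
        keys = {k.lower() for cond in st.get("Condition", {}).values() for k in cond}
        if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
            findings.append(st.get("Sid", "<no sid>"))
    return findings


def grant_invoke(function_name: str, service: str, source_arn: str,
                 statement_id: str, run: Callable[..., dict] = cli) -> dict:
    """The scoped form of the question's add-permission command: only the
    named source resource may trigger an invocation through this service."""
    return run("lambda", "add-permission", "--function-name", function_name,
               "--statement-id", statement_id, "--principal", service,
               "--action", "lambda:InvokeFunction", "--source-arn", source_arn)


# Constructed sample: the first statement is what the question's command
# produces, the second is the scoped version grant_invoke would add.
SAMPLE_POLICY_JSON = json.dumps({
    "Version": "2012-10-17", "Id": "default", "Statement": [
        {"Sid": "test_id", "Effect": "Allow",
         "Principal": {"Service": "iotanalytics.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my_test_Lambda_fn"},
        {"Sid": "test_id_scoped", "Effect": "Allow",
         "Principal": {"Service": "iotanalytics.amazonaws.com"},
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my_test_Lambda_fn",
         "Condition": {"ArnLike": {"AWS:SourceArn":
                       "arn:aws:iotanalytics:us-east-1:123456789012:dataset/mydataset"}}}]})


if __name__ == "__main__":
    print("unscoped grants in sample:", unscoped_service_grants(json.loads(SAMPLE_POLICY_JSON)))
```

Against the constructed sample the audit reports only test_id; replacing that statement with the scoped one (remove-permission for the old Sid, then grant_invoke with the dataset ARN) is the fix.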
I am able to fetch one policy from all AWS accounts using the command below.
aws --profile ${profile} iam list-policies --query 'Policies[?starts_with(PolicyName,`Policy-dynamo-db`)]'
Now I am trying to delete the policy from all my AWS accounts using the AWS CLI, by policy name. Is it possible to delete the policy using the policy name, or do I need to fetch the policy ARN for all the AWS accounts to delete it? Any help with the command?
You can do it this way:
First detach the policy from the role.
aws iam delete-role-policy --role-name Test-Role --policy-name ExamplePolicy
And the only way to delete a policy is by using the ARN:
aws iam delete-policy --policy-arn arn:aws:iam::123456789012:policy/MySamplePolicy
Reference: https://docs.aws.amazon.com/cli/latest/reference/iam/delete-role-policy.html
Note: if your AWS IAM user doesn't have access to the policy, you will not be able to list or delete it.
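Added example (not code from the question or the answers): resolving a customer-managed policy by name in each account and deleting it. Two details matter that the answer above does not spell out: for a managed policy the detach call is detach-role-policy (delete-role-policy only removes inline policies), and delete-policy is refused while the policy is attached to any role, user or group or still has non-default versions. The script also includes the list-entities-for-policy call from the "which roles use this policy?" question earlier on the page. Profile names, the policy name and the account IDs are placeholders.

```python
"""Added example, not code from the question or the answers: remove a
customer-managed policy by name from several accounts, clearing attachments
and old versions first. Profile names, policy name and account IDs are
placeholders."""
import functools
import json
import subprocess
from typing import Callable, Dict, List, Optional


def cli(*args: str, profile: Optional[str] = None) -> dict:
    """Run `aws <args> --output json` under an optional named profile."""
    cmd = ["aws", *args, "--output", "json"] + (["--profile", profile] if profile else [])
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def policy_arn(name: str, run: Callable[..., dict] = cli) -> Optional[str]:
    """Policy names are only unique within one account, so the ARN has to be
    resolved per account; --scope Local skips the AWS-managed policies."""
    for p in run("iam", "list-policies", "--scope", "Local")["Policies"]:
        if p["PolicyName"] == name:
            return p["Arn"]
    return None


def roles_using_policy(arn: str, run: Callable[..., dict] = cli) -> List[str]:
    """Roles a managed policy is attached to (the related question above)."""
    resp = run("iam", "list-entities-for-policy", "--policy-arn", arn, "--entity-filter", "Role")
    return [r["RoleName"] for r in resp["PolicyRoles"]]


def delete_policy(arn: str, run: Callable[..., dict] = cli,
                  dry_run: bool = False) -> List[List[str]]:
    """Detach from every role/user/group, drop non-default versions, then
    delete. Returns the aws subcommands issued (or planned, with dry_run)."""
    ents = run("iam", "list-entities-for-policy", "--policy-arn", arn)
    cmds = [["iam", "detach-role-policy", "--role-name", r["RoleName"], "--policy-arn", arn]
            for r in ents.get("PolicyRoles", [])]
    cmds += [["iam", "detach-user-policy", "--user-name", u["UserName"], "--policy-arn", arn]
             for u in ents.get("PolicyUsers", [])]
    cmds += [["iam", "detach-group-policy", "--group-name", g["GroupName"], "--policy-arn", arn]
             for g in ents.get("PolicyGroups", [])]
    for v in run("iam", "list-policy-versions", "--policy-arn", arn)["Versions"]:
        if not v["IsDefaultVersion"]:
            cmds.append(["iam", "delete-policy-version", "--policy-arn", arn,
                         "--version-id", v["VersionId"]])
    cmds.append(["iam", "delete-policy", "--policy-arn", arn])
    if not dry_run:
        for c in cmds:
            run(*c)
    return cmds


def delete_everywhere(name: str, profiles: List[str], run: Callable[..., dict] = cli,
                      dry_run: bool = False) -> Dict[str, List[List[str]]]:
    """Repeat the lookup and deletion under each CLI profile (one per account)."""
    done = {}
    for prof in profiles:
        run_p = functools.partial(run, profile=prof)
        arn = policy_arn(name, run_p)
        done[prof] = delete_policy(arn, run_p, dry_run) if arn else []
    return done


if __name__ == "__main__":
    import sys  # usage: python delete_policy.py Policy-dynamo-db-read prof1 prof2 [--apply]
    profiles = [a for a in sys.argv[2:] if a != "--apply"]
    for prof, cmds in delete_everywhere(sys.argv[1], profiles, dry_run="--apply" not in sys.argv).items():
        for c in cmds:
            print(prof, "aws", " ".join(c))
```

A profile whose caller lacks iam:ListPolicies will make `cli` raise on the first call rather than silently report "not found", which matches the note in the answer about missing access.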
I'm trying to export my table from DynamoDB to S3. Following the documentation here I created the two roles needed for the pipeline, DataPipelineDefaultRole and DataPipelineDefaultResourceRole. After trying to execute the pipeline, I discovered that my DataPipelineDefaultRole was not created with an instance profile.
I've been looking through forums, and Amazon says that people receive errors like this when they create their IAM roles through the CLI. Their recommendation is to create the roles through the console, and then the instance profile will be attached to the role automatically. I'm creating the role through the console, but for the DataPipelineDefaultRole there is no instance profile attached?
Is there a way to manually attach an instance profile? Or am I missing something that is causing this to not auto-generate?
This might help:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
It highlights info about instance profiles, namely how to create one if you already have existing roles, etc. I think this might be what you're looking for.
i.e.:
aws iam create-instance-profile --instance-profile-name DataPipelineDefaultRole
then
aws iam add-role-to-instance-profile --role-name DataPipelineDefaultRole --instance-profile-name DataPipelineDefaultRole
I have tested the solution by Liam and it's working fine.
aws iam create-instance-profile --instance-profile-name DataPipelineDefaultRole
aws iam add-role-to-instance-profile --role-name DataPipelineDefaultRole --instance-profile-name DataPipelineDefaultRole
There is a typo in the command provided: it should not repeat aws iam again.
Reference: https://docs.aws.amazon.com/cli/latest/reference/iam/add-role-to-instance-profile.html
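Added example (not code from the question or the answers): the two commands above, made idempotent so they can be re-run safely, which is what the console does on its own when it creates a role for EC2. It checks for an existing profile first, creates it only if get-instance-profile reports NoSuchEntity, and refuses to touch a profile that already holds a different role, since an instance profile can contain exactly one role. The role name DataPipelineDefaultRole and the account ID in the test are placeholders.

```python
"""Added example, not code from the question or the answers: create an
instance profile for an existing role idempotently. Role and profile names
are placeholders."""
import json
import subprocess
from typing import Callable, Optional


class CliError(RuntimeError):
    """Carries the CLI's stderr so callers can match error codes such as NoSuchEntity."""


def cli(*args: str, profile: Optional[str] = None) -> dict:
    """Run `aws <args> --output json`; raise CliError with stderr on failure."""
    cmd = ["aws", *args, "--output", "json"] + (["--profile", profile] if profile else [])
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode:
        raise CliError(proc.stderr.strip())
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def ensure_instance_profile(role: str, run: Callable[..., dict] = cli,
                            profile_name: Optional[str] = None) -> str:
    """Return the instance profile ARN, creating the profile and adding the
    role only when needed. Naming the profile after the role (the default
    here) is the convention the console follows."""
    name = profile_name or role
    try:
        prof = run("iam", "get-instance-profile", "--instance-profile-name", name)["InstanceProfile"]
    except CliError as e:
        if "NoSuchEntity" not in str(e):
            raise
        prof = run("iam", "create-instance-profile", "--instance-profile-name", name)["InstanceProfile"]
    roles = [r["RoleName"] for r in prof.get("Roles", [])]
    if roles == [role]:
        return prof["Arn"]          # already wired up, nothing to do
    if roles:
        raise ValueError(f"instance profile {name} already holds role {roles[0]}")
    run("iam", "add-role-to-instance-profile", "--role-name", role,
        "--instance-profile-name", name)
    return prof["Arn"]


if __name__ == "__main__":
    import sys  # usage: python ensure_profile.py DataPipelineDefaultRole
    print(ensure_instance_profile(sys.argv[1]))
```

A freshly created profile can take a few seconds to become visible to other services, so if a pipeline or instance launch fails with an "invalid instance profile" error immediately after this runs, retry before assuming the attachment failed.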