I use the module terraform-aws-modules/eks/aws to provision EKS. By default, the module attaches three policies to the EKS EC2 IAM role: AmazonEKSWorkerNodePolicy, AmazonEC2ContainerRegistryReadOnly and AmazonEKS_CNI_Policy. I would like to attach an additional policy, CloudWatchLogsFullAccess, to the IAM role. I read the doc. I did not find a way to attach it. I had to log on to the AWS console and manually attach CloudWatchLogsFullAccess to the IAM role. Is there a way to use terraform code to attach it when I use this EKS module to provision EKS?
I added the code below.
resource "aws_iam_role_policy_attachment" "cloudWatch" {
  role       = module.eks.cluster_iam_role_arn
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
}
But it complains "The specified value for roleName is invalid":
Error: Error attaching policy arn:aws:iam::aws:policy/CloudWatchLogsFullAccess to IAM Role arn:aws:iam::678515134618:role/my-eks20210303061731134400000005: ValidationError: The specified value for roleName is invalid. It must contain only alphanumeric characters and/or the following: +=,.#_-
status code: 400, request id: aee57a35-ae72-499e-8653-e61e795818e4
Once you create your eks cluster, you can get cluster_iam_role_arn from its outputs. Having the ARN you can attach extra policies to it using aws_iam_role_policy_attachment:
resource "aws_iam_role_policy_attachment" "test-attach" {
  # The role argument takes the role *name*; passing the ARN produces the
  # "roleName is invalid" validation error shown above.
  role       = module.myeks.cluster_iam_role_name
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
}
I've looked at this question and this one but I'm not able to deploy a role into a child account which allows an ECS task running in the parent account to AssumeRole into it.
Terraform code:
data "aws_iam_policy_document" "cross-account-assume-role-child" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:sts::${var.master_account_ID}:assumed-role/${var.cross_account_role_name}"
      ]
    }
  }
}
When I try to run terraform the plan succeeds but the apply fails with such an error:
Error: failed creating IAM Role (ECS-cross-account-child-role):
MalformedPolicyDocument: Invalid principal in policy:
"AWS":"arn:aws:sts::<AWS Account ID>:assumed-role/ECS-cross-account-master-role"
I get the same error if I try to manually update the policy like above in the AWS console so this isn't due to terraform.
What am I doing wrong?
The ARN you need to specify in the policy is that of the IAM role, not of the assumed credentials:
arn:aws:iam::${var.master_account_ID}:role/${var.cross_account_role_name}
instead of sts and assumed-role.
I'm trying to deal with some terraform scripts that are held across different git repos.
One of the repos is used for provisioning eks infrastructure and the other is to hold generic tf scripts.
In the generic repo, I've created a custom iam policy. I want this to be attached to the iam role when the eks infrastructure repo is created. Is there a way to do this?
resource "aws_iam_role_policy_attachment" "eks-worker-node-data-access" {
  policy_arn = "arn:aws:iam::aws:policy/base-data-capture"
  role       = "${module.eks-control-plane.worker_node_role_name}"
}
The policy arn field is set to the name of the policy that would be created; however, this fails as it hasn't been imported...
What I'd like to do is something like:
resource "aws_iam_role_policy_attachment" "eks-worker-node-data-access" {
  source     = "my-git-repo.policy"
  policy_arn = "arn:aws:iam::aws:policy/base-data-capture"
  role       = "${module.eks-control-plane.worker_node_role_name}"
}
I suppose the obvious answer would be to just have the policy created in the same tf folder, but all other policies have been created in the generic repo.
I am configuring an Autoscaling group in CloudFormation and I'm trying to start all the ec2 nodes with an IAM role attached to them (one that can allow access to s3, for example).
I know that in CloudFormation there is the ServiceLinkedRoleARN key. According to the docs this key uses the AutoScalingServiceRolePolicy role by default, and it doesn't have S3 access. I can't create a custom role that contains both the S3 role and the AutoScalingServiceRole role because I'm getting an error:
Cannot attach a Service Role Policy to a Customer Role.
So should I attach to the scaling group only a custom role for s3? What is the best practice way to do it?
You specify the instance role for instances in your ASG in either LaunchConfiguration (LC) or LaunchTemplate (LT):
LC: IamInstanceProfile:
Provides the name or the Amazon Resource Name (ARN) of the instance profile associated with the IAM role for the instance. The instance profile contains the IAM role.
LT: IamInstanceProfile:
The IAM instance profile.
I found out that in AWS::AutoScaling::LaunchConfiguration there is a property called IamInstanceProfile that can be used exactly for that.
Please notice that on the role's page there are 2 ARNs: profile-role-arn and role-arn. I first didn't notice that and used the role-arn. The right ARN to use is the profile-arn.
I want to attach an AWS managed Role to my EC2 instance in CloudFormation. Therefore I need to attach the managed role to an instance profile and attach the instance profile to the EC2.
How can I attach the managed role to the instance profile?
I tried:
ASGIAMInstanceProfile:
  Type: AWS::IAM::InstanceProfile
  Properties:
    InstanceProfileName: asg-instance-profile
    Roles:
      - AWSServiceRoleForAutoScaling
But I got:
Cannot perform the operation on the protected role 'AWSServiceRoleForAutoScaling' - this role is only modifiable by AWS (Service:
I know I can recreate a comparable role and attach it to an instance profile but that seems a bit overkill.
The only "managed roles" are service-linked roles. These are special roles that are directly attached to a service itself and cannot be attached to other entities.
You can, however, associate a Managed Policy with roles. These are the policies shown in the "Policies" section of the IAM management console.
I was wondering how to use simulate-principal-policy using the AWS CLI for an assumed role.
To provide some context, as part of my application's startup, I want to ensure that the application has the necessary permissions to access all the AWS resources it needs. I do this by getting the caller identity using aws sts get-caller-identity and use the returned caller identity as the policy source arn for the simulate-principal-policy request.
When our application runs on EC2, it uses an assumed role, so get-caller-identity returns an assumed role arn.
If I try to execute simulate-principal-policy using my user arn as the policy source arn, the command works fine.
aws iam simulate-principal-policy --action-names "sqs:Receivemessage" --policy-source-arn "arn:aws:sts::123456789021:user/divesh"
However, trying to execute the command above by using an assumed role reports an error.
aws iam simulate-principal-policy --action-names "sqs:Receivemessage" --policy-source-arn "arn:aws:sts::123456789021:assumed-role/development/development-session"
An error occurred (InvalidInput) when calling the SimulatePrincipalPolicy operation: Invalid Entity Arn: arn:aws:sts::123456789021:assumed-role/development/development-session does not clearly define entity type and name.
Our application runs on a Kubernetes cluster and uses kiam to associate IAM roles to pods.
The problem with your request is that you are using the "Profile ARN" instead of the "Role ARN". To get the Role Arn, you can do the following:
Pull the Role Name from the Instance Profile Arn:
arn:aws:sts::123456789021:assumed-role/development/development-session becomes development/development-session
Get the instance profile based on that name:
aws iam get-instance-profile --instance-profile-name Instance Profile Arn
Find the Role Arn in the resulting document:
{
  "InstanceProfile": {
    "Roles": [
      {
        "Arn": "arn:aws:iam::992863558783:role/YourRole"
      }
    ]
  }
}
Use this ARN in simulate-principal-policy
aws iam simulate-principal-policy --action-names "sqs:Receivemessage" --policy-source-arn "arn:aws:iam::992863558783:role/YourRole"
In Python, the script would look like this:
import boto3

iam = boto3.client('iam')

# ARN reported by sts get-caller-identity for the assumed role
profileArn = 'arn:aws:sts::123456789021:assumed-role/development/development-session'
# Name portion after ':assumed-role/'
iamProfileName = profileArn.split(':assumed-role/')[1]
profile = iam.get_instance_profile(InstanceProfileName=iamProfileName)

# Collect the ARNs of the roles contained in the instance profile
policySourceArns = []
for role in profile['InstanceProfile']['Roles']:
    policySourceArns.append(role['Arn'])

# simulate-principal-policy accepts the IAM role ARN as the policy source
retval = iam.simulate_principal_policy(
    PolicySourceArn=policySourceArns[0],
    ActionNames=['sqs:Receivemessage']
)