I want to create an access key in IAM-User, but I don't have permission to do that, so I want to use cloudformation to create an IAM user/role which I have permission, can anyone shows me a template for that? I couldn't find a correct one, Thanks
I don't have permission to do that
If you don't have permissions to create IAM users/roles you can't create them with CloudFormation either as it uses your permissions, which you lack, to create resources.
The only way would be if you were given a role which can be assumed by CloudFormation to create IAM entities, instead of using your permissions. But this is unlikely. You can ask your AWS admins if they can create/give you such a role for CloudFormation.
Related
I want to be able to specify an iam group as the principal within my policy but i have been reading that you cannot specify an iam group as part of a resource based policy. I could potentially add in a list of iam users but then my policy would look really messy. What is the best approach to take if i cannot add an iam group arn as the principal within my policy.
If you cannot specify an IAM group as the principal in a resource-based policy, you have a few options:
Attach the policy directly to the IAM users: In this case, you would
need to specify each IAM user ARN in the policy. This approach can
quickly become messy and difficult to manage as the number of IAM
users grows.
Use an IAM role: An IAM role is a way to grant permissions to AWS
services or applications that run on AWS. You can create an IAM role
that can be assumed by IAM users or IAM groups. You can then specify
the IAM role in the policy instead of the IAM users or IAM groups.
This approach provides a cleaner and more scalable way to manage
permissions.
Use a service control policy (SCP): An SCP is a type of policy that
is used to set permissions boundaries for an AWS account. You can
use an SCP to allow or deny access to AWS services for IAM groups,
IAM users, or IAM roles. This allows you to manage permissions for
multiple users in a centralized and organized manner.
I would recommend option 2 or 3 as the best approach, as they provide a cleaner and more scalable way to manage permissions compared to specifying individual IAM user ARNs in the policy.
Suppose, I am AWS IAM user, is there any way so that I can check what resource permission has been given to me, using CLI or Console.
Unfortunately, there is no comprehensive tool for that. In IAM console you can only check your user's IAM profile or group permission you belong to.
But full set of privileges is a very complex thing to get. Apart from obvious IAM user or group permissions you can have:
IAM roles which you can assume,
resource policies which you are listed as a principle (e.g. bucket policy, kms key policy),
resource policies where a role you can assume is a principle,
cross-account permissions in IAM roles or resource policies,
AWS Organization level SCP permissions.
If the reason for asking this question is related to security, e.g., to check what resources were accessed by a compromised IAM user credentials, you suspend the credentials or delete the user. Also can inspect the CloudTrial history to check what resources a given IAM user accessed.
I'm new to AWS and I have a task to add tags to different resources.
I'm getting this error on the CloudFormation
Did not have IAM permissions to process tags on AWS::CodePipeline::Pipeline resource.
Is anyone familiar with this? I just added Tags in Properties.
Thanks in advance!
Your Cloudformation is probably correct, but the IAM User or Role doesn't have the IAM permissions for codepipeline:TagResource
Checkout the available IAM actions for Codepipeline and ensure your IAM user/role has these permissions
The error says it all. Check the IAM permissions of the cloudformation role that they can assign tags to the codepipeline resource. If you are using specific permissions you will need to enable TagResource, otherwise if the role has permissions:
"codepipeline":"*"
Ensure that they are able to apply them to the resource in question.
I need to provide IAM role creation permission to a user but with a condition that if he does it only from some AWS service.
For example, if a user running cloudformation stack and attempting to create an IAM role, he should be allowed. if he manually creating role it should be denied. or if a person creating a codepipeline he should have permission to create the role.
The concept you are looking for sounds like service-linked roles.
https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html
https://aws.amazon.com/blogs/security/introducing-an-easier-way-to-delegate-permissions-to-aws-services-service-linked-roles/
However, I don't think it is supported for CloudFormation or CodePipeline
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
I want to create a S3 Bucket via CloudFormation template. I found there is a way to do it for EC2 instance on this link.
Do we have a way to create S3 bucket using existing IAM role via cloudformation?
It looks like what you're looking for is a service role. From AWS:
A service role is an AWS Identity and Access Management (IAM) role that allows AWS CloudFormation to make calls to resources in a stack on your behalf. You can specify an IAM role that allows AWS CloudFormation to create, update, or delete your stack resources. By default, AWS CloudFormation uses a temporary session that it generates from your user credentials for stack operations. If you specify a service role, AWS CloudFormation uses the role's credentials.
For more information, you might want to take a look at this, specifically the permission part to find out how to use an existing IAM role for creating a Cloudformation stack.
By the way: Unfortunately the link that you've provided doesn't seem to be accessible anymore.
When deploying infrastructure using creating Cloudformation template, you can have 2 ways to do it:
Cloudformation can deploy resources using the permissions of the current user who deploys the CF template. This is the default way
Secondly (Optional), you can choose an existing role that can be attached to the CF template. Cloudformation service will use the permissions of that attached role to deploy all the required services. Given that the attached role has permissions to S3, you can create an S3 bucket as can be seen in the attached screenshot