We have a terraform script to create a lambda function in aws. This lambda function uses a custom bucket from S3.
The script below runs perfectly when I put "Resource": "*".
We need to specify a custom resource that aws lambda function can access on S3.
Our aws_iam_policy is configured this way:
resource "aws_iam_policy" "lambda_policy" {
name = "lambda-s3-policy"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
],
"Resource": "arn:aws:s3:::my-mock-bucket/example-folder/*"
}
]
}
EOF
}
When the script runs, this error appears:
Error: Error applying plan:
1 error(s) occurred:
* aws_lambda_function.func_loader: 1 error(s) occurred:
* aws_lambda_function.func_loader: Error creating Lambda function: InvalidParameterValueException: The subnet subnet-xxxxxxxxxxxxxxxx is out of IP addresses.
{
RespMetadata: {
StatusCode: 400,
RequestID: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
},
Message_: "The subnet subnet-xxxxxxxxxxxxxxxx is out of IP addresses.",
Type: "User"
}
Terraform does not automatically rollback in the face of errors.
I already checked the permissions, the subnet ip range limits, but it is all good to go.
These permissions:
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
Can't be restricted to this resource:
"Resource": "arn:aws:s3:::my-mock-bucket/example-folder/*"
What you have done is given your Lambda function permission to call those EC2 actions, as long as it is calling those actions on an S3 bucket, which obviously makes no sense. You probably need to split the IAM policy into multiple statements, like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
],
"Resource": "arn:aws:s3:::my-mock-bucket/example-folder/*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs"
],
"Resource": "*"
}
]
}
Related
I am setting up AWS Managed Active Directory and want to set up an EC2 instance (Windows Server 2019 R2) for managing the AD remotely and an AWS Workspace client with a user to log in. But unfortunately despite the appropriate permission, the Ec2 instance does not join the domain automatically.
According to the AWS article: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/launching_instance.html
Here are the roles assigned:
AmazonSSMManagedInstanceCore
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:DescribeDocument",
"ssm:GetManifest",
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
}
]
}
And the other policy as:
AmazonSSMDirectoryServiceAccess
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ds:CreateComputer",
"ds:DescribeDirectories"
],
"Resource": "*"
}
]
}
With the two policies in place I launched an Instance with AMI ID: ami-041306c411c38a789
After a successful launch I use the set command to review the Domain join but unfortunately I have to do the same manually. Can someone advise why it is so?
You can review the Command page here
Just making sure that the Domain and the Instance are in the same VPC. I am able to check in with the DNS addresses of the domain the instance is recognizing.
I am creating and running a task on my ECS fargate cluster.
Task definition (with role) and fargate cluster is already created.
When I use run task step in step function, I am getting following error,
{
"Error": "ECS.AccessDeniedException",
"Cause": "User: arn:aws:sts::xxxxxxxxxx:assumed-role/StepFunctions-my-state-machine-role-xxxxxxxxxx/xxxxxxxxxx is not authorized to perform: iam:PassRole on resource: arn:aws:iam::xxxxxxxxxx:role/my-app-dev-exec because no identity-based policy allows the iam:PassRole action (Service: AmazonECS; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx; Proxy: null)"
}
The role attached to the step function has the following policies (as per the documentation provided by AWS https://docs.aws.amazon.com/step-functions/latest/dg/ecs-iam.html)
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask"
],
"Resource": [
"arn:aws:ecs:eu-west-1:xxxxxxxxxx:task-definition/*:*"
]
},
{
"Effect": "Allow",
"Action": [
"ecs:StopTask",
"ecs:DescribeTasks"
],
"Resource": [
"arn:aws:ecs:eu-west-1:xxxxxxxxxx:task/*"
]
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Resource": [
"arn:aws:events:eu-west-1:xxxxxxxxxx:rule/StepFunctionsGetEventsForECSTaskRule"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeStateMachine",
"states:StartExecution",
"states:ListExecutions",
"states:UpdateStateMachine"
],
"Resource": [
"arn:aws:states:eu-west-1:xxxxxxxxxx:stateMachine:my-state-machine"
]
}
]
}
with following trusted entities
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "states.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "events.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Can someone help with what additional permission I need to give to resolve the above permission issue? From the error, I am not able to figure out what additional permission is required.
If I attach AmazonECS_FullAccess (aws managed) policy to the role, job works perfectly.
Because your task will use an IAM Role, you need to specify the additional permission 'PassRole'.
The best practice is to restrict which roles can be passed. So is recommended to add a condition limiting to only allow to pass roles to ECS tasks.
Try adding this statement to your policy:
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": [
"*"
],
"Condition": {
"StringLike": {
"iam:PassedToService": "ecs-tasks.amazonaws.com"
}
}
}
I am a newbie to AWS Lambda. I am trying out the Tutorial from https://docs.aws.amazon.com/lambda/latest/dg/with-s3-example.html. When the user uploads a jpg to a S3 bucket called greetingsproject, the lambda function is triggered.
Error: 9a62ff86-3e24-491d-852e-ded2e2cf5d94
INFO: error while getting object = AccessDenied: Access Denied
I am getting the Access denied error in the following code snippet:
try {
console.log("srcBucket=" + srcBucket);
console.log("srcKey=" + srcKey);
const params = {
Bucket: srcBucket,
Key: srcKey
};
var origimage = await s3.getObject(params).promise();
} catch (error) {
console.log("error while getting object = " + error);
return;
}
My Policy for the Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogGroup",
"logs:CreateLogStream"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::greetingsproject"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::greetingsproject",
"arn:aws:s3:::greetingsproject/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::greetingsproject",
"arn:aws:s3:::greetingsproject/*"
]
}
]
}
Not sure what other permissions I need to add to the policy.
The comment by Marcin about Lambda execution role put me on the right track.
I had followed the below steps previously:
Created a policy called greetingsProjectPolicy (with the above mentioned permissions)
Attached this policy to greetingsProjectRole.
Assigned the greetingsProjectRole to my lambda function.
I assumed that was it and the policy should be available to my lambda function.
However when I assigned the greetingsProjectRole to the function, internally AWS created a Execution role called greetingsProject-role-zhcbt61o.
When I clicked on this role, I was surprised to see that only role it had was the AWSLambdaBasicExecutionRole and the greetingsProjectPolicy was missing.
I had to add the greetingsProjectPolicy as a inline policy to greetingsProject-role-zhcbt61o. Now I no longer get the access denied error.
Not sure, if this is how AWS works or I am missing something.
What I Want To Achieve
I am trying to grant an IAM user with a REST API token permission to described environment health on a specific elastic beanstalk application via the AWS CLI.
The Problem
When I run with the CLI command:
aws elasticbeanstalk describe-environment-health --environment-name my-env-name --attribute-names "Status" "Color" "Causes" "InstancesHealth" "HealthStatus" "RefreshedAt" --profile my-profile
I get the error: A client error (AccessDenied) occurred when calling the DescribeEnvironmentHealth operation: User: arn:aws:iam::myaccountid:user/myuser is not authorized to perform: elasticbeanstalk:DescribeEnvironmentHealth
with the --debug flag I can see a HTTP 403 response.
Extra Details
The IAM policy has the action "elasticbeanstalk:DescribeEnvironmentHealth" on the resource:
"arn:aws:elasticbeanstalk:eu-west-1:myaccountid:environment/my-app-name/my-env-name*"
I have double checked the account id, app and env name.
I can perform other actions just fine such as DescribeEnvironments when I add this action instead.
I have verified on the particular resource ARN with this policy using the IAM simulator when selecting the user and it says access is granted.
The version of the CLI is aws-cli/1.10.6 Python/2.7.11 Darwin/15.3.0 botocore/1.3.28
As a test I temporarily relaxed the policy to have the action elasticbeanstalk:* and it still doesn't work.
Questions
How can I further debug this issue?
Why does the IAM policy simulator say the policy does grant access but access is denied viu the CLI?
Full Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1455880772092",
"Action": [
"ec2:*",
"s3:*",
"elasticloadbalancing:*",
"autoscaling:*",
"cloudwatch:*",
"s3:*",
"sns:*",
"rds:*",
"cloudformation:*",
"elasticbeanstalk:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:application/app-name",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:applicationversion/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1:{accountId}:environment/app-name/env-name*",
"arn:aws:elasticbeanstalk:eu-west-1::solutionstack/*",
"arn:aws:s3:::elasticbeanstalk-eu-west-1-{accountId}*"
]
},
{
"Sid": "Stmt1455891876139",
"Action": [
"s3:DeleteObject",
"s3:DeleteObjectVersion",
"s3:ListBucket",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:Get*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::elasticbeanstalk-eu-west-1-{bucketId}*"
}
]
}
For some reason elasticbeanstalk:DescribeEnvironmentHealth worked for me only with "Resource": "*".
So I've separated write/read permissions, allowing "Resource": "*" only for read. Here is my full policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:UpdateEnvironment"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-central-1:[account-id]:application/[application-name]",
"arn:aws:elasticbeanstalk:*:*:environment/*/*",
"arn:aws:elasticbeanstalk:*:*:applicationversion/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:ListPlatformVersions",
"elasticbeanstalk:DescribeEnvironmentManagedActions",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:DescribeInstancesHealth",
"elasticbeanstalk:DescribeEnvironmentHealth",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:RetrieveEnvironmentInfo"
],
"Resource": "*"
}
]
}
I am trying to restrict AWS IAM users to only be able to start t2.micro and t2.small instances. I've applied the following permissions but I am unable to start any instances with this configuration.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"ec2:InstanceType": [
"t2.micro",
"t2.small"
]
}
}
}
]
}
I expected this to give me full permission and then deny if the type isn't t2.micro or t2.small, however it seems to deny everything.