AWS CDK Bootstrap custom trust relationship policy for roles - amazon-web-services

I bootstrapped the CDK toolkit stack in this way:
npx cdk bootstrap \
  --trust 158******206 \
  --toolkit-stack-name **** \
  --qualifier **** \
  --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
As a result, the CDK toolkit stack has these resources:
ContainerAssetsRepository
DeploymentActionRole
FileAssetsBucketEncryptionKey
FileAssetsBucketEncryptionKeyAlias
FilePublishingRole
FilePublishingRoleDefaultPolicy
ImagePublishingRole
ImagePublishingRoleDefaultPolicy
StagingBucket
StagingBucketPolicy
Then I try to deploy the CDK stack via an IAM user and it works correctly. I use this command:
cdk deploy --require-approval never --toolkit-stack-name **** --profile user-1
If I try to deploy via STS, I receive this error:
Error: Could not assume role in target account (did you bootstrap the environment with the right '--trust's?): User: arn:aws:sts::448*****770:assumed-role/cdktoolkit-test-role/91cb8d5a-57e9-4d73-9f66-ddc630b637f2 is not authorized to perform: sts:TagSession on resource: arn:aws:iam::448*****770:role/cdk-event-proc-deploy-role-448******770-us-east-1
My iam-sts-config.yml:
---
aws_iam:
  - type: sts-access-keys
    version: V2
    config:
      iam_assume_role_name: cdktoolkit-test-role
Then I add:
AWS_ACCESS_KEY_ID=***
AWS_SECRET_ACCESS_KEY=***
AWS_SESSION_TOKEN=***
AWS_DEFAULT_REGION=***
Here is my trust relationship policy for the role cdk-event-proc-deploy-role:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::448******770:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::158*****206:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
If I manually edit the trust relationship policy and add "Action": "sts:TagSession", I can deploy my stack.
So my question is: can I set up a custom trust relationship policy for my roles when I bootstrap the CDK toolkit stack?
I found only the --trust parameter, but it only adds a new Principal. Can I add additional Actions?
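The error message names two actions the CDK deploy role must be allowed to perform on the target role, sts:AssumeRole and sts:TagSession, and the trust policy above grants only the first. The following check is an added example, not code from the question or from the CDK toolkit: it reads a trust policy document and reports which of those two actions it grants a given principal, treating an account-root principal as covering every role and user in that account (as IAM does). The account IDs, the "before" and "after" policies and the service-only policy are constructed placeholders; the service-only case goes beyond this question and shows why a role that trusts only a Service principal, as in the Jenkins question further down the page, grants nothing to an IAM user.

```python
# Hypothetical trust-policy check, added here as an example; it is not part
# of the CDK toolkit or of AWS tooling. It answers the question the error
# message raises: which of the two actions the CDK deploy role needs
# (sts:AssumeRole and sts:TagSession) does a trust policy grant a principal?

CDK_DEPLOY_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}


def _as_list(value):
    """IAM accepts either a single string or a list in Action and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, kind, arn):
    """True if the statement's Principal names `arn` under `kind`
    ("AWS", "Service" or "Federated"). For "AWS" principals an account root
    (arn:aws:iam::ACCOUNT:root) delegates to every IAM identity of that
    account, so it also matches a role or user ARN in that account."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    entries = _as_list(principal.get(kind))
    if arn in entries or "*" in entries:
        return True
    if kind == "AWS" and arn.startswith("arn:aws:iam::"):
        account = arn.split(":")[4]
        return f"arn:aws:iam::{account}:root" in entries or account in entries
    return False


def granted_actions(policy, kind, arn):
    """Actions granted unconditionally to the principal by Allow statements.
    Statements with a Condition are skipped so that a reviewer checks them
    by hand; "sts:*" and "*" are expanded to the two CDK actions only."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _principal_matches(stmt.get("Principal"), kind, arn):
            continue
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "sts:*"):
                granted |= CDK_DEPLOY_ACTIONS
            else:
                granted.add(action)
    return granted


def missing_for_cdk(policy, kind, arn):
    """The CDK deploy actions the policy does not grant, in sorted order."""
    return sorted(CDK_DEPLOY_ACTIONS - granted_actions(policy, kind, arn))


# Constructed samples modelled on the question; 111122223333 and 444455556666
# are placeholder account IDs, not the poster's masked values.
DEPLOY_ROLE = "arn:aws:iam::111122223333:role/cdktoolkit-test-role"

TRUST_POLICY_BEFORE = {
    "Version": "2008-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
         "Action": "sts:AssumeRole"},
    ],
}

# The same policy with the action the poster had to add by hand.
TRUST_POLICY_AFTER = {
    "Version": "2008-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                                "arn:aws:iam::444455556666:root"]},
         "Action": ["sts:AssumeRole", "sts:TagSession"]},
    ],
}

# A role that trusts only the CloudFormation service grants nothing to an
# IAM user, whatever permissions the user itself has.
SERVICE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "cloudformation.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}

if __name__ == "__main__":
    print("before:", missing_for_cdk(TRUST_POLICY_BEFORE, "AWS", DEPLOY_ROLE))
    print("after: ", missing_for_cdk(TRUST_POLICY_AFTER, "AWS", DEPLOY_ROLE))
    print("service-only policy, IAM user:",
          missing_for_cdk(SERVICE_ONLY_POLICY, "AWS",
                          "arn:aws:iam::111122223333:user/jenkins"))
```

Conditional statements are deliberately reported as "not granted" rather than evaluated, because whether a Condition holds depends on the request context; the point of the check is to flag a trust policy that cannot satisfy the CDK deploy role, not to replace the IAM policy simulator.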

Related

IAM role doesn't work when used on pod level but works on EKS worker node level

I already have an existing service account with an IAM role that is currently able to pull in secrets in my application pod, so I know this is set up correctly.
However, I also want to give additional S3 policies to the same service account that will enable my pod to write to and read from an S3 bucket, but this fails to work, as I get a 403 Forbidden error.
I'm able to exec into my pod and run aws s3 ls s3://my-bucket and can see the contents of my S3 bucket, and can also push to the bucket from within the pod (which tells me the service account has been configured correctly), but strangely I can't do this from the actual application UI because of this 403 Forbidden error message. I know the service account is still being used because it's still pulling in the secrets fine, but it fails to use the additional S3 policies.
I should also note that when I attach the exact same policy at the EKS worker node level the application works fine and this 403 S3 error goes away, but it doesn't work when using the service account. Any ideas on what this could be?
My bucket isn't using any encryption at this stage.
Trust relationship for the IAM role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<account-num>:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/<oidc-num>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.eu-west-1.amazonaws.com/id/<oidc-num>:sub": "system:serviceaccount:<app-namespace>:<service-account>"
        }
      }
    }
  ]
}
IAM policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:eu-west-1:<account>:secret:<secret>"
      ]
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:PutLifecycleConfiguration",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetLifecycleConfiguration",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket/*",
        "arn:aws:s3:::bucket"
      ]
    }
  ]
}
The service account is annotated with the IAM role:
kubectl describe sa service-account
Name:                service-account
Namespace:           app-namespace
Labels:              app.kubernetes.io/managed-by=Helm
Annotations:         eks.amazonaws.com/role-arn: arn:aws:iam::account:role/IAM-role-to-attach
                     meta.helm.sh/release-name: release
                     meta.helm.sh/release-namespace: app-namesapce
Image pull secrets:  <none>
Mountable secrets:   secret
Tokens:              token
Events:              <none>
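With IAM Roles for Service Accounts, the pod's web-identity token carries a sub claim of the form system:serviceaccount:<namespace>:<name>, and the trust policy above admits the pod only if the Federated principal is the cluster's OIDC provider and the "<provider>:sub" condition matches that claim exactly (or by StringLike wildcard). The following check is an added example, not code from the question or from EKS tooling: it evaluates a trust policy against a service account's namespace and name and reports why the account would not be admitted, including a transposed namespace such as the "app-namesapce" string visible in the kubectl output. The account ID, OIDC provider ID and sample policy are constructed placeholders.

```python
import fnmatch

# Hypothetical IRSA trust-policy check, added here as an example (not part
# of EKS, the AWS CLI or the poster's setup). A namespace or name typo in the
# ":sub" condition yields an AssumeRoleWithWebIdentity failure in the pod,
# which an application then typically surfaces as a 403.


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def irsa_findings(trust_policy, oidc_provider, namespace, sa_name):
    """Return findings; an empty list means the service account is admitted
    and its sub claim is pinned. StringLike patterns are matched with
    fnmatch, which covers the * and ? wildcards IAM supports."""
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    sub_key = f"{oidc_provider}:sub"
    findings = []
    admitted = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = _as_list((stmt.get("Principal") or {}).get("Federated"))
        if not any(f.endswith(":oidc-provider/" + oidc_provider) for f in federated):
            findings.append("statement trusts a different OIDC provider")
            continue
        cond = stmt.get("Condition") or {}
        patterns = (_as_list(cond.get("StringEquals", {}).get(sub_key))
                    + _as_list(cond.get("StringLike", {}).get(sub_key)))
        if not patterns:
            # Admits us, but also every other service account in the cluster.
            findings.append("no :sub condition; every service account in the cluster may assume the role")
            admitted = True
            continue
        if any(fnmatch.fnmatchcase(expected_sub, p) for p in patterns):
            admitted = True
        else:
            findings.append(f"sub condition {patterns} does not match {expected_sub}")
    if not admitted:
        findings.insert(0, "service account is not admitted by any statement")
    return findings


# Constructed sample modelled on the question's trust policy; the account ID
# and the OIDC provider ID are placeholders.
OIDC = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC}:sub": "system:serviceaccount:app-namespace:service-account"}},
    }],
}

if __name__ == "__main__":
    # The service account from the kubectl output above is admitted.
    print(irsa_findings(TRUST_POLICY, OIDC, "app-namespace", "service-account"))
    # A transposed namespace is refused, with the mismatch spelled out.
    print(irsa_findings(TRUST_POLICY, OIDC, "app-namesapce", "service-account"))
```

Run it with the real values from `kubectl describe sa` and `aws iam get-role` (the AssumeRolePolicyDocument field) to confirm the role actually admits the pod's identity before looking further at the S3 policy itself.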

Kubectl with Gitlab EKS Cluster Error: You must be logged in to the server (Unauthorized)

I'm trying to run kubectl in an EKS cluster created by a third party (GitLab), and I need to access this cluster with kubectl to install the metrics server.
But I can't access this cluster with kubectl.
I did everything from the documentation.
I have set the trust relationship in the IAM role of the cluster as below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com",
        "AWS": [
          "arn:aws:sts::123456789012:assumed-role/AzureAD_AWS_Admin/me#mycompany.com",
          "arn:aws:iam::123456789012:root"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
And I have tested assume-role with the external ID using the command below, and everything runs seamlessly!
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/eksServiceRole --external-id 2ffd8b2c3d8edaf02104a081af4b78d82f6e770f --role-session-name my_test
So, I followed these steps to assume the role and grant permission to my user (for the step: Add designated_user to the ConfigMap if the cluster_creator is an IAM role) to use kubectl.
But when I run kubectl get pods I get this message again:
error: You must be logged in to the server (Unauthorized)
I had the same problem when following the GitLab instructions. This guide helps out:
In the AWS console, go to IAM -> Roles and select the role you defined for GitLab.
Now you could either (1) simply add your user to the trusted entities, or (2) update them only temporarily and edit the aws-auth config.
(1) Add another statement with your account ID without the external ID condition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[account]:user/username"
      },
      "Action": "sts:AssumeRole"
    },
    {
      // Leave untouched
    }
  ]
}
(2) Edit the trusted entities by removing the externalId condition and change it to your user-account id (which you configured aws-cli with):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[gitlabsaccount]:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "[externalId]"
        }
      }
    }
  ]
}
->
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[account]:user/username"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Then run the CLI command to reconfigure your kubectl cluster access with this role:
aws --region [region] eks update-kubeconfig --name [cluster-name] --role-arn arn:aws:iam::[account]:role/[role-name]
Lastly, use the permissions to add yourself to the aws-auth config map:
kubectl edit -n kube-system configmap/aws-auth
and then add your account:
apiVersion: v1
data:
  mapRoles: |
    ...
  mapUsers: |
    ---
    - userarn: arn:aws:iam::[account]:user/[username]
      username: [username]
      groups:
        - system:masters
...
Do not forget to change back the GitLab user for the role and the external ID condition.
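The sts:ExternalId condition that option (2) removes is the guard against the confused-deputy problem: without it, any identity in the other account that can call sts:AssumeRole on the role's ARN may assume it, whether or not it is GitLab. The following check is an added example, not code from the answer or from GitLab or AWS tooling: it lists every principal from a foreign account that a trust policy admits for sts:AssumeRole without an sts:ExternalId condition, which is a direct way to confirm the temporary edit has been reverted. The account IDs and the three sample policies are constructed placeholders following the two policies shown in the answer.

```python
# Hypothetical confused-deputy check, added here as an example (not part of
# GitLab's or AWS's tooling). It reports foreign-account principals that may
# assume the role without presenting an sts:ExternalId.


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal_entry):
    """Account ID of an "AWS" principal entry: an ARN, a bare 12-digit
    account ID, or "*" (anyone)."""
    if principal_entry == "*":
        return "*"
    if principal_entry.startswith("arn:"):
        return principal_entry.split(":")[4]
    return principal_entry


def foreign_principals_without_external_id(trust_policy, own_account):
    """Principals outside `own_account` that may call sts:AssumeRole without
    an sts:ExternalId condition on their statement."""
    exposed = []
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal")
        entries = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        cond = stmt.get("Condition") or {}
        # Any condition operator (StringEquals, StringLike, ...) keyed on
        # sts:ExternalId counts as a pinned external ID.
        has_external_id = any("sts:ExternalId" in v for v in cond.values() if isinstance(v, dict))
        for entry in entries:
            if _account_of(entry) != own_account and not has_external_id:
                exposed.append(entry)
    return exposed


# Constructed samples following the answer's two policies; the account IDs
# and the external ID are placeholders.
OWN_ACCOUNT = "123456789012"
GITLAB_ACCOUNT = "210987654321"

# The original state: GitLab's account may assume the role only with the
# external ID it was given.
WITH_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{GITLAB_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Option (2) while editing: only a user in our own account is trusted.
OPTION_2_TEMPORARY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:user/username"},
        "Action": "sts:AssumeRole",
    }],
}

# What the check is meant to catch: the GitLab statement put back without
# its condition.
CONDITION_DROPPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{GITLAB_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    for name, policy in [("with external id", WITH_EXTERNAL_ID),
                         ("option 2 temporary", OPTION_2_TEMPORARY),
                         ("condition dropped", CONDITION_DROPPED)]:
        print(name, "->", foreign_principals_without_external_id(policy, OWN_ACCOUNT))
```

Feed it the AssumeRolePolicyDocument returned by `aws iam get-role` after the aws-auth edit is done; an empty result for your own account ID means no cross-account trust is left without its external ID.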

How to deploy CDK with AWS role from Jenkins?

Hi, I have created a CDK project with Jenkins. I want to deploy with a role, for example cdk deploy with a role. In CloudFormation I was doing it like below:
cfn_manage deploy-stack \
--stack-name "$CFN_CDK_STACK" \
--template-file "cloudformation/templates/cdk.yml" \
--parameters-file "$PARAMS_FILE" \
--role-name infra-cfnrole-location-nonprivileged
Now I have the CDK project as below:
checkout scm
withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: "${env.PROJECT_ID}-aws-${CFN_ENVIRONMENT}"]]) {
    abc = docker.build('cdkimage', "--build-arg http_proxy=${env.http_proxy} --build-arg https_proxy=${env.https_proxy} .")
    abc.inside {
        sh 'ls -la'
        sh "bash ./scripts/build.sh"
    }
}
Then inside build.sh:
NONPRIV_ROLE_NAME='infra-cfnrole-location-nonprivileged'
# Capture the temporary credentials and export them; without the export the
# cdk commands below keep running with the original Jenkins credentials.
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<< "$(aws sts assume-role --role-arn "arn:aws:iam::id:role/${NONPRIV_ROLE_NAME}" --role-session-name jenkins --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text)"
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
cdk synth
cdk deploy
This throws the error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::id:user/infra-prjauth-location is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::187628286232:role/infra-cfnrole-location-nonprivileged
For the role cfnrole-location-nonprivileged, in trusted relationships I have the policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Can someone help me to deploy with role? Any help would be appreciated. Thanks
I think the issue is that you haven't specifically trusted your IAM User in the IAM Role's trusted relationships.
Assuming that this role has the correct permissions needed for a CDK deploy (see here for more info on that), you need to allow your IAM user to access the role, not cloudformation. Cloudformation already has access to your account resources.
I think this version of the trusted relationships policy should do the trick:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<full ARN of the relevant user>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Let me know if it works!

AWS DMS - Database Migration Service SYSTEM ERROR MESSAGE:The IAM Role arn:aws:iam::<account_id>:role/dms-vpc-role is not configured properly

I am trying to create a DMS (Database Migration Service) instance, but I am getting the following error:
SYSTEM ERROR MESSAGE:The IAM Role arn:aws:iam::<account_id>:role/dms-vpc-role is not configured properly
What role should I create, and what should I assign it to?
Seems like they changed the IAM roles. If anyone is trying to do this now, the simplest solution is to create a replication instance in the AWS console, and the dms-vpc-role will be created automatically.
Then you can delete that 'temporary' instance and run CloudFormation or the AWS CLI to create the instance that you want.
If you want to create the role by hand, the policy attached has to be AmazonDMSVPCManagementRole.
It contains the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DeleteNetworkInterface",
        "ec2:ModifyNetworkInterfaceAttribute"
      ],
      "Resource": "*"
    }
  ]
}
You will need to allow DMS to assume a role:
Create a file dmsAssumeRolePolicyDocument.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "dms.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Create the Role:
aws iam create-role --role-name dms-vpc-role --assume-role-policy-document file:///tmp/dmsAssumeRolePolicyDocument.json
Attach the role:
aws iam attach-role-policy --role-name dms-vpc-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole
Now you can go ahead and create the DMS instance in the console or using the AWS CLI.

No permission to assume role when auto deploying dax

I am attempting to auto-deploy DAX for DynamoDB, but keep getting the following error from both Python and the CLI:
An error occurred (InvalidParameterValueException) when calling the CreateCluster operation: No permission to assume role: arn:aws:iam::xxxxxxxxxxxx:role/service-role/230e772f-DAXServiceRole
The CLI command I use is:
aws dax create-cluster --region some.region --cluster-name some.dax_name --node-type some.node_type --replication-factor 1 --subnet-group-name some.subnet_group_name --security-group-ids some.security_group_id --iam-role-arn some.iam_role_arn
Running this directly from the CLI works fine, and running it manually through the console also works fine. Has anyone else had this issue?
OK, looks like my script was attempting to create the DAX cluster too soon after it created the role. This caused it to not be able to find it. I added time between the two and it was able to find the role.
The IAM role needs to be created with a service principal, or else you will face the same error. For example, I created a role with the policy below and faced the same issue.
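The cause the answer above found, a CreateCluster call issued before the newly created IAM role has propagated, is a timing problem rather than a permissions problem, and a fixed sleep either wastes time or is occasionally too short. The following retry helper is an added example, not code from the answer or from AWS: it retries the create call with exponential backoff only while the error text matches the "No permission to assume role" message from the question, and re-raises anything else immediately, so a genuinely wrong trust policy (the cause described in the next answer) still fails fast. The simulated create function, its error string and the account ID in it are constructed stand-ins; in real use the `create` argument would be a lambda wrapping the boto3 `create_cluster` call.

```python
import time

# Hypothetical retry helper, added here as an example (not AWS or DAX code).
# IAM role creation is eventually consistent, so a service call that must
# assume a just-created role can fail for a short while with the message
# seen in the question. Retry that specific error with backoff; raise any
# other error at once.


def looks_like_role_propagation(exc):
    """Recognise the DAX message from the question. boto3 raises
    botocore.exceptions.ClientError, whose str() carries the service message,
    so matching on text keeps this free of a boto3 dependency."""
    return "No permission to assume role" in str(exc)


def create_with_retry(create, is_transient, attempts=6, base_delay=1.0, sleep=time.sleep):
    """Call create(); on an error is_transient() accepts, wait
    base_delay * 2**(attempt-1) seconds and retry, up to `attempts` calls.
    The last failure is re-raised unchanged."""
    for attempt in range(1, attempts + 1):
        try:
            return create()
        except Exception as exc:
            if attempt == attempts or not is_transient(exc):
                raise
            sleep(base_delay * 2 ** (attempt - 1))


def simulate(failures_before_success, attempts=5):
    """Constructed stand-in for dax_client.create_cluster(...): raises the
    page's error a fixed number of times, then succeeds. Returns the result
    and how many calls were made; sleeping is stubbed out."""
    calls = {"n": 0}
    propagation_error = (
        "An error occurred (InvalidParameterValueException) when calling the "
        "CreateCluster operation: No permission to assume role: "
        "arn:aws:iam::123456789012:role/service-role/DAXServiceRole"  # placeholder ARN
    )

    def create():
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise RuntimeError(propagation_error)
        return {"Cluster": {"ClusterName": "demo-dax"}}

    result = create_with_retry(create, looks_like_role_propagation,
                               attempts=attempts, sleep=lambda seconds: None)
    return result, calls["n"]


if __name__ == "__main__":
    # Real use would be:
    #   create_with_retry(lambda: dax.create_cluster(**params),
    #                     looks_like_role_propagation)
    print(simulate(2))  # succeeds on the third call
```

Keeping the transient-error predicate narrow is the design choice that matters: retrying every exception would mask a misconfigured trust policy behind a minute of silent backoff instead of surfacing it on the first call.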
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "some role arn"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Basically, the above policy will add trusted entities under Principal.
The DAX IAM role needs to be created with the policy below to avoid the above error.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "dax.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
For more details please check the AWS doc https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.create-cluster.cli.create-service-role.html