We Keep Coding

I'm able to assume AWS role in Console but not in cli

I have AWS organization with users (id: 111111111111) and dev (id: 222222222222) accounts. Users first login to the users account, and then able to switch to the dev account.
The problem: Users are able to switch role via console (website), but NOT via the CLI...
This is how I switch via the CLI:
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
$(aws sts assume-role \
--role-arn arn:aws:iam::222222222222:role/administrator \
--role-session-name TestSessionName \
--query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
--output text))
And I get the following error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::111111111111:user/gitlab-ci-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/administrator
Made sure which user i'm logged in via cli:
> aws sts get-caller-identity
{
"UserId": "...",
"Account": "111111111111",
"Arn": "arn:aws:iam::111111111111:user/gitlab-ci-user"
}
The user gitlab-ci-user is member of the AdminsDevAssumeRole group, and the following policy:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": [
"arn:aws:iam::222222222222:role/administrator"
]
}
],
"Version": "2012-10-17"
}
In the dev account (222222222222), I got role administrator, with the following trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
Any idea why i'm not able to switch role via cli (but do in console)?

Invalid policy role due to malformed Json? AWS

I am following this tutorial: https://bernhardwenzel.com/articles/using-clojure-with-aws-lambda/
the json for the policy is as shown:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
but when I run
aws iam create-role \
--role-name basic_lambda_role \
--assume-role-policy-document fileb://resources/trust_relationship.json
I get
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json
Not sure what the problem is here.
I tried fixing the file path or removing the b but I can't seem to figure it out.

Your policy is fine.
I think the error comes from fileb which should be used for binary data, such as UserData in ec2.
The following form should be used (use file, not fileb):
aws iam create-role \
--role-name basic_lambda_role \
--assume-role-policy-document file://resources/trust_relationship.json

An error occurred (ValidationError) when calling the PutRolePolicy operation: The specified value for policyDocument is invalid

I am about creating a aws cluster so I wanted to set Up an IAM Role for the Cluster. I have followed the tuto but once I typed this command
aws iam put-role-policy --role-name UdacityFlaskDeployCBKubectlRole --policy-name eks-describe --policy-document file:///tmp/iam-role-policy
I got this error -_-:
An error occurred (ValidationError) when calling the PutRolePolicy operation: The specified value for policyDocument is invalid. It must contain only printable ASCII characters.
This is the command I used to create the policy
echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:Describe*", "ssm:GetParameters" ], "Resource": "*" } ] }' > /tmp/iam-role-policy
I still stack here any help!

I have used another way to encounter the error.
Using Git bash Terminal
Create a role policy document that also allows the actions "eks:Describe*" and "ssm:GetParameters". You can do this by setting an environment variable with the role policy:
I have used the var instead of redirecting to a file that caused the issue for me.
EKS_DESCRIBE="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": [ \"eks:Describe*\", \"ssm:GetParameters\" ], \"Resource\": \"*\" } ] }"
Check if EKS_DESCRIBE was really created by running this command echo $EKS_DESCRIBE
$ echo $EKS_DESCRIBE
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:Describe*", "ssm:GetParameters" ], "Resource": "*" } ] }
Attach the policy to role
aws iam put-role-policy --role-name UdacityFlaskDeployCBKubectlRole --policy-name eks-describe --policy-document "$EKS_DESCRIBE"
Another possible way using windows cmd is
Using Windows cmd
Crate the policy using set cmd
set EKS_DESCRIBE="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": [ \"eks:Describe*\", \"ssm:GetParameters\" ], \"Resource\": \"*\" } ] }"
check the var
echo %EKS_DESCRIBE%
Attach the policy to the 'UdacityFlaskDeployCBKubectlRole'. You can do this using awscli:
aws iam put-role-policy --role-name UdacityFlaskDeployCBKubectlRole --policy-name eks-describe --policy-document %EKS_DESCRIBE%

Invalid policy role JSON

I am following this tutorial:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-cli-tutorial-fargate.html
the json for a policy is as shown:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
but when I run:
aws iam --region us-west-2 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document task-execution-assume-role.json
I get:
An error occurred (MalformedPolicyDocument) when calling the
CreateRole operation: This policy contains invalid Json
I know the filepath is right, because if it's wrong I get a different error. At first I thought it was "invalid json" because "sid" is an empty string, I removed that property and got the same error.
anyone know what's wrong here?

You need to specify the assume-role-policy-document as file://task-execution-assume-role.json.
From the documentation you linked
aws iam --region us-west-2 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://task-execution-assume-role.json
it's not a very intuitive error that the cli throws because of the missing file://...
aws iam --region us-west-2 create-role \
--role-name ecsTaskExecutionRole \
--assume-role-policy-document task-execution-assume-role.json
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json
With the added file:// the create goes through
aws iam --region us-west-2 create-role \
--role-name ecsTaskExecutionRole \
--assume-role-policy-document file://task-execution-assume-role.json
{
"Role": {
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
]
},
"RoleId": "AROA2ZHAP3GUV5UTOV5ZF",
"CreateDate": "2019-07-31T23:15:04Z",
"RoleName": "ecsTaskExecutionRole",
"Path": "/",
"Arn": "arn:aws:iam::*******:role/ecsTaskExecutionRole"
}
}

Yes, this is not clearly documented - you need to provide the file path to the json AFTER the file:// tag
For example file:///Users/user/Desktop/trust-policy.json

If you have the file in the same folder you can execute it as follows.
aws iam create-role --role-name TestRole --assume-role-policy-document file://./IAM_Trust_Policy.json --profile XXX-XXX
Here the file IAM_Trust_Policy.json is located in the same folder and being referred as file://./IAM_Trust_Policy.json

{
"Id": "Policy1650533705078",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1650533484709",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::mys3staticwebstiehosting/",
"Principal": ""
}
]
}

AWS malformed policy error

I am trying to set an AWS group policy via the AWS CLI like so:
aws iam put-group-policy --group-name my-group --policy-name \
s3-full-access --policy-document /tmp/policy.json
This is the content of /tmp/policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
},
{
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket*"
}
]
}
I keep getting the following error:
A client error (MalformedPolicyDocument) occurred when calling the PutGroupPolicy operation: The policy is not in the valid JSON format.
I do not know how to proceed, the error is too unspecific. Anyone able to help?

Solved this riddle!
There has to be a file:// prefix in front of the policy file name:
aws iam put-group-policy --group-name my-group --policy-name s3-full-access --policy-document file:///tmp/policy.json
The original error message is very misleading, as you get the same message if you provide a filename that does not exist at all.
So it is not the syntax of the policy in the file but the fact that the CLI does not see the file at all, that causes the error.

I was facing the same issue on window 10 and this help me.
**file** : followed by **two Forward slash** like :"file://"
**Path on window 10** : followed by **Backward slash** like
:"c:\Users\Anand\Desktop\anand-jan19.json"
C:\Users\Anand>aws iam create-policy --policy-name anand-jan19 --policy-document file://c:\Users\Anand\Desktop\anand-jan19.json
{
"Policy": {
"PolicyName": "anand-jan19",
"PolicyId": "EQWEQBV33ewrwYCRCS",
"Arn": "arn:aws:iam::56433378:policy/anand-jan19",
"Path": "/",
"DefaultVersionId": "v1",
"AttachmentCount": 0,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"CreateDate": "2019-02-10T04:03:32Z",
"UpdateDate": "2019-02-10T04:03:32Z"
}
}

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PS command: Example 1.
aws iam create-role --role-name vmimport --assume-role-policy-document file:///policy/trust-policy.json
****Actual path******: C:\policy\trust-policy.json
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PS command: Example 2.
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file:///policy/role-policy.json
****Actual path******: C:\policy\role-policy.json
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++