I have a codepipeline on Account A and codedeployment group on Account B. I'm seeing the below error once the codedeployment group start the trigger
The IAM role arn:aws:iam::accountb:role/testcrss does not give you permission to perform operations in the following AWS service: Amazon S3. Contact your AWS administrator if you need help. If you are an AWS administrator, you can grant permissions to your users or groups by creating IAM policies.
I was referring to this document provided by aws for aws cross-account deployment using codepipeline, do I need to configure anything other than the info provided in the document?
policies attached to testcrss role
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:GenerateDataKey*",
"kms:Encrypt",
"kms:ReEncrypt*",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:us-east-2:AccountA:key/valuetest"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::AccountA bucket/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::AccountA bucket"
]
}
]
}
Bucket policy on Account A
{
"Version": "2012-10-17",
"Id": "SSEAndSSLPolicy",
"Statement": [
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::AccountAbucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "aws:kms"
}
}
},
{
"Sid": "DenyInsecureConnections",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::AccountAbucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": [
"s3:Get*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::AccountAbucket/*"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::AccountAbucket"
},
{
"Sid": "Cross-account permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:role/testcrss"
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "arn:aws:s3:::AccountAbucket/*"
}
]
}
Trust Relationship for Role testcrss
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"codedeploy.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
The issue was the KMS key which was added to Account B was incorrect, this key is required to access the s3 bucket on Account A.
KMS key should be the same as the KMS key attached to the codepipeline on Account A
Related
Im using aws sdk go to create role using CreateRole() and policy using CreatePolicy() and then attach role to policy using AttachRolePolicy() api and when i call CreateDeliveryStream() api
I get the below error
InvalidArgumentException: Firehose is unable to assume role arn:aws:iam::<no>:role/<name>. Please check the role provided.
After looking in AWS console policy and roles is properly created.
So ran lambda again with only CreateDeliveryStream() as the permissions were already created and it created successfully .
Tried running again the same flow create permissions and then create delivery stream. It throws the same error.
Role trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
policy attached
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "kinesis",
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": [
"arn:aws:kinesis:<>:stream/<>"
],
"Principal": {}
},
{
"Sid": "s3",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<>",
"arn:aws:s3:::<>/*"
],
"Principal": {}
},
{
"Sid": "kms",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:<>:key/<>"
],
"Principal": {}
},
{
"Sid": "cloudwatch",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:<>:log-group:/aws/kinesisfirehose/<>:log-stream:*"
],
"Principal": {}
}
]
}
Any idea what is happening here?
I would like to create an AWS policy to limit the s3:PutObject access on a path in a bucket.
Easy would you say, but:
I need to set the path with a regex MyBucket/*/Folder1/Folder1-1/Object
It's a cross-account access
I try to do this but it's not working.
On Source Account User policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::MyBucket",
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": [
"s3:GetObjectVersion",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::MyBucket/*",
]
},
{
"Sid": "",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::MyBucket/*",
],
"Condition": {
"StringLike": {
"s3:prefix": "/*/Folder1/Folder1-1/*"
}
}
}
]
}
On Destination Account bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MyAccountID:user/MyUser"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::MyBucket",
"Condition": {
"StringLike": {
"s3:prefix": "*/Folder1/Folder1-1/*"
}
}
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MyAccountID:user/MyUser"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MyBucket/*/Folder1/Folder1-1/*"
}
]
}
To clarify my Bucket structure :
|MyBucket
|-Client1
|-|-Folder1
|-|-|-Folder1-1
|-|-|-|-Object
|-Client1
|-|-Folder1
|-|-|-Folder1-1
|-|-|-|-Object
|-ClientXX
|-|-Folder1
|-|-|-Folder1-1
|-|-|-|-Object
I would like my user get PutObject access only not the path Client*/Folder1/Folder1-1/ could you please help me?
Wildcards are not supported in the middle of a string. However, you could use an IAM policy variable:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:ListBucket"],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket"],
"Condition": {"StringLike": {"s3:prefix": ["${aws:username}/Folder1/Folder1-1/*"]}}
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::mybucket/${aws:username}/Folder1/Folder1-1/*"]
}
]
}
The ${aws:username} variable will insert the username of the user. This way, the wildcard is at the end of the string, which is valid.
This is a common way to allow multiple IAM Users to access the same bucket, but each only receives access to their folder within the bucket. This policy could be created on an IAM Group, and the IAM Group could then be assigned to each IAM User without the need to modify it for their particular folder.
I'm trying to create a policy that allows access to only 1 bucket for our clients' WordPress backups using BackWPUp
This is after noticing that the default S3 Full Access policy allows full access to ALL buckets!
I tried following this article here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket-console.html
The policy looks like this (replaced the bucket name to an appropriate one) and it's not working:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ConsoleAccess",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["arn:aws:s3:::bucket-name"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"]
}
]
}
Receiving Error: S3 Service API: Access Denied
Then, I tried a simplified version:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PolicyID",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucket-name/*"
]
}
]
}
Still no luck, with the same error. Any ideas? What am I missing?
Turns out I needed s3:ListBucketMultipartUploads and s3:GetBucketLocation to get it working properly.
Final version below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListBucketMultipartUploads"
],
"Resource": "arn:aws:s3:::bucket-name"
},
{
"Effect": "Allow",
"Action": "s3:*"
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
I'm trying to access to one of my S3 storage buckets from my EC2 instance deployed by ElasticBeanstalk. My EC2 instance belongs to aws-elasticbeanstalk-ec2-role and I have granted this role with AmazonS3FullAccess policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
Then the bucket policy is as follows:
"Version": "2008-10-17",
"Statement": [
{
"Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs/*"
},
{
"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX",
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments/*"
]
},
{
"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
}
]
}
When I try to access the bucket from an SSH connection or through a script inside .ebextensions I receive an Access Denied 403 error. I tried making the files public and using the same commands and I worked perfectly, but the files I need can't be public.
I think I have the correct policies for both the bucket and the EC2 role. I might be forgetting some detail though.
Any help will be welcomed. Thank you folks in advance!
So based on my knowledge and previous issues I experienced, your bucket policy is incorrect.
It isn't valid because ListBucket and ListBucketVersions actions must be applied to bucket name, not prefix.
Here is my corrected policy that should work;
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "eb-ad78f54a-f239-4c90-adda-49e5f56cb51e",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs/*",
"arn:aws:s3:::elasticbeanstalk-us-east-XXXXXX/resources/environments/logs"
]
},
{
"Sid": "eb-af163bf3-d27b-4712-b795-d1e33e331ca4",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments",
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX/resources/environments/*"
]
},
{
"Sid": "eb-af163bf3-d27b-4712-b795-anything",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:role/aws-elasticbeanstalk-ec2-role"
},
"Action": [
"s3:ListBucket",
"s3:ListBucketVersions"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
]
},
{
"Sid": "eb-58950a8c-feb6-11e2-89e0-0800277d041b",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:DeleteBucket",
"Resource": "arn:aws:s3:::elasticbeanstalk-us-east-2-XXXXXX"
}
]
}
Useful docs to reference to for the future -> AWS s3 docs
I'm trying to restrict access to an S3 bucket to a single EC2 role. I've attached the following bucket policy to the bucket, and the bucket has public access turned off. However when the policy is applied, I can still get to the bucket using curl from an instance without the role attached. Can anyone let me know what I'm missing?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketname",
"Condition": {
"StringLike": {
"aws:userid": [
"AROQQQCCCZZDDVVQQHHCC:*",
"123456789012"
]
}
}
},
{
"Sid": "",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:userid": [
"AROQQQCCCZZDDVVQQHHCC:*",
"123456789012"
]
}
}
},
{
"Sid": "",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
],
"Condition": {
"StringNotLike": {
"aws:userid": [
"AROQQQCCCZZDDVVQQHHCC:*",
"123456789012"
]
}
}
}
]
}
I believe the following S3 policy should do the job. Remember to replace role arn with the correct one which I assume it attached to your EC2 instance. Also, make sure your ec2 role has correct policy to perform list,get,put,delete actions.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExplicitDenyAllActions",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
]
},
{
"Sid": "AllowListForIAMRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::bucketname"
},
{
"Sid": "AllowDeleteGetPutForIAMRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/ROLENAME"
},
"Action": [
"s3:Delete*",
"s3:Get*",
"s3:Put*"
],
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
]
},
{
"Sid": "AllowAllActionForUser",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111111:user/USERNAME"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucketname/*",
"arn:aws:s3:::bucketname"
]
}
]
}
Useful docs where you can find more info -> AWS docs on s3 policies