I am trying to access an IAM role which I created using the AWS console. The role was simple, as I had to give it the ECS task execution role so that it has permission to pull the image from ECR. I have come up with this code; what am I missing in it?

```yaml
Role:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ec2.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::02004621356:role/ecs-ec2-task
```

2. What if I want to create a new task execution role and give it only permission to pull the image from ECR? What changes should I make?
The trust principal should be ecs-tasks.amazonaws.com:

```yaml
Role:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service:
              - ecs-tasks.amazonaws.com
          Action:
            - 'sts:AssumeRole'
    Path: /
    # ManagedPolicyArns takes policy ARNs (for example the AWS-managed
    # arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy),
    # never a role ARN; the inline policy below is all that pulling from ECR needs.
    Policies:
      - PolicyName: AccessECR
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - ecr:BatchGetImage
                - ecr:GetAuthorizationToken
                - ecr:GetDownloadUrlForLayer
              Resource: '*'
```
```yaml
IamRoleForConfig:
  Type: 'AWS::IAM::Role'
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Sid: 'Allow Config to record resources'
          Effect: Allow
          Principal:
            Service:
              - config.amazonaws.com
          Action:
            - sts:AssumeRole
    Path: /
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWS_ConfigRole
```

I added this under Properties:

```yaml
Statement:
  - Effect: Allow
    Action:
      - 'ses:SendEmail'
      - 'ses:SendRawEmail'
    Resource: '*'
```

It works, but I also want to add `- AWSLambdaBasicExecutionRole`, and I get an error if I add it under Policies at the same level as Statement, before or after.
Is there a way to have both?
Here is an example of an IAM role that includes specific SES permissions and also leverages the AWSLambdaBasicExecutionRole managed policy.

```yaml
MyLambdaRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Principal:
            Service: lambda.amazonaws.com
          Action: sts:AssumeRole
    ManagedPolicyArns:
      - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
    Policies:
      - PolicyName: ses-access
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - ses:SendEmail
                - ses:SendRawEmail
              Resource: '*'   # a bare * is a YAML alias marker, so it must be quoted
```
I am creating an IAM role in order to send logs from a stack to a Kinesis stream in another stack.
When I add the permission policy, it fails with the error:
"Value of property PolicyDocument must be an object".
This is my cloudformation.template.yml:

```yaml
KinesisRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: {'Fn::Sub': 'Kinesis-Role-${AWS::Region}'}
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [logs.amazonaws.com]
          Action: ['sts:AssumeRole']
    Policies:
      - PolicyName: KinesisPolicy
        PolicyDocument:
          - Version: '2017-10-17'
            Statement:
              - Action: ['kinesis:PutRecord']
                Effect: Allow
                Resource: '*'
```
Your current PolicyDocument is a list of objects due to the `-` in front of Version. Also your Version is wrong. So it should be:

```yaml
KinesisRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: {'Fn::Sub': 'Kinesis-Role-${AWS::Region}'}
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            Service: [logs.amazonaws.com]
          Action: ['sts:AssumeRole']
    Policies:
      - PolicyName: KinesisPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Action: ['kinesis:PutRecord']
              Effect: Allow
              Resource: '*'
```
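An added check, not code from any of the answers above, that loads a template as a dict and flags the shape mistakes seen in the last two answers: a PolicyDocument parsed as a list, a wrong Version, a Statement given as a single object instead of a list (as in the ses-access policy earlier), and, as a least-privilege warning, an Allow on Resource '*'. The sample template is constructed and rendered as JSON so no YAML library is needed; the function names are mine.

```python
import json

VALID_VERSION = "2012-10-17"

# Constructed sample: the failing KinesisRole rendered as JSON (a form CloudFormation
# also accepts); PolicyDocument arrives as a list and Version is wrong, as in the question.
BROKEN_TEMPLATE = json.loads("""{
  "Resources": {"KinesisRole": {"Type": "AWS::IAM::Role", "Properties": {
    "Policies": [{"PolicyName": "KinesisPolicy", "PolicyDocument": [
      {"Version": "2017-10-17",
       "Statement": [{"Action": ["kinesis:PutRecord"], "Effect": "Allow",
                      "Resource": "*"}]}]}]}}}}""")


def check_policy_document(where, doc):
    """Return findings for one PolicyDocument; an empty list means it is clean."""
    if not isinstance(doc, dict):
        # A '- ' before Version in YAML turns the mapping into a one-element list
        return [f"{where}: PolicyDocument must be an object, got {type(doc).__name__}"]
    out = []
    if doc.get("Version") != VALID_VERSION:
        out.append(f"{where}: Version must be {VALID_VERSION!r}, got {doc.get('Version')!r}")
    stmts = doc.get("Statement")
    if isinstance(stmts, dict):
        stmts = [stmts]  # IAM tolerates a single statement object; a list is clearer
    if not isinstance(stmts, list) or not all(isinstance(s, dict) for s in stmts):
        return out + [f"{where}: Statement must be a list of statement objects"]
    for i, s in enumerate(stmts):
        if s.get("Effect") not in ("Allow", "Deny"):
            out.append(f"{where}[{i}]: Effect must be Allow or Deny")
        for key in ("Action", "Resource"):
            if key not in s and f"Not{key}" not in s:
                out.append(f"{where}[{i}]: missing {key}")
        # Only a few actions (e.g. ecr:GetAuthorizationToken) require '*'; the rest should name an ARN
        if s.get("Effect") == "Allow" and s.get("Resource") == "*":
            out.append(f"{where}[{i}]: WARNING Allow on Resource '*', scope it to an ARN")
    return out


def check_template(template):
    """Run check_policy_document over every inline policy of every IAM role."""
    findings = []
    for role, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for pol in res.get("Properties", {}).get("Policies", []):
            findings += check_policy_document(f"{role}/{pol.get('PolicyName', '?')}",
                                              pol.get("PolicyDocument"))
    return findings
```

Running `check_template(BROKEN_TEMPLATE)` reproduces the "must be an object" error before CloudFormation does; on the corrected role only the Resource '*' warning remains.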
In an AWS CloudFormation template, how do I create a new Lambda role (test_lambda_role) which has access to s3:getObject and RDS access (rds-db:connect)?

```yaml
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub test_lambda_role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Lambda:
                - !Sub "arn:aws:iam::${AWS::AccountId}:saml-provider/${pSamlProviderAdmin}"
            Action:
              - rds-db:connect
```

The Lambda function is not being created with the above template.
AssumeRolePolicyDocument is for a trust policy, as explained in "Creating a role to delegate permissions to an AWS service".
Thus a template with only a Lambda execution role could be:

```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  testlambdarole:
    Type: String
    Default: role-name
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Ref testlambdarole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {'Service': ['lambda.amazonaws.com']}
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSLambdaExecute
      Policies:
        - PolicyName: S3Access
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - s3:getObject
                Resource: "*"
        - PolicyName: RdsAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - rds-db:connect
                Resource: "*"
```

You would need to adjust Policies to exactly what you require.
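The trust-policy side of the same idea, as an added check that is not part of the answer above: it walks each role's AssumeRolePolicyDocument and reports the two things the question got wrong (a principal key that does not exist, and a permission action where only sts:AssumeRole-family actions belong), plus the overly open principals a reviewer would flag. The sample template, account id and provider name are constructed placeholders.

```python
import json

PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}
TRUST_ACTIONS = {"sts:AssumeRole", "sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity",
                 "sts:TagSession", "sts:SetSourceIdentity"}

# Constructed sample modelled on the failing question template: 'Lambda' is not a
# principal key, a SAML provider ARN belongs under Federated, and rds-db:connect is a
# permission rather than a trust action (account id and provider name are placeholders).
BROKEN_TEMPLATE = json.loads("""{
  "Resources": {"Role": {"Type": "AWS::IAM::Role", "Properties": {
    "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
      {"Effect": "Allow",
       "Principal": {"Lambda": ["arn:aws:iam::111111111111:saml-provider/EXAMPLE"]},
       "Action": ["rds-db:connect"]}]}}}}}""")


def check_trust_statement(where, stmt):
    """Findings for one trust-policy statement; [] means it is well-formed."""
    out = []
    principal = stmt.get("Principal")
    if principal == "*":
        out.append(f"{where}: Principal '*' lets any AWS identity assume the role")
    elif not isinstance(principal, dict) or not set(principal) <= PRINCIPAL_KEYS:
        out.append(f"{where}: Principal keys must be among {sorted(PRINCIPAL_KEYS)}")
    elif principal.get("AWS") == "*" and "Condition" not in stmt:
        out.append(f"{where}: Principal AWS '*' without a Condition is assumable cross-account")
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    bad = sorted(a for a in actions if a not in TRUST_ACTIONS)
    if bad:
        out.append(f"{where}: {bad} belong in Policies; a trust policy only grants sts:AssumeRole*")
    return out


def check_trust_policies(template):
    """Check the AssumeRolePolicyDocument of every IAM role in a template dict."""
    findings = []
    for role, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        stmts = doc.get("Statement", [])
        stmts = [stmts] if isinstance(stmts, dict) else stmts
        for i, stmt in enumerate(stmts):
            findings += check_trust_statement(f"{role}/trust[{i}]", stmt)
    return findings
```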
I was able to get this to work with the serverless.yml:

```yaml
iamRoleStatements:
  - Effect: "Allow"
    Action:
      - "sqs:SendMessage"
      - "sqs:ListQueues"
    Resource: "arn:aws:sqs:us-east-1:*:*"
```

But I want to apply it only to a certain function. How can I do this?
From the docs, you need to create the function role under resources and reference this new role inside your function.
Example:

```yaml
service: my-test
provider:
  name: aws
  runtime: nodejs6.10
functions:
  hello:
    role: mySQSRole
    handler: handler.hello
resources:
  Resources:
    mySQSRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: mySQSRole
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                Service:
                  - lambda.amazonaws.com
              Action: sts:AssumeRole
        Policies:
          - PolicyName: myPolicyName
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - sqs:SendMessage
                    - sqs:ListQueues
                  Resource: "arn:aws:sqs:us-east-1:*:*"
```