Invalid policy role due to malformed Json? AWS - amazon-web-services

I am following this tutorial: https://bernhardwenzel.com/articles/using-clojure-with-aws-lambda/
the json for the policy is as shown:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
but when I run
aws iam create-role \
--role-name basic_lambda_role \
--assume-role-policy-document fileb://resources/trust_relationship.json
I get
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json
Not sure what the problem is here.
I tried fixing the file path or removing the b but I can't seem to figure it out.

Your policy is fine.
I think the error comes from fileb, which should be used for binary data, such as UserData in EC2.
The following form should be used (use file, not fileb):
aws iam create-role \
--role-name basic_lambda_role \
--assume-role-policy-document file://resources/trust_relationship.json

Related

Getting "Invalid json" error when creating iam-role using aws cli

I'm getting an error when trying to create a new role using aws cli.
Here is the error message.
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json
In order to create a role, I run the following command.
aws iam create-role --path /role-service/ --role-name Test-Role --assume-role-policy-document policy.json
and the policy.json is
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "cognito-idp.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "d611c8fd-0fd1-469a-a5ea-b02186042023"
                }
            }
        }
    ]
}
You should be using file:// as explained in:
Loading AWS CLI parameters from a file
Therefore, you can try the following if policy.json is in your current working directory:
aws iam create-role --path /role-service/ --role-name Test-Role --assume-role-policy-document file://policy.json

Invalid policy role JSON

I am following this tutorial:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-cli-tutorial-fargate.html
the json for a policy is as shown:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
but when I run:
aws iam --region us-west-2 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document task-execution-assume-role.json
I get:
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json
I know the file path is right, because if it's wrong I get a different error. At first I thought it was "invalid json" because "Sid" is an empty string; I removed that property and got the same error.
anyone know what's wrong here?
You need to specify the assume-role-policy-document as file://task-execution-assume-role.json.
From the documentation you linked
aws iam --region us-west-2 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://task-execution-assume-role.json
It's not a very intuitive error that the CLI throws because of the missing file://
aws iam --region us-west-2 create-role \
--role-name ecsTaskExecutionRole \
--assume-role-policy-document task-execution-assume-role.json
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json
With the added file:// the create goes through
aws iam --region us-west-2 create-role \
--role-name ecsTaskExecutionRole \
--assume-role-policy-document file://task-execution-assume-role.json
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ecs-tasks.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROA2ZHAP3GUV5UTOV5ZF",
        "CreateDate": "2019-07-31T23:15:04Z",
        "RoleName": "ecsTaskExecutionRole",
        "Path": "/",
        "Arn": "arn:aws:iam::*******:role/ecsTaskExecutionRole"
    }
}
Yes, this is not clearly documented - you need to provide the file path to the json AFTER the file:// tag
For example file:///Users/user/Desktop/trust-policy.json
If you have the file in the same folder you can execute it as follows.
aws iam create-role --role-name TestRole --assume-role-policy-document file://./IAM_Trust_Policy.json --profile XXX-XXX
Here the file IAM_Trust_Policy.json is located in the same folder and being referred as file://./IAM_Trust_Policy.json
{
    "Id": "Policy1650533705078",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1650533484709",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::mys3staticwebstiehosting/",
            "Principal": ""
        }
    ]
}
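The three threads above (and the put-group-policy thread further down) all trip over the same CLI behaviour, so here is one added example that is not code from any of the posts or from the AWS CLI itself. It re-implements, in a few lines of Python, how the CLI turns a command-line argument into the parameter value: a file:// reference is read as text, fileb:// as bytes, and anything else is sent to IAM as the literal string. Running it shows why a bare filename produces "invalid Json" (IAM is asked to parse the string policy.json) and why file:// fixes it. The prefix handling and the expanduser/expandvars step are modelled on the CLI's paramfile behaviour; the verdict strings and the temporary trust-policy file are constructed for the demonstration.

```python
"""Added example: a small model of how the AWS CLI resolves a parameter value
from the command line.  Not code from the posts above or from the CLI itself;
the file:// / fileb:// prefix handling and the expanduser/expandvars step are
modelled on the CLI's paramfile behaviour, while the verdict strings returned
here are constructed for the demonstration."""
import json
import os
import tempfile

FILE_PREFIX = "file://"    # read the file as text and pass its contents
FILEB_PREFIX = "fileb://"  # read the file as bytes (UserData, blobs); not for JSON


def _expand(path):
    """The CLI expands ~ and environment variables before opening the file."""
    return os.path.expandvars(os.path.expanduser(path))


def resolve_param(value):
    """Return (kind, data) for one command-line argument.

    kind is 'text' for file://, 'binary' for fileb://, and 'literal' when the
    argument carries no prefix, in which case the string itself is the value."""
    if value.startswith(FILEB_PREFIX):
        with open(_expand(value[len(FILEB_PREFIX):]), "rb") as fh:
            return "binary", fh.read()
    if value.startswith(FILE_PREFIX):
        with open(_expand(value[len(FILE_PREFIX):]), "r", encoding="utf-8") as fh:
            return "text", fh.read()
    return "literal", value


def check_policy_document(value):
    """Resolve the argument, then apply the check that matters here: the
    document must be a string holding a JSON object.

    Returns (kind, verdict).  The verdicts mimic the shape of the messages
    seen on this page but are constructed, not captured CLI/IAM output."""
    try:
        kind, data = resolve_param(value)
    except OSError as exc:
        return "error", "Unable to load paramfile %s: %s" % (value, exc.strerror)
    if kind == "binary":
        return kind, "ParamValidation: expected a string, got bytes (use file://, not fileb://)"
    try:
        doc = json.loads(data)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return kind, "MalformedPolicyDocument: This policy contains invalid Json"
    return kind, "OK"


# Constructed copy of the trust policy from the first question.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "",
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def demo():
    """Write the trust policy to a temp file and try each argument form."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "trust_relationship.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(TRUST_POLICY, fh)
        return {
            "bare": check_policy_document(path),                  # what the questions did
            "file": check_policy_document(FILE_PREFIX + path),    # the fix
            "fileb": check_policy_document(FILEB_PREFIX + path),  # first question's variant
            "missing": check_policy_document(FILE_PREFIX + path + ".nope"),
        }


if __name__ == "__main__":
    for form, (kind, verdict) in demo().items():
        print("%-8s %-8s %s" % (form, kind, verdict))
```

The bare form never opens the file, which is also why a typo in the filename gives the same "invalid Json" message rather than a file-not-found error. A cheap local pre-flight before calling create-role is python -m json.tool resources/trust_relationship.json, which fails loudly on broken JSON and prints nothing misleading about the file path.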

Creating a role gives an error

I am using the following CLI command to create a role and attach a policy:
aws iam create-role --role-name SMS-Role --assume-role-policy-document file://D:\AWS\Cognito\SMSRolePolicy.txt
SMSRolePolicy.txt contains the following policy:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Resource": "*",
        "Action": "sns:publish"
    }
}
On executing the CLI script I get the following error:
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource
What? Where is your trust relationship policy document?
Your code works for adding policies to an existing attached role. To attach the role, you need to have AssumeRole permission for the resource. It should be something like:
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"
    }
}
Follow the Amazon link to set it up correctly.

S3 AccessDenied doesn't match policy

I have the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtXXX",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::MYBUCKET"
            ]
        }
    ]
}
(yes, I intend to scope back the s3:* when I get it working)
The following list bucket operation works OK:
$ aws s3 ls s3://MYBUCKET/test --profile MYPROFILE --region eu-west-1
2016-11-30 15:21:13 16712119 test
But a PUT won't work
$ aws s3 cp /tmp/test2 s3://MYBUCKET/test2 --profile MYPROFILE --region eu-west-1
upload failed: ../../../../tmp/test2 to s3://MYBUCKET/test2
A client error (AccessDenied) occurred when calling the CreateMultipartUpload operation: Access Denied
Parameter validation failed:
Invalid type for parameter UploadId, value: None, type: <type 'NoneType'>, valid types: <type 'basestring'>
I've tried this in the IAM Policy Simulator and it seems like it should work. I've verified that the keys correspond to the correct user.
(I've also tried with my own credentials and the operations work fine, so I don't think it's a syntax error)
Should this work? Any ideas why it isn't?
You need to enter the bucket contents as a resource separately from the bucket itself, if you are specifying bucket and object actions in the same statement:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StmtXXX",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::MYBUCKET",
                "arn:aws:s3:::MYBUCKET/*"
            ]
        }
    ]
}
The answer to this seems to be that the IAM policy can take some time to propagate. This went from not working, to being intermittent, to working.
So if you face an inexplicable situation, wait a few minutes.
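The "Creating a role gives an error" and "S3 AccessDenied doesn't match policy" threads above are both cases where the document is valid JSON but has the wrong shape for where it is used: a permission policy (Resource, no Principal) handed to create-role as a trust policy, and an S3 statement that names only the bucket ARN while granting object-level actions such as PutObject / CreateMultipartUpload. Here is an added example, not code from either post, of a local pre-flight lint that reports both before the document reaches IAM. The trust-vs-identity shape rules follow the documented policy grammar; the object-level S3 action list is a hand-picked subset used for the check, not the full action table, and the sample documents are constructed copies of the ones in the threads.

```python
"""Added example: a local pre-flight lint for IAM policy documents.  Not code
from the posts above.  Assumptions: the trust/identity shape rules are the
documented policy grammar; S3_OBJECT_ACTIONS is an illustrative subset."""
import fnmatch
import json

S3_ARN_PREFIX = "arn:aws:s3:::"

# Hand-picked object-level S3 actions (assumption: illustrative, not exhaustive).
S3_OBJECT_ACTIONS = (
    "s3:getobject", "s3:putobject", "s3:deleteobject",
    "s3:abortmultipartupload", "s3:listmultipartuploadparts",
)


def _as_list(value):
    """The policy grammar allows a single value wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _actions(stmt):
    return {a.lower() for a in _as_list(stmt.get("Action", []))}


def _s3_scope_findings(where, stmt):
    """Flag object-level actions whose S3 resources stop at the bucket ARN."""
    actions = _actions(stmt)
    s3_res = [r[len(S3_ARN_PREFIX):] for r in _as_list(stmt.get("Resource", []))
              if isinstance(r, str) and r.startswith(S3_ARN_PREFIX)]
    if not s3_res:
        return []
    wants_objects = any(fnmatch.fnmatchcase(obj, pat)
                        for pat in actions for obj in S3_OBJECT_ACTIONS)
    # "bucket/key", "bucket/*" and "bucket*" all reach objects; "bucket" alone does not.
    reaches_objects = any("/" in r or "*" in r for r in s3_res)
    if wants_objects and not reaches_objects:
        return ["%s: object-level S3 actions but only bucket ARNs; add %sBUCKET/* as well"
                % (where, S3_ARN_PREFIX)]
    return []


def lint_policy(doc_text, kind):
    """kind: 'trust' (create-role / update-assume-role-policy) or 'identity'
    (put-role-policy, put-group-policy, create-policy).  Returns findings."""
    try:
        doc = json.loads(doc_text)
    except ValueError as exc:
        return ["invalid JSON: %s" % exc]
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        where = "Statement[%d]" % i
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append("%s: Effect must be Allow or Deny" % where)
        if kind == "trust":
            if "Principal" not in stmt and "NotPrincipal" not in stmt:
                findings.append("%s: trust policy needs a Principal" % where)
            if "Resource" in stmt or "NotResource" in stmt:
                findings.append("%s: Has prohibited field Resource" % where)
            if not any(a.startswith("sts:assumerole") for a in _actions(stmt)):
                findings.append("%s: trust policy should allow sts:AssumeRole" % where)
        else:
            if "Principal" in stmt or "NotPrincipal" in stmt:
                findings.append("%s: identity policy must not name a Principal" % where)
            if "Resource" not in stmt and "NotResource" not in stmt:
                findings.append("%s: identity policy needs a Resource" % where)
            findings.extend(_s3_scope_findings(where, stmt))
    return findings


# Constructed copies of the documents from the two threads above.
SNS_PERMISSION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Resource": "*", "Action": "sns:publish"}})
EC2_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                  "Action": "sts:AssumeRole"}})
S3_BUCKET_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "StmtXXX", "Effect": "Allow", "Action": ["s3:*"],
                   "Resource": ["arn:aws:s3:::MYBUCKET"]}]})
S3_BUCKET_AND_OBJECTS = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "StmtXXX", "Effect": "Allow", "Action": ["s3:*"],
                   "Resource": ["arn:aws:s3:::MYBUCKET", "arn:aws:s3:::MYBUCKET/*"]}]})


def demo():
    return {
        "sns_as_trust": lint_policy(SNS_PERMISSION_POLICY, "trust"),
        "ec2_trust": lint_policy(EC2_TRUST_POLICY, "trust"),
        "s3_bucket_only": lint_policy(S3_BUCKET_ONLY, "identity"),
        "s3_fixed": lint_policy(S3_BUCKET_AND_OBJECTS, "identity"),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "clean")
```

Wiring lint_policy(open(path).read(), "trust") into a wrapper before aws iam create-role turns "Has prohibited field Resource" into a local message that says which statement is wrong; the S3 check reports the bucket-only ARN that the policy simulator in the thread above did not flag. Eventual consistency is the one thing no local check can catch: a policy that lints clean and is accepted by IAM can still be denied for a short while after attachment, which is what the last answer above observed.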

AWS malformed policy error

I am trying to set an AWS group policy via the AWS CLI like so:
aws iam put-group-policy --group-name my-group --policy-name \
s3-full-access --policy-document /tmp/policy.json
This is the content of /tmp/policy.json:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket*"
        }
    ]
}
I keep getting the following error:
A client error (MalformedPolicyDocument) occurred when calling the PutGroupPolicy operation: The policy is not in the valid JSON format.
I do not know how to proceed, the error is too unspecific. Anyone able to help?
Solved this riddle!
There has to be a file:// prefix in front of the policy file name:
aws iam put-group-policy --group-name my-group --policy-name s3-full-access --policy-document file:///tmp/policy.json
The original error message is very misleading, as you get the same message if you provide a filename that does not exist at all.
So it is not the syntax of the policy in the file but the fact that the CLI does not see the file at all, that causes the error.
I was facing the same issue on Windows 10 and this helped me.
**file** followed by **two forward slashes**, like "file://"
**Path on Windows 10** followed by **backslashes**, like "c:\Users\Anand\Desktop\anand-jan19.json"
C:\Users\Anand>aws iam create-policy --policy-name anand-jan19 --policy-document file://c:\Users\Anand\Desktop\anand-jan19.json
{
    "Policy": {
        "PolicyName": "anand-jan19",
        "PolicyId": "EQWEQBV33ewrwYCRCS",
        "Arn": "arn:aws:iam::56433378:policy/anand-jan19",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2019-02-10T04:03:32Z",
        "UpdateDate": "2019-02-10T04:03:32Z"
    }
}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PS command: Example 1.
aws iam create-role --role-name vmimport --assume-role-policy-document file:///policy/trust-policy.json
Actual path: C:\policy\trust-policy.json
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PS command: Example 2.
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file:///policy/role-policy.json
Actual path: C:\policy\role-policy.json
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++