Is it possible to create a canned policy that prevents the user from changing the password?
minio:RELEASE.2020-06-22T03-12-50Z / Docker
Related
I'm trying to create an index management policy in Opensearch 1.3 on AWS using Terraform and the elasticsearch provider from phillbaker but I'm always getting a 403 forbidden exception when using an IAM master user. After several tries, I've changed to an internal database user and it worked straightaway once the domain access policy was open for any user.
These are the things I've tried so far:
Creating an IAM user with programmatic credentials, adding this user to the domain access policy and as a master user for the cluster and using the credentials in the provider (using aws_access_key and aws_secret_access_key parameters, not username and password).
Creating an IAM role with administrator access, adding this role as a master user. Configuring a Cognito user pool and identity pool as identity provider for the cluster and configuring authenticated users to use the role created before. Configuring the domain access policy to allow anyone to user the cluster.
Creating an internal user from the dashboard and adding this user to the all_access role. Configuring the domain access policy to allow anyone to use the cluster.
In all these cases, it didn't work. The last case, I tried after changing the configuration to use an internal database user as master and I verified both had the same rol mapping configuration. But only the credentials of the one I assigned through the AWS console worked.
I also tried changing the cluster security configuration on AWS so the domain access policy gets replaced with the fine-grained access control. But every time I save the changes, when I get back to the security tab, the domain access policy is still activated.
I lost access to my AWS account due to loss of my phone with Authenticator app, but I still have access to console. The problem is that somehow the phone number in my account was incorrect and I can't restore access automatically. Support said there is a typo in number and if I have another user with full access, I will be able to change it to correct number and proceed to restore my account via MFA troubleshooting form.
So, the question is how to create that user?
I already did this:
aws iam create-login-profile --user-name VeryAdmin --password verypassword
aws iam add-user-to-group --user-name VeryAdmin --group admin
And successfully logged in to console, but still has no access to changing the number. The article in documentation said that the user should have access to this:
The IAM user enabled on the AWS account has administrator access permission.
The IAM user has access to the AWS Billing console.
No idea how to correctly add them via CLI
Unfortunately to change any details belonging to your account you will need to be logged in as root user:
Change your account settings. This includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and AWS Regions, don't require root user credentials
https://docs.aws.amazon.com/accounts/latest/reference/root-user-tasks.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_billing.html
im trying to get eb cli working.
in my cmd i do
>eb init
which opens up a new terminal, which then soon asks for aws-access-id and aws-secret-key
You have not yet set up your credentials or your credentials are incorrect
You must provide your credentials.
(aws-access-id): xxxx
(aws-secret-key): xxxxxxxxxx
ERROR: NotAuthorizedError - Operation Denied. The security token included in the request is invalid.
im not 100% sure whether aws-access-id referes to my username, the email address that created it or user id....
same goes for the aws-secret-key , im assuming right now that its the password for the account not some 1 off secret key.
I have used the console login link to register the iam account and change the password.
I have set the permissions of this user group to be AdministratorAccess
##################################
what is aws-access-id:
my username?
the email address?
user id?
is there anything that looks wrong?
You need to use Access keys.
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
If you have access to IAM and have sufficient privileges you can generate such keys for yourself. If not you need to contact your AWS administrator.
Please take a look at Managing access keys for IAM users for more information.
I want to setup IAM policy to grant permission for changing only RDS master password. I followed this document: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html but I didn't find any strict policy for RDS master password.
I see we use this action: rds:ModifyDBInstance but this action is much larger than the requirement. Anyone can suggest for me
While creating Users in Cloud. In IAM, Password policy. If you set password policy in inner sub user then it affects to parent user as well.
How is it possible ?
Example . I created user called xyz under root. I will login in xyz and change the password policy. But it affects Root user password policy as well.
The password policy that you set is for the account, not for a specific user and not for a group of users. It applies to the passwords of all IAM users. It does not apply to the AWS root account password.