Is there a way to pass a wildcard user ARN to
aws cloud9 create-environment-membership --user-arn arn:aws:blah
Looking at https://docs.aws.amazon.com/cli/latest/reference/cloud9/create-environment-membership.html it looks like I can only pass specific user ARNs but I'd like to be able to put wildcards in there rather than having a list of specific user ARNs.
This is not possible today. You have to specify a fully matched ARN for an IAM Principal (IAM User or STS Session)
Related
I have a centralized CloudTrail bucket which contains the CloudTrail logs of multiple accounts. Is it possible to write a bucket policy which allows that account 123456789112 can only download logs from Awslogs/123456789112 and that account 456789012345can only download logs from Awslogs/456789012345etc ? I don't want to hardcode this for each account since I have a lot of accounts. Is there a way to do this?
AWS IAM policies (and bucket policies) support a few policy variables that you can use as dynamic values such as aws:SourceIp, however account ID is not one of them. There is a aws:userid variable but it's the account ID only for the root user, for other principals like IAM user/role it is the user/role name. Technically if you used the AWS root user to access this bucket, you could use the userid variable in the Resource element to achieve what you want but it is strongly recommended not to use the root user for such everyday tasks (AWS recommendation).
There are also policy condition keys like aws:PrincipalAccount but without a relevant policy variable these cannot be used to dynamically compare the requesting account ID with the resource. There are no other IAM feature that could be used to achieve this.
I don't know your exact environment but a few things to consider:
I'd recommend to explicitly list the allowed principal ARNs anyway because even if you have many accounts, you should allow only specific IAM users/roles to read the bucket to follow the least privilege principle. Granting access based on account ID would allow all users/roles in that account to read these files and not just specific services. (unless this is the objective)
since this is a cross-account access (principal in account A wants to read from the bucket located in account B), you will need to allow this access on both sides, both in the requester's IAM policy and the target bucket's policy. Just a heads up. More info on AWS.
I would consider using Terraform to simplify the management of these resources
Hope this helps, let me know if you have more questions!
I am new to AWS.
Having a list of AWS SSO account aliases and account IDs, I need to iterate through those and check whether they have a specific role assigned to them.
What is the best way to do it? Note that, every account has a specific role associated to it, which I can assume in order to access everything in that account.
For example, given the account ID 999999999999, I guess I could do something like the following:
aws sts assume-role --role-arn "arn:aws:iam::999999999999:role/CommonMemberAccess" --role-session-name "MY-SESSION"
The above will print a JSON object with AccessKeyId, SecretAccessKey and SessionToken.
I could then export the above as env variables, for example,
export AWS_ACCESS_KEY_ID=AccessKeyId
export AWS_SECRET_ACCESS_KEY=SecretAccessKey
export AWS_SESSION_TOKEN=SessionToken
And finally, list the roles within the specific account as follows
aws iam list-roles
Eventually, I will need to do the above by connecting to the AWS API using Go (I am also new to Go). But as a starting point, I would like to know what I can do using the command line aws client.
Is the above a reasonable approach? How would you do this better?
You may try this cli command.
aws iam list-roles —-path-prefix /aws-reserved/sso.
In otherway, you can filter IAM roles associated with SSO by checking their ‘AssumeRolePolicyDocument’.
The ‘Principal’ attribute has to be the ARN of a federated identity provider which has its metadata document issued by AWS SSO
(you can check its SAML metadata XML document with the following cli command),
aws iam get-saml-provider —-saml-provider-arn “arn:of:federated:saml-provider:from:AssumeRolePolicy”
I'm wondering if something is possible at all, or I'm trying to build something that is not possible from the start.
Let's say within Account A there is an RDS DB Password, (can be any AWS resource ID or value) that I have stored in Secrets Manager or Parameter Store.
Now I want to use that value in AWS CDK in Account B, is this possible?
It is possible to retrieve the value based on ARN, see: https://bobbyhadz.com/blog/get-secrets-manager-values-aws-cdk#get-secrets-manager-value-by-arn---alternative but would this work cross-account?
You can attach a policy to your secret granting access to other AWS account. Check https://aws.amazon.com/premiumsupport/knowledge-center/secrets-manager-share-between-accounts/
IAM group path is a way to organize groups following an enterprise structure. Looking at the IAM Console I cannot find a way to set or modify the path of a group. Is it possible from the console or is there another way programmatically or through the CLI?
As far as I know, you must use the AWS cli or a programming language, e.g,
aws iam create-group --path "/company/team/project/" --group-name "your-group"
The groups are not listed in the Console in hierarchical form, but the ARN includes the path.
arn:aws:iam::111111111:group/company/team/project/your-group
I'm new to programming. I need to figure out how I can create AWS users, roles and policies programmatically using code.
That task I'm after :
Create a User, Role and Policy
Assign Policy to the Role
Assign Role to the User
Set condition on the Role, that only Users with MFA can assume that Role
Config's should live in S3 bucket
configure a LAMBDA to check the user's role membership and output the result to S3 bucket.
Just trying to figure out where do I start from ? I have a very limited programming experience (can do a bit of PHP).
I have a AWS account, created a user and gave him 'AdministratorAccess' also have user keys for CLI access.
Should I be suing 1)AWS CLI 2) Powershell 3) AWS SDK's 4) AWS API?
Appreciate any help/direction to achieve the above.
Thanks
S
To programmatically create IAM Roles you can use AWS PHP SDK. Refer the IAM Create User section in SDK API reference for more details.
Aside from using specific language AWS SDKs such as suggested by #Ashan, you can do so by using AWS REST API with the following example request:
https://iam.amazonaws.com/?Action=CreateUser
&Path=/division_abc/subdivision_xyz/
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Source - CreateUser