After setting up AWS Organizations, I created a member account with a custom IAM role name. I've now forgotten the role name used and I'm unable to assume role as root into that account. I need to create IAM users in the member account but without the ability to assume role using the custom OrganizationAccountAccessRole it seems I'm unable to.
I've tried getting access by
Using the member account root user but it doesn't have permissions to IAM
Signing in to member account using AWS SSO user with IAMFullAccess and AdministratorAccess policies attached to the policy set but user cannot access IAM.
Attempting to describe member account using the master account admin user but the role isn't there
At this point, I'm thinking the only way out is to recreate the member account. Please tell me there is a better way.
UPDATE:
- Found that 1 & 2 didn't work because of a restrictive Service Control Policy (SCP) on the account which didn't include IAM access permissions.
Based on the comments.
The solution was to inspect CloudTrial logs to find the API call used to create the role.
Related
I just created a new account in my organization and I provided a custom IAM role.
The problem is that I can't find the role in IAM, I remember then name and in any case there are few roles there so I can check.
I double checked in cloud trail the IAM role name, and I search for it in IAM and I still can't find it.
Is there something I'm missing or some workaround?
Background:
According to the documentation:
How can I access an AWS account that was created in my organization?
As part of AWS account creation, AWS Organizations creates an IAM role
with full administrative permissions in the new account. IAM users and
IAM roles with appropriate permissions in the master account can
assume this IAM role to gain access to the newly created account.
Update:
The steps of the link below also helped me understand the issue
https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
As per the documentation, the role is created in the New account. You can assumeRole by sts service to the role from the master account, so this is the reason you cannot find the role in your account.
You first assumeRole and then you can do the administrative job for the new account. You can log in through this link with your role and account.
https://signin.aws.amazon.com/switchrole?roleName=<roleName>&account=<newAccountId>
Be aware that you should be logged in to your master account first. Replace <roleName> and 12-digits <newAccountId> for yours.
Suppose, I am AWS IAM user, is there any way so that I can check what resource permission has been given to me, using CLI or Console.
Unfortunately, there is no comprehensive tool for that. In IAM console you can only check your user's IAM profile or group permission you belong to.
But full set of privileges is a very complex thing to get. Apart from obvious IAM user or group permissions you can have:
IAM roles which you can assume,
resource policies which you are listed as a principle (e.g. bucket policy, kms key policy),
resource policies where a role you can assume is a principle,
cross-account permissions in IAM roles or resource policies,
AWS Organization level SCP permissions.
If the reason for asking this question is related to security, e.g., to check what resources were accessed by a compromised IAM user credentials, you suspend the credentials or delete the user. Also can inspect the CloudTrial history to check what resources a given IAM user accessed.
I am writing an application for AWS platform, which was planned to be launched from the root account, with root credentials. At this point I need to stop some of the machines started by the AWS organizations member accounts.
By default AWS organizations doesn't give access to root account to look or manage resources to other member's account. So I tried using temporary credentials and tried to assume a role created by the target account.
More on that here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempSessionTokenJava.html
On the other hand it doesn't allow root account to assume roles, and throws such exception.
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Roles may not be assumed by root accounts. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 7bee7537-48e0-11e9-bb1a-bb36134736e4)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1695) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1350) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1101) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:758) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:732) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:714) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:674) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:656) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:520) ~[aws-java-sdk-core-1.11.475.jar:na]
at...
Is there any way get around this problem? For example, somehow to give the root access to everything or let it assume roles?
Firstly, please don't use your Root account! Best practice is to remove access keys from the root account, add an MFA token and lock it away. We have a large AWS Organization structure and we don't use the root accounts for anything other than where it's absolutely required.
See the IAM Best Practices user guide, specifically the section: Lock Away Your AWS Account Root User Access Keys
For your described administrative purposes, use IAM Users
IAM Users can assume Roles. Recommended steps:
Create IAM Group and attach the required policy for admin permissions. The AdministratorAccess policy is an easy pre-built policy that gives full admin access within the current account, but to assume roles into sub-accounts, all you really need to allow is the sts:AssumeRole action.
Creating Your First IAM Admin User and Group
Granting a User Permissions to Switch Roles
Create an IAM User and assign it to the IAM Group.
Adding and Removing Users in an IAM Group
Create the target Role in your sub-accounts with a Policy to allow actions in that sub-account and with a Trust Relationship defined for your IAM user in the master Org account.
Creating a Role to Delegate Permissions to an IAM User
NOTE: Sounds like you may already have this, but check the trust relationship to make sure.
Authenticate your app via IAM user credentials, temp credentials, etc.
NOTE: The temp credentials doc that you linked is for IAM Users, I'd recommend trying it again once you have a proper IAM user setup.
There are many ways to authenticate to AWS services, as another example see: Assuming an IAM Role in the AWS CLI
Additional: Not sure what you're building, but if appropriate, Consider Using Service-linked Roles to directly provide the app the specific permissions it needs--rather than dealing with user credentials.
According to the offical AWS documentation, IAM Roles can also be attached to IAM Users, and not only services.
What would be a valid use case to assign an IAM Role to an IAM User?
Aren't all the cases covered by directly granting (allow/deny) IAM Policies to the users?
TBH my initial impression was thar IAM Roles served the purpose of authorization for the AWS services (so that they can interact with other services), since the latter cannot be addressed in the User context
As you clearly understood, AWS Roles serves the purpose of authentication (with IAM policies for authorization) for AWS services. In contrast, AWS IAM users directly maps towards human user who obtains credentials to login to the AWS Management Console.
However, when granting access to an User outside the AWS Account (e.g; Cross Account Access, AD Authentication Federation) it will require an IAM Role to Assume the permission.
Referring to the documentation you shared, its not a direct IAM User who is getting permission, rather an Active Directory user (External) assuming an IAM Role (Not direct IAM User) to get access to the AWS Resources.
It is an IAM best practice is to assign Roles to AWS users from other AWS accounts in order to delegate permissions. This is to avoid sharing credentials between AWS accounts.
I also wanted to point out, your initial impression about Roles as authorization is not correct. The only IAM resource that is considered authorization are IAM Policies.
This can be seen in the AWS documentation on Understanding IAM and in the following AWS training video: Authentication and Authorization with AWS Identity and Access Management (login required)
The other three basic IAM resources: Users, Groups and Roles are considered part of Authentication.
Question
What does exactly "Assume" a role mean in AWS and where is the definitive definition provided?
Background
Assuming a role is frequently used and trying to understand the definition and what it actually means.
I suppose when a principal (IAM user, application running in an EC2 instance, etc which invokes an action to access AWS resource(s)) needs to invoke an action to access an AWS resource:
AWS (API? or some Authorisation runtime in AWS?) identifies the roles which the principal can be granted. e.g. if an EC2 user is specified to execute the assume-role API call and run an application which accesses an AWS resources in an EC2 instance to which IAM profile is attached, then:
All the IAM roles from the EC2 IAM profile
IAM roles and policies requested in the assume-role call
IAM roles which the EC2 user is granted
AWS finds a role from the roles which has the policy (action, resource) that allows the principle to do the action on the resource.
AWS switches the role of the principle to the role identified.
When the step 3 has happened, it is said "the principal has assumed the role". Is this correct?
Research
Using IAM Roles
Before an IAM user, application, or service can use a role that you created, you must grant permissions to switch to the role. You can use any policy attached to one of an IAM user's groups or to the user itself to grant the necessary permissions.
Assuming a Role
AssumeRole
Using IAM Roles
Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances
Assuming a role means asking Security Token Service (STS) to provide you with a set of temporary credentials -- role credentials -- that are specific to the role you want to assume. (Specifically, a new "session" with that role.)
You can optionally include a policy with this request, which will serve to limit the permissions of the temporary credentials to only a subset of what the role's policies would have allowed.
You then use these credentials to make further requests. These credentials look similar to IAM user credentials with an access-key-id and secret, but the access key begins with ASIA instead of AKIA and there's a third element, called the security token, which must be included in requests signed with the temporary credentials.
When you make requests with these temporary credentials, you have the permissions associated with the role, and not your own (if you have one) because you have taken on a new identity. CloudTrail can be used to trace the role credentials back to the user who assumed the role, but otherwise the service is unaware of who is using the credentials.
tl;dr: Assuming a role means obtaining a set of temporary credentials which are associated with the role and not with the entity that assumed the role.
AWS (API? or some Authorisation runtime in AWS?) identifies the roles which the principal can be granted.
No. You specify the role you want to assume.
When "you" are code running on an EC2 instance, and the instance has an instance role, the EC2 infrastructure actually calls assume-role on behalf of the instance, and you can fetch the temporary credentials from the instance metadata service. These credentials are accessible only from within the instance, but they are not stored on the instance.
When running a Lambda function, the Lambda infrastructure contacts STS and places your temporary credentials in environment variables. Again, these credentials are accessible to the function, without being stored inside the function.
In either case, you could call assume role with these credentials and assume a different role, but that should not be necessary in most environments.
e.g. if an EC2 user is specified to execute the assume-role API call and run an application which accesses an AWS resources in an EC2 instance to which IAM profile is attached, then:
AWS has no awareness of EC2 users. Instance roles are accessible to everything running on the instance.
All the IAM roles from the EC2 IAM profile
An instance profile can only include one role.
IAM roles and policies requested in the assume-role call
You request to assume exactly one role. You do not need to request a policy -- you only specify a policy if you want the temporary credentials to have fewer privileges than the role credentials would allow. This might be something you would do if you needed code running in an untrusted place -- such as code in a browser or an app -- to be able to sign requests with credentials.
AWS finds a role from the roles which has the policy (action, resource) that allows the principle to do the action on the resource.
No. As noted above, you ask for a specific role when you call assume-role.
AWS switches the role of the principle to the role identified.
No. You make the switch by using the temporary credentials provided.
I have created the following diagram for myself to understand what is exactly assume a role in AWS. Hopefully, you will also find it helpful.
In the diagram, I put it in 3 steps:
Prepare the roles (ExecutionRole and AssumedRole)
Create a Lambda Function on Account A (in your case it is EC2)
Execute the LambdaFunction.
The diagram uses cross-account as an example, if it is within the same account step 1.3 is not required.
Typically, you use AssumeRole within your account or for cross-account access.
...
Users in the same account as the role do not need explicit permission to assume the role. Source: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html
When step 3 has happened, it is said: "the principal has assumed the
role". Is this correct?
The steps you mentioned in assuming a role are correct.
Here the important point is the IAM role's Trust Relationship configuration where you grant each of the IAM user, application, or service to assume the role. That is where you grant the permission to assume the particular role.
This is important in many aspects, where it controls who can assume the role and it is important to provide not only least access to the role but also grant the least amount of entities who can assume the role.