I am trying to create an IAM user and I want to assign the user for Full S3 Access using IAM role (via console access). I know I can do that using Group or attaching the S3FullAccessPolicy directly to the user. I am unable to do this and could not find any help regarding this. The articles I come across describes how you can attach IAM policies to EC2 instance etc.
I managed to create a role and attached a trust policy as below. I also attached the policy "AmazonS3FullAccess" to the role.
But it never worked if I login using AWS management console (browser). It still denies all permission to the user for S3 access. The trusted entities policy looks like below - the IAM username I am trying to use is s3AdminUserWithRole. Th eAWS account id is 6XXXXXXXXXXX0
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::6XXXXXXXXXXX0:user/s3AdminUserWithRole",
"arn:aws:iam::6XXXXXXXXXXX0:root"
]
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Is it not possible to do like this for AWS Management console for a user? We have to use only Groups /managed policies/ inline policies and NOT roles for this? Confused about the AWS documentation then.
Based on the comments, the solution is to use sts service and its assume-role API.
For Console there is Switch Role option.
Related
Question
Please help understand the cause and solution for the problem.
Problem
SageMaker Studio domain creation fails due to KMS permissions. The IAM Role specified to the SageMaker arn:aws:iam::316725000538:role/SageMaker has the permissions for KMS required as specified in https://docs.aws.amazon.com/sagemaker/latest/dg/api-permissions-reference.html.
Domain creation failed
Unable to create Amazon EFS for domain 'd-1dq5c9rpkswy' because you don't have permissions to use the KMS key 'arn:aws:kms:us-east-2:316725000538:key/1e2dbf9d-daa0-408d-a290-1633b615c54f'. See https://docs.aws.amazon.com/sagemaker/latest/dg/api-permissions-reference.html for required permissions for CreateDomain action.
tells the IAM permissions
IAM Permission for CreateDomain action
Amazon SageMaker API Permissions: Actions, Permissions, and Resources Reference
The IAM permission required for the CreateDomain action have been attached to the IAM role.
I had the same problem when trying to use the aws/s3 key. I created my own Customer Managed Key (CMK) and it worked just fine.
I think it's related to the AWS assigned policy on the aws/s3 key.
This part:
"Condition": {
"StringEquals": {
"kms:CallerAccount": "120455730103",
"kms:ViaService": "s3.us-east-1.amazonaws.com"
}
I don't think SageMaker meets the kms:ViaService condition.
Apart from SageMakerFullAccess we need to create a new policy and attach that to your user.
Create a new policy with below json -
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sagemaker:CreateUserProfile",
"sagemaker:CreateModel",
"sagemaker:CreateLabelingJob",
"sagemaker:CreateFlowDefinition",
"sagemaker:CreateDomain",
"sagemaker:CreateAutoMLJob",
"sagemaker:CreateProcessingJob",
"sagemaker:CreateTrainingJob",
"sagemaker:CreateNotebookInstance",
"sagemaker:CreateCompilationJob",
"sagemaker:CreateImage",
"sagemaker:CreateMonitoringSchedule",
"sagemaker:RenderUiTemplate",
"sagemaker:UpdateImage",
"sagemaker:CreateHyperParameterTuningJob"
],
"Resource": "*"
}
]
}
I am checking the steps of setting up IAM auth in RDS: https://aws.amazon.com/premiumsupport/knowledge-center/users-connect-rds-iam/ And one of the steps is to attach the IAM role with proper permission: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:us-east-2:1234567890:dbuser:db-ABCDEFGHIJKL01234/db_user"
]
}
]
}
The resource follows this format:
arn:aws:rds-db:region:account-id:dbuser:DbiResourceId/db-user-name
If I understand correctly, as long as I know someone's account-id, DbiResourceId and db-user-name (or maybe db-user-name as I can use wildcard?), then I am able to connect to that DB instance, right?
This sounds insecure. Did I miss anything?
No this would not be possible. The only want to interact with this resource would be to assume a role in the target account.
You can use an IAM role to allow someone (a trusted principal) in a different account to access resources in your account. Roles are the primary way to grant cross-account access. However, with some AWS services, you can attach a policy directly to a resource (instead of using a role as a proxy). To learn the difference between roles and resource-based policies for cross-account access, see How IAM Roles Differ from Resource-based Policies in the IAM User Guide
I'm trying to set up Lightsail on AWS to run a Wordpress installation.
When I try to get in using my 'user' account, I get this error:
https://lightsail.aws.amazon.com/ls/error/access-denied
There might be a problem.
It looks like you aren't authorized.
If you're signed in as an IAM user, ask your administrator to create a permissions policy that grants access to Amazon Lightsail resources and related AWS services.
But when I log in with my admin user account, I can't see any Lightsail policies in the permissions policies lists.
Where can I enable the correct policy? Currently I can only set up my Lightsail server as the admin user, not with my user account.
You are correct, there is no Managed Policy for Amazon Lisghtsail access.
You will need to create your own inline policy to grant access.
To grant full permissions, use:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"lightsail:*"
],
"Resource": "*"
}
]
}
For full instructions, see: Managing access to Amazon Lightsail for an IAM user | Lightsail Documentation
AWS allows you to invite AWS accounts into your organization and manage them with OUs. However, AWS accounts in the same OU do not seem to have access to the same resources. It seems like the only solution is to create IAM users under a common account and create resources as the account, but then human users have to share credentials to that main account. Is there a way to allow different human users to create resources with their own credentials and never share credentials? I do not understand the value of separating accounts from IAM and it is ultimately confusing my understanding of resource management security best practices.
AWS recommends that you give users access to roles in different account. As in have all your users in one "central" AWS account and then have your IAM users login to different AWS accounts using a role rather than using straight credentials. See below for an example IAM policy that you would attach to your IAM user.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "StmtXXXXXX",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::{AccountID}:role/{RoleName}"
]
}
]}
I am new to AWS IAM and I am learning to do a security audit for AWS.
For a specific user in AWS the JSON permissions policy looks like this (Account no changed of course)
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::111111111111:role/APP-NonProd-BC",
"arn:aws:iam::111111111112:role/APP-nonProd-Admins",
"arn:aws:iam::123456789011:role/APP-nonProd-AdminAccess-Role",
"arn:aws:iam::111111111111:role/App-NonProd-S3Ops",
"arn:aws:iam::111111111111:role/APY-nonProd-EC2Admin"
]
}
}
My question is - Where I can find the permissions for each of the resources. Means, for APP-nonProd-BC resource : what kind of permissions apply?
For APP-nonprod-AdminAccess-Role : is it really have Admin Access or its just named as AdminAccess and where I Can find the permissions definitions ?
I searched in permissions but not able to find relevent for each of the resources "App-nonProd-BC" or App-nonprod-adminaccess-role" etc. Kindly help.
These are rules to allow the User to assume these roles. Look within the IAM roles defined and you should be able to see the associated permissions. Permissions can be given to roles, and then user allocated to the roles, so that you can change all the permissions at once and simplify the permission process.