AWS: STS Assume Role not working for user - amazon-web-services

I have created an AWS policy with the definition below. I have assigned this to an IAM user so the user can get temporary access. However, the user gets this error: "User xxxx is not authorized to perform: sts:AssumeRole on ...".
The AWS documentation says this is the only policy that is required.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}

In addition to the IAM policy that allows the user to assume a role, you also need to add a trust policy to the role. The trust policy specifies who can assume the role. I think you are missing the trust policy.
Hope this helps.
Reference: Assume an IAM Role Using the AWS CLI


AWS CodeDeploy does not have the permissions required to assume the role

I am trying to set up CI/CD with AWS + EC2 and am stuck when creating a Deployment Group. The role for CodeDeploy has the policies AWSCodeDeployRole and AWSCodeDeployRoleForECS, but it throws an error. I tried giving it admin rights, but it is still not enough. Am I missing something? Thanks for any help!
You have a role that has the permissions required for CodeDeploy to perform the deployment. What you are missing is a trust policy defined in the role that allows CodeDeploy to assume the role.
Go to the IAM console and select the role from the Roles section.
Click Trust relationships.
Click Edit trust relationships.
Add the following trust policy to allow the CodeDeploy service to assume this role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "codedeploy.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Reference: Create a service role for CodeDeploy

Are AWS service principals implicitly account scoped in policy documents?

Consider the following trust relationship configured for an IAM role in accountA:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Does this implicitly scope the access down to CloudFormation running in accountA, or can a CloudFormation stack in any other account (B, C, D, etc.) assume this role?
I've used aws:SourceArn conditions previously to avoid confused deputy attacks, like this:
"Condition": {
  "ArnLike": {
    "aws:SourceArn": [
      "xxxx"
    ]
  }
}
Is this necessary, or is the initial policy sufficient to scope the trust relationship down to accountA?
This policy is allowing the CloudFormation service to assume a role that is in your account.
By default this is also scoped to your account, i.e. only CloudFormation in your account can assume the role and not CloudFormation from another account. You would have to explicitly add a Principal with another account ID to allow cross-account access from CloudFormation in another account; that would look like this:
"Principal": {
  "AWS": "123456789012",
  "Service": "cloudformation.amazonaws.com"
},
To be clear, the user would need to have the following permissions to allow them to pass the role to the service.
"iam:GetRole"
"iam:PassRole"
Without these permissions for your IAM role Arn they cannot pass it to the CloudFormation service to allow it to be assumed.
So, in short, the permissions to pass the IAM role ARN are needed on a user/role in addition to the service being able to assume the role.
More information is available in the Granting a user permissions to pass a role to an AWS service documentation.

Your function's execution role doesn't have permission to send result to the destination

I want to send a message from a Lambda function to SNS. When I try to add the destination "SNS", this error comes up. What are the IAM policies I am missing? I have added the AWSLambdaFullAccess and AmazonSNSFullAccess IAM policies.
The issue is not the Lambda execution policy; rather, you (your IAM user) do not have permission to perform iam:AttachRolePolicy.
The reason is that Lambda will add the following service-role policy to your function's execution role, regardless of the fact that you already have AmazonSNSFullAccess there:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:region:xxxx:testTopic"
    }
  ]
}
You have to add the missing permissions to the IAM user you use when logging in to the console.

how to create "role" with "Another AWS account" role type by cli command?

I am trying to write a batch file in Windows to do the steps below by CLI command (actual example), but I don't know how to create a role and set the CLI command for the "Another AWS account" role type. Do you mind helping me?
In the navigation pane on the left, choose Roles and then choose Create role.
Choose the Another AWS account role type.
For Account ID, type the Development account ID.
This tutorial uses the example account ID 111111111111 for the Development account. You should use a valid account ID. If you use an invalid account ID, such as 111111111111, IAM does not let you create the new role.
For now you do not need to require an external ID, or require users to have multi-factor authentication (MFA) in order to assume the role. So leave these options unselected. For more information, see Using Multi-Factor Authentication (MFA) in AWS.
Choose Next: Permissions to set the permissions that will be associated with the role.
My command for creating the role:
call aws iam create-role --role-name xxx-S3-Role --assume-role-policy-document file://trustpolicy.json
My trustpolicy.json:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::222222075333:role/xxx-S3-Role"
  }]
}
I am receiving the error below:
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource
I solved my problem by changing two parts.
1- by fixing the path of the policy
aws iam create-role --role-name xxx-S3-Role --assume-role-policy-document file://c:\foldername\trustpolicy.json
2- I changed the format of the policy by reverse engineering a policy that I created from the console; the format is below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222075333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
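The first question on this page (identity policy present, trust policy missing) and this one (a trust policy that wrongly carries a Resource field) fail for different reasons, and the following Python models both checks offline. It is an added example, not code from any answer: the ARNs, the account ID 111111111111 and the policy documents are constructed samples, and the matching is a deliberate simplification of IAM evaluation (no Deny, no Conditions, Principal assumed to be a JSON object).

```python
from fnmatch import fnmatchcase

ROLE_ARN = "arn:aws:iam::111111111111:role/xxx-S3-Role"  # constructed sample
USER_ARN = "arn:aws:iam::111111111111:user/test-user"     # constructed sample

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(patterns, value):
    # IAM-style wildcard match for Action/Resource strings.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def validate_trust_policy(doc):
    """Mimic the CreateRole check that rejects Resource in a trust policy."""
    for st in doc["Statement"]:
        if "Resource" in st:
            return "MalformedPolicyDocument: Has prohibited field Resource"
    return None

def identity_allows(identity_policy, role_arn):
    """Caller side: does the user's own policy allow sts:AssumeRole on the role?"""
    return any(
        st.get("Effect") == "Allow"
        and _match(st.get("Action", []), "sts:AssumeRole")
        and _match(st.get("Resource", []), role_arn)
        for st in identity_policy["Statement"]
    )

def trust_allows(trust_policy, caller_arn):
    """Role side: does the trust policy name the caller, or its account root?"""
    account = caller_arn.split(":")[4]
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow" or not _match(st.get("Action", []), "sts:AssumeRole"):
            continue
        aws = _as_list(st.get("Principal", {}).get("AWS", []))
        # A bare account ID is shorthand for that account's root principal.
        if caller_arn in aws or f"arn:aws:iam::{account}:root" in aws or account in aws:
            return True
    return False

def can_assume(identity_policy, trust_policy, caller_arn, role_arn):
    """Return (allowed, reason): both documents must allow the call."""
    err = validate_trust_policy(trust_policy)
    if err:
        return False, err
    if not identity_allows(identity_policy, role_arn):
        return False, f"{caller_arn} is not authorized to perform: sts:AssumeRole on {role_arn}"
    if not trust_allows(trust_policy, caller_arn):
        return False, f"trust policy of {role_arn} does not allow {caller_arn}"
    return True, "allowed"
```

Trusting the account root (as the console-generated policy above does) still requires the calling user's own identity policy to allow sts:AssumeRole on the role; trusting a specific user ARN admits only that user.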

Modify EC2 service role so that it can be assumed by an IAM user in the same account

I have a role ssm-role for EC2. I want another IAM user to launch EC2 instance with ssm-role attached.
Policy attached to ssm-role: AmazonEC2RoleforSSM
Trust relationship for ssm-role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::<ACC_ID>:user/test-user"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I have added the following inline policy for the user who wants to assume ssm-role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "test",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::<ACC_ID>:role/ssm-role"
    }
  ]
}
Despite these, test-user is not able to launch EC2 with ssm-role attached.
Any help will be greatly appreciated.
Note: test-user has EC2FullAccess
To launch an Amazon EC2 instance with an attached role, the IAM User making the request needs to have iam:PassRole permissions for the given role.
This is required to prevent a potential "elevation of authority" situation, such as:
A user has limited permissions
They launch an EC2 instance, specifying a Role that has elevated privileges
They log in to the EC2 instance and use the privileges of the Role to perform functions that they would not normally be permitted to do
Thus, a user must have iam:PassRole permissions for the given role (at minimum) to be able to launch an instance that uses that role.
See: Granting a User Permissions to Pass a Role to an AWS Service - AWS Identity and Access Management