As per AWS documentation,
A user who wants to access a role in a different account must also
have permissions that are delegated from the user account
administrator. The administrator must attach a policy that allows the
user to call AssumeRole for the ARN of the role in the other account.
I understand this requirement. However, I am not sure as to why an 'AssumeRole' action still need to be specified again in the 'Trust Relationship' of the role. It makes sense to allow/restrict a Principal (using 'AssumeRole' action) to assume a specific role and also the role being assumed to trust the assuming Principal (in its 'Trust Relationship'), but not sure why the role itself has to specify 'AssumeRole' action in its Trust relationship. The roles are always meant to be assumable - isnt it? Or alternately, what is the significance of specifying 'AssumeRole' action in the 'Trust relationship' of a role?
I'm not an AWS Roles expert, but as far as I know, the Trust Relationship Policy Document makes sense for two main reasons:
A role can be assumed not only with sts:AssumeRole action, but also with sts:AssumeRoleWithSAML and sts:AssumeRoleWithWebIdentity (docs here).
As the name "Trust Relationship Policy Document" says, it's also a policy document. So instead of creating a different template for Trust Relationship, AWS create a single policy template and uses it in all cases - this way we only need to learn the policy template once (docs here).
Related
every time i try to create an environment from my cli it pop up this error
ERROR Unable to assign role. Please verify that you have permission to pass this role: aws-elasticbeanstalk-service-role.
and give me failed to launch environment
even though i setup the aws access key and secret access key and give the user the permissions of administrator
AWS has a strictly defined policy evaluation logic.
Deny evaluation – By default, all requests are denied. This is called an implicit deny. The AWS enforcement code evaluates all policies within the account that apply to the request. These include AWS Organizations SCPs, resource-based policies, identity-based policies, IAM permissions boundaries, and session policies. In all those policies, the enforcement code looks for a Deny statement that applies to the request. This is called an explicit deny. If the code finds even one explicit deny that applies, the code returns a final decision of Deny. If there is no explicit deny, the code continues.
As you can see, the first step checks for an explicit deny in all policies within the account that apply to the request. Although you have the admin permissions there could be Organizations SCPs, resource-based policies, IAM permissions boundaries, or another IAM policy attached to your IAM account or group that explicitly deny passing a role. If you have access just check them one by one. Or ask your administrator to do that.
If a user in AWS is having AdministratorAccess policy attached, he has full AWS access for that account. But with permission boundaries attached to that user his access can be confined. For example say the user has permission boundaries set to AmazonDynamoDBFullAccess, then the full access is just confined to DynamoDB.
What is real benefit of above approach, one could have just removed the AdministratorAccess policy and attached AmazonDynamoDBFullAccess to the user to achieve the same restrictions/permissions.
Is there anything more to understand?
That is not not purpose of IAM Permission Boundaries, nor is it the way it operates.
From Permissions boundaries for IAM entities - AWS Identity and Access Management:
AWS supports permissions boundaries for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
To explain via an example, let's say that a developer needs permission to create an IAM Role in their software development duties. This can be a very dangerous permission to assign because they could create a Role that has full Admin permissions, thereby granting themselves even more permission that desired.
To limit their abilities, a permission boundary could be added to the developer such that they are only able to create an IAM Role if the role they define is attached to a permission boundary that limits the permissions of the Role (eg so it can only be used to access S3 and DynamoDB, but not other services). It can be a little confusing, but think of it as a set of rules that must be attached to any permissions they give, so that they can't grant full permissions. It's a way to grant them permissions, but limits what permissions they can on-grant to other entities.
This concept is totally separate to assigning IAM managed policies that you mention in your question. In most circumstances, assigning an IAM managed policy is perfectly sufficient. Permissions boundaries only really apply when somebody has permission to create new IAM entities.
Objective
Clear the confusion of what/who is the principal of an action being executed in AWS with assuming an IAM role.
Background
A IAM role has the tab of Trust relationships that defines who can assume the role.
It is described as in JSON.
statement {
sid = "1"
effect = "Allow"
principals {
identifiers = ["elastictranscoder.amazonaws.com"]
type = "Service"
}
actions = ["sts:AssumeRole"]
}
According to Roles Terms and Concepts, those who can assume the role must be either a user or a role.
Principal
An entity in AWS that can perform actions and access resources. A principal can be an AWS account root user, an IAM user, or a role. You can grant permissions to access a resource in one of two ways:
Trust policy
A document in JSON format in which you define who is allowed to assume the role. This trusted entity is included in the policy as the principal element in the document.
Question
Who/what is the principal if I issue the assume-role command using my AWS account to get a temporary credential, and then run an action e.g. transcode video files? According to the AWS document, it must be either a user or a role.
elastictranscoder.amazonaws.com?
The role that defines the trusted relationship with elastictranscoder.amazonaws.com?
My user account?
If it is elastictranscoder.amazonaws.com, then:
Is it this a user or a role?
From Audit perspective, is elastictranscoder.amazonaws.com recorded as the principal who executed the action? Where can I identify who became elastictranscoder.amazonaws.com when and how?
AWS IAM can be thought as an abstraction over 3 things:
Identity (Role, User, User group)
Policy (Identity based policy, resource based policy)
Resource (AWS resources).
A json is composed of elements and 'Principal' is one of the json element in the 'Policy' json document. Principal elements are only present in resource based policy jsons.
Principal abstraction is at the same abstraction level as Identity abstraction. It extends Identity abstraction and is identified by a granular identity i.e. Amazon Resource Name (ARN).It is used only with resource based policy.
Principal elements are used to specify entities like AWS account, AWS services, IAM role, IAM user, federated user and the actions elements specify what operation principals can perform.
AFAIK,
In your context,
When you issue the assume-role command using my AWS account to get a temporary credential, there is no Prinicipal involved sine there is no resource policy involved it is just identity based policy which gives your IAM role to assume role.
When you issue AssumeRole API via CLI or other means, the principal is the identity whose credentials are being used. For example, if you are assuming a role using IAM user's credentials, the principal is the IAM user.
You receive temporary credentials as a result of successful AssumeRole API and when you perform any action using these temporary credentials, the principal will be the IAM role.
In your example, you are trusting the "elastictranscoder.amazonaws.com" i.e. Elastic Transcoder service itself. You can audit how the service is using the role in CloudTrail logs.
There is a policy attached to user/role which is allowed to create other policies and roles, but, for example, original role doesn't have permissions to do s3:PutObject. Is there any way I can prevent this role/user from creating another policy which allows s3:PutObject and elevating it's own permissions by that?
If you grant users the ability to create policies and roles, then you trust them not to abuse it. Very few admins should have this ability.
The way to solve your case is for an uber-admin to create policies and roles, and for your user to be restricted to which policies/roles he can attach (see related article). You can also implement automation to validate the policies created by your uber-admins meet certain conditions.
This page https://www.terraform.io/docs/providers/aws/r/iam_role.html mentions:
NOTE: This assume_role_policy is very similar but slightly different
than just a standard IAM policy and cannot use an aws_iam_policy
resource. It can however, use an aws_iam_policy_document data source,
see example below for how this could work.
Is there any reason why the assume_role_policy is different from the standard IAM policy?
Any why?
An assume role policy is a special policy associated with a role that controls which principals (users, other roles, AWS services, etc) can "assume" the role. Assuming a role means generating temporary credentials to act with the privileges granted by the access policies associated with that role.
An assume role policy differs from a normal policy in the following ways:
It is a property of the role itself, rather than a separate object associated with the role. There is only one assume role policy per role.
The only Action values that have any meaning in an assume role policy are sts:AssumeRole and some other variants on it (at the time of writing, sts:AssumeRoleWithSAML and sts:AssumeRoleWithWebIdentity). Those are the API operations used to obtain the temporary credentials for the role.
It is the first of these differences that creates the difference mentioned in the Terraform documentation: since a role has exactly one IAM policy and it is declared directly as part of the role, its policy document must be provided as an attribute of the aws_iam_role resource. The aws_iam_policy_document data source is just a simple transform of its input into an IAM JSON policy document format, so it can be used to generate the value of the assume_role_policy attribute.
When an AWS service makes calls to another API service on your behalf, it is internally obtaining temporary credentials for the role you designate, which it can then use to make calls to other service APIs. It is for this reason that it is necessary to create roles and assign them to services such as AWS Lambda, EC2 (via instance profiles), Kinesis Firehose, etc.
I wrote a more elaborate description of this as part of an answer to another question, which gives some examples of practical IAM roles, assume role policies and regular policies.