Hi, I have created a CDK project with Jenkins. I want to deploy with a role, for example cdk deploy with a role. In CloudFormation I was doing it like below:
cfn_manage deploy-stack \
--stack-name "$CFN_CDK_STACK" \
--template-file "cloudformation/templates/cdk.yml" \
--parameters-file "$PARAMS_FILE" \
--role-name infra-cfnrole-location-nonprivileged
Now I have a CDK project as below:
checkout scm
withCredentials([[$class: 'AmazonWebServicesCredentialsBinding', credentialsId: "${env.PROJECT_ID}-aws-${CFN_ENVIRONMENT}"]]) {
    abc = docker.build('cdkimage', "--build-arg http_proxy=${env.http_proxy} --build-arg https_proxy=${env.https_proxy} .")
    abc.inside {
        sh 'ls -la'
        sh "bash ./scripts/build.sh"
    }
}
Then inside build.sh:
NONPRIV_ROLE_NAME='infra-cfnrole-location-nonprivileged'
# capture the temporary credentials and export them so that cdk runs as the role
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN < <(aws sts assume-role --role-arn "arn:aws:iam::id:role/${NONPRIV_ROLE_NAME}" --role-session-name jenkins --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]' --output text)
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
cdk synth
cdk deploy
This is throwing an error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::id:user/infra-prjauth-location is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::187628286232:role/infra-cfnrole-location-nonprivileged
For the role cfnrole-location-nonprivileged, in trusted relationships I have the policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Can someone help me deploy with a role? Any help would be appreciated. Thanks.
I think the issue is that you haven't specifically trusted your IAM User in the IAM Role's trusted relationships.
Assuming that this role has the correct permissions needed for a CDK deploy (see here for more info on that), you need to allow your IAM user to access the role, not CloudFormation. CloudFormation already has access to your account resources.
I think this version of the trusted relationships policy should do the trick:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<full ARN of the relevant user>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Let me know if it works!
Related
When I try to start a DeviceFarm run via CLI or API with an IAM user, I'm always getting the following error:
An error occurred (AccessDeniedException) when calling the ScheduleRun operation: User: <user-arn> is not authorized to perform: devicefarm:ScheduleRun on resource: <upload-arn>
It happens regardless of user permissions, even on a user who has the AdministratorAccess policy attached. Policy JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
The command I'm trying to run:
aws devicefarm schedule-run --region=us-west-2 --project-arn=<project-arn> --test='type=APPIUM_PYTHON,testPackageArn=<package-arn>,testSpecArn=<spec-arn>'
However, I can still start the run manually via the AWS web console.
I am trying to assign a role to a user using the AWS console but not having a whole lot of success with it. So I created a user David and I created a role with a trust policy in which I am assigning David, i.e. the IAM user, as the principal, which looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account-ID:user/David"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
and I also attached a policy to the role which lets the user list buckets and get objects. The policy looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allowsusertotolistbuckets",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
Now when I run aws configure and authenticate as the David user with the right access key and secret access key and run aws s3 ls, I run into the following: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied. How can I have the user assume the role? Any help will be appreciated.
IAM Roles are not 'attached' to a user. Rather, an IAM User can be permitted to assume an IAM Role.
Using the AWS CLI, they would assume an IAM Role like this:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example
In response, AWS STS will return a set of temporary credentials:
{
  "AssumedRoleUser": {
    "AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
    "Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
  },
  "Credentials": {
    "SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
    "SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
    "Expiration": "2016-03-15T00:05:07Z",
    "AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
  }
}
These credentials can then be used to call AWS services 'as the IAM Role' rather than 'as the IAM User'.
See: assume-role — AWS CLI Command Reference
To make things easier, it is possible to define a profile that uses an IAM Role. The AWS CLI will automatically use IAM User credentials to call AssumeRole(), then use the resulting credentials to make the desired API call.
Here is an example profile entry:
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1
This is saying: "Use the IAM User credentials from profile user1 to call AssumeRole() on the marketingadminrole"
It can then be used like this:
aws s3 ls s3://marketing-bucket --profile marketingadmin
See: Using an IAM role in the AWS CLI - AWS Command Line Interface
I am trying to define an IAM Role + Policies to be used to deploy and manage RDS Instances via CloudFormation. So I am writing an IAM Role that will be passed to CloudFormation for the deployment.
The Role should allow deploying and managing RDS instances with specific tags, and not creating any instance that does not have the tags.
So what I am trying in the role is this (IAM Policy):
{
  "Condition": {
    "StringEquals": {
      "rds:req-tag/Project": "myproject"
    }
  },
  "Action": [
    "rds:Create*",
    "rds:Restore*"
  ],
  "Resource": "*",
  "Effect": "Allow"
},
Yet, when I try to create an RDS Instance with the tag Project=myproject using CloudFormation, I get:
API: rds:CreateDBInstance User: <me> is not authorized to perform: rds:CreateDBInstance on resource: arn:aws:rds:eu-central-1:078433912766:db:ss9wm5ynvx3n8i because no identity-based policy allows the rds:CreateDBInstance action
Looking through CloudTrail it seems to me that CloudFormation does not send the tags when creating the instance, which is probably the reason why this fails.
So I wonder: is what I am trying even possible? Or do I have to accept the fact that I cannot restrict CloudFormation so that it can only create RDS Instances with specific tags?
I tested the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEquals": {
          "rds:req-tag/Project": "myproject"
        }
      },
      "Action": [
        "rds:Create*",
        "rds:Restore*",
        "rds:AddTagsToResource"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
with the following CLI command:
aws rds create-db-instance \
--db-instance-identifier test-mysql-instance \
--db-instance-class db.t3.micro \
--engine mysql \
--master-username admin \
--master-user-password secret99 \
--allocated-storage 20 \
--region us-east-1 \
--tags Key=Project,Value=myproject
and I can confirm that it's working as intended.
I am trying to use the AWS CLI to run some commands. I do not have a user account in the target region, but I am trying to use a role called "AssumedAdministrator" which has sts:assumerole.
I can log into the AWS web console OK using the "switch role" option, but when I run a CLI command like:
aws --profile $profile sts get-caller-identity --region $region
I am getting the following error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::111111111111:user/john.smith is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::222222222222:role/AssumedAdministrator
Here's the Trusted Entities policy tied to that role:
AssumedAdministrator role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
What am I doing wrong? How can I run AWS CLI commands?
My sections in the credentials file:
[default]
aws_access_key_id = ##########################
aws_secret_access_key = ############################
region = ##########
[assumed-#####-admin]
role_arn = arn:aws:iam::222222222222:role/AssumedAdministrator
source_profile = default
Thanks
I have bootstrapped the CDK toolkit stack in this way:
npx cdk bootstrap \
  --trust 158******206 \
  --toolkit-stack-name **** \
  --qualifier **** \
  --cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccess
As a result, CDK toolkit stack has these resources:
ContainerAssetsRepository
DeploymentActionRole
FileAssetsBucketEncryptionKey
FileAssetsBucketEncryptionKeyAlias
FilePublishingRole
FilePublishingRoleDefaultPolicy
ImagePublishingRole
ImagePublishingRoleDefaultPolicy
StagingBucket
StagingBucketPolicy
Then I try to deploy the CDK stack via an IAM user and it works correctly. I use this command:
cdk deploy --require-approval never --toolkit-stack-name **** --profile user-1
If I try to deploy via STS I receive this error:
Error: Could not assume role in target account (did you bootstrap the environment with the right '--trust's?): User: arn:aws:sts::448*****770:assumed-role/cdktoolkit-test-role/91cb8d5a-57e9-4d73-9f66-ddc630b637f2 is not authorized to perform: sts:TagSession on resource: arn:aws:iam::448*****770:role/cdk-event-proc-deploy-role-448******770-us-east-1
My iam-sts-config.yml:
---
aws_iam:
  - type: sts-access-keys
    version: V2
    config:
      iam_assume_role_name: cdktoolkit-test-role
Then I add:
AWS_ACCESS_KEY_ID=***
AWS_SECRET_ACCESS_KEY=***
AWS_SESSION_TOKEN=***
AWS_DEFAULT_REGION=***
There is my trust relationship policy for the role cdk-event-proc-deploy-role:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::448******770:root"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::158*****206:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
If I edit the trust relationship policy and manually add "Action": "sts:TagSession", I can deploy my stack.
So, my question is: could I set up a custom trust relationship policy for my roles when I bootstrap the CDK toolkit stack?
I found only this parameter --trust, but it only adds a new Principal. Could I add additional Actions?
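The trust and permission policies quoted in this thread can be checked offline before they are applied. The following is an added example, not code from any of the posts above or from AWS: a small evaluator for the Allow statements in this thread that covers the Principal fix in the first answer, the rds:req-tag condition in the RDS answer, and the missing sts:TagSession action in the last question. The policy constant and the caller ARN embedded in it are constructed.

```python
# Offline evaluator for the Allow statements quoted in this thread: Principal,
# Action (CDK needs sts:TagSession next to sts:AssumeRole) and StringEquals/Bool
# Conditions; Deny, NotAction, NotPrincipal and Resource are not modelled.
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_ok(stmt, ctx):
    principal = stmt.get("Principal")
    if principal is None or principal == "*":   # identity policy / anonymous
        return True
    for kind, values in principal.items():
        for p in _as_list(values):
            if kind == "Service" and p == ctx.get("service"):
                return True
            if kind == "AWS" and p in ("*", ctx["principal"]):
                return True
            # account root delegates to every identity in that account; the
            # caller's identity policy must then also allow sts:AssumeRole
            if kind == "AWS" and p.endswith(":root") \
                    and p.split(":")[4] == ctx["principal"].split(":")[4]:
                return True
    return False

def _condition_ok(stmt, ctx):
    for op, pairs in stmt.get("Condition", {}).items():
        assert op in ("StringEquals", "Bool"), f"operator {op} not modelled"
        for key, want in pairs.items():
            have = ctx.get("keys", {}).get(key)
            if have is None:   # absent key fails; only *IfExists tolerates it
                return False
            if str(have).lower() not in [str(w).lower() for w in _as_list(want)]:
                return False
    return True

def is_allowed(policy, action, ctx):
    """ctx = {'principal': caller ARN, 'service'?: ..., 'keys'?: {...}}"""
    for stmt in _as_list(policy["Statement"]):
        # Action matching is case-insensitive and '*' is a wildcard
        if stmt.get("Effect") == "Allow" \
                and any(fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"])) \
                and _principal_ok(stmt, ctx) and _condition_ok(stmt, ctx):
            return True
    return False
# Constructed sample: the first question's trust policy (CloudFormation only)
TRUST_SERVICE_ONLY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "cloudformation.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
JENKINS_USER = "arn:aws:iam::123456789012:user/infra-prjauth-location"  # constructed
```

With the constructed sample, `is_allowed(TRUST_SERVICE_ONLY, "sts:AssumeRole", {"principal": JENKINS_USER})` is False, which is the AccessDenied from the first question; naming the user under "Principal": {"AWS": ...} makes it True.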