Trust Relationship Error AssumeRole policy may only specify STS AssumeRole actions - amazon-web-services

I am trying to add trust relationships to allow CodeDeploy to work for my role. I have the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]
      },
      "Action": [
        "sts:AssumeRole",
        "codedeploy:GetApplication",
        "codedeploy:GetDeploymentGroup",
        "codedeploy:CreateDeployment",
        "codedeploy:GetDeployment"
      ]
    }
  ]
}
I keep getting the following error

You are mixing two different concepts in the policy: trust relationship and IAM actions.
You need to have two different policies, one for the IAM Role like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
and another for the IAM policy, like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codedeploy:GetApplication",
        "codedeploy:GetDeploymentGroup",
        "codedeploy:CreateDeployment",
        "codedeploy:GetDeployment"
      ],
      "Resource": "*"
    }
  ]
}
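The split the answer describes can be checked mechanically. The following is an added example, not code from the question or the answer: a small linter that knows which actions belong in a role trust policy (the document AWS calls the AssumeRolePolicyDocument) and which fields an identity-based permission policy may carry, plus a helper that splits a mixed statement like the one in the question into the two documents. The `TRUST_ACTIONS` set and the `"*"` placeholder resource in `split_mixed_policy` are assumptions of the example; narrow the resource to the real ARNs before attaching the policy.

```python
import json

# Actions that may appear in a role's trust policy (its AssumeRolePolicyDocument).
TRUST_ACTIONS = {
    "sts:AssumeRole",
    "sts:AssumeRoleWithSAML",
    "sts:AssumeRoleWithWebIdentity",
    "sts:TagSession",
    "sts:SetSourceIdentity",
}

# The mixed document from the question above, reproduced as test input.
MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ["ec2.amazonaws.com", "codedeploy.amazonaws.com"]},
        "Action": [
            "sts:AssumeRole",
            "codedeploy:GetApplication",
            "codedeploy:GetDeploymentGroup",
            "codedeploy:CreateDeployment",
            "codedeploy:GetDeployment",
        ],
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _statements(doc):
    if isinstance(doc, str):
        doc = json.loads(doc)
    return _as_list(doc.get("Statement"))


def lint_trust_policy(doc):
    """Problems that make `doc` unusable as a role trust policy."""
    problems = []
    for i, stmt in enumerate(_statements(doc)):
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append(f"statement {i}: trust statement needs a Principal")
        if "Resource" in stmt or "NotResource" in stmt:
            problems.append(f"statement {i}: trust statements take no Resource")
        bad = [a for a in _as_list(stmt.get("Action")) if a not in TRUST_ACTIONS]
        if bad:
            problems.append(
                f"statement {i}: non-STS actions {bad} belong in a permission policy")
    return problems


def lint_permission_policy(doc):
    """Problems that make `doc` unusable as an identity-based permission policy."""
    problems = []
    for i, stmt in enumerate(_statements(doc)):
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"statement {i}: identity-based policies take no Principal")
        if "Resource" not in stmt and "NotResource" not in stmt:
            problems.append(f"statement {i}: permission statement needs a Resource")
    return problems


def split_mixed_policy(doc, resource="*"):
    """Split statements that mix trust and permissions into a trust policy and a
    permission policy. `resource` is only a placeholder scope for the permission
    side; replace it with the real ARNs before attaching the policy."""
    trust, perm = [], []
    for stmt in _statements(doc):
        actions = _as_list(stmt.get("Action"))
        sts_actions = [a for a in actions if a in TRUST_ACTIONS]
        other = [a for a in actions if a not in TRUST_ACTIONS]
        if sts_actions:
            trust.append({"Effect": stmt.get("Effect", "Allow"),
                          "Principal": stmt.get("Principal", {}),
                          "Action": sts_actions})
        if other:
            perm.append({"Effect": stmt.get("Effect", "Allow"),
                         "Action": other,
                         "Resource": stmt.get("Resource", resource)})
    return ({"Version": "2012-10-17", "Statement": trust},
            {"Version": "2012-10-17", "Statement": perm})


if __name__ == "__main__":
    print("as trust policy:", lint_trust_policy(MIXED_POLICY))
    print("as permission policy:", lint_permission_policy(MIXED_POLICY))
    trust_doc, perm_doc = split_mixed_policy(MIXED_POLICY)
    print(json.dumps(trust_doc, indent=2))
    print(json.dumps(perm_doc, indent=2))
```

Run against the question's document, the trust-policy lint reports the four codedeploy actions and the permission-policy lint reports the Principal and the missing Resource, which is exactly the "two concepts in one policy" diagnosis from the answer; after `split_mixed_policy` both halves lint clean.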

Related

Not able to give a Cognito User access on a certain S3 bucket

I have a user pool and an identity pool, where the role I am giving the authenticated users in the identity pool has the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3:::testbucket123",
        "arn:aws:s3:::testbucket456",
        "arn:aws:s3:::testbucket987"
      ]
    }
  ]
}
I have created a new role called Role_testbucket456_User_X using Web Identity, added a condition where cognito-identity.amazonaws.com:sub is StringEquals to 8e23d688-1f28-445c-8966-fdcb967c8e3c, and attached the following policy to it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::testbucket456"
    }
  ]
}
Then I added the Cognito user Y, which has the sub 8e23d688-1f28-445c-8966-fdcb967c8e3c, to a Cognito User Pool group called testbucket456_Users,
and then attached the role Role_testbucket456_User_X to this group testbucket456_Users.
What I am expecting is that none of the Cognito users will have read/write access on any S3 bucket, except user Y with sub 8e23d688-1f28-445c-8966-fdcb967c8e3c, who should be able to read and write the testbucket456 bucket. But that didn't work, unfortunately.
So I added the following bucket policy to the testbucket456 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCognitoUserAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::testbucket456/*"
    },
    {
      "Sid": "AllowCognitoUserAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::testbucket456"
    }
  ]
}
But that still didn't work; I am still getting an Access Denied error whenever I try to call this method:
const listObjectParams = {
  Bucket: 'testbucket456',
};
s3.listObjects(listObjectParams, (err: any, data: any) => {
  if (err) {
    console.log(err);
    return;
  }
  console.log(data);
  console.log(`Successfully listed objects in ${listObjectParams.Bucket}`);
});
Note
When I set the testbucket456 bucket's policy to
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCognitoUserAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::testbucket456/*"
    },
    {
      "Sid": "AllowCognitoUserAccess",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::testbucket456"
    }
  ]
}
I am then able to access (list objects in) the bucket using the Cognito users, so I think the issue is with the bucket policy itself, and the Principal field specifically.
Possible issues
Maybe the authenticated role must have permission to assume the custom role
{
  "Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
}
so that it looks like the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket"
      ],
      "Resource": [
        "arn:aws:s3:::testbucket456"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::5555555555555:role/Role_testbucket456_User_X"
    }
  ]
}
Can anybody confirm, please?
This answer was the solution: I had to change the default role given to the Cognito users.
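The resolution above (the request was being made with the identity pool's default authenticated role, not with Role_testbucket456_User_X) can be reproduced offline with a deliberately simplified model of how S3 combines the caller's identity policy with the bucket policy. This is an added example, not code from the question or from AWS: it reproduces the three policies from the question, constructs the two session ARNs S3 would see (the default role's name `Cognito_DefaultAuth_Role` is a placeholder; the account id is the one written in the question), and evaluates the ListBucket call under each. Conditions are not modelled and only same-account callers are considered.

```python
from fnmatch import fnmatchcase

ACCOUNT = "5555555555555"  # account id as written in the question
BUCKET = "arn:aws:s3:::testbucket456"
CUSTOM_ROLE = f"arn:aws:iam::{ACCOUNT}:role/Role_testbucket456_User_X"

# Session ARNs as S3 sees them. The role name in DEFAULT_SESSION is a constructed
# placeholder for the identity pool's default authenticated role.
DEFAULT_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/Cognito_DefaultAuth_Role/CognitoIdentityCredentials"
CUSTOM_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/Role_testbucket456_User_X/CognitoIdentityCredentials"

# Identity policy of the default authenticated role (from the question).
DEFAULT_AUTH_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutBucketPolicy", "s3:CreateBucket"],
    "Resource": ["arn:aws:s3:::testbucket123", BUCKET, "arn:aws:s3:::testbucket987"],
}]}

# Identity policy attached to Role_testbucket456_User_X (from the question).
CUSTOM_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": BUCKET,
}]}


def bucket_policy(principal):
    """The two-statement bucket policy from the question, parameterised on Principal."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowCognitoUserAccess", "Effect": "Allow", "Principal": principal,
         "Action": ["s3:PutObject", "s3:GetObject"], "Resource": BUCKET + "/*"},
        {"Sid": "AllowCognitoUserAccess", "Effect": "Allow", "Principal": principal,
         "Action": "s3:ListBucket", "Resource": BUCKET},
    ]}


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principal_matches(spec, caller_arn):
    """Does the bucket policy Principal cover the caller? A role ARN in Principal
    covers every session of that role (arn:aws:sts::ACCT:assumed-role/Name/Session)."""
    if spec == "*":
        return True
    arns = _as_list(spec.get("AWS")) if isinstance(spec, dict) else []
    for arn in arns:
        if arn == "*" or arn == caller_arn:
            return True
        if ":role/" in arn:
            acct = arn.split(":")[4]
            role_name = arn.rsplit("/", 1)[1]
            if caller_arn.startswith(f"arn:aws:sts::{acct}:assumed-role/{role_name}/"):
                return True
    return False


def _statement_matches(stmt, action, resource):
    return (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))))


def evaluate(caller_arn, identity_policy, bkt_policy, action, resource):
    """Simplified same-account evaluation (Conditions not modelled): an explicit Deny
    anywhere wins; otherwise an Allow from the caller's identity policy or from a bucket
    policy statement whose Principal covers the caller is enough; else implicit deny."""
    hits = []
    for stmt in _as_list(identity_policy.get("Statement")):
        if _statement_matches(stmt, action, resource):
            hits.append((stmt["Effect"], "identity policy"))
    for stmt in _as_list(bkt_policy.get("Statement")):
        if (_principal_matches(stmt.get("Principal", {}), caller_arn)
                and _statement_matches(stmt, action, resource)):
            hits.append((stmt["Effect"], "bucket policy " + stmt.get("Sid", "")))
    for effect, source in hits:
        if effect == "Deny":
            return "Deny", source
    for effect, source in hits:
        if effect == "Allow":
            return "Allow", source
    return "Deny", "implicit (no matching Allow)"


def is_public(bkt_policy):
    """Principal "*" (or AWS "*") on an Allow with no Condition grants the action to
    anyone, including unauthenticated callers; it hides a role-mapping problem."""
    return any(
        stmt.get("Effect") == "Allow" and "Condition" not in stmt
        and stmt.get("Principal") in ("*", {"AWS": "*"})
        for stmt in _as_list(bkt_policy.get("Statement")))


if __name__ == "__main__":
    role_bp = bucket_policy({"AWS": CUSTOM_ROLE})
    print("default role:", evaluate(DEFAULT_SESSION, DEFAULT_AUTH_POLICY, role_bp, "s3:ListBucket", BUCKET))
    print("custom role:", evaluate(CUSTOM_SESSION, CUSTOM_ROLE_POLICY, role_bp, "s3:ListBucket", BUCKET))
    print("public bucket policy:", is_public(bucket_policy("*")))
```

With the role-scoped bucket policy, a session of the default authenticated role gets an implicit deny (neither its identity policy nor the bucket policy's Principal matches it), a session of Role_testbucket456_User_X is allowed, and the `Principal: "*"` variant from the Note "works" only because it stops checking who the caller is, which is why `is_public` flags it.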

Exception while Setup SageMaker Domain

I have created a user and granted three permissions to it:
IAMFullAccess, AmazonSageMakerFullAccess and AmazonS3FullAccess
Now when I try to set up a SageMaker domain, it throws the following exceptions:
ValidationException
Access denied in getting/accepting the portfolio shared by SageMaker. Please call with servicecatalog:AcceptPortfolioShare & servicecatalog:ListAcceptedPortfolioShares permission.
AccessDeniedException
User: arn:aws:iam::117609614511:user/tac-sagemaker is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-east-1:117609614511:domain/d-bpq1nh2g5t9l because no identity-based policy allows the sagemaker:CreateDomain action
First, I did not understand why, though I granted full SageMaker access, it is not picking up the CreateDomain policy.
Second, I went to my role and manually added these policies.
Here are the policies for my SageMaker role:
AmazonSageMaker-ExecutionPolicy-20220813T004513
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::s34sagemaker"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::s34sagemaker/*"
      ]
    }
  ]
}
SagemakerCreateDomain
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sagemaker:CreateDomain",
      "Resource": "arn:aws:sagemaker:*:117609614511:domain/*"
    }
  ]
}
sagemakerportfolioservices
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "servicecatalog:AcceptPortfolioShare",
      "Resource": "arn:aws:catalog:*:117609614511:portfolio/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "servicecatalog:ListAcceptedPortfolioShares",
      "Resource": "*"
    }
  ]
}
But it is still giving me the same error.
Edit
I added two new policies to my user:
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
AWSServiceCatalogAdminFullAccess
Now the ValidationException is gone, but I am still getting the AccessDeniedException.
EDIT2:
I have attached a new custom policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:CreateServiceLinkedRole",
        "sagemaker:CreateDomain"
      ],
      "Resource": "*"
    }
  ]
}
But the error is still the same.
I would recommend using the CloudFormation template in this blog to help create the Domain and User Profile.
https://aws.amazon.com/blogs/machine-learning/automate-a-centralized-deployment-of-amazon-sagemaker-studio-with-aws-service-catalog/

Remediation action from AWS config to publish to SNS topic

I am trying the remediation action "Publish sns topic", but I'm getting an error message:
"Invalid execution parameters sent to Systems Automation. The defined assumed role is unable to be assumed"
Permissions for the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        ""
      ],
      "Resource": ""
    }
  ]
}
Trusted policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "iam.amazonaws.com",
          "sns.amazonaws.com",
          "config.amazonaws.com",
          "ssm.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Can anyone help me to resolve this?

Translate is not authorized to assume role

When I enter the example code from here https://docs.aws.amazon.com/de_de/translate/latest/dg/async.html
$ aws translate start-text-translation-job --job-name batch-test \
    --source-language-code en \
    --target-language-codes fr \
    --input-data-config S3Uri=s3://input-bucket-name/folder,ContentType=text/plain \
    --output-data-config S3Uri=s3://output-bucket-name/ \
    --data-access-role-arn arn:aws:iam::012345678901:role/service-role/AmazonTranslateInputOutputAccess
then the following error is thrown:
An error occurred (InvalidRequestException) when calling the StartTextTranslationJob operation: Translate is not authorized to assume role: arn:aws:iam::012345678901:role/service-role/AmazonTranslateInputOutputAccess. Please update the role's trust policy.
The role AmazonTranslateInputOutputAccess is already created, but anyhow it should affect the thrown error.
I could fix it by adding a trust policy of:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "translate.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Adding this will fix the issue:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowTranslation",
      "Effect": "Allow",
      "Resource": "*",
      "Action": "translate:*"
    }
  ]
}
If you want to auto-detect the source language and translate the text, then you also have to add the Comprehend action to your IAM role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowTranslation",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [ "translate:*", "comprehend:*" ]
    }
  ]
}
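Both the Translate error above ("Translate is not authorized to assume role ... Please update the role's trust policy") and the Config remediation error two questions up ("The defined assumed role is unable to be assumed") come down to one question: does the role's trust policy let the calling service principal perform sts:AssumeRole? The following is an added example, not code from either question: it checks that for a given service principal, lists the services a role is missing, and returns a corrected copy of a trust policy. The Translate and remediation trust policies are copied from the posts; `EC2_ONLY_TRUST` is a constructed stand-in for a role created for another purpose and then handed to Translate. Conditions on the trust statements are not modelled.

```python
import copy
from fnmatch import fnmatchcase

# Trust policy the Translate answer above ends up with.
TRANSLATE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow",
    "Principal": {"Service": "translate.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# Trust policy from the Config remediation question above.
REMEDIATION_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["iam.amazonaws.com", "sns.amazonaws.com",
                              "config.amazonaws.com", "ssm.amazonaws.com"]},
    "Action": "sts:AssumeRole"}]}

# Constructed: a role that only trusts EC2, as many roles made for instances do.
EC2_ONLY_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def service_can_assume(trust_policy, service):
    """True if `service` (e.g. translate.amazonaws.com) is granted sts:AssumeRole by
    the trust policy. An explicit Deny wins; Conditions are not modelled."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if service not in services:
            continue
        if not any(fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_service_trust(trust_policy, services):
    """Services from `services` that the trust policy does not let assume the role."""
    return [s for s in services if not service_can_assume(trust_policy, s)]


def add_service_trust(trust_policy, service):
    """Return a copy with an Allow sts:AssumeRole statement for `service` appended
    when the policy does not already trust it; the input is left untouched."""
    fixed = copy.deepcopy(trust_policy)
    if not service_can_assume(fixed, service):
        fixed["Statement"] = _as_list(fixed.get("Statement")) + [{
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": "sts:AssumeRole"}]
    return fixed


if __name__ == "__main__":
    print("translate can assume EC2-only role:",
          service_can_assume(EC2_ONLY_TRUST, "translate.amazonaws.com"))
    print("remediation role missing:",
          missing_service_trust(REMEDIATION_TRUST, ["ssm.amazonaws.com", "translate.amazonaws.com"]))
    print(add_service_trust(EC2_ONLY_TRUST, "translate.amazonaws.com"))
```

For the Translate case the check fails on the EC2-only role and passes once `add_service_trust` has appended the translate.amazonaws.com statement, matching the fix in the answer. For the Config remediation role the check passes for ssm.amazonaws.com, which shows the trust side of that role already names the Systems Manager service principal; the rest of that question's configuration (the redacted permission policy, the assume-role ARN passed to the automation) is where the remaining search would go.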

Amazon ElasticSearch access issue

I have a domain, domain1, and am trying to allow user1 to access it. This is the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::340539148951:user/user1"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:340539148951:domain/domain1/*"
    }
  ]
}
When user1 logs in to the Console and tries to go to the ElasticSearch content, he gets this error:
ListDomainNames: {"Message":"User: arn:aws:iam::340539148951:user/user1 is not authorized to perform: es:ListDomainNames on resource: arn:aws:es:us-east-1:340539148951:domain/*"}
So the question is, where do I set this? At the user level? What would the policy be?
Dima.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1504015454000",
      "Effect": "Allow",
      "Action": [
        "es:*"
      ],
      "Resource": [
        "arn:aws:es:us-east-1:340539148951:domain/*"
      ]
    }
  ]
}
Probably too much es:*, but it worked.