I'm issuing an STS token for a user interface that includes the following statement for lambda permissions:
{
"Sid" : "AllowUserInvokeLambda",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:us-east-2:*:function:CreateThumbnail",
"arn:aws:lambda:us-east-2:*:function:ImageScanner"
]
},
When I try to invoke the function from the aws-sdk.js in the browser, I get back an error with the message:
"User: arn:aws:sts::123456789012:assumed-role/test_sts_role/user-12345 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-2:198765432109:function:ImageScanner"
Am I missing something in that policy?
I found the issue, your policy is missing the account number. so it should be,
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUserInvokeLambda",
"Action": [
"lambda:InvokeAsync",
"lambda:InvokeFunction"
],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:ap-southeast-2:012345678901:function:*"
]
}
]
}
Note: Also You should assign this policy to the role you are assuming, not to the user who is assuming. can you confirm that part.
Reference: https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
Related
I have multiple users and lambda functions in my AWS account, as an example user1, user2, user3, user4 and have the same name for lambda function as well.
I have created the following policy to invoke the Lambda function, but I am getting a following error:
Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:us-west-2:111111111111:function:${aws.username}"
},
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::111111111111:role/lambda_role",
"arn:aws:lambda:us-west-2:111111111111:function:*"
]
}
]
}
I can create the function without any issue but when I try to invoke the Lambda function, I am getting an error message. However, the policy is attached to the user account.
An error occurred (AccessDeniedException) when calling the Invoke operation: User: arn:aws:iam:: 111111111111:user/user1 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2: 111111111111:function:user1 because no identity-based policy allows the lambda:InvokeFunction action
I am trying to setup eksctl for eks but it throwing
"Error: unable to determine AMI to use: error getting AMI from SSM Parameter Store: AccessDeniedException: User: arn:aws:iam:::user/cnc is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1::parameter/aws/service/eks/optimized-ami/1.18/amazon-linux-2/recommended/image_id".
The IAM Permission Policy I am using is
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:::parameter/*"
}
]
I also tried using policy simulation for check the permissions , it is giving me "Implicitly Denied (No matching statement)"
I had the same issue. The way I resolved it was by adding the region to the ssm resource. And also added a ssm:GetParameter like this:
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action":[
"ssm:DescribeParameters"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action":[
"ssm:GetParameters",
"ssm:GetParameter",
"ssm:GetParametersByPath"
],
"Resource": "arn:aws:ssm:ca-central-1::parameter/*"
}
]
If you notice I've added the region ca-central-1 and you should change it to your current region.
For me, I was using --with-decryption for a SecureString. My Instance Profile also needed to have KMS rights to the alias/parameter-store-key
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:GetParameter*"
],
"Resource": "arn:aws:ssm:us-west-2:111122223333:parameter/ITParameters/*"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
}
]
}
Mine was in the other direction. I had ssm:GetParameter, and the error message was AccessDeniedException: User is not authorized to perform: ssm:GetParameter on resource because no identity-based policy allows the ssm:GetParameter action, but implicitly the missing ssm:GetParameters was causing the request to be denied with a misleading error message.
I think you might need to authorize the "ssm:GetParameter" action as well.
I had the same error message as #plantbeard
but mine was related to capitalisation
I was using Serverless and taking the param name from the stage enviroment eg dev
but my parameter was called /Dev/param
renaming to /dev/param fixed it for me
For anyone else who still has issues, I was receiving the same error for my Lambda function:
"AccessDeniedException: User: arn:aws:sts::xxxxxx:assumed-role/[role-name]-role-xxxxxx/[lambda-function-name] is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:us-east-1:xxxxxx:parameter/[parameter_path1]/[parameter_pathx] because no identity-based policy allows the ssm:GetParameter action",
I found that on the policies page
https://us-east-1.console.aws.amazon.com/iamv2/home#/policies
I needed to add the rule to a "Customer managed" Type Policy Named
AWSLambdaBasicExecutionRole-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (I think someone else created this though and I just added on to it)
That looked like this
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:us-east-1:xxxxxxxxxx:parameter/[parameter_path1]/[parameter_pathx]"
}
]
}
I'm trying to allow a set of users in a group access to a role through which they can upload objects to an s3 bucket.
The group as the policy:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNTID:role/Clinic_Sync"
}
}
The role "Clinic_Sync" has the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SyncReqs",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::*/*"
},
{
"Sid": "SyncReqs2",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
}
]
}
The bucket has the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTID:role/Clinic_Sync"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::mydata"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTID:role/Clinic_Sync"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::mydata/*"
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mydata",
"arn:aws:s3:::mydata/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"ADMINUSERID:*",
"ACCOUNTNO"
]
}
}
}
]
}
The idea being that no one can access the bucket except through assuming this role (other than the admin). I have created the credentials files as follows:
[default]
aws_access_key_id = ACCESSID1
aws_secret_access_key = SECRETKEY1
[csync]
role_arn = arn:aws:iam::ACCOUNTID:role/Clinic_Sync
source_profile = default
And the config file:
[default]
output = json
region = eu-west-2
[profile csync]
role_arn = arn:aws:iam::ACCOUNTID:role/Clinic_Sync
source_profile = default
The bucket policy seems to work, as running the command "aws s3 cp hello.txt s3://mydata" gives the error: Upload failed. An error occured when calling the PutObject operation: Access Denied.
But when I try to use the role, using the command "aws s3 cp hello.txt s3://run3d-data --profile csync", it gives this error:
upload failed: .\hello.txt to s3://mydata/hello.txt An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::ACCOUNTID:user/TestAcc2 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::ACCOUNTID:role/Clinic_Sync
I've been searching the web for an answer for ages and can't find any answers. The aws documentation is frankly unintelligible to me. If anyone can help me find a solution to this I'd be much appreciated as I'm tearing my hair out here.
To reiterate, I just want the users in a particular group to have access to a role that grants them permission to use an s3 bucket, but block all other access to the bucket.
Your bucket policy seems to say: "Deny access to the bucket unless aws:userId is a given Admin User ID or Account Number. It does not reference the Role.
Therefore, accessing the bucket via the Role will be denied. This is because Deny always overrides Allow.
Writing policies with Deny can be quite difficult, as seen in this situation.
If you really want to keep a bucket secure, it is easier to put the bucket in a separate AWS Account and only grant cross-account access to the entities that should have access. This way, no Deny policy is required.
If you receive a not authorised to perform sts:AssumeRole error, make sure the Trust Policy grants access to users by selecting the Another AWS account option when creating the role. The policy should look similar to:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
I have an AWS Lambda function which queries an Amazon Athena database. But I get a permission error when executing the Lambda function:
An error occurred (AccessDeniedException) when calling the GetQueryExecution operation: User: arn:aws:sts::773592622512:assumed-role/lambda_access-role/reddit_monitor is not authorized to perform: athena:GetQueryExecution on resource: arn:aws:athena:ap-southeast-2:773592622512:workgroup/primary: ClientError
I have created this policy for the Lambda function:
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"athena:StartQueryExecution"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::${var.athena-bucket}",
"arn:aws:s3:::${var.athena-bucket}/*"
]
}
]
}
I wonder why it still doesn't have permission to query Athena? Have I missed anything here?
You granted athena:StartQueryExecution instead of athena:GetQueryExecution.
I'm new to aws. I want to generate temporary credentials for aws call. And for that I use example from Making Requests Using IAM User Temporary Credentials - AWS SDK for Java
Where I pass
String clientRegion = "<specific region>";
String roleARN = "<ARN from role>";
String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName?
String bucketName = "<specific bucket name>";
And when trying assume role
stsClient.assumeRole(roleRequest);
get an error
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException:
User: arn:aws:iam:::user/ is not authorized to perform:
sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code:
AccessDenied; Request ID:)
I have a cognito role.
I think the problem in role Trust Relationship settings.
It looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<iam user ID>:user/<USER_NAME>",
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "<user pool ID>"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
and user policy (This user policy is attached to this Role also):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<sidId1>",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<path>*"
]
},
{
"Sid": "sidId2",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
],
"Resource": [
"arn:aws:iam::<ID>:role/<ROLE_NAME>"
]
}
]
}
User policy has two warnings:
What I'm doing wrong?
UPD
I changed role Trust relationship, just delete Condition:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com",
"AWS": "arn:aws:iam::<ID>:user/<USER>"
},
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
]
}
]
}
and now Access denied error occurred on another line of code:
// Verify that assuming the role worked and the permissions are set correctly
// by getting a set of object keys from the bucket.
ObjectListing objects = s3Client.listObjects(bucketName);
Received error response: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ), S3 Extended Request ID:
To be able to assume to an IAM Role, simply the IAM Role assume role policy or trust relation must explicitly allow the principal assuming role into it, which in this case it didn't. It permitted sts:AssumeRoleWithWebIdentity with some conditions which didn't apply to your case.
About the other error, as mentioned by the #user818510 your role doesn't have permission to s3:ListBucket action.