Assume AWS Role From User in Same Account - amazon-web-services

I'm a little confused about the requirements for assuming a role from an IAM user in the same AWS account.
Per this document: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html:
If the user is in the same account as the role, then you can do either of the following:
- Attach a policy to the user (identical to the previous user in a different account).
- Add the user as a principal directly in the role's trust policy.
I explicitly added an assume-role policy to the group granted to my user and it could not assume the noted role:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::123456789:role/some-role-name"
  }
}
Once I added the account number as a principal to the trust policy of the target role, it started working though:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
So, I'm confused for 2 reasons:
1. Why didn't the first policy alone work, given the documentation I've quoted?
2. The second bullet in the documentation says "add the user as a principal". I think I added the whole account, though, instead of the user. What is the syntax for adding just this user? I didn't come across it in the documents I read.

1) That looks fine to me, given that the account ID and the role name are correct. Can you add the exact error you're getting?
This is an actual example of one of my policies, which lets users who are granted this policy assume the role developer in the accounts acc1, acc2, and acc3:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::acc1:role/developer",
        "arn:aws:iam::acc2:role/developer",
        "arn:aws:iam::acc3:role/developer"
      ]
    }
  ]
}
2) Instead of root, use the ARN of the IAM user. Something along the lines of "arn:aws:iam::123456789:user/John".

Related

SSO - Permissions Set can't assume Role

I am trying to create a permission set that will allow me to assume a test role I have created. When I log in, however, I have no permissions at all. Is there something I am missing on how I should assume this role?
As I understand it, permission sets are roles in themselves and should only contain individual permissions for a specific task. Is it just not possible to assume a role this way using SSO? With the max length of the permission sets, it is not feasible for us to put many of our users' policies into one set. Having to log in to do one task in S3, then go back out and assume another role to do something with RDS is a pain, hence the idea to assume a role that has all the required perms.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::12341341324:role/test_sso_role"
    }
  ]
}
The role just has a number of RO policies for S3/CloudWatch etc., the trust policy below, and no conditions attached.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::12341341324:saml-provider/AWSSSO_a1b2c3d4e5f6g8_DO_NOT_DELETE"
      },
      "Action": "sts:AssumeRoleWithSAML"
    }
  ]
}
Running: aws sts get-caller-identity
{
  "UserId": "ABCDEFGHIJKLMNOPQRSTU:john.smith#company.com",
  "Account": "12341341324",
  "Arn": "arn:aws:sts::12341341324:assumed-role/AWSReservedSSO_test_sso_role_1a2s3d4f5g6h7j8k/john.smith#company.com"
}

AssumingRole is not authorized to perform, even if add the policies strategy

What I am trying to do is use my IAM user udagram-xue-dev to assume the role eksClusterRole. This is my policy configuration:
This policy has been added to my IAM user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::111111111111:role/eksClusterRole"
    }
  ]
}
This trust policy has been added to my eksClusterRole:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/udagram-xue-dev",
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
but I still get this problem:
I have read a lot of relevant details about this assume-role problem, but I still can't figure out how to fix it. It seems that they all just need to add these policies, and then it'll be OK.
According to your configuration, everything seems to be in place. However, there might be a different policy (permission boundary, service control policy, or another IAM policy applied to the user) that overrides the permissions.
You can test your policies and find out if there’s anything interfering with your permissions using the IAM Policy Simulator.

Cross Account S3 Access for a public bucket

Bucket Policy
{
  "Version": "2012-10-17",
  "Id": "Policy1589032691178",
  "Statement": [
    {
      "Sid": "Stmt1589032265458",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<BUCKET>/*"
    }
  ]
}
This will allow all users to read objects.
IAM Policy attached to user ABC in AWS Account 1
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::<BUCKET>"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::<BUCKET>/*"
    }
  ]
}
With this setup, public read of objects is available to anyone, and the IAM policy is attached to user ABC, so ABC has access to list, put, get, and delete.
Now the question is: if someone in AWS Account 2 creates a user XYZ and attaches the same IAM policy as above, will the XYZ user in AWS Account 2 be able to list, get, put, and delete?
What you posted looks like cross-account access with resource-based and IAM policies.
In order to allow user XYZ in account 2 to execute the mentioned actions on the bucket in account 1, apart from the policy you specified for user XYZ, you additionally need to specify the allowed actions for user XYZ in the bucket's policy.
An alternative way is to allow cross-account IAM role assumption, where the user in account 2 can assume a role in account 1 granting the desired access to the S3 bucket in account 1.
More information with examples can be found at https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

Is it possible to specify a pattern for an AWS role Trust Relationship

I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently.
I came up with this policy for the Trust Relationship, which should allow any role whose name ends with _my_suffix, but it doesn't work (access is denied):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Condition": {
        "ArnLike": {
          "aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
On the other hand, this policy works, but it's too open, as it allows any user/role in account A to assume my role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
So, is there any way to allow only a set of roles without being explicitly specified?
I encountered the same use-case recently. None of the responses resolved this for me.
Charli, your original solution is valid, but I needed some tweaks to get it to work; namely, I needed to replace 'ArnLike' with 'StringLike' and switch 'aws:SourceArn' to 'aws:PrincipalArn':
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
  },
  "Action": "sts:AssumeRole",
  "Condition": {
    "StringLike": {
      "aws:PrincipalArn": "arn:aws:iam::<ACCOUNT_ID>:role/test-role-name-*"
    }
  }
}
It is not possible to use a wildcard in the trust policy except "Principal" : { "AWS" : "*" }. The reason is that when you specify an identity as Principal, you must use the full ARN, since IAM translates it to the unique ID, e.g. AIDAxxx (for an IAM user) or AROAxxx (for an IAM role). Below is the quote from the document:
If your Principal element in a role trust policy contains an ARN that points to a specific IAM user, then that ARN is transformed to the user's unique principal ID when the policy is saved. This helps mitigate the risk of someone escalating their privileges by removing and recreating the user. You don't normally see this ID in the console, because there is also a reverse transformation back to the user's ARN when the trust policy is displayed.
This seems to be an issue with delegating access to the trusting account (your account) and not the trusted account (the _my_suffix AWS account). These are a few things that you can check in the following URL.
Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
Thanks

Allow selected IAM users to switch role

I have two AWS accounts (Account A & B). I want to allow a few IAM users of Account B to access resources of Account A via AWS IAM roles.
I have created the role and it works fine. However, I see that any IAM user who gets hold of the role name is able to switch roles and access the resources.
Is there a way to allow only specific users of Account B to be able to switch to the role?
The trust policy statement is as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account-B:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
You can add the users who should be restricted from assuming the role to a group. Then you can attach an IAM policy with an explicit Deny to the IAM group.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::Account_A_ID:role/Rolename"
  }
}
http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html#tutorial_cross-account-with-roles-2
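As an added example that is not part of any post above, the following Python models the three sts:AssumeRole decisions debated on this page: the same-account question at the top (an account-root principal in the trust policy delegates to the caller's identity policy, while naming the user ARN directly needs no identity grant), the _my_suffix thread (a condition on aws:SourceArn never matches a principal's own AssumeRole call, whereas aws:PrincipalArn does), and the group-level explicit Deny in the last answer. It is a deliberately small model of IAM evaluation, not AWS's engine: only Effect, Action, Resource, AWS principals and StringLike/ArnLike conditions are handled, and every policy passed to it is a constructed sample.

```python
from fnmatch import fnmatchcase

def _as_list(x):
    return x if isinstance(x, list) else [x]
def _matches(value, patterns):
    # IAM-style '*'/'?' wildcard match for Action, Resource and condition values
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _conditions_hold(cond, ctx):
    # only StringLike/ArnLike are modelled; a key absent from the request context fails
    for op, pairs in cond.items():
        for key, pats in pairs.items():
            val = ctx.get(key)
            if op not in ("StringLike", "ArnLike") or val is None or not _matches(val, pats):
                return False
    return True

def identity_decision(policy, action, resource):
    # 'Deny' if any statement explicitly denies, 'Allow' if one allows, else 'Implicit'
    decision = "Implicit"
    for st in _as_list(policy.get("Statement", [])):
        if _matches(action, st.get("Action", [])) and _matches(resource, st.get("Resource", [])):
            if st.get("Effect") == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def trust_matches(trust_policy, caller_arn):
    # 'direct' if the caller ARN is itself a principal, 'delegated' if only its account root is,
    # else None. aws:SourceArn is absent from a principal's own AssumeRole request context.
    ctx = {"aws:PrincipalArn": caller_arn}
    root = "arn:aws:iam::" + caller_arn.split(":")[4] + ":root"
    allowed = set()
    for st in _as_list(trust_policy.get("Statement", [])):
        p = st.get("Principal", {})
        if (st.get("Effect") != "Allow" or not _matches("sts:AssumeRole", st.get("Action", []))
                or not _conditions_hold(st.get("Condition", {}), ctx)):
            continue
        allowed.update(_as_list(p.get("AWS", [])) if isinstance(p, dict) else _as_list(p))
    return "direct" if caller_arn in allowed else "delegated" if root in allowed else None

def assume_role_allowed(caller_arn, role_arn, trust_policy, identity_policy):
    decision = identity_decision(identity_policy, "sts:AssumeRole", role_arn)
    how = trust_matches(trust_policy, caller_arn)
    if decision == "Deny" or how is None:
        return False   # an explicit Deny (e.g. on the user's group) always wins; no principal: denied
    # a caller named directly needs no identity grant; the account root alone delegates to it
    return how == "direct" or decision == "Allow"
```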