Modify EC2 service role so that it can be assumed by an IAM user in the same account - amazon-web-services

I have a role ssm-role for EC2. I want another IAM user to launch an EC2 instance with ssm-role attached.
Policy attached to ssm-role: AmazonEC2RoleforSSM
Trust relationship for ssm-role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com",
"AWS": "arn:aws:iam::<ACC_ID>:user/test-user"
},
"Action": "sts:AssumeRole"
}
]
}
I have added the following inline policy for the user who wants to assume ssm-role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "test",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::<ACC_ID>:role/ssm-role"
}
]
}
Despite these, test-user is not able to launch an EC2 instance with ssm-role attached.
Any help will be greatly appreciated.
Note: test-user has EC2FullAccess

To launch an Amazon EC2 instance with an attached role, the IAM User making the request needs to have iam:PassRole permissions for the given role.
This is required to prevent a potential "elevation of authority" situation, such as:
A user has limited permissions
They launch an EC2 instance, specifying a Role that has elevated privileges
They login to the EC2 instance and use the privileges of the Role to perform functions that they would not normally be permitted to do
Thus, a user must have iam:PassRole permissions for the given role (at minimum) to be able to launch an instance that uses that role.
See: Granting a User Permissions to Pass a Role to an AWS Service - AWS Identity and Access Management
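As an added illustration (this is not part of the answer above, and not AWS code), the two authorisations behind "launch an instance with a role attached" can be modelled locally. The script below is a deliberately small re-implementation of the identity-policy rules that matter here: default deny, explicit Deny overrides Allow, Action and Resource match with wildcards, and iam:PassRole is evaluated with the iam:PassedToService condition key set to the service receiving the role. It makes no API calls; the account ID 123456789012 and the policy documents are placeholders built from the question. One caveat a reviewer would add: the trust policy in the question also lists test-user as an "AWS" principal, which lets that user call sts:AssumeRole and obtain the role's credentials directly. That is not needed to launch an instance with the role; for that, only ec2.amazonaws.com has to be trusted, and the user needs iam:PassRole.

```python
"""Added example (not from the answer): a local model of the two IAM checks
behind "launch an EC2 instance with a role attached".

Modelled rules: default deny; explicit Deny overrides Allow; Action and
Resource match with wildcards; the StringEquals condition key
iam:PassedToService is honoured. Everything else about IAM is omitted.
The account ID, role and user names are placeholders built from the question.
"""
from fnmatch import fnmatch

ACCOUNT = "123456789012"                                   # placeholder account ID
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ssm-role"


def _as_list(value):
    """IAM allows a single string or a list in most fields."""
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, context):
    """Does this statement apply to the request? (actions are case-insensitive)"""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch(resource, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    return True


def is_allowed(policies, action, resource, context=None):
    """Decision for one request across all identity policies on the caller."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return False          # explicit Deny wins
                allowed = True
    return allowed


def can_launch_with_role(policies, role_arn, service="ec2.amazonaws.com"):
    """RunInstances with an instance profile is two separate authorisations:
    ec2:RunInstances on the instance, and iam:PassRole on the role with
    iam:PassedToService set to the service the role is handed to."""
    ec2_ok = is_allowed(policies, "ec2:RunInstances",
                        f"arn:aws:ec2:*:{ACCOUNT}:instance/*")
    pass_ok = is_allowed(policies, "iam:PassRole", role_arn,
                         {"iam:PassedToService": service})
    return ec2_ok and pass_ok


# Constructed policy documents.
EC2_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [      # stand-in for AmazonEC2FullAccess
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

ASSUME_ONLY = {"Version": "2012-10-17", "Statement": [           # the question's inline policy
    {"Sid": "test", "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ROLE_ARN}]}

PASS_TO_EC2 = {"Version": "2012-10-17", "Statement": [           # what the answer calls for
    {"Sid": "PassSsmRoleToEc2", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": ROLE_ARN,                                       # this role only, not role/*
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}

if __name__ == "__main__":
    print("AssumeRole only :", can_launch_with_role([EC2_FULL_ACCESS, ASSUME_ONLY], ROLE_ARN))
    print("with PassRole   :", can_launch_with_role([EC2_FULL_ACCESS, PASS_TO_EC2], ROLE_ARN))
    print("pass to Lambda  :", is_allowed([PASS_TO_EC2], "iam:PassRole", ROLE_ARN,
                                          {"iam:PassedToService": "lambda.amazonaws.com"}))
```

The iam:PassedToService condition is what keeps a PassRole grant from being reused to hand the same role to Lambda, CodeBuild or any other service the user can drive; scoping Resource to the one role ARN rather than role/* keeps it from being used to pass a more privileged role. Against a real account the same question can be put to IAM itself with aws iam simulate-principal-policy, giving the user's ARN as --policy-source-arn, iam:PassRole as --action-names and the role ARN as --resource-arns.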

Related

AWS CodeDeploy does not have the permissions required to assume the role

I am trying to set up CI/CD with AWS + EC2 and am stuck when creating Deployment Group. The role of CodeDeploy has policies AWSCodeDeployRole and AWSCodeDeployRoleForECS but it throws an error. I tried giving it Admin rights but it is still not enough. Am I missing something? Thanks for any help!
You have a role that has the permissions required for CodeDeploy to perform the deployment. What you are missing is a trust policy defined on the role that allows CodeDeploy to assume it.
Go to the IAM console and select the role from the Roles section.
Click Trust relationships.
Click Edit trust relationship.
Add the following trust policy to allow the CodeDeploy service to assume this role.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"codedeploy.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
Reference: Create a service role for CodeDeploy

AWS Backup: Missing permission iam:PassRole

I'm currently spinning in circles trying to restore from an AWS Backup and am running into permissions errors. I have administrator access to my AWS account. I've tried creating a new policy and attaching it to my user account in IAM as follows:
The issue I can't seem to get around is that I need to add the permission iam:PassRole but I can't seem to find it anywhere within the AWS portal. How can I add this permission to my policy?!
EDIT: I've created a policy with all backup permissions allowed and including iam:PassRole however I am still receiving the error message You are not authorized to perform this operation. when trying to perform the backup. The policy I've created and attached to my user looks as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"backup:*",
"iam:PassRole",
"iam:GetRole"
],
"Resource": "*"
}
]
}
“To successfully do a restore with the original instance profile, you will need to make changes to the restore policy. If you apply instance profile during the restore, you must update the operator role and add PassRole permissions of the underlying instance profile role to EC2. Otherwise, Amazon EC2 won’t be able to authorize the instance launch and it will fail.”
Here is the policy you can attach to the AWS default Backup role “AWSBackupDefaultServiceRole” to work around this issue:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::<Account-ID>:role/*"
}
]
}
Source: https://medium.com/contino-engineering/new-aws-backup-features-for-quick-and-easy-ec2-instance-recovery-c8887365ca6a

How do I have an ECS task assume a role from another AWS Account?

I have an audit container that runs a scan against various AWS APIs. I want to have all of these run as ECS tasks in the prod account, but scan resources in other accounts. Is it possible to set a role from another account as the task role? I've attempted setting taskRoleArn in my task definition to the ARN of the desired role from another account, but I get the error message "Role is not Valid".
I have a simple trust relationship on the role in the other account (111111111111 is the prod account):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
I have a CloudWatch Events service role in the prod account that allows iam:PassRole to this role in the other account. Is there any modification needed to the ECS task execution role? I was under the impression this was only going to forward logs to CloudWatch Logs and pull the OCI image from ECR, and shouldn't need any other permissions.
Is this possible, or do I just have to assign a task role with sts:AssumeRole permissions into the other account and have a shim in the container image that assumes the role before running the audit?
Is there any modification needed to the ECS task execution role?
Add a policy to your ECS task execution role to assume roles.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "<cross-account role arn here>"
}
]
}
And assume it programmatically: https://stackoverflow.com/a/64345823/12170218
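An added example (not from either answer, and not AWS code) that covers both this ECS answer and the CodeDeploy answer above: a small reader for role trust policies that says whether a given service or IAM identity may call sts:AssumeRole on the role. It models only Effect, Principal and Action (no Condition), treats an explicit Deny as winning, and treats an "AWS" principal naming an account root or bare account ID as trusting every identity in that account; the caller still needs sts:AssumeRole in its own identity policy, which is the policy the answer shows. The account IDs and the role names audit-task-role and audit-target are placeholders. Two practical points the model makes visible: the role named in taskRoleArn has to live in the account that runs the task, so the cross-account hop is done by the task's own role calling sts:AssumeRole on the remote role; and the remote trust policy as posted trusts ecs-tasks.amazonaws.com, a service principal, which never matches an IAM role ARN from the prod account, so it has to name that prod-account role as an "AWS" principal instead.

```python
"""Added example (not from the answers): who may call sts:AssumeRole on a
role, read off its trust policy.

Simplified model: Effect, Principal and Action only (no Condition); explicit
Deny wins; an "AWS" principal of an account root or bare account ID trusts
every IAM identity in that account (the caller still needs sts:AssumeRole in
its own identity policy). Not AWS code. Account IDs and the role names are
placeholders.
"""
from fnmatch import fnmatch

PROD = "111111111111"            # prod account from the question
OTHER = "222222222222"           # placeholder: account that owns the scanned resources
TASK_ROLE_ARN = f"arn:aws:iam::{PROD}:role/audit-task-role"   # placeholder task role


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_entries(principal):
    """Flatten {"Service": x, "AWS": y} or "*" into (kind, value) pairs."""
    if principal == "*":
        return [("*", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def _account_of(arn):
    return arn.split(":")[4]


def can_assume(trust_policy, kind, identity):
    """kind is "Service" (identity = service name) or "AWS" (identity = IAM ARN)."""
    allowed = False
    for stmt in _as_list(trust_policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch("sts:assumerole", a) for a in actions):
            continue
        for pkind, value in _principal_entries(stmt.get("Principal", {})):
            hit = pkind == "*" or value == "*"
            if not hit and pkind == kind:
                if kind == "Service":
                    hit = value == identity
                else:
                    acct = _account_of(identity)
                    hit = value in (identity, acct, f"arn:aws:iam::{acct}:root")
            if hit:
                if stmt["Effect"] == "Deny":
                    return False          # explicit Deny wins
                allowed = True
    return allowed


# Constructed trust policies.
CODEDEPLOY_TRUST = {"Version": "2012-10-17", "Statement": [        # the CodeDeploy answer
    {"Effect": "Allow", "Principal": {"Service": ["codedeploy.amazonaws.com"]},
     "Action": "sts:AssumeRole"}]}

REMOTE_TRUST_AS_POSTED = {"Version": "2012-10-17", "Statement": [  # role in OTHER, from the ECS question
    {"Effect": "Allow", "Principal": {"Service": "ecs-tasks.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

REMOTE_TRUST_FIXED = {"Version": "2012-10-17", "Statement": [      # names the prod task role instead
    {"Effect": "Allow", "Principal": {"AWS": TASK_ROLE_ARN},
     "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    print("CodeDeploy can assume       :", can_assume(CODEDEPLOY_TRUST, "Service", "codedeploy.amazonaws.com"))
    print("prod task role, as posted   :", can_assume(REMOTE_TRUST_AS_POSTED, "AWS", TASK_ROLE_ARN))
    print("prod task role, fixed trust :", can_assume(REMOTE_TRUST_FIXED, "AWS", TASK_ROLE_ARN))
```

With REMOTE_TRUST_FIXED on the remote role and the answer's sts:AssumeRole statement on the prod task role, the container's code calls sts assume_role (boto3: boto3.client("sts").assume_role(RoleArn=..., RoleSessionName=...)) and uses the returned temporary credentials for the audit. Naming the specific role ARN rather than the prod account root keeps any other prod-account principal from assuming the audit role.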

Can we restrict a role in a child AWS account to be used only by the organization AWS account

I have an organization root AWS account named cloud. Below is the policy attached to it.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::XXXXXXXXX:role/Account-accessROle"
]
}
}
I have a role Accountaccessrole created in the child accounts. This role has a trust relationship with the organization account such that only the cloud user can assume it.
Its trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{ROOTACCOUNT}:user/cloud"
},
"Action": "sts:AssumeRole"
}
]
}
Its attached policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "EC2:*",
"Resource": "*"
}
]
}
This is sorted. But the users from the child account (XXXXX) can use this role in Lambda to do something. I want to restrict it: no one from the child account should do anything with this role. How do I restrict this?
I tried adding a condition to the policy in the child account roles, but could not find any specific one.
If you are showing the correct trust policy, then users can't pass this role to a Lambda function because there is no trust between the Lambda service and your role.
The second thing is that users in your child account (or any account for that matter) do not have the right to assume any role by default (they do not have the right to do anything by default), which means that someone granted them that privilege.
The easy solution would be to remove this privilege from them. If that is not feasible due to the amount of work it would require, then you can simply create an IAM policy which denies sts:AssumeRole for that particular resource (the IAM role that you want to restrict) and apply this policy to a group where you can place all your users. This will however not prevent the root user of the child account (or any user with permissions to the IAM service) from bypassing this restriction.
Another option is to deny the above-mentioned action in an SCP and apply that SCP to the child account. You can either modify your current SCP if possible, or you can create a new one and apply it directly to the child account (note that you can apply multiple SCPs to an account/OU, and an explicit deny will overrule any existing allow statements).
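An added example (not from the answer, and not AWS code) of the layering the answer describes: how an SCP attached to the child account combines with identity policies for a sts:AssumeRole request, and why a Deny in a group policy is weaker than a Deny in an SCP. The model is deliberately minimal: the SCP layer must contain an Allow and no matching Deny, then the identity layer must allow; explicit Deny wins at either layer; the child account's root user is bound by SCPs but not by identity policies. Conditions, permission boundaries and resource-based policies are left out, as is the fact that SCPs never apply to the management account itself. The account ID 222222222222 is a placeholder; the role name is the one from the question.

```python
"""Added example (not from the answer): how the SCP layer and the identity
layer combine for sts:AssumeRole in the child account.

Simplified model: SCPs must allow and must not deny; then identity policies
must allow; explicit Deny wins at either layer; the child account's root user
is bound by SCPs but not by identity policies. Conditions, permission
boundaries and resource policies are omitted. Not AWS code; the account ID is
a placeholder.
"""
from fnmatch import fnmatch

CHILD = "222222222222"                                        # placeholder child account
ROLE_ARN = f"arn:aws:iam::{CHILD}:role/Account-accessROle"     # the role from the question


def _as_list(value):
    return value if isinstance(value, list) else [value]


def decision(policies, action, resource):
    """"Deny", "Allow" or "NoMatch" for one layer of policy documents."""
    result = "NoMatch"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            act_hit = any(fnmatch(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            res_hit = any(fnmatch(resource, r) for r in _as_list(stmt["Resource"]))
            if act_hit and res_hit:
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit Deny wins within the layer
                result = "Allow"
    return result


def is_allowed(action, resource, identity_policies, scps, is_root=False):
    """Request by a principal in the child account."""
    if decision(scps, action, resource) != "Allow":
        return False                       # SCP deny, or no SCP allow at all
    if is_root:
        return True                        # root ignores identity policies
    return decision(identity_policies, action, resource) == "Allow"


# Constructed policies.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [       # the default SCP on every account
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

DENY_ASSUME_SCP = {"Version": "2012-10-17", "Statement": [       # extra SCP attached to the child account
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

DEV_USER_POLICY = {"Version": "2012-10-17", "Statement": [       # what "someone granted them"
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"}]}

GROUP_DENY_POLICY = {"Version": "2012-10-17", "Statement": [     # the answer's IAM-policy option
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}


if __name__ == "__main__":
    print("user, no control :", is_allowed("sts:AssumeRole", ROLE_ARN, [DEV_USER_POLICY], [FULL_AWS_ACCESS]))
    print("user, group deny :", is_allowed("sts:AssumeRole", ROLE_ARN, [DEV_USER_POLICY, GROUP_DENY_POLICY], [FULL_AWS_ACCESS]))
    print("root, group deny :", is_allowed("sts:AssumeRole", ROLE_ARN, [GROUP_DENY_POLICY], [FULL_AWS_ACCESS], is_root=True))
    print("root, SCP deny   :", is_allowed("sts:AssumeRole", ROLE_ARN, [], [FULL_AWS_ACCESS, DENY_ASSUME_SCP], is_root=True))
```

The group-policy Deny stops ordinary users but not root, and any user with iam:* in the child account can simply detach it from the group; the SCP Deny holds for every principal in the child account, including root, and can only be changed from the organization's management account. The trust policy on the role remains a second, independent control, which is why the answer notes that Lambda cannot use the role at all.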

Creating AWS File Gateway Share with an Existing Role

I have an AWS File Gateway. I am able to create a share to an S3 bucket ONLY if I let the AWS console create a new IAM role. If I select Use an Existing Role I get the error:
Failed to create file share
User: arn:aws:iam::024123456789:root is not authorized to perform: iam:PassRole on resource: my-storage-gateway-role (Request ID: f14a287d-e266-11e7-bd3b-49a5a190c50e)
I have tried this using both IAM users with administrative access and with the root user. Every time results in this same error. Here is the policy that my administrators have:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Isn't this policy sufficient to do pretty much anything? Any ideas what is causing this error?
Scott here with AWS. I understand that when you try to create your own IAM role that has admin permissions for your SGW, you're still not able to create a file share with your S3 bucket.
Looking into the issue, the most likely reason for this error is that your account doesn't have the correct permissions to assume the role with Storage Gateway[1]:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "storagegateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Since you have admin access on the role, you don't need to change the policy for permissions.
After logging into my root account, I wasn't able to reproduce this issue even when creating a new role for the file share.
Are you able to share the role you are trying to use?
[1]http://docs.aws.amazon.com/storagegateway/latest/userguide/managing-gateway-file.html#grant-access-s3