Policy to allow lambda:InvokeFunction to an IAM Assumed Role - amazon-web-services

I am trying to invoke a Lambda from another Lambda, and I am getting the error:
AccessDeniedException: User: [role ARN] is not authorized to perform:
lambda:InvokeFunction on resource: [Lambda ARN]
After researching, I found out that I need to attach a policy to the IAM user to allow the action.
I'm wondering if there's any AWS Managed Policy which allows lambda:InvokeFunction?
If not, what would be the best minimalist policy JSON to create?

A managed role would be the AWSLambdaRole.
If you want to create it on your own:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "lambda:InvokeFunction",
      "Effect": "Allow",
      "Resource": "<ARN of the function which is allowed to be invoked>"
    }
  ]
}
For the ARN (Amazon Resource Name) you could also put * (then all functions are allowed to be invoked). Also, you could provide a list of multiple function ARNs.

Related

Official example on AWS documentation on how to add a service principal on a resource based policy does not work

I need several lambda functions on my account to be able to access a secret.
(I cannot use identity policies, don't ask why)
I am following this example from the official documentation, so I am creating this resource-based policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "lambda.amazonaws.com"
        ]
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:sourceArn": "arn:aws:lambda::1234567891911:*"
        },
        "StringEquals": {
          "aws:sourceAccount": "1234567891911"
        }
      }
    }
  ]
}
My lambda invocation fails as follows:
"An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::1234567891911:assumed-role/my-secret-name/my-lambda-name is not authorized to perform: secretsmanager:GetSecretValue on resource: ps-shield-token because no identity-based policy allows the secretsmanager:GetSecretValue action",
????
I don't see the problem. Your policy example is valid for services that support service-linked roles. Lambda functions do not support service-linked roles. Therefore, the policy example is not valid for Lambda.
Service-linked roles, which are AWS-managed, are referenced by service name in resource-based policies, as in the OP. For instance, the principal { "Service": "elasticloadbalancing.amazonaws.com" } refers to the AWS-managed ELB service-linked role, which is called AWSServiceRoleForElasticLoadBalancing. Again, there's no equivalent lambda.amazonaws.com option here, because Lambda has no service-linked role.
Functions have user-managed execution roles. Execution roles (EC2 Instances and ECS Tasks have something similar) are referenced by the role ARN in the resource-based policy "Principal": { "AWS": <Lambda Role Arn> }, as in @jellycsc's answer.
Although the docs could definitely be clearer, your Example: Service principal does refer just to service-linked roles. The first link on the page, AWS Service Principal, refers to "service principal" as used by "services that support service-linked roles".
Lambda@Edge does support service-linked roles.
It's not the lambda service that's getting the secret value. The lambda service first assumes the execution role which you set in your lambda function, and the execution role is the principal of the secretsmanager:GetSecretValue action. Therefore, the following policy should work.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::1234567891911:role/<lambda-execution-role-name>"
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*"
    }
  ]
}
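A small model of the principal matching the two answers describe, added here as an example (it is not code from the question or the answers): an assumed-role session is authorised as its role, so only an "AWS" principal naming the execution role can match a function's call. The ARNs are constructed sample values and Conditions are left out of the model.

```python
import re

# Constructed sample caller: a function whose execution role is "my-lambda-role".
CALLER_ARN = "arn:aws:sts::123456789012:assumed-role/my-lambda-role/my-lambda-name"
ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def principal_role_arn(caller_arn):
    """An assumed-role session is authorised as the role it was assumed from."""
    m = ASSUMED_ROLE.match(caller_arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    return caller_arn  # IAM users and roles already carry their own ARN

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement_allows(statement, caller_arn, action):
    """True when the statement's Principal and Action match this caller.
    Conditions are ignored here; IAM evaluates those as well."""
    if statement.get("Effect") != "Allow":
        return False
    if action not in _as_list(statement.get("Action")):
        return False
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    # A "Service" principal is the AWS service acting as itself (a service-linked
    # role). A function's call arrives as its execution role, never as the Lambda
    # service, so {"Service": "lambda.amazonaws.com"} has nothing to match.
    aws_principals = _as_list(principal.get("AWS", []))
    return "*" in aws_principals or principal_role_arn(caller_arn) in aws_principals

SERVICE_PRINCIPAL = {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                     "Principal": {"Service": ["lambda.amazonaws.com"]}, "Resource": "*"}
ROLE_PRINCIPAL = {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                  "Principal": {"AWS": "arn:aws:iam::123456789012:role/my-lambda-role"},
                  "Resource": "*"}

if __name__ == "__main__":
    for name, st in (("service principal", SERVICE_PRINCIPAL), ("role principal", ROLE_PRINCIPAL)):
        print(name, statement_allows(st, CALLER_ARN, "secretsmanager:GetSecretValue"))
```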

(MalformedPolicyDocument) AssumeRole policy may only specify STS AssumeRole actions

This question has been answered here but it didn't solve my problem.
I get the error
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: AssumeRole policy may only specify STS AssumeRole actions
when I try to call
aws iam create-role --role-name AutoscalingRole-Name --assume-role-policy-document file://./IAM_Trust_Policy.json
If my IAM_Trust_Policy.json contains only this code:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "Service": [
        "ec2.amazonaws.com"
      ]
    },
    "Action": "sts:AssumeRole"
  }
}
It's working like a charm. But I needed something more, I'm creating an autoscaling role and I have a policy with these requirements:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "Service": [
        "ec2.amazonaws.com",
        "autoscaling.amazonaws.com"
      ]
    },
    "Action": [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "ec2:DescribeLaunchTemplateVersions"
    ]
  }
}
And for some reason I get: An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: AssumeRole policy may only specify STS AssumeRole actions
Can anyone see where I'm wrong? Thanks
As @luk2302 commented, you are mixing up two policy types. Both are required for your Role to be useful:
- Trust Policy: whom you allow to assume the role
  - This is your first policy document
  - Principal is required - this is whom you allow
  - Use this as the AssumeRolePolicyDocument parameter in CreateRole.
- Access/Permissions Policies: the permissions the role will have
  - This is your second policy document
  - Principal is not allowed - it makes no sense here
  - There are two ways to attach these permissions to your role (aka Identity-based Policies):
    - As a standalone Managed Policy with AttachRolePolicy
    - Or as an Inline Policy embedded in your role with PutRolePolicy
In other words, remove the Principal from your second policy document and call PutRolePolicy to embed it with your role.
You cannot use a role policy with assume-role-policy.
I think you are trying to reinvent the wheel.
AWS has one role for your autoscaling need: the AWSServiceRoleForAutoScaling managed role.
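A local check for the trust-versus-permissions mix-up described in the answers above, added here as an example (not code from the question, the answers, or AWS): lint_policy reports why IAM would reject a document as one kind or the other, and split_mixed_document produces the two documents the first answer asks for. The trust-policy action rule, the Resource "*" in the split permissions policy and the shortened sample document are assumptions.

```python
import json

TRUST_EXTRA_OK = ("sts:TagSession", "sts:SetSourceIdentity")  # also accepted in trust policies

def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(doc, kind):
    """kind is 'trust' (the AssumeRolePolicyDocument) or 'identity' (the document
    for AttachRolePolicy / PutRolePolicy). Returns the reasons IAM rejects it."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        actions = _as_list(st.get("Action"))
        if kind == "trust":
            if "Principal" not in st:
                findings.append(f"statement {i}: a trust policy needs a Principal")
            bad = [a for a in actions if not (a.startswith("sts:AssumeRole") or a in TRUST_EXTRA_OK)]
            if bad:
                findings.append(f"statement {i}: AssumeRole policy may only specify "
                                f"STS AssumeRole actions, found {bad}")
        else:
            if "Principal" in st:
                findings.append(f"statement {i}: Principal is not allowed in an identity policy")
            if "Resource" not in st:
                findings.append(f"statement {i}: an identity policy statement needs a Resource")
    return findings

def split_mixed_document(mixed):
    """Turn a document that mixes a Principal with service actions into the two
    documents the answer asks for: a trust policy for CreateRole and a permissions
    policy for PutRolePolicy. Resource "*" is an assumption; narrow it to your ASGs."""
    st = _as_list(mixed["Statement"])[0]
    trust = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": st["Principal"], "Action": "sts:AssumeRole"}]}
    permissions = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": st["Action"], "Resource": "*"}]}
    return trust, permissions

# The question's mixed document, shortened to two actions (constructed sample input).
MIXED = json.loads("""{"Version": "2012-10-17", "Statement": {"Effect": "Allow",
  "Principal": {"Service": ["ec2.amazonaws.com", "autoscaling.amazonaws.com"]},
  "Action": ["autoscaling:DescribeAutoScalingGroups", "autoscaling:SetDesiredCapacity"]}}""")

if __name__ == "__main__":
    print(lint_policy(MIXED, "trust"))  # reproduces the CreateRole rejection locally
    trust, perms = split_mixed_document(MIXED)
    print(lint_policy(trust, "trust"), lint_policy(perms, "identity"))  # [] []
```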

Restrict viewing/listing objects in S3 with a specific prefix

I've got a bucket policy to restrict roles (apart from one) from downloading/putting objects of a specific name into my S3 bucket.
However, I'm having difficulty restricting the file from even being viewed if the file is there.
I would like to restrict roles from even listing files in the bucket with a prefix of 'audit'. I would still like them to be able to list all other objects in the path.
So far I've tried a few variations of this bucket policy. The role ID is for the role that should be able to view the files:
- Sid: "3"
  Effect: Deny
  Principal: "*"
  Action:
    - s3:ListBucket
  Resource:
    - arn:aws:s3:::my-bucket/audit*
  Condition:
    StringNotLike:
      aws:userid:
        - <THE ALLOWED ROLE ID>:*
I'm getting the following error:
Action does not apply to any resource(s) in statement
(Service: Amazon S3; Status Code: 400;
Error Code: MalformedPolicy; Request ID:
Thank you 😊
You can use the aws:PrincipalArn condition key to check for the IAM ARN.
Works with ARN operators and string operators.
Use this key to compare the Amazon Resource Name (ARN) of the principal that made the request with the ARN that you specify in the policy. For IAM roles, the request context returns the ARN of the role, not the ARN of the user that assumed the role. To learn which types of principals you can specify in this condition key, see Specifying a principal.
Availability – This key is always included in the request context.
{
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:ListBucket"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::1234567890:role/myrole"
          ]
        }
      },
      "Resource": [
        "arn:aws:s3:::my-bucket"
      ]
    }
  ]
}
Now, why it is saying invalid policy: the s3:ListBucket permission deals with the bucket, not the object level, so you are getting the error.
s3:GetObject applies to the objects in the bucket so the Resource is correct:
"Resource": "arn:aws:s3:::my-bucket/*".
s3:ListBucket applies to the Bucket itself and so the Resource should be
"Resource": "arn:aws:s3:::my-bucket"

creating iam user and aws secrets via iam:passrole

I have two IAM roles:
- allaccessrole (with complete AWS account access)
- limitedaccessrole (with very limited access to certain services only)
How do I utilize iam:passrole so that limitedaccessrole can utilize the permissions of allaccessrole for creating new resources(ex: a new iam user/ec2 instance)?
I added
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {"iam:PassedToService": "iam.amazonaws.com"}
      }
    }
  ]
}
to limitedaccessrole's policy, but when I try creating a new user, it still says:
limitedaccessrole is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::myaccnumber:user/new-user-m-trying-to-create
I also tried
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:sts::acc_num:role/limitedaccessrole",
      "Condition": {
        "StringEquals": {"iam:PassedToService": "iam.amazonaws.com"}
      }
    }
  ]
}
This also gives me:
limitedaccessrole is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::myaccnumber:user/new-user-m-trying-to-create
In short, is there a way to make limitedaccessrole create resources (a new IAM user + secrets) while utilizing a combination of iam:PassRole and an existing allaccessrole (which can do everything), AND without giving "iam:CreateUser" permission to the limitedaccessrole?
Appreciate any inputs.
EDIT: I think I have a confused understanding of what iam:PassRole does. Looks like iam:PassRole is to be used when you want some service to have the same permissions as a specified role, but not when you want one role to take on the permissions of another role.
You want to use the sts:AssumeRole permission to accomplish what you're trying to achieve.
The workflow for this is below:
Resource A has Role A. Role A has permission sts:AssumeRole to allow it to assume Role B.
Resource A performs sts:AssumeRole to assume Role B. IAM key, secret key and session ID returned.
Resource performs interaction using SDK/CLI specifying specifically the three values returned.
To summarise, when you assume a role you use the credentials returned to act as the role. It is not automatic, you could support many roles.
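The workflow above has two configuration halves, and both are modelled here as an added example (not code from the question, the answer, or AWS): Role A's identity policy must grant sts:AssumeRole on Role B, and Role B's trust policy must name Role A as a principal. The role ARNs and documents are constructed samples, and the check treats "both sides explicit" as the required configuration; the real decision is IAM's.

```python
import fnmatch

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def role_a_may_assume(role_a_policy, role_b_arn):
    """Step 1 above: Role A's identity policy grants sts:AssumeRole on Role B's ARN
    (a wildcard Resource such as arn:aws:iam::123456789012:role/* also counts)."""
    return any(st.get("Effect") == "Allow"
               and "sts:AssumeRole" in _as_list(st.get("Action"))
               and any(fnmatch.fnmatchcase(role_b_arn, r) for r in _as_list(st.get("Resource")))
               for st in _as_list(role_a_policy.get("Statement")))

def role_b_trusts(role_b_trust_policy, role_a_arn):
    """The half the answer leaves implicit: Role B's trust policy must name Role A
    (or the account root, in which case step 1 is what actually grants access)."""
    account_root = f"arn:aws:iam::{role_a_arn.split(':')[4]}:root"
    for st in _as_list(role_b_trust_policy.get("Statement")):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if "*" in aws or role_a_arn in aws or account_root in aws:
            return True
    return False

def chain_configured(role_a_policy, role_a_arn, role_b_trust_policy, role_b_arn):
    """True only when both halves are explicit, the usual way this workflow is set up."""
    return role_a_may_assume(role_a_policy, role_b_arn) and role_b_trusts(role_b_trust_policy, role_a_arn)

# Constructed sample: limitedaccessrole (Role A) assuming allaccessrole (Role B).
ROLE_A = "arn:aws:iam::123456789012:role/limitedaccessrole"
ROLE_B = "arn:aws:iam::123456789012:role/allaccessrole"
ROLE_A_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_B}]}
ROLE_B_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_A}, "Action": "sts:AssumeRole"}]}
# The question's first attempt: iam:PassRole alone is not an assume permission.
PASSROLE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}

if __name__ == "__main__":
    print(chain_configured(ROLE_A_POLICY, ROLE_A, ROLE_B_TRUST, ROLE_B))   # True
    print(chain_configured(PASSROLE_ONLY, ROLE_A, ROLE_B_TRUST, ROLE_B))   # False
```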

Tagging AWS lambda function access denied

I am trying to use the aws cli to tag a lambda function. However, I keep getting the access denied error. I even tried to give the user admin access in IAM, and still it does not work. I guess something else has to be configured somewhere that currently overrides the policy.
root@fd9f516869e1:~# aws lambda tag-resource --resource $FUNCTION_ARN --tags CURRENT_COMMIT=${CIRCLE_SHA1}
An error occurred (AccessDeniedException) when calling the TagResource operation: User: <user ARN> is not authorized to perform: lambda:TagResource
The policy attached to the user is
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "<SID>",
      "Effect": "Allow",
      "Action": [
        "tag:*",
        "lambda:ListTags",
        "lambda:TagResource",
        "lambda:UntagResource",
        "lambda:GetFunction",
        "lambda:UpdateFunctionCode"
      ],
      "Resource": [
        "<my lambda ARN>"
      ]
    }
  ]
}
As noted in the documentation for Lambda API Permissions and AWS Services That Work with IAM, tag-related calls (ListTags, TagResources, UntagResources) can't be restricted to specific resources.
So access for tagging has to be granted for all Lambda functions. To get it working, you'd need to replace <my lambda ARN> in the policy above with *.
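Two of the questions on this page fail on resource scope: the S3 bucket policy above ("Action does not apply to any resource(s) in statement", because s3:ListBucket is a bucket-level action given an object ARN) and the Lambda tagging policy just above (a tag action scoped to one function ARN, which the answer says cannot be restricted). This added example (not code from the answers or from AWS) checks a statement for both mistakes and rewrites a ListBucket statement so the key pattern moves into an s3:prefix condition; the action tables and the sample statement are assumptions written from the answers.

```python
S3_BUCKET_LEVEL = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation"}
S3_OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
LAMBDA_TAG_ACTIONS = {"lambda:ListTags", "lambda:TagResource", "lambda:UntagResource"}

def _as_list(value):
    return [] if value is None else (value if isinstance(value, list) else [value])

def s3_key_part(arn):
    """'' for a bucket ARN, the key pattern for an object ARN, None for non-S3 ARNs."""
    if not arn.startswith("arn:aws:s3:::"):
        return None
    _bucket, sep, key = arn[len("arn:aws:s3:::"):].partition("/")
    return key if sep else ""

def scope_findings(statement):
    """Resource-scope mismatches that make S3 return MalformedPolicy or that leave a
    Lambda tagging permission ineffective."""
    findings = []
    for action in _as_list(statement.get("Action")):
        for res in _as_list(statement.get("Resource")):
            if res == "*":
                continue
            key = s3_key_part(res)
            if action in S3_BUCKET_LEVEL and key:
                findings.append(f"{action} applies to the bucket, not to {res}")
            elif action in S3_OBJECT_LEVEL and key == "":
                findings.append(f"{action} applies to objects; use {res}/* not {res}")
            elif action in LAMBDA_TAG_ACTIONS:
                findings.append(f"{action} cannot be restricted to {res}; use '*'")
    return findings

def rewrite_listbucket(statement):
    """Resource becomes the bucket ARN; the key pattern moves into an s3:prefix
    condition. Caveat: s3:prefix only matches listings that send a prefix parameter,
    so an un-prefixed listing of the whole bucket is not covered by this condition."""
    st = dict(statement)
    resources = _as_list(st.get("Resource"))
    prefixes = [s3_key_part(r) for r in resources if s3_key_part(r)]
    st["Resource"] = sorted({r.split("/", 1)[0] for r in resources})
    cond = dict(st.get("Condition", {}))
    cond["StringLike"] = {**cond.get("StringLike", {}), "s3:prefix": prefixes}
    st["Condition"] = cond
    return st

# Constructed sample after the question's Sid 3 statement, with the answer's aws:PrincipalArn key.
AUDIT_DENY = {"Sid": "3", "Effect": "Deny", "Principal": "*", "Action": ["s3:ListBucket"],
              "Resource": ["arn:aws:s3:::my-bucket/audit*"],
              "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/myrole"}}}
```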