I'm trying to set up CodeBuild with a CodeCommit source that lives in another AWS account. I believe this can be done using AssumeRole but I've had no luck. Can anyone help provide an example of how to make CodeBuild assume a role specified in another account to access a CodeCommit repo?
Currently my CodeBuild role (in account 22222222) includes the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::11111111:role/Read-CodeCommit"
}
]
}
In account 11111111 I have the Read-CodeCommit role has the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"codecommit:*"
],
"Resource": "arn:aws:codecommit:us-west-2:11111111:dashboard"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "codecommit:ListRepositories",
"Resource": "*"
}
]
}
Read-CodeCommit has the following trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::22222222:root",
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Edit:
Posting a solution I came up with for anyone who might face a similar issue.
The best I could manage was just to side-step the issue. Instead of setting up CodeCommit as a source, I'm using a custom ECR image which includes CodeCommit credentials. The buildspec then clones from the repo.
It's not as clean as I like but it gets the job done.
Related
I have created a user and grant three permissions to it.
IAMFullAccess, AmazonSageMakerFullAccess and AmazonS3FullAccess
Now when i try to setup sagemaker domain, it throw following exceptions
ValidationException
Access denied in getting/accepting the portfolio shared by SageMaker. Please call withservicecatalog:AcceptPortfolioShare & servicecatalog:ListAcceptedPortfolioShares permission.
AccessDeniedException
User: arn:aws:iam::117609614511:user/tac-sagemaker is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-east-1:117609614511:domain/d-bpq1nh2g5t9l because no identity-based policy allows the sagemaker:CreateDomain action
First, I did not understand, though i granted full sagmaker access, why its not picking createDomain policy,
Second, i go to my role and manually added these policies.
Here are policies for my sagemaker role
AmazonSageMaker-ExecutionPolicy-20220813T004513
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s34sagemaker"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s34sagemaker/*"
]
}
]
}
SagemakerCreateDomain
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sagemaker:CreateDomain",
"Resource": "arn:aws:sagemaker:*:117609614511:domain/*"
}
]
}
sagemakerportfolioservices
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "servicecatalog:AcceptPortfolioShare",
"Resource": "arn:aws:catalog:*:117609614511:portfolio/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "servicecatalog:ListAcceptedPortfolioShares",
"Resource": "*"
}
]
}
But still it giving me same error
Edit
I added two new policy to my user
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
AWSServiceCatalogAdminFullAccess
Now ValidationException is gone, but still having AccessDeniedException
EDIT2:
I have attached a new custom policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"sagemaker:CreateDomain"
],
"Resource": "*"
}
]
}
But still the error is same
I would recommend using the CloudFormation template in this blog to help create the Domain and User Profile.
https://aws.amazon.com/blogs/machine-learning/automate-a-centralized-deployment-of-amazon-sagemaker-studio-with-aws-service-catalog/
I'm trying to use SPI API programatically using Golang.
https://github.com/amazinsellers/amazon-sp-api-sdk-go and also tried with official https://github.com/amzapi/selling-partner-api-sdk and always have permission denied on the sample code on both github...
I followed this guide for all the IAM setup on my AWS Account but still not working..
https://spapi.cyou/en/guides/SellingPartnerApiDeveloperGuide.html#terminology
Here is my response json:
{"AssumeRoleResponse": {"-xmlns": "https://sts.amazonaws.com/doc/2011-06-15/", "AssumeRoleResult": {"AssumedRoleUser": {"AssumedRoleId": "AR***:SPAPISession", "Arn": "a
rn:aws:sts::123***:assumed-role/MyStsRoleName/SPAPISession"}, "Credentials": {"SessionToken": "FwoGZXIvYXdzEPb//////////wEaDJyejpfUNUYyux***=", "Expiration": "2022-03-14T13:41:14Z", "AccessKeyId": "A***", "SecretAccessKey": "Dr***"}}, "ResponseMetadata": {"RequestId": "b000db8e-e0f0-4150-b2fe-808d8212d599"}}}
{"code":"Unauthorized","details":"","message":"Access to requested resource is denied."}
My Dev App on Seller Central is on Draft status I passed the role I created on it like following :
arn:aws:iam::123***:role/MyStsRoleName
and on my code:
SPClientID = "amzn1.application-oa2-client.123***"
SPClientSecret = "26***"
SPRefreshToken = "Atzr|**"
SPAccessKeyID = "AKI***"
SPSecretKey = "Xre***"
SPRegion = "eu"
SPRoleArn = "arn:aws:iam::123***:role/MySTSRoleName"
Is it possible to get some help, since 2 days blocked on that part and I found nothing that could help me fix that. I tried a lot of thing on IAM params nothing works.
Here is my inlined policy on my IAM User:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123***:role/MySTSRoleName"
}
]
}
The Policy arn:aws:iam::123***:policy/SellingPartnerAPI is like :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "execute-api:*",
"Resource": "*"
}
]
}
Edit:
My role trusted entities:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123***:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Thanks a lot
I generated the below code using S3 policy generator, when I paste the code in AWS S3 edit policy console it shows error. Pls help
{
"Id": "Policy1611491895768",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1611491893687",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::aws-landing-zone-configuration-756692330110-ap-south-1",
"Principal": {
"AWS": [
"\"AWS\": \"arn:aws:iam::756692330110::user/aravindkumar.s#gmail.com\""
]
}
}
]
}
There are few issues,
GetObject is applicable only to bucket objects not bucket , so, Resouce should contain /* at the end.
Principle is not formatted right.
Here is updated policy
{
"Version": "2012-10-17",
"Id": "Policy1611491895768",
"Statement": [
{
"Sid": "Stmt1611491893687",
"Effect": "Allow",
"Principal": {
"AWS": ["arn:aws:iam::756692330110:user/aravindkumar.s#gmail.com"]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::aws-landing-zone-configuration-756692330110-ap-south-1/*"
}
]
}
I'm trying to copy contents of an S3 bucket to another bucket on another account, and I wanted to use the CLI to do this. So I set up a bucket policy on the source bucket, allowing a IAM user in the destination account to perform all S3 actions, but it keeps complaining that the ListObjects operation is denied.
I've tried Google, but I can't tell what would be the problem with my policy compared to the solutions I find. Even if I make the source bucket public (and can list it in a browser), it still gives me access denied.
What to do, what to do? Here's my bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAll",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123123123123:user/USER"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::SOURCE",
"arn:aws:s3:::SOURCE/*"
]
}
]
}
Please try using below policy,
{
"Version": "2008-10-17",
"Id": "Policy1357935677554",
"Statement": [
{
"Sid": "CrossAccountList",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::examplebucket"
},
{
"Sid": "CrossAccountS3",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::examplebucket/*"
}
]
}
You can read the full steps here
Another read here
I know that you can set up an IAM policy to restrict access to services. However, is it possible to set up a policy to allow access to a part of a service.
E.g. I am two EC2 instances. I need to create two users such that they have an access to the AWS console, but only to one EC2 instance each.
Yes you can do this with Resource-Level Permissions for EC2
The structure of the resource is stated in the documentation as follows:
arn:aws:[service]:[region]:[account]:resourceType/resourcePath
Here is how you would structure the IAM policies for each user:
User 1
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdOne"
}
]
}
User 2
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/InstanceIdTwo"
}
]
}
Policy without access to EC2:DescribeInstance will not work. You need to allow DescribeInstances access on all resources and manage additional access like modify, delete to specific instances depending on what the need is.
In short, allow all basic operations like Describe Tags, Instances, NetworkACLs, Images etc to all users and allow specific destructive actions like Modify and Delete to select user.
List of EC2 actions for your reference here
http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_Operations.html
So you have 2 options-
Create one policy like below and attach the same policy to both users
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:*Describe*",
"Resource":"*",
},
{
"Effect": "Allow",
"Action": [
"ec2:*Modify*",
"ec2:*Delete*"
],
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-1**" },
"Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdOne**"
},
{
"Effect": "Allow",
"Action": [
"ec2:*Modify*",
"ec2:*Delete*"
],
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-2**" },
"Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdTwo**"
}
]}
Create 2 different policies. Example for one below
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:*Describe*",
"Resource":"*",
},
{
"Effect": "Allow",
"Action": [
"ec2:*Modify*",
"ec2:*Delete*"
],
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/**user-name-1**" },
"Resource": "arn:aws:ec2:us-east-1:AWS-account-ID:instance/**InstanceIdOne**"
}
]}