I am a bit confused about AWS IAM. which user am I when I'm in the console? I am currently trying to make a s3 policy for one of my buckets. and I'm getting an error saying Access denied which I believe is due to not having the correct permissions for one user. so I gave this user fullS3 access. but I'm still getting Access denied.
so which user does the console think I am? if that makes sense? or how can I give that user controlling the console the correct s3 access?
The user you are in the console is whichever user you logged in as. If you haven't created a user, and you're logging in to the console with your email address, then you're the root user, which has full permissions. There are still some reasons that you could be getting access denied though.
Is it possible you've already applied a bucket policy which denies access to all? If so, you could try deleting the current policy rather than changing it in the console, then applying the new one. Sometimes you will need to remove the policy with the CLI though.
If not, could it be this issue? Access denied when put bucket policy on aws s3 bucket with root user (= bucket owner)
If neither of these work, please confirm which user you are logged in as (it'll say in the top right hand corner), and the JSON for the policy you're trying to apply.
Related
I'm totally new to AWS and learning about IAM. I was wondering if there is a way around for an IAM user to check what all permission he/she have? Like as a root user, I created a group of IAM users where they were only allowed to use S3 service but once I logged in as an IAM user, it was showing that I have access to other AWS services as well like running EC2 instances, etc which I reckon shouldn't be the case. Thanks!
No, it isn't possible to "show" which services you have access to use, because the policies can be quite complex (eg permission to access an S3 bucket, but only a particular sub-folder if coming from a given range of IP addresses).
You would need to look the the IAM Policies attached to the IAM User, plus the policies on any IAM Groups they are in. Then, some services like Amazon S3 have additional permissions such as Bucket Policies.
In addition, AWS Organizations can limit the permissions of all users within an AWS Account, so even if a user appears to be granted certain permissions, they might not actually be available for use.
In many situations, you'll only know if you can do something by actually trying it. For example, you might have Read Only permissions, which means you can see resources in the AWS Console, but you would receive an error when you try to change things.
All services are available in the AWS Console, but various parts of the console will only work if you have adequate permission.
Note that there's IAM Policy Simulator from AWS. You can select a service and check if a given user has access to any given action (or all actions relevant to a service)
Ok, this is making me pull my hair out I can't believe it's so complex...
So, to achieve what subject says, without giving user read access to all files in all buckets (Other buckets in proj have sensitive data)
I Navigated to the bucket -> permissions and added user as Storage Object Viewer, expecting this to be enough (later it appears this is enough if you have a direct link - or probably also api) but the user trying to navigate console gets stuck on https://console.cloud.google.com/storage/browser?project=xyz (bucket browser page). Message is: "You don’t have permission to view the Storage Browser or Storage Settings pages in this project"
How can I give the user access to list buckets (and therefore go through the UI path in console, without giving general read access to all of Storage? There are no roles called "storage browser" or similar... I'm even up for creating a custom role but what permissions would it need. Apparently storage.objects.list is not it.
Quick answer:
You need a custom role with:
storage.buckets.list
Rant answer:
Finally found the complete permissions reference.
https://cloud.google.com/storage/docs/access-control/iam-permissions
Looked easy enough knowing there are storage.bucket... permissions. With UI it was still a nightmare to create the role though. Adding permissions modal is tiny, and only filterable by role ^^. I don't know a role with these permissions but I know the exact permission. Shows 10 per page of 18xx permissions. Luckily storage permissions are very close to the end so adding service column + reverse sort only took 2 page steps or something. Oh wow, it's like they don't want people to understand this.
As of January 2021, to give a user access to the cloud storage console and access to a particular bucket, let's say to view or upload files:
Create a custom role in Cloud IAM
This custom role needs resourcemanager.projects.get and storage.buckets.list permissions.
The first permission allows the user to actually select the relevant project.
The second permission allows the user to list all the buckets in your account. Unfortunately, there is no way to only list the buckets you want the user to see, but since you can control their access to a bucket, your data is still private and secure.
Create an IAM user
Go into Cloud IAM .
Add an IAM user assign them the new role you created in Step 1.
Assign Permissions on the Bucket Resource.
Go into the bucket you want to provide access to.
Go into the permissions pane.
Assign permission(s) to the IAM user you created in step 2. Assign a Storage role that makes sense for your situation (i.e. Storage Admin if they need to read objects/write objects/update permissions/fully configure the bucket for the bucket or Storage Viewer for read only access).
You can easily test this by using a personal email address and seeing if the permissions are correct and that you're not creating a data breach.
My use case: I needed to give a third party developer access to a bucket that would hold assets for our marketing site. He should not have access to any other bucket but should be free to add/remove assets in this marketing bucket. Being so, I assigned the developer Storage Object Admin role.
I'm an admin user on my AWS account, so I have full access. Working through the console, I get no issues. When I try to work with programmatic access though, I get an access denied error. Does anybody have a clue why?
The code and all is OK, it works fine on my other AWS account on which I have admin access as well. Yes, I did change the AWS configuration to match the access keys to the right account.
If you are 100% sure that your code is correctly assuming your admin role and you admin role is having the admin policy, then you should be facing:
The resource(e.g., S3) you are trying to access has some explicit deny policy or not having an allow policy for you user.
IAM service latency. Say if you just create this user with admin access and you try to test that immediately with your code, it might happen that AWS thought you don't have enough permission. That happen to me when I created a new role, I saw delay can be up to 20 minutes, but that kind of delay is rare. But you cannot assume your update to IAM permissions to take effect immediately just like the EC2 security group.
Have you enabled MFA in the IAM account. If so, you cannot directly access the AWS CLI or API with Access key. You need to create a temporary Access and secret key and use those to access the AWS resource
With the access key that you configured earlier you need to create the temp access key. Refer the below links for procedure.
https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/
https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
I know what the documentation says:
Important
IAM users can't create CloudFront key pairs. You must log in using root credentials to create key pairs.
But I what to know is this restriction a permission based. Can you give that permission to IAM user?
That means the person paying the bills is privileged only to do that. IAM users cannot have these privileges even if they have full admin access.
I have an app where users are required to enter in a set of AWS credentials with a specific set of permissions. I'd like to verify the credentials when they are entered in to make sure they have the required set of user policies on them.
Is there a way I can retrieve the user policies for those credentials?
Yes, if they gave you creds that are allowed to do an IAM call. You can list all their IAM users, then find the one IAM user with your key, and then read the permissions for that user. But this requires parsing the IAM permissions language, which is a little complex.
The other way to do it is make a sample call for anything you want to verify (i.e. list S3 bucket, etc.) It's probably better to validate just one or two calls than try to validate every possible call. Yes, you're likely to run into errors down the road if you're missing some permissions, but it's much more likely that they made a typo or gave you the wrong creds than they gave you partial creds.
The other thing you could consider: If they give you full creds, you could create an IAM user with just the creds you need, an use those creds. Everything in IAM has an API, so it's possible.