Why won't IAM "AmazonEC2FullAccess" policy allow user to launch instances? - amazon-web-services

The policies attached to the IAM developers group I've set up are as follows:
However, launching new instances won't work. Just after a user in this group selects the key pair to associate with it, i.e. reaches the final step, they get the following message on the next page:
Launch Failed
You are not authorized to perform this operation. Encoded authorization failure message: WZzytnkJ4T3-nkMYslM...
What's preventing developers from launching new instances, given these policies?

It could be that the instance is being launched with an IAM Role, and the group does not have iam:PassRole permissions (which are outside of the ec2:* permissions space).
You should add a policy like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRoleToEC2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*"
    }
  ]
}
This says "Allow this user to pass any (*) role to an EC2 instance".
Actually, you should limit such permissions only to specific roles, otherwise a normal user could select an Admin role. Then, if they logged into the instance, they would have access to credentials that have Admin permissions on the whole AWS Account.
Alternatively, do not select a Role when launching the instance. It should then launch okay (assuming that this is the issue causing the error).

The user needs a PassRole permission.
A Role must be associated with the "Launch" of the EC2 instance.
The PassRole permission helps you make sure that a user doesn’t pass a role to an EC2 instance where the role has more permissions than you want the user to have.
As in the following example, if the EC2 launch requires access to S3, your user must be able to pass the S3 role required.
{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "arn:aws:iam::123456789012:role/S3Access"
}
Link to documentation:
https://aws.amazon.com/blogs/security/granting-permission-to-launch-ec2-instances-with-iam-roles-passrole-permission/

AWS IAM Role permission issue

We have just built a new Things Enterprise server hosted at AWS on an EC2 instance and created an application to use AWS IOT. We are getting the following error
"message": "User: arn:aws:sts::446971925991:assumed-role/Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ/i-095895d605fab3fa4 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93"
I have been told
What is the execution role of the TTES instance that is trying to assume the role? The role TTES needs to be able to assume that role. That will give the right permissions.
But I'm not sure what that means. I'm presuming I need to add / alter some permissions within an IAM role. Can someone point me in the right direction, please?
From the error message it seems that your IAM role for Amazon EC2 has no permissions to assume the role Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93.
To add such permissions manually you can do the following:
1. Go to IAM Console -> Roles.
2. In the Roles window, you can use the Search bar to locate the Things-Enterprise-Stack-Srv-StackIAMRole-DBHBSMSY05AQ role.
3. Once you find the role, click on Add inline policy.
4. Once the Create policy window shows, go to the JSON tab and add the following JSON policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::446971925991:role/Bosh-Parking-IOT-Stack-TheThingsStackRoleCD9FBAD2-C44RRJJ53M93"
    }
  ]
}
5. Then click Review Policy, name the policy (e.g. PolicyToAssumeRole) and click Create policy.
However, based on your policy names (e.g. Stack-Srv-StackIAMRole) it is possible that they have been created by CloudFormation. If this is the case, then manually changing the roles as described above is a bad practice and will lead to drift. Any changes to resources created by CloudFormation should be done using CloudFormation. Sadly, your question does not provide any details about the CloudFormation templates used, therefore it's difficult to comment on that more.

Understanding IAM Passrole

I couldn't understand the use of IAM PassRole. Can anyone explain with a simple example?
I am referring to the page https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html but couldn't make much sense out of it.
PassRole is a permission granted to IAM Users and resources that permits them to use an IAM Role.
For example, imagine that there is an IAM Role called Administrators. This role has powerful permissions that should not be given to most users.
Next, imagine an IAM User who has permissions to launch an Amazon EC2 instance. While launching the instance, the user can specify an IAM Role to associate with the instance. If the user — who is not an Administrator — were to launch an EC2 instance with the Administrators role, then they could login to the instance and issue commands using permissions from that role. It would be a way for them to circumvent permissions: while not being an administrator themselves, they could assign the IAM Role to a resource, and then use that resource to gain privileged access.
To prevent this scenario, IAM requires that the user be granted the iam:PassRole permission for the Administrators role. If the user does not have that permission, then they will not be permitted to launch the EC2 instance as described, or to assign that role to any other services. It gives them permission to pass a role to a service or resource.
Simply: when service B needs the ROLE, and A has the iam:PassRole permission for the ROLE, A can give the ROLE to B.
This is the permission granted for a user to be allowed to pass a role to a service during configuration; without this, a user cannot perform that binding. You can use this permission combined with resource ARNs to limit what roles the user can pass to the service.
If for example you have many applications with many different available IAM roles to choose from you might want to restrict the roles a user is able to pass to the service. You would be able to limit this scope using the below statements.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:GetRole",
      "iam:PassRole"
    ],
    "Resource": [
      "arn:aws:iam::<account-id>:role/EC2-WordpressRole",
      "arn:aws:iam::<account-id>:role/EC2-DatabaseRole"
    ]
  }]
}
In the above scenario there might also be an arn:aws:iam::<account-id>:role/EC2-AdminRole, but because this role grants an EC2 host permissions that this user should not be able to give to an EC2 instance, it is withheld from the EC2 list by the person who configured the permissions.

IAM Passrole not working (while assuming an IAM role)

I have 2 IAM roles in the same AWS account:
IAM_ROLE_1: which has EC2 launch permission with S3 read permissions
IAM_ROLE_2: which has only access to Lambda, with assume trust from IAM_ROLE_1
I am able to assume IAM_ROLE_2 from an instance which has IAM_ROLE_1 attached to it.
Now I want to read an S3 location (which IAM_ROLE_1 has access to) after assuming IAM_ROLE_2.
My understanding is that I can do that with "iam:PassRole".
Is this the correct understanding?
When I add the below to IAM_ROLE_1, and assume IAM_ROLE_2 and access the S3 bucket, it is still throwing an access denied error.
{
  "Sid": "allowpassrole",
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": [
    "arn:aws:iam::00000001:role/IAM_ROLE_2"
  ]
}
A set of credentials is only associated with one IAM User or IAM Role at any time. Thus, to make a call using permissions associated with IAM Role 1, you would need to use credentials associated with that Role (not IAM Role 2).
To use IAM Role 1, simply create an Amazon S3 client object without specifying credentials. It will then use IAM Role 1 that is associated with the instance.
iam:PassRole is used to permit a service to assume a role on your behalf. For example, when launching the Amazon EC2 instance with the Role set to IAM Role 1, you would need permission to PassRole with IAM Role 1. Without this permission, you would not be able to launch the EC2 instance with that role.
PassRole is not used to pass permissions 'between' roles.

Can we limit operations for an administrator in IAM?

Let's say I have a user, say User-A, that is assigned the following policy (who is essentially an admin user):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
Can I create another policy and associate it with User-A, so that User-A can't launch an EC2 instance? (I don't want to disassociate the above policy from User-A; because of some legacy reason, I only want to add rules/policies to a user.)
Moreover, can I limit the launch-EC2-instance operation for an AWS account root user? (See the following statement on the AWS IAM page.)
When you sign in as the root user, you have complete, unrestricted access to all resources in your AWS account, including access to your billing information and the ability to change your password.
If you can edit the existing policy, then you can change the permissions that are being granted (e.g. by using NotAction, as #bishop suggested).
If you cannot edit the existing policy, you can add another policy with "Effect": "Deny" and then list the actions that are not permitted.
As to the Root account... It can basically do anything. That is why the recommendation is to attach Multi-Factor Authentication to the account, then lock away the MFA device for emergency use only.
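The two threads above (the "AmazonEC2FullAccess won't launch" question and the "limit an administrator" question) are both decided by the same evaluation rule: an explicit Deny beats everything, an Allow is needed for each action the request makes, and an action that no statement matches is implicitly denied. The following added example, which is not from the answers above nor from AWS, is a deliberately small offline evaluator that shows both effects on constructed policies: `ec2:*` never matches `iam:PassRole`, so a launch with an instance role fails until a PassRole statement for that specific role is added, and a Deny statement layered on an `Allow *` policy blocks `ec2:RunInstances` without touching anything else. The account id, role names and the `EC2_ONLY` policy are constructed stand-ins (EC2_ONLY models only the `ec2:*` statement, not the full managed policy); Condition keys and NotResource are left out. (The encoded failure message in the question can be decoded with `aws sts decode-authorization-message --encoded-message ...`, which requires the `sts:DecodeAuthorizationMessage` permission and names the denied action directly.)

```python
import fnmatch

# Constructed sample values; not real accounts or roles.
ACCOUNT = "123456789012"
S3_ROLE = f"arn:aws:iam::{ACCOUNT}:role/S3Access"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/Administrators"
INSTANCE_ARN = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*"

# Stand-in for the "ec2:*" statement of a managed EC2 policy (not the managed policy itself).
EC2_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# PassRole scoped to one role, as recommended in the answers above.
PASS_S3_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": S3_ROLE}]}

# "Allow everything" policy from the administrator question.
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Additional Deny policy layered on top without editing ADMIN.
NO_LAUNCH = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"}]}

# NotAction variant for when the original policy can be edited.
ALL_BUT_LAUNCH = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "NotAction": "ec2:RunInstances", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # Action names are case-insensitive; resource ARNs are compared as given.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Simplified single-account IAM evaluation.

    Returns 'explicit deny' if any matching statement denies, 'allow' if one
    allows and none denies, otherwise 'implicit deny'. Supports Action,
    NotAction and Resource only.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "NotAction" in stmt:
                action_hit = not any(_matches(a, action, True)
                                     for a in _as_list(stmt["NotAction"]))
            else:
                action_hit = any(_matches(a, action, True)
                                 for a in _as_list(stmt.get("Action", [])))
            resource_hit = any(_matches(r, resource, False)
                               for r in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"


def can_launch_with_role(policies, role_arn):
    """A launch with an instance profile needs ec2:RunInstances on the
    instance AND iam:PassRole on that role; either missing fails the launch."""
    return (evaluate(policies, "ec2:RunInstances", INSTANCE_ARN) == "allow"
            and evaluate(policies, "iam:PassRole", role_arn) == "allow")


if __name__ == "__main__":
    print("ec2:* only, launch with S3Access:", can_launch_with_role([EC2_ONLY], S3_ROLE))
    print("ec2:* + PassRole(S3Access):", can_launch_with_role([EC2_ONLY, PASS_S3_ROLE], S3_ROLE))
    print("same user passing Administrators:", can_launch_with_role([EC2_ONLY, PASS_S3_ROLE], ADMIN_ROLE))
    print("admin + Deny RunInstances:", evaluate([ADMIN, NO_LAUNCH], "ec2:RunInstances", INSTANCE_ARN))
    print("admin + Deny, other action:", evaluate([ADMIN, NO_LAUNCH], "s3:GetObject", "arn:aws:s3:::bkt/key"))
```

The third print line is the point of scoping PassRole to a resource ARN: the same user who can launch with S3Access is implicitly denied when they select Administrators, because no statement matches that role ARN. Real IAM additionally evaluates permission boundaries, SCPs, session policies and Condition keys (for PassRole, `iam:PassedToService` is the usual one to add), which this toy evaluator ignores.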

How to assign IAM role to users or groups

I know how to create user, group and role in AWS IAM.
I can also attach policies to each of them.
For example, after selecting a group, you can go to permissions tab, and attach some policies to it.
However, I don't know how to attach a role to a user or group.
I looked on documentation and forums, but did not find anything, and appreciate your help.
You can't assign an IAM role to an IAM user or group; see the notes from this official AWS doc: https://aws.amazon.com/iam/faqs/
Q: What are IAM roles and how do they work?
AWS Identity and Access Management (IAM) roles provide a way to access AWS by relying on temporary security credentials. Each role has a set of permissions for making AWS service requests, and a role is not associated with a specific user or group. Instead, trusted entities such as identity providers or AWS services assume roles. For more information, see IAM roles.
It looks like it's not straightforward to attach an IAM role to an IAM user; follow https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html on how to do it.
In the past, I've created an IAM role for my EC2 instance, and when launching that instance I can choose that IAM role and my EC2 instance will have all the permissions set in that IAM role. Likewise you can assign a role to other EC2 services; this is the most used scenario of an IAM role.
To assign an IAM role to an IAM user, do the following:
1. Open the IAM Dashboard.
2. Select the role that you want to assign to an IAM user.
3. Edit the trust policy.
4. Add the ARN of the IAM user in the Principal section.
That's it. Now test it out using the Switch Role feature.
Follow the same procedure to assign an IAM role to an IAM group.
I'd be careful about modifying trust relationships; if they're poorly configured they can lead to your account or resource being compromised.
When granting explicit access to a user/group in the same account you should not be modifying the Trust Relationship of the role. To clarify further:
The roles should have a trust relationship of something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<YOUR ACC ID>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
What this essentially means is that I'm delegating permissions for this role to the account listed in "arn:aws:iam::<YOUR ACC ID>:root"; it's now up to the IAM operator of that account to grant access to this role using a policy such as this one:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": "<role arn>"
    }
  ]
}
This policy can be attached to a user or group and that user or the users in the group will be able to assume the role that has the trust relationship above.
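The two answers above differ on where to grant same-account access: one edits the role's trust policy to name the user, the other trusts the account root and grants sts:AssumeRole through an identity policy. The following added example, written for this page and not taken from either answer or from AWS, models the single-account rule that decides both cases: a trust policy that names the account root only delegates the decision, so the caller also needs an identity-based Allow for sts:AssumeRole on that role; a trust policy that names the caller's own ARN is sufficient on its own; an explicit Deny in the caller's identity policies wins either way; and a principal from another account is never admitted by a trust that names this account's root. The account id, role and user ARNs are constructed; permission boundaries, SCPs and Condition keys are not modelled.

```python
import fnmatch

# Constructed sample values; not real accounts, roles or users.
ACCOUNT = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/DeveloperRole"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"
OUTSIDER = "arn:aws:iam::999999999999:user/someone-else"

# Trust policy from the answer above: delegate to the whole account,
# and let identity policies decide who may actually assume the role.
TRUST_ACCOUNT_ROOT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "sts:AssumeRole"}]}

# Trust policy from the other answer: name one user directly.
TRUST_ALICE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": "sts:AssumeRole"}]}

# Identity policies attached to a user or group.
ALLOW_ASSUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
DENY_ASSUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> account-id
    return arn.split(":")[4]


def trust_allows(trust_policy, principal_arn):
    """'principal' if the trust policy names the caller's ARN, 'account' if it
    names the caller's account root (delegation only), else None."""
    result = None
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if principal == principal_arn:
                return "principal"
            if principal == f"arn:aws:iam::{_account_of(principal_arn)}:root":
                result = "account"
    return result


def identity_decision(identity_policies, role_arn):
    """Identity-policy outcome for sts:AssumeRole on role_arn:
    'explicit deny', 'allow' or 'implicit deny'."""
    allowed = False
    for policy in identity_policies:
        for stmt in _as_list(policy["Statement"]):
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            if not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in actions):
                continue
            resources = _as_list(stmt.get("Resource", []))
            if not any(fnmatch.fnmatchcase(role_arn, r) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            allowed = True
    return "allow" if allowed else "implicit deny"


def can_assume(trust_policy, identity_policies, principal_arn, role_arn):
    """Combine the role's trust policy with the caller's identity policies."""
    trust = trust_allows(trust_policy, principal_arn)
    if trust is None:
        return False                       # not trusted at all
    decision = identity_decision(identity_policies, role_arn)
    if decision == "explicit deny":
        return False                       # Deny wins even over explicit trust
    if trust == "principal":
        return True                        # named directly: trust alone suffices
    return decision == "allow"             # account root: identity Allow required


if __name__ == "__main__":
    print("alice, root trust + identity allow:", can_assume(TRUST_ACCOUNT_ROOT, [ALLOW_ASSUME], ALICE, ROLE_ARN))
    print("bob, root trust, no identity policy:", can_assume(TRUST_ACCOUNT_ROOT, [], BOB, ROLE_ARN))
    print("outsider with the same identity policy:", can_assume(TRUST_ACCOUNT_ROOT, [ALLOW_ASSUME], OUTSIDER, ROLE_ARN))
    print("alice, trust names her, no identity policy:", can_assume(TRUST_ALICE_ONLY, [], ALICE, ROLE_ARN))
```

The account-root pattern is the one the answer recommends because it keeps the decision in the identity policies you already manage per user and group; the trust policy then never needs editing when people join or leave. The identity policy's Resource should name the specific role ARN, as in the page's example, rather than `*`.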
A user can be placed in a group to gain the permissions associated with the group, or can assume a role to enter a session where the permissions are those of the role. Users have an access key and secret access key.
Groups are only used to provide permissions to users, i.e. a user is placed in a group.
Roles are a temporary set of permissions, i.e. a user assumes a role and is granted temporary credentials for the life of the session. Role sessions will have an access key, secret access key, and a session token.
An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.
It is clearly documented here.
https://aws.amazon.com/iam/faqs/