Given an IAM role created with this permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Effect": "Allow",
"Sid": "First"
}
]
}
is there anything that tells AWS that only lambda functions in this account should be able to assume the role. I want AWS lambda to be able to assume this role when running functions in this account, but only lambda functions running in this AWS account - not lambda functions running in other random AWS account that happen to discover the ARN of this IAM role.
If it is the case that using this configuration allows any lambda function running in any AWS account to assume this role, then how can this policy be amended to only allow lambda functions running in my account to assume this role.
"Service": "lambda.amazonaws.com" tells that your IAM role can only be assumed by Lambda.
If you want to grant permissions to another account to assume the role, your IAM policy for the role may look like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AccountNumberThatCanAssumeTheRole>:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Related
I am trying to allow a user to assume a role on AWS. I attached an assume role policy to a group where the IAM user belongs so that they can assume a particular role. The problem is that the user now uses SSO to login and and is no longer allowed to login into through console with the IAM user credentials, therefore the user is unable to assume the role. How can I configure a user with SSO login to assume an existing IAM role? When i created the Assume role policy I chose both AssumeRole and AssumeRoleWithSaml. But it's still not working.
This is what the AssumeRole policy looks like
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithSAML"
],
"Resource": "arn:aws:iam::xxxxxxxxxxxx:role/service-role/KinesisFirehoseServiceRole--us-east-1-xxxxxxxxxxxxx"
}
]
The Trust relationship for the role looks like this
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
You need to specifically allow that user / role to be able to assume that role. Right now, the Principal is set to only allow the "firehose service" to assume that role.
The 2nd problem is that you need to specifically allow a SSO account to be able to access it. You'll need to get the ARN of your current SSO user session. To get this you should run aws sts get-caller-identity
You should get something like this
{
"UserId": "BROA5DAM2TACHAA38V9J1:daryl.teo#appetiser.com.au",
"Account": "1234567890",
"Arn": "arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abe68abec87ew/something.username"
}
Or a 1 liner aws sts get-caller-identity --output text --query Arn
Then take that value and add it to your policy as an additional policy statement.
{
"Version": "2012-10-17",
"Statement":
[
{
"Effect": "Allow",
"Principal":
{
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal":
{
"AWS": "arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abe68abec87ew/something.username"
},
"Action": "sts:AssumeRole"
},
]
}
And now you can use:
aws sts assume-role --role-arn=arn:aws:iam::123456823432:role/NameOfYourRole --role-session-name=role-session-name
I managed to enable SSO users to assume a role in the account they were authenticated to by using the following. Note that you'll need to replace ${ACCOUNT_ID}, ${SSO_ROLE_NAME}, and ${ASSUMABLE_ROLE_NAME}. You may, of course, need to repackage the bits.
aws iam create-role --role-name ${ASSUMABLE_ROLE_NAME} --assume-role-policy-document file://policy.json --profile $PROFILE
policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${ACCOUNT_ID}:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::${ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_${SSO_ROLE_NAME}_*",
"arn:aws:iam::${ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_${SSO_ROLE_NAME}_*"
]
}
}
}
]
}
Thanks to everyone that responded. I was able to complete the task using this instructions. google saml sso with AWS
So we create AWS kinesis in account A and create the role with only putRecord permission and then we give the role to account B where their lambda assumes the role and accordingly sends the data in.
But the problem here is the trust policy which is having root access and anyone in account B can assume the role and start pushing data
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT2:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Can we reduce the scope to Account B particular service (lambda function) and no other should service should push data?
anyone in account B can assume the role
No, that's does not work that way. Any IAM entity (user, role) in account B which wants to access that role, still needs explicit IAM permissions to do so.
If you want only the lambda to assume the role, you have to use lambda executone role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "<arn-of-lambda-exec-role-from-acc-B-to-assume-the-role"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Am facing an access issue when trying to update record set using lambda function.
Lambda - Account A
Route53 - Account B
I have an IAM role attached to lambda in Account A with an assume role permission to an IAM role in Account B. The IAM role in account B has access to update the record set in Account B.
When am triggering lambda, am receiving user is not authorized to access this resource.
Can someone help me, if i'm missing anything here or do I need any additional setup.
You are using a Lambda function in Account-A to call Route 53 in Account-B.
This will require:
An IAM Role (Role-A) in Account-A that is assigned to the Lambda function. It should grant permission to call AssumeRole(), with the Resource set to the ARN of Role-B in Account-B:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<Account-B>:role/role-b"
}
]
}
And with this Trust Relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
An IAM Role (Role-B) in Account-B that has permission to call Route 53. It should also have a trust policy allowing it to be assumed by Role-A in Account-A:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "route53:*",
"Resource": "*"
}
]
}
(This is an overly powerful policy. It would be better to limit it to the specific Route 53 actions that are required.)
And this Trust Relationship (pointing to the Role created in the previous step):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<Account-A>:role/role-a"
},
"Action": "sts:AssumeRole"
}
]
}
You need to use STS to get a token to call Route53 on Account B. Here are the docs on STS in boto3: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts.html#STS.Client.assume_role
You'll get back a credential that you will use to make the call to Route53.
I need to assume a cross account role to get access to an ElasticSearch domain for logging on AWS. Here's what I've done:
First, I have created a cross account role in ACCOUNT1. The role name is LoggerAccessToES and the trust relationship is something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::ACCOUNT1:root",
"arn:aws:iam::ACCOUNT2:root"
]
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Then, on ACCOUNT2, I have created a Lambda function to assume the above role with this code:
sts_client = boto3.client('sts', region_name=Config.AWS_ES_REGION)
assumed_role_object=sts_client.assume_role(
RoleArn="arn:aws:iam::ACCOUNT1:role/LoggerAccessToES",
RoleSessionName="AssumeLoggerAccessToESSession1"
)
When I invoke the lambda (basically the lambda is attached to an SNS topic), I get the error:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
I've already tried everything was suggested by other guys in other questions and I also googled the problem but I couldn't find the resolution. What am I doing wrong here?
From what i understand, you want to assume a role in Account 1 using the lambda in account 2.
This would require two roles to be created -
The first role needs to be created in the Account 2 which is to be attached to the Lambda. This role needs to have the following permission attached -
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT1:role/LoggerAccessToES"
}
}
The above policy can be added to your existing lambda execution role.
For the second part, only the trust relationship of the Role LoggerAccesstoEs needs to be addedin Account 1 shown below-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT2:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
The first role policy allows the lambda to use the AssumeRole.
The second policy allows the Account 1 to trust the AssumeRole request from Account 2.
I have two AWS accounts(Account A & B). I want to allow few IAM users of Account B to access resources of Account A via AWS IAM roles.
I have created the role and it works fine. However, I see that any IAM user who gets hold of the role name is able to switch roles and access the resources.
Is there a way to allow only specific users of Account B to be able to switch to the role?
The trust policy statement is as follows-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Account-B:root"
},
"Action": "sts:AssumeRole"
}
]
}
You can add the users who should be restricted to assume the role to a group. Then you can attach IAM policy to the IAM group with an explicit Deny.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::Account_A_ID:role/Rolename"
}
}
http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html#tutorial_cross-account-with-roles.html#tutorial_cross-account-with-roles-2