This message was originally posted on the AWS Developer Forums, but it seems like the AWS crowd is on SO, so I'm duplicating it here.
Hi there, I'm an absolute AWS beginner so I'll try to be as clear as possible.
I'm trying to use the JS API to allow any user on my site to upload videos to S3 (this works well) and then convert the uploaded files to other formats (with Elastic Transcoder).
I've set up:
an input (not public) and an output (public) buckets on S3. The input receives the user-submitted videos, that part works :)
an Elastic Transcoder pipeline (video-converter-test-pipeline-01)
a federated identity on Cognito (video_converter_test_02)
matching Auth and Unauth roles on IAM (Cognito_video_converter_test_02Auth_Role and Cognito_video_converter_test_02Unauth_Role)
The pipeline has the following permission summary: "The following IAM roles have been granted access to this pipeline: arn:aws:iam::529773801731:role/Elastic_Transcoder_Default_Role"
Cognito_video_converter_test_02Unauth_Role has two attached policies:
oneClick_Cognito_video_converter_test_02Unauth_Role_1522923667877
video-converter-policy, that I made myself.
Here's its JSON representation:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "elastictranscoder:CreateJob",
"Resource": [
"arn:aws:elastictranscoder:*:*:pipeline/*",
"arn:aws:elastictranscoder:*:*:preset/*"
]
}
]
}
Here's how I try to create a transcoding job using the JS API:
function createJob(uploadedFileKey) {
console.log("Create job", uploadedFileKey);
var params = {
PipelineId: PipelineId,
Input: {
Key: uploadedFileKey
},
Output: {
PresetId: PresetId
}
};
elastictranscoder.createJob(params, function (err, data) {
if (err) console.error(err, err.stack); // an error occurred
else console.log(data); // successful response
});
}
When executing it, I get the following error:
Error: User: arn:aws:sts::529773801731:assumed-role/Cognito_video_converter_test_02Unauth_Role/CognitoIdentityCredentials is not authorized to perform: elastictranscoder:CreateJob on resource: arn:aws:elastictranscoder:eu-west-1:529773801731:pipeline/1522763370759-mmowmr
I tried using IAM Policy Simulator to understand what was wrong, but when doing so with the same parameters, I get "allowed"...
I'm sure I'm doing something wrong here, but can't understand what. I've tried many things but nothing worked. Any help would be appreciated :)
Thanks in advance, bye!
I contacted AWS Developer Support and the solution seems to be to have these in the IAM Policy:
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "cognito-sync:*",
"Resource": "*"
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "mobileanalytics:PutEvents",
"Resource": "*"
}
Related
I have a simple function that returns an item of text.
When I set auth to NONE it works fine.
When I set auth to AWS_IAM and create the resource based policy within the permissions section of AWS Lambda I set the following:
"Version": "2012-10-17",
"Id": "default",
"Statement": [
{
"Sid": "sid8",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxx:user/xxxxxxxxxx"
},
"Action": "lambda:InvokeFunctionUrl",
"Resource": "arn:aws:lambda:eu-west-1:xxxxxxxxx:function:simpleFunction",
"Condition": {
"StringEquals": {
"lambda:FunctionUrlAuthType": "AWS_IAM"
}
}
}
]
}
On this I get a forbidden error.
Every demo / example on the internet uses NONE for auth.
I have also tried adding the lambda:InvokeFunctionUrl to the IAM policy of the user for the specified resource but still getting a forbidden error.
Am I missing something or does this aspect of the new function not work?
The problem is that when you are using IAM_AUTH you're required to sign your requests with SigV4. Essentially, this is identical to using API Gateway with IAM_AUTH type.
There are multiple ways of signing requests you can even use botocore functionality to do so. The easiest would be to use awscurl or postman, also check this doco that confirms this requirement https://docs.aws.amazon.com/lambda/latest/dg/urls-invocation.html
I am trying to enable SMS message delivery logs in AWS SNS. But no matter what I do I get this error:
Couldn't set text messaging attributes. Error code: AuthorizationError
- Error message: You are not authorized to perform actions for the provided bucket
I have tried numerous IAM roles (including admin access role) and I am logged in as the root account owner.
What might I be missing? What can I try?
Thank you!
I found this specific documentation that solved it for me: https://docs.aws.amazon.com/sns/latest/dg/sms_stats_usage.html#example_bucket_policy
The key is that the bucket policy needs to list sns.amazonaws.com as the principal, and really only needs to allow these 3 actions to finish configuring SMS:
s3:GetBucketLocation
s3:ListBucket
s3:PutObject
{
"Version": "2012-10-17",
"Id": "Policy1653549854620",
"Statement": [
{
"Sid": "Stmt1653549853470",
"Effect": "Allow",
"Principal": {
"Service": "sns.amazonaws.com"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::BUCKETNAME"
}
]
}
I've recently setup AWS SES and continue to run into the following error when sending email from a local application.
User `arn:aws:iam::REDACTED:user/mail_user' is not authorized to perform `ses:SendEmail' on resource `arn:aws:ses:us-east-1:REDACTED:identity/mail#REDACTED.COM'
I've setup the below policy for the email mail#REDACTED.COM
{
"Version": "2012-10-17",
"Id": "SampleAuthorizationPolicy",
"Statement": [
{
"Sid": "AuthorizeEmail",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::REDACTED:user/mail_user"
},
"Action": [
"ses:SendEmail",
"ses:SendRawEmail"
],
"Resource": "arn:aws:ses:us-east-1:REDACTED:identity/mail#REDACTED.COM"
}
]
}
Any suggestions as to why I'm continuing to receive the unauthorized error?
To resolve this issue I created an inline policy for the user via IAM (the permissions tab under the User).
I granted the following permissions to resource arn:aws:ses:us-east-1:REDACTED:identity/mail#REDACTED.COM
SendEmail
SendRawEmail
I did not need to create an identity policy via the SES management panel.
Alright, so I currently have almost everything working by following this guide here and pieces of several others.
https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/
However, instead of giving users direct access to the DynamoDB, I am running it through an API Gateway and then a Lambda Function using an Authorization header and the Cognito session id.
I have that part working.
In my lambda function I call the update function
const data = await documentClient.update(params).promise();
I have AWSLambdaBasicExecutionRole policy and the following policy added to my lambda function role to allow the row level access for Update
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-2:mydynamodbid:table/userdata"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": "${cognito-identity.amazonaws.com:sub}"
}
}
}
]
It works fine with the AmazonDynamoDBFullAccess but I am not sure that is accomplishing what I am looking for as I think it just completely bypasses the condition.
I am getting the following error though
"User: arn:aws:sts::**********:assumed-role/db-crud/update-user-info-by-id is not
authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:us-east-
2:************:table/userdata"
Has anyone encountered anything like this or see where I am possibly going wrong?
This is the flow I am going for, and this is related to step 6
I want to give access to IAM users from other accounts to be able to invoke my API.
I have these configurations in my API Gateway resource methods:
Authorization type: AWS_IAM (I tried with Auth type None as well..)
And Resource Policy defined as:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_2>:user/ApiUser"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>/*/*/*"
}
]
}
I have also given invoke permissions to the IAM user of the other account:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": "arn:aws:execute-api:us-west-2:<ACCOUNT_1>:<API_ID>:test/GET/*"
}
]
}
I have deployed the API to a stage named test.
Still, I see the below error when I invoke the API with the credentials from the other account's user:
{
"message": "User: arn:aws:iam::<ACCOUNT_2>:user/ApiUser is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-<ACCOUNT_1>:<API_ID>/test/GET/foo/bar"
}
What am I missing here?
I followed this guide:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-resource-policies-examples.html
This has bitten me before, and may be your issue too.
After you SAVE your resource policy, you must ALSO deploy your API.
In the menu on the left, click up one level
Then under ACTIONS, select DEPLOY API