AWS Trust Assume Role from Group - amazon-web-services

I have quite a few users in an AWS Account - let's call it the Base account:
IAM:
groups:
admins:
user1
user2
user3
....
user56
I have created a second AWS account - let's call it the Dev account with a single Role with AdministratorAccess.
IAM:
Roles:
AdminRole
I tried to add a Trust Relationship between Base/admins and Dev/AdminRole with this Trust policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::************:group/admins" },
"Action": "sts:AssumeRole"
}
]
}
but got the following error:
An error occurred: Invalid principal in policy....
How do I allow users in Base/admins to assume the Dev/AdminRole?

You need to give access to the entire account from Dev/AdminRole and then restrict access from roles in the base account.

Related

AWS group user not allowed to assume role - access denied

I have a user and I'm trying to impersonate a role for running a service on Kubernetes. However, when I tried using STS to assume the role, I get the following error:
$ aws sts assume-role --role-arn "arn:aws:iam::{ACCOUNT_ID}:role/service-myservice" --role-session-name AWSCLI-Session
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::{ACCOUNT_ID}:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{ACCOUNT_ID}:role/service-myservice
I find this odd because this user belongs to a user group with the AdministratorAccess permission attached to it, which should give it access to anything on AWS. This is it:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
So, what am I doing wrong here?
What you have here is the IAM policy attached to this User, aka what this user is able to do.
You need to set the Trust Relationship as well. This defines which resources or principals are able to use this role/user. Could be Lambda, EC2 or, in your case, an IAM User.
See here for example.
The IAM User/Role (in that case, role) you want to assume must have the Trust Relationship as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account_id>:role/<role_name>"
},
"Action": "sts:AssumeRole"
}
]
}
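The two answers above describe the same two-sided rule: the role's trust policy must name the caller (or the caller's whole account), and the caller must separately be allowed sts:AssumeRole on that role by an identity-based policy. The following is an added example, not code from either question or answer, that models exactly that rule for the two situations on this page: the first question's group principal (which IAM rejects, because groups are not principals) and the second question's AdministratorAccess user who is nevertheless denied because the trust policy names somebody else. Account IDs, user names and the role name `AdminRole` are made up; the evaluator ignores Deny statements, conditions and SCPs.

```python
"""Toy model of the two checks behind a cross-account sts:AssumeRole.

Added example, not from the original posts. Account IDs and names are
constructed. It encodes the documented rule that BOTH the role's trust
policy and the caller's identity-based policies must allow the call; it
does not implement full IAM evaluation (no Deny, no Condition, no SCPs).
"""
import fnmatch

BASE = "111111111111"   # account that owns the users (constructed)
DEV = "222222222222"    # account that owns AdminRole (constructed)
ADMIN_ROLE_ARN = f"arn:aws:iam::{DEV}:role/AdminRole"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def validate_trust_policy(policy):
    """Problems that make IAM reject the document ('Invalid principal in policy').

    IAM groups are not principals and cannot appear in a Principal element.
    """
    problems = []
    for stmt in policy["Statement"]:
        for arn in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if ":group/" in arn:
                problems.append(f"group ARN is not a valid principal: {arn}")
    return problems


def _principal_matches(spec, caller_arn):
    """'arn:aws:iam::ACCOUNT:root' (or the bare account ID) covers every IAM
    identity in ACCOUNT; any other ARN must match the caller exactly."""
    account = caller_arn.split(":")[4]
    return spec in (account, f"arn:aws:iam::{account}:root") or spec == caller_arn


def trust_policy_allows(trust_policy, caller_arn):
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if any(_principal_matches(s, caller_arn)
               for s in _as_list(stmt["Principal"].get("AWS", []))):
            return True
    return False


def identity_policies_allow(policies, role_arn):
    """True if any attached identity policy allows sts:AssumeRole on role_arn."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] != "Allow":
                continue
            if any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt["Action"])) \
               and any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
                return True
    return False


def can_assume(caller_arn, identity_policies, trust_policy, role_arn):
    """Both sides must say yes; identity_policies includes group-inherited ones."""
    return trust_policy_allows(trust_policy, caller_arn) and \
        identity_policies_allow(identity_policies, role_arn)


# --- constructed sample policies -------------------------------------------
# First question as posted: a group as principal (rejected by IAM).
BROKEN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{BASE}:group/admins"},
    "Action": "sts:AssumeRole"}]}

# Working pattern: trust the whole Base account, restrict on the Base side ...
TRUST_BASE_ACCOUNT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{BASE}:root"},
    "Action": "sts:AssumeRole"}]}

# ... with this identity policy attached to the Base 'admins' group.
ADMINS_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ADMIN_ROLE_ARN}]}

# Second question: AdministratorAccess on the caller is not enough when the
# trust policy names a different principal.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}
TRUST_OTHER_ROLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{DEV}:role/some-other-role"},
    "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(validate_trust_policy(BROKEN_TRUST))
    user1 = f"arn:aws:iam::{BASE}:user/user1"
    print(can_assume(user1, [ADMINS_GROUP_POLICY], TRUST_BASE_ACCOUNT, ADMIN_ROLE_ARN))
    print(can_assume(user1, [], TRUST_BASE_ACCOUNT, ADMIN_ROLE_ARN))
```

Because the trust side delegates to the whole Base account, the only thing that keeps user57 (not in `admins`) out of `AdminRole` is the absence of the group's identity policy, so membership of that group is now a privileged change worth alerting on; in a real account you would also add a Condition (for example on `aws:PrincipalArn`) to the trust policy rather than relying on the source account alone.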

Allow any user who has assumed a role in one AWS account to then assume a role in another

I am trying to configure a trust relationship for an AWS IAM role in account 111111111111 so that a user with an assumed role from account 222222222222 can assume it. However, the sts:AssumeRole action is failing because AWS says that I'm not authorised.
Here is the trust relationship that I have set. I've had to define an overly permissive principal because AWS do not allow the use of wildcards in role session principals. I am however attempting to use a condition to restrict the principal.
Note that the AWS principal explicitly matched as arn:aws:iam::222222222222:role/my_lamda_function_role is allowed to assume that role - it seems as though the only issue is with wildcards.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:sts::222222222222:assumed-role/my_admin_role_name/*",
"arn:aws:iam::222222222222:role/my_lamda_function_role"
]
}
}
}
]
}
When I try to assume the role I see the following error.
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::222222222222:assumed-role/my_admin_role_name/my_session_name is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/my_role_that_admins_can_assume
How can I amend my trust relationship to get it working?
I believe that my issue is related to my use of Condition in the policy, because when I explicitly add my STS session to the Principal I can assume the role as expected.
However, I wish for all sessions that assume the role my_admin_role_name to be allowed, so this approach is not viable and that is why I'm trying to use Condition with a wildcard.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:sts::222222222222:assumed-role/my_admin_role_name/my_session_name",
"arn:aws:iam::222222222222:role/my_lamda_function_role"
]
},
"Action": "sts:AssumeRole"
}
]
}
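The question above has no answer on this page, so the following is an added example rather than anyone's posted solution. It encodes the documented behaviour of the global condition key `aws:PrincipalArn`: when a request is made with role credentials, the key holds the role's IAM ARN (`arn:aws:iam::ACCOUNT:role/NAME`), never the STS session ARN (`arn:aws:sts::ACCOUNT:assumed-role/NAME/SESSION`). The `Principal` element, by contrast, accepts session ARNs literally, which is why the second policy in the question works and the first does not. The ARNs are the ones from the question; the matcher is a small re-implementation of the `ArnLike` operator, not AWS code.

```python
"""Why ArnLike on aws:PrincipalArn never matches an assumed-role session ARN.

Added example; not part of the question above. Behaviour modelled: the
aws:PrincipalArn context key contains the role ARN for role sessions,
while the Principal element is matched against the session ARN as written.
"""
import re


def arn_like(pattern, value):
    """IAM ArnLike: '*' matches any run of characters, '?' a single one.

    Case-sensitive, like the IAM operator (ArnLike, not StringLike).
    """
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def principal_arn_context(caller_arn):
    """Value IAM places in aws:PrincipalArn for this caller.

    Session ARNs fold back to the role ARN; user and role ARNs are unchanged.
    """
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", caller_arn)
    if m:
        account, role = m.groups()
        return f"arn:aws:iam::{account}:role/{role}"
    return caller_arn


def condition_allows(arnlike_patterns, caller_arn):
    """Evaluate {"ArnLike": {"aws:PrincipalArn": [...]}} for caller_arn."""
    context_value = principal_arn_context(caller_arn)
    return any(arn_like(p, context_value) for p in arnlike_patterns)


def principal_element_allows(principal_arns, caller_arn):
    """The Principal element matches a listed session ARN literally."""
    return caller_arn in principal_arns


# --- ARNs taken from the question -------------------------------------------
SESSION = "arn:aws:sts::222222222222:assumed-role/my_admin_role_name/my_session_name"
LAMBDA_ROLE = "arn:aws:iam::222222222222:role/my_lamda_function_role"

# Patterns exactly as written in the failing trust policy.
ORIGINAL_PATTERNS = [
    "arn:aws:sts::222222222222:assumed-role/my_admin_role_name/*",
    LAMBDA_ROLE,
]

# Patterns that match what aws:PrincipalArn actually contains: every session
# of my_admin_role_name is covered by the single role ARN, no wildcard needed.
FIXED_PATTERNS = [
    "arn:aws:iam::222222222222:role/my_admin_role_name",
    LAMBDA_ROLE,
]

if __name__ == "__main__":
    print(principal_arn_context(SESSION))
    print(condition_allows(ORIGINAL_PATTERNS, SESSION))  # False
    print(condition_allows(FIXED_PATTERNS, SESSION))     # True
```

Two practitioner notes on the fixed policy: keep the `Condition` but replace `"AWS": "*"` with `"AWS": "arn:aws:iam::222222222222:root"`, so that a later edit which drops the condition leaves the role assumable by one account rather than by every AWS account; and remember that the `Resource` in the error message (`my_role_that_admins_can_assume`) must also appear in an identity policy attached to `my_admin_role_name`, since the calling role needs its own `sts:AssumeRole` permission as well.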

Configure AWS Role to switch between Organization Accounts

I'm trying to follow the instructions in How can I allow a Group to assume a Role?, but run into the following error when I try to switch roles:
Invalid information in one or more fields. Check your information or contact your administrator.
In this scenario I have three AWS Accounts with example ids
CompanyMain - 000000000001
CompanyProd - 000000000002
CompanyDev - 000000000003
Where the main account has an organization that includes the prod and dev accounts
What I'd like to do is set up a single set of IAM users on the main account and allow them to login and switch between either of the two subaccounts, instead of forcing everyone to have three separate logins.
Here's what I've done so far all on the CompanyMain account:
Create Role for accessing Prod Account
Set trusted Entity to "Another AWS Account"
Set Permission Policy to AdministratorAccess
So when I go to Role > "Trust Relationship" > Show Policy Document - it looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::000000000002:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
With the name "company-prod-admin" so the ARN is like this:
arn:aws:iam::000000000001:role/company-prod-admin
This also comes with the link to switch roles as follows:
https://signin.aws.amazon.com/switchrole?roleName=company-prod-admin&account=000000000001
Create a Policy to Assume this Role
Service: STS
Actions: AssumeRole
Role ARN: arn:aws:iam::000000000001:role/company-prod-admin
So the Policy Document looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::000000000002:root"
}
]
}
Create Admin Group
Create a group on the main account called admin and attach the policy we just created
Create IAM User
Create user on the main account and place in admin group
Sign in as IAM User
I can now sign in as an IAM user against the main account
From there, I'd like to switch roles by using the role link or going to https://signin.aws.amazon.com/switchrole and entering the account / role info
However, I get the error that the following info is invalid
Org Setup Question
How can I create roles that across organizations? I'm a little confused as to where the role / permission needs to originate between the three accounts, but ideally I'd like to have a way for someone to login to one set of permissions for the whole organization.
You need to do the IAM policy the other way around: if you want to be able to access CompanyProd from CompanyMain, then you need to create an IAM policy in CompanyProd like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::000000000001:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Next you log in to MainCompany and go to Switch Role.
In the Account field you write 000000000002; in the Role field you write root.
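As an added example (not code from the question or the answer above), the following takes the three account IDs from the question and spells out where each piece of a switch-role setup has to live: the trust policy goes on the role inside the member account and names the main account; the identity policy goes on the main-account admin group and lists role ARNs (the `Resource` of `sts:AssumeRole` is always a role ARN, never an account `:root`); and the console link's `account=` parameter is the account that owns the role while `roleName=` is the role's name. `lint_setup` flags the layout the question describes. The role name `org-admin` is hypothetical.

```python
"""Where each piece of a cross-account switch-role setup must live.

Added example, not from the question or answer. Account IDs come from the
question; the role name is hypothetical. lint_setup returns an empty list
when the layout is right and one finding per mistake otherwise.
"""
import re

MAIN = "000000000001"
MEMBERS = {"CompanyProd": "000000000002", "CompanyDev": "000000000003"}
ROLE_NAME = "org-admin"   # hypothetical: same role name in every member account
ROLE_ARN_RE = re.compile(r"arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)")


def trust_policy_for_member(main_account):
    """Lives on the role in the MEMBER account; trusts the main account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{main_account}:root"},
        "Action": "sts:AssumeRole"}]}


def assume_role_policy(member_accounts, role_name):
    """Lives on the MAIN-account admin group; Resource entries are role ARNs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [f"arn:aws:iam::{acct}:role/{role_name}"
                     for acct in member_accounts.values()]}]}


def switch_role_url(role_arn, display_name=None):
    """Console link: account= is the account that OWNS the role."""
    m = ROLE_ARN_RE.fullmatch(role_arn)
    if not m:
        raise ValueError(f"not a role ARN: {role_arn}")
    account, name = m.groups()
    url = f"https://signin.aws.amazon.com/switchrole?roleName={name}&account={account}"
    return url + (f"&displayName={display_name}" if display_name else "")


def lint_setup(role_arn, trust_policy, identity_policy, source_account, target_account):
    """Findings for a role you want to switch into from source_account."""
    findings = []
    m = ROLE_ARN_RE.fullmatch(role_arn)
    role_account = m.group(1) if m else None
    if role_account != target_account:
        findings.append(f"role {role_arn} lives in {role_account}, "
                        f"but you are switching into {target_account}")
    principals = trust_policy["Statement"][0]["Principal"]["AWS"]
    principals = [principals] if isinstance(principals, str) else principals
    if f"arn:aws:iam::{source_account}:root" not in principals:
        findings.append(f"trust policy does not trust the source account {source_account}")
    for stmt in identity_policy["Statement"]:
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        for r in resources:
            if not ROLE_ARN_RE.fullmatch(r):
                findings.append(f"sts:AssumeRole Resource must be a role ARN, got {r}")
    return findings


# The layout from the question: everything was created in the main account.
QUESTION_ROLE = f"arn:aws:iam::{MAIN}:role/company-prod-admin"
QUESTION_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{MEMBERS['CompanyProd']}:root"},
    "Action": "sts:AssumeRole"}]}
QUESTION_IDENTITY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": f"arn:aws:iam::{MEMBERS['CompanyProd']}:root"}]}

if __name__ == "__main__":
    for finding in lint_setup(QUESTION_ROLE, QUESTION_TRUST, QUESTION_IDENTITY,
                              MAIN, MEMBERS["CompanyProd"]):
        print("finding:", finding)
    for name, acct in MEMBERS.items():
        print(name, switch_role_url(f"arn:aws:iam::{acct}:role/{ROLE_NAME}", name))
```

Trusting the main account's `:root` makes every IAM user in the main account a candidate for the member-account role; what actually limits it to the `admin` group is the identity policy in the main account, so treat changes to that group's membership and policies as privileged operations.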

API Gateway resource policy: specify IAM role as AWS principal

I am trying to set up an API Gateway endpoint with a resource policy, which allows access to a specific IAM role in my account. The IAM role is cross-account, set up with a trust policy which allows AssumeRole to a specific IAM user principal from another account.
In the API Gateway resource policy, when I set AWS principal to the role ARN: arn:aws:iam::********:role/myRole, I get the following 403 error when invoking the API:
User: arn:aws:sts::********:assumed-role/myRole/mySession is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-west-2:********:********/test/POST/echo
But, if I change the AWS principal to be the temporary STS user ARN: arn:aws:sts::********:assumed-role/myRole/mySession, then I can invoke the API successfully.
Here's the resource policy that doesn't work:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::********:role/myRole"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:********:********/*"
}
]
}
Here's the resource policy that works:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::********:assumed-role/myRole/mySession"
},
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:us-west-2:********:********/*"
}
]
}
Can IAM roles be used as AWS principals for API Gateway resource policy?
Based on the documentation https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-policy-language-overview.html,
Principal – The account or user who is allowed access to the actions
and resources in the statement. In a resource policy, the principal is
the IAM user or account who is the recipient of this permission.
Looks like roles cannot be added as a principal.
P.S: Spent two days trying to restrict access using roles, but couldn't get it to work.

does not have permission to perform (sdb:ListDomains)

When I run the Kinesis sample, I get this error:
Caught Exception: User (arn:aws:iam::xxxxxxxxxxxx:user/user_name) does not have permission to perform (sdb:ListDomains) on resource (arn:aws:sdb:us-west-2:xxxxxxxxxxxx:domain/). Contact account owner.
What is the policy name that I need to attach for the user in order to grant access to perform (sdb:ListDomains)?
Only 6 AWS managed policies mention sdb explicitly:
- AmazonElasticMapReduceReadOnlyAccess
- AmazonElasticMapReduceRole
- AmazonElasticMapReduceforEC2Role
- ReadOnlyAccess
- AmazonElasticMapReduceFullAccess
- SecurityAudit
ReadOnlyAccess has sdb:List* attached so it seems like the most sensible if you are running a sample app.
Otherwise create your own policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sdb:ListDomains"
],
"Effect": "Allow",
"Resource": "*"
}
]
}