How do I create an IAM role inside a SAM template, the same way I did in my SAM package?
I tried this as follows:
"lambdaFunctionRole": {
  "Type": "AWS::IAM::Role",
  "Properties": {
    "AssumeRolePolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "lambda.amazonaws.com",
              "apigateway.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    },
    "ManagedPolicyArns": [
      {
        "Ref": "lambdaBasePolicy"
      }
    ],
    "Policies": [
      {
        "PolicyName": "root",
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
              ],
              "Resource": "arn:aws:logs:*:*:*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:*",
                "dynamodb:*",
                "iam:ListRoles",
                "ses:*",
                "events:*"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    ]
  }
}
It throws this error: com.amazonaws.serverlessappsrepo.template.InvalidTemplateException: Resource with name [lambdaFunctionRole] is invalid. AWS::Serverless::Role is not a supported Serverless Apps Repository Type.
When publishing to the Serverless app repo, you need to take care to use only the supported resources in your SAM template.
In your case, you can skip creating the lambdaFunctionRole as a standalone resource and just create it inline in your function resource definition.
"lambdaFunction": {
  "Type": "AWS::Serverless::Function",
  "Properties": {
    "Policies": [
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "s3:*",
              "dynamodb:*",
              "iam:ListRoles",
              "ses:*",
              "events:*"
            ],
            "Resource": "*"
          }
        ]
      }
    ]
  }
}
Notice that I've only copied the PolicyDocument part of the Policies in the Role. See the Policies section in the SAM spec.
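The transformation the answer describes, carried out on the question's template as an added example (this is not code from the question, the answer, or the SAM project). It lifts each PolicyDocument out of the standalone role into the function's Policies property, drops the standalone role, and runs a least-privilege check over the result, since the inlined document pairs service-wide wildcards such as s3:* with Resource "*". The template is constructed from the question's resources; the function's Handler, Runtime and CodeUri values are placeholders.

```python
"""Move a standalone AWS::IAM::Role's inline policies into an
AWS::Serverless::Function, as the answer above describes.

Added example, not code from the question or answer. The template is
constructed from the question's resources; Handler, Runtime and CodeUri
are placeholders.
"""
import copy

LOG_STATEMENT = {
    "Effect": "Allow",
    "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "arn:aws:logs:*:*:*",
}
BROAD_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:*", "dynamodb:*", "iam:ListRoles", "ses:*", "events:*"],
    "Resource": "*",
}

# Constructed template: the question's role plus a function that references it.
TEMPLATE = {
    "Resources": {
        "lambdaFunctionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Principal": {"Service": ["lambda.amazonaws.com"]},
                                   "Action": "sts:AssumeRole"}],
                },
                "ManagedPolicyArns": [{"Ref": "lambdaBasePolicy"}],
                "Policies": [{"PolicyName": "root",
                              "PolicyDocument": {"Version": "2012-10-17",
                                                 "Statement": [LOG_STATEMENT, BROAD_STATEMENT]}}],
            },
        },
        "lambdaFunction": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "index.handler",  # placeholder
                "Runtime": "python3.9",      # placeholder
                "CodeUri": "./src",          # placeholder
                "Role": {"Fn::GetAtt": ["lambdaFunctionRole", "Arn"]},
            },
        },
    }
}


def inline_role_policies(template, function_name, role_name):
    """Return (new_template, managed_policy_arns).

    Each PolicyDocument from the role's Policies list becomes an entry in the
    function's Properties.Policies, the explicit Role reference is dropped so
    SAM generates the execution role itself, and the standalone role resource
    is removed. ManagedPolicyArns are returned separately for the caller to
    handle; the input template is left untouched.
    """
    t = copy.deepcopy(template)
    resources = t["Resources"]
    role_props = resources[role_name]["Properties"]
    fn_props = resources[function_name].setdefault("Properties", {})
    fn_props["Policies"] = [p["PolicyDocument"] for p in role_props.get("Policies", [])]
    fn_props.pop("Role", None)
    del resources[role_name]
    return t, list(role_props.get("ManagedPolicyArns", []))


def broad_statements(policy_document):
    """Least-privilege check: actions in Allow statements that pair a
    service-wide wildcard (e.g. s3:*) with Resource "*"."""
    hits = []
    for stmt in policy_document.get("Statement", []):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and "*" in resources:
            hits.extend(a for a in actions if a.endswith(":*"))
    return hits


if __name__ == "__main__":
    new_template, managed = inline_role_policies(TEMPLATE, "lambdaFunction", "lambdaFunctionRole")
    for doc in new_template["Resources"]["lambdaFunction"]["Properties"]["Policies"]:
        print("service-wide wildcards on Resource '*':", broad_statements(doc))
    print("managed policy ARNs still to be attached:", managed)
```

The check reports s3:*, dynamodb:*, ses:* and events:* for the inlined document; narrowing those to the bucket, table, identity and rule ARNs the function actually touches is the change a reviewer would ask for before the application is published.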
Related
I am trying to implement an AWS tagging policy at the AWS Organization level.
This will cover many AWS services but the immediate issue is related to EC2.
This policy results in an error when I try to use the AWS CLI command: ec2 run-instance.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyResourceCreationSCP",
      "Effect": "Deny",
      "Action": [
        "ec2:Create*",
        "ec2:Run*",
        "elasticfilesystem:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/project": "true"
        }
      }
    }
  ]
}
However, this policy succeeds.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyResourceCreationSCP",
      "Effect": "Deny",
      "Action": [
        "ec2:Create*",
        "elasticfilesystem:Create*"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/project": "true"
        }
      }
    },
    {
      "Sid": "DenyResourceCreationSCPEC2",
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstance"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/project": "true"
        }
      }
    }
  ]
}
Can someone please explain why the resource condition with the "*" full wildcard does not work for EC2 RunInstance?
Why do the volume, instance, security-group and network-interface resource types need to be explicit?
Thanks
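A small model of how an SCP Deny with a Null condition is applied to a multi-resource call such as ec2:RunInstances, added here as an example (not code from the question). It evaluates the three shapes of the statement above against a constructed RunInstances request: Resource "*", a statement whose action is spelled ec2:RunInstance, and a statement scoped to instance/* and volume/*. The model assumes that RunInstances is authorized against the listed resource types and that aws:RequestTag/project appears in the request context only for the resources the request's TagSpecifications tags (instance and volume in this constructed request); it evaluates only the Null operator and treats the identity policy as allowing the call, since SCPs only restrict.

```python
"""Model of an SCP Deny with a Null condition against a multi-resource call.

Added example, not from the question above. Assumptions (not taken from
the page): the resource types RunInstances is evaluated against, and that
aws:RequestTag/<key> is present only for resources tagged by the request.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # placeholder account ID
REGION = "us-east-1"

# Constructed request context: each resource the call is authorized against,
# and whether this request's TagSpecifications tags it (instance and volume).
RUN_INSTANCES_RESOURCES = {
    f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*": True,
    f"arn:aws:ec2:{REGION}:{ACCOUNT}:volume/*": True,
    f"arn:aws:ec2:{REGION}:{ACCOUNT}:network-interface/*": False,
    f"arn:aws:ec2:{REGION}:{ACCOUNT}:security-group/sg-0123456789abcdef0": False,
    f"arn:aws:ec2:{REGION}:{ACCOUNT}:subnet/subnet-0123456789abcdef0": False,
    f"arn:aws:ec2:{REGION}::image/ami-0123456789abcdef0": False,
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _glob(pattern, value):
    # IAM matches action and resource patterns case-insensitively; * and ? are wildcards.
    return fnmatchcase(value.lower(), pattern.lower())


def _null_condition_matches(condition, context):
    """Null: "true" matches when the key is absent, "false" when it is present."""
    for key, expected in condition.get("Null", {}).items():
        if (expected == "true") != (key not in context):
            return False
    return True


def statement_denies(stmt, action, resource, context):
    if stmt.get("Effect") != "Deny":
        return False
    if not any(_glob(p, action) for p in _as_list(stmt["Action"])):
        return False
    if not any(_glob(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    return _null_condition_matches(stmt.get("Condition", {}), context)


def evaluate_scp(policy, action, resources, request_tags):
    """Return (decision, denied_resources).

    The call is all-or-nothing: one explicitly denied resource fails the
    whole request. The identity policy is assumed to allow the call.
    """
    denied = []
    for arn, tagged in resources.items():
        context = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()} if tagged else {}
        if any(statement_denies(s, action, arn, context) for s in policy["Statement"]):
            denied.append(arn)
    return ("denied" if denied else "allowed"), denied


def deny_untagged(actions, resources):
    """The statement shape from the question: Deny unless aws:RequestTag/project is set."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyResourceCreationSCP", "Effect": "Deny",
        "Action": actions, "Resource": resources,
        "Condition": {"Null": {"aws:RequestTag/project": "true"}}}]}


SCP_WILDCARD = deny_untagged(["ec2:Create*", "ec2:Run*", "elasticfilesystem:Create*"], ["*"])
SCP_MISSPELLED = deny_untagged(["ec2:RunInstance"],
                               ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"])
SCP_SCOPED = deny_untagged(["ec2:RunInstances"],
                           ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"])
TAGGED = {"project": "payments"}  # constructed tag value

if __name__ == "__main__":
    for name, scp in [("wildcard", SCP_WILDCARD), ("misspelled", SCP_MISSPELLED), ("scoped", SCP_SCOPED)]:
        for tags in (TAGGED, {}):
            decision, denied = evaluate_scp(scp, "ec2:RunInstances", RUN_INSTANCES_RESOURCES, tags)
            print(f"{name:10s} tagged={bool(tags)!s:5s} -> {decision:7s} {denied}")
```

In the model, the Resource "*" statement denies a correctly tagged launch because the Deny also applies to the subnet, security group and image, which carry no aws:RequestTag/project in the request, so the Null condition matches on them; the same statement scoped to instance/* and volume/* denies only untagged launches. The ec2:RunInstance spelling matches no action under IAM's wildcard rules (the action is ec2:RunInstances), so that statement denies nothing, tagged or not, which is worth checking with the policy simulator before relying on an SCP of that shape.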
I have an EKS cluster:
{
"cluster": {
"name": "cluster",
"arn": "arn:aws:eks:us-west-2:xxx:cluster/cluster",
"createdAt": "2022-10-04T18:24:38.786000-07:00",
"version": "1.23",
"endpoint": "https://xxx.gr7.us-west-2.eks.amazonaws.com",
"roleArn": "arn:aws:iam::xxx:role/eksrole",
"resourcesVpcConfig": {
"subnetIds": [
"subnet-08f0fc71",
"subnet-53032a18"
],
"securityGroupIds": [],
"clusterSecurityGroupId": "sg-06fa1aa90566a372e",
"vpcId": "vpc-0e09ba76",
"endpointPublicAccess": true,
"endpointPrivateAccess": false,
"publicAccessCidrs": [
"0.0.0.0/0"
]
},
"kubernetesNetworkConfig": {
"serviceIpv4Cidr": "10.100.0.0/16",
"ipFamily": "ipv4"
},
"logging": {
"clusterLogging": [
{
"types": [
"api",
"audit",
"authenticator",
"controllerManager",
"scheduler"
],
"enabled": false
}
]
},
"identity": {
"oidc": {
"issuer": "https://oidc.eks.us-west-2.amazonaws.com/id/18BD011EE7130A4BA313C555E62FB9FA"
}
},
"status": "ACTIVE",
xxx
},
"platformVersion": "eks.2",
"tags": {}
}
}
It has 1 node group, which I added in the UI (my account as shown in the UI: arn:aws:iam::xxx9399:user/user):
aws eks list-nodegroups --cluster-name cluster
{
"nodegroups": [
"node-group"
]
}
I have no problems adding more node groups to the same cluster in the UI, but when I use the AWS CLI I get this error:
aws eks create-nodegroup --cluster-name cluster --nodegroup-name NG --subnets subnet-08f0fc71 subnet-53032a18 --node-role arn:aws:iam::xxx9399:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
An error occurred (InvalidParameterException) when calling the CreateNodegroup operation: Following required service principals [ec2.amazonaws.com] were not found in the trust relationships of nodeRole arn:aws:iam::xxx9399:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup
I checked AWSServiceRoleForAmazonEKSNodegroup:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SharedSecurityGroupRelatedPermissions",
"Effect": "Allow",
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeInstances",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/eks": "*"
}
}
},
{
"Sid": "EKSCreatedSecurityGroupRelatedPermissions",
"Effect": "Allow",
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DescribeInstances",
"ec2:RevokeSecurityGroupEgress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/eks:nodegroup-name": "*"
}
}
},
{
"Sid": "LaunchTemplateRelatedPermissions",
"Effect": "Allow",
"Action": [
"ec2:DeleteLaunchTemplate",
"ec2:CreateLaunchTemplateVersion"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/eks:nodegroup-name": "*"
}
}
},
{
"Sid": "AutoscalingRelatedPermissions",
"Effect": "Allow",
"Action": [
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:CompleteLifecycleAction",
"autoscaling:PutLifecycleHook",
"autoscaling:PutNotificationConfiguration",
"autoscaling:EnableMetricsCollection"
],
"Resource": "arn:aws:autoscaling:*:*:*:autoScalingGroupName/eks-*"
},
{
"Sid": "AllowAutoscalingToCreateSLR",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "autoscaling.amazonaws.com"
}
},
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*"
},
{
"Sid": "AllowASGCreationByEKS",
"Effect": "Allow",
"Action": [
"autoscaling:CreateOrUpdateTags",
"autoscaling:CreateAutoScalingGroup"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:TagKeys": [
"eks",
"eks:cluster-name",
"eks:nodegroup-name"
]
}
}
},
{
"Sid": "AllowPassRoleToAutoscaling",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "autoscaling.amazonaws.com"
}
}
},
{
"Sid": "AllowPassRoleToEC2",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"iam:PassedToService": [
"ec2.amazonaws.com",
"ec2.amazonaws.com.cn"
]
}
}
},
{
"Sid": "PermissionsToManageResourcesForNodegroups",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"ec2:CreateLaunchTemplate",
"ec2:DescribeInstances",
"iam:GetInstanceProfile",
"ec2:DescribeLaunchTemplates",
"autoscaling:DescribeAutoScalingGroups",
"ec2:CreateSecurityGroup",
"ec2:DescribeLaunchTemplateVersions",
"ec2:RunInstances",
"ec2:DescribeSecurityGroups",
"ec2:GetConsoleOutput",
"ec2:DescribeRouteTables",
"ec2:DescribeSubnets"
],
"Resource": "*"
},
{
"Sid": "PermissionsToCreateAndManageInstanceProfiles",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:AddRoleToInstanceProfile"
],
"Resource": "arn:aws:iam::*:instance-profile/eks-*"
},
{
"Sid": "PermissionsToManageEKSAndKubernetesTags",
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringLike": {
"aws:TagKeys": [
"eks",
"eks:cluster-name",
"eks:nodegroup-name",
"kubernetes.io/cluster/*"
]
}
}
}
]
}
It shows the following trusted entities:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks-nodegroup.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I cannot add anything to the Trust Relationships (the entities are not editable).
I also have the AWSServiceRoleForAmazonEKSNodegroup policy with the AWSServiceRoleForAmazonEKSNodegroup role attached to it:
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForAmazonEKSNodegroup
{
"Policy": {
"PolicyName": "AWSServiceRoleForAmazonEKSNodegroup",
"PolicyId": "ANPAZKAPJZG4KH2AAMJJG",
"Arn": "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForAmazonEKSNodegroup",
"Path": "/aws-service-role/",
"DefaultVersionId": "v6",
"AttachmentCount": 1,
"PermissionsBoundaryUsageCount": 0,
"IsAttachable": true,
"Description": "Permissions required for managing nodegroups in the customer's account. These policies related to management of the following resources: AutoscalingGroups, SecurityGroups, LaunchTemplates and InstanceProfiles.",
"CreateDate": "2019-11-07T01:34:26+00:00",
"UpdateDate": "2022-01-14T00:33:26+00:00",
"Tags": []
}
}
But I cannot attach it to my user.
I would like to know what actions I need to perform to:
be able to create a managed node group;
add the required service principals [ec2.amazonaws.com] to the trust relationships of nodeRole arn:aws:iam::xxx9399:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup.
Thanks
You need to change eks-nodegroup.amazonaws.com to ec2.amazonaws.com in the permissions. At least that was my problem.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks-nodegroup.amazonaws.com" // change to ec2.amazonaws.com
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
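The check that the CreateNodegroup error performs, written out as an added example (not code from the question or answer): it reads the service principals a trust policy grants sts:AssumeRole to and reports the ones EKS requires of a node role that are missing, and it recognises the /aws-service-role/ path that marks a service-linked role, whose trust policy is managed by AWS and cannot be edited, which matches what the question observed. The trust policies are taken from the trust relationship shown in the question and from the EC2-trusted shape the answer names; the account ID and the node role name are placeholders.

```python
"""Check a role's trust policy for the service principals EKS requires of a
node role. Added example, not code from the question or answer; account ID
and role names are placeholders.
"""

# The CreateNodegroup error above names the principal it could not find.
REQUIRED_FOR_NODE_ROLE = {"ec2.amazonaws.com"}

# Trust policy of the service-linked role the question passed as --node-role.
SERVICE_LINKED_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "eks-nodegroup.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def node_role_trust_policy():
    """Trust policy for a customer-managed node role: only EC2 may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def trusted_service_principals(trust_policy):
    """Service principals granted sts:AssumeRole by an Allow statement.
    Principal.Service may be a single string or a list."""
    trusted = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            trusted.update(_as_list(principal.get("Service", [])))
    return trusted


def missing_principals(trust_policy, required=REQUIRED_FOR_NODE_ROLE):
    """Required principals the trust policy does not grant."""
    return sorted(set(required) - trusted_service_principals(trust_policy))


def is_service_linked_role(role_arn):
    """Service-linked roles live under /aws-service-role/; AWS manages their
    trust policy, so it cannot be edited in the console or with the CLI."""
    return ":role/aws-service-role/" in role_arn


def check_node_role(role_arn, trust_policy):
    """Short verdict for a candidate --node-role."""
    missing = missing_principals(trust_policy)
    if not missing:
        return "ok"
    if is_service_linked_role(role_arn):
        return "service-linked role, trust policy not editable; missing " + ", ".join(missing)
    return "add trust for " + ", ".join(missing)


if __name__ == "__main__":
    slr_arn = ("arn:aws:iam::111122223333:role/aws-service-role/"
               "eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup")
    print(check_node_role(slr_arn, SERVICE_LINKED_ROLE_TRUST))
    print(check_node_role("arn:aws:iam::111122223333:role/eks-node-role", node_role_trust_policy()))
```

A role's live trust policy can be fed to missing_principals from the output of aws iam get-role (the Role.AssumeRolePolicyDocument field). Keeping the node role's trust limited to ec2.amazonaws.com, rather than adding principals to a broader role, confines the permissions to the instances that actually join the node group.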
I can easily deny the deployment of an AWS image via its AMI ARN "arn:aws:ec2:*::image/ami-xxx" within an IAM policy, but I'm trying to deny all RedHat image (Marketplace / Community AMI) deployments.
Is this possible via a resource tag and the AMI name "RHEL-8.2.0_HVM-20200423-x86_64-0-Hourly2-GP2"?
Example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAMIAccess",
      "Effect": "Deny",
      "Action": [
        "ec2:RunScheduledInstances",
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*::image/ami-0810abbfb78d37cdf",
        "arn:aws:ec2:*::image/ami-0e2cfc23d72b5cb98",
        "arn:aws:ec2:*::image/name/RHEL*",
        "arn:aws:ec2:*::image/RHEL*"
      ]
    }
  ]
}
Try the below, along with an "Allow" for Resource "*":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAMIAccess",
      "Effect": "Deny",
      "Action": [
        "ec2:RunScheduledInstances",
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*::image*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:RequestTag/Name": "RHEL"
        }
      }
    },
    {
      "Sid": "DenyAMIAccessNoNameTag",
      "Effect": "Deny",
      "Action": [
        "ec2:RunScheduledInstances",
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*::image*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Name": "true"
        }
      }
    }
  ]
}
I am trying to validate the action ec2:AttachVolume using the Policy Simulator Java SDK API.
My policy looks as follows:
"Statement": [
  {
    "Action": [
      "ec2:AttachVolume"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:ec2:*:*:instance/*"
    ]
  },
  {
    "Action": [
      "ec2:AttachVolume"
    ],
    "Effect": "Allow",
    "Resource": [
      "arn:aws:ec2:*:*:volume/*"
    ]
  }
]
How can I validate it using the Policy Simulator API, as I need to provide both resources, i.e. the instance and the volume?
With this policy the simulator works fine for me:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "ArnEquals": {
          "ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/i-1234567890"
        }
      }
    }
  ]
}
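How to hand both resources to the simulator in one call, shown as an added example in Python with boto3 rather than the Java SDK the question uses (this is not code from the question or answer). SimulateCustomPolicy takes a list of ResourceArns, so the instance and the volume go into a single simulation, and the policy's ec2:SourceInstanceARN condition key is supplied through ContextEntries so the simulator does not report it as missing. The policy is the answer's; the ARNs and the sample response used to exercise the result parser are constructed.

```python
"""Simulate ec2:AttachVolume against the instance and the volume together
with IAM's SimulateCustomPolicy API.

Added example (Python/boto3), not code from the question or answer. The
policy is the answer's; ARNs and SAMPLE_RESPONSE are constructed.
"""
import json

ATTACH_VOLUME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
        "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*"],
        "Condition": {"ArnEquals": {
            "ec2:SourceInstanceARN": "arn:aws:ec2:*:*:instance/i-1234567890"}},
    }],
}

INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-1234567890"
VOLUME_ARN = "arn:aws:ec2:us-east-1:111122223333:volume/vol-0123456789abcdef0"


def build_simulation_request(policy, actions, resource_arns, context=None):
    """Keyword arguments for IAM.Client.simulate_custom_policy.

    ResourceArns carries every resource the action is authorized against,
    so instance and volume are simulated together. Condition keys the policy
    depends on go in ContextEntries; otherwise the simulator lists them
    under MissingContextValues.
    """
    request = {
        "PolicyInputList": [json.dumps(policy)],
        "ActionNames": list(actions),
        "ResourceArns": list(resource_arns),
    }
    if context:
        request["ContextEntries"] = [
            {"ContextKeyName": key, "ContextKeyValues": [value], "ContextKeyType": "string"}
            for key, value in context.items()
        ]
    return request


def summarize(response):
    """Flatten EvaluationResults to {action: {...}} with per-resource decisions."""
    summary = {}
    for result in response["EvaluationResults"]:
        summary[result["EvalActionName"]] = {
            "decision": result["EvalDecision"],
            "resources": {r["EvalResourceName"]: r["EvalResourceDecision"]
                          for r in result.get("ResourceSpecificResults", [])},
            "missing_context": sorted(result.get("MissingContextValues", [])),
        }
    return summary


def not_allowed(summary):
    """(action, resource) pairs whose decision was not 'allowed'."""
    return [(action, arn) for action, info in summary.items()
            for arn, decision in info["resources"].items() if decision != "allowed"]


# Constructed response in the shape SimulateCustomPolicy returns: the volume
# is implicitly denied, as it would be if the policy named only instance/*.
SAMPLE_RESPONSE = {
    "EvaluationResults": [{
        "EvalActionName": "ec2:AttachVolume",
        "EvalResourceName": "*",
        "EvalDecision": "implicitDeny",
        "MissingContextValues": [],
        "ResourceSpecificResults": [
            {"EvalResourceName": INSTANCE_ARN, "EvalResourceDecision": "allowed"},
            {"EvalResourceName": VOLUME_ARN, "EvalResourceDecision": "implicitDeny"},
        ],
    }]
}


def run_simulation(request):
    """Live call; needs boto3 and credentials, so the import stays local."""
    import boto3
    return boto3.client("iam").simulate_custom_policy(**request)


if __name__ == "__main__":
    request = build_simulation_request(
        ATTACH_VOLUME_POLICY, ["ec2:AttachVolume"], [INSTANCE_ARN, VOLUME_ARN],
        context={"ec2:SourceInstanceARN": INSTANCE_ARN})
    print(json.dumps(request, indent=2))
    print(not_allowed(summarize(SAMPLE_RESPONSE)))
```

The per-resource decisions are what answer the question: a call such as AttachVolume only succeeds when every resource it touches is allowed, so a simulation that returns "allowed" for the instance but "implicitDeny" for the volume tells you which half of the policy is missing.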
I'm trying to create a policy that allows users to have all IAM actions except any action that contains the word "User" or "Group" in its name, so they can still do other actions like "CreateRole", "ChangePassword", etc.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "iam": [
            "*User*",
            "*Group*"
          ]
        }
      }
    }
  ]
}
But I got this notification: "This policy does not grant any permissions." I've also tried with "StringLike".
According to the AWS docs:
StringNotLike: Negated case-sensitive matching. The values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string.
If I do this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "iam:*User*",
        "iam:*Group*"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:": ["Create*", "Delete*"]
        }
      }
    }
  ]
}
Then the policy allows full access.
You can add a deny * action to your policy. It would deny everything that was not explicitly allowed.
Take a look at the below for an example.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRoles",
        "iam:ListPolicies",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "*",
      "Resource": [
        "*"
      ],
      "Effect": "Deny"
    }
  ]
}
I had to do an explicit deny like this. It works, but I'm open to a better solution.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "iam:CreateGroup",
        "iam:DeleteGroup",
        "iam:UpdateUser",
        "iam:PutUserPermissionsBoundary",
        "iam:AttachUserPolicy",
        "iam:DeleteUserPolicy",
        "iam:UpdateGroup",
        "iam:DeleteUser",
        "iam:DeleteUserPermissionsBoundary",
        "iam:CreateUser",
        "iam:RemoveUserFromGroup",
        "iam:AddUserToGroup",
        "iam:AttachGroupPolicy",
        "iam:PutUserPolicy",
        "iam:DetachGroupPolicy",
        "iam:DetachUserPolicy",
        "iam:DeleteGroupPolicy",
        "iam:PutGroupPolicy"
      ],
      "Resource": "*"
    }
  ]
}
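What the requested "iam:* except names containing User or Group" rule actually covers, worked through as an added example (not code from the question or either answer). It applies IAM's evaluation rule, under which an explicit Deny overrides any Allow, to an Allow on iam:* combined with the wildcard Deny on iam:*User* and iam:*Group* (IAM accepts wildcards in the middle of an action name), compares that wildcard Deny with the explicit list in the last answer, and lists user-credential actions whose names carry neither word. IAM_ACTIONS is a constructed subset of real IAM action names, not a complete catalogue, so the reported gaps are illustrative of the checking method rather than exhaustive.

```python
"""Coverage check for an allow-iam:*-except-User/Group rule.

Added example, not code from the question or answers. IAM_ACTIONS is a
constructed subset of real IAM action names; EXPLICIT_DENY is the list from
the last answer above.
"""
from fnmatch import fnmatchcase

IAM_ACTIONS = [
    "iam:CreateRole", "iam:GetRole", "iam:ChangePassword",
    "iam:CreateUser", "iam:DeleteUser", "iam:GetUser", "iam:ListUsers", "iam:TagUser",
    "iam:AttachUserPolicy", "iam:CreateGroup", "iam:GetGroup", "iam:ListGroups",
    "iam:AddUserToGroup", "iam:ListGroupsForUser",
    # Credential-changing actions whose names carry neither "User" nor "Group".
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:DeactivateMFADevice",
]

GLOB_DENY = ["iam:*User*", "iam:*Group*"]

EXPLICIT_DENY = [
    "iam:CreateGroup", "iam:DeleteGroup", "iam:UpdateUser",
    "iam:PutUserPermissionsBoundary", "iam:AttachUserPolicy", "iam:DeleteUserPolicy",
    "iam:UpdateGroup", "iam:DeleteUser", "iam:DeleteUserPermissionsBoundary",
    "iam:CreateUser", "iam:RemoveUserFromGroup", "iam:AddUserToGroup",
    "iam:AttachGroupPolicy", "iam:PutUserPolicy", "iam:DetachGroupPolicy",
    "iam:DetachUserPolicy", "iam:DeleteGroupPolicy", "iam:PutGroupPolicy",
]

# Actions that alter a user's sign-in credentials but are not named after users.
USER_CREDENTIAL_ACTIONS = ["iam:CreateAccessKey", "iam:CreateLoginProfile",
                           "iam:UpdateLoginProfile", "iam:DeactivateMFADevice"]


def matches_any(action, patterns):
    # IAM matches action names case-insensitively; * and ? are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def effective_allow(allow_patterns, deny_patterns, actions=IAM_ACTIONS):
    """Actions left after evaluation: an explicit Deny beats any Allow."""
    return sorted(a for a in actions
                  if matches_any(a, allow_patterns) and not matches_any(a, deny_patterns))


def deny_coverage_gap(explicit=EXPLICIT_DENY, actions=IAM_ACTIONS):
    """Actions the wildcard Deny would block that an explicit list leaves allowed."""
    return sorted(a for a in actions if matches_any(a, GLOB_DENY) and a not in explicit)


def name_filter_blind_spots(actions=USER_CREDENTIAL_ACTIONS):
    """User-credential actions a name-based User/Group filter does not catch."""
    return [a for a in actions if not matches_any(a, GLOB_DENY)]


if __name__ == "__main__":
    print("allowed with wildcard deny:", effective_allow(["iam:*"], GLOB_DENY))
    print("allowed with deny '*':     ", effective_allow(["iam:*"], ["*"]))
    print("explicit list misses:      ", deny_coverage_gap())
    print("name filter never sees:    ", name_filter_blind_spots())
```

Two results matter for the policy design. A Deny on "*" leaves nothing allowed, because the explicit Deny wins over every Allow in the same evaluation. And the User/Group name filter, whether written with wildcards or expanded into an explicit list, still permits CreateAccessKey, CreateLoginProfile, UpdateLoginProfile and DeactivateMFADevice, all of which change another principal's credentials; a policy meant to keep users out of user administration needs those denied by name as well.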