I have an AWS File Gateway. I am able to create a share to an S3 bucket ONLY if I let the AWS console create a new IAM role. If I select Use an Existing Role I get the error:
Failed to create file share
User: arn:aws:iam::024123456789:root is not authorized to perform: iam:PassRole on resource: my-storage-gateway-role (Request ID: f14a287d-e266- 11e7-bd3b-49a5a190c50e)
I have tried this using both IAM users with administrative access and with the root user. Every time results in this same error. Here is the policy that my administrators have:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Isn't this policy sufficient to do pretty much anything? Any ideas what is causing this error?
Scott here with AWS, I understand that when you try to create your own IAM role that has admin permissions for your SGW, you're still not able to create a file share with your S3 bucket.
Looking into the issue, the most likely reason for this error is because the your account doesn't have the correct permissions to assume the role with Storage Gateway[1]:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "storagegateway.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Since you have admin access on the the role, you don't need to change the policy for permissions.
After logging into my root account, I wasn't able to reproduce this issue even when creating a new role for the file share.
Are you able to share the role you are trying to use?
[1]http://docs.aws.amazon.com/storagegateway/latest/userguide/managing-gateway-file.html#grant-access-s3
Related
Problem Statement:
Account A is uploading some file in an Amazon S3 bucket in Account B. I am in account C and trying to access objects in Account B Amazon S3 bucket. I am able to access some of the files but not all.
Account A is uploading files like this
this.s3Client.putObject(bucketName, key, new FileInputStream(content), metadata);
this.s3Client.setObjectAcl(bucketName, key, CannedAccessControlList.BucketOwnerFullControl);
I am only getting access denied for some of the files not all.
While I have checked Bucket Policy and lambda policy. It seems correct to me, as I am able to access other objects that were not uploaded by Account A and I feel that this issue is related to an object permission, where the uploader in s3 bucket has the exclusive access. But as we see in the above code, uploader is setting object acl to BucketOwnerFullControl
All the files are set to public already, also I have given access to Account C aws account canonical Id under ACL.
ACLs
Lambda policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::ACCOUNT_B_BUCKET/*"
}
]
}
Bucket Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS_ACCOUNT_C:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::ACCOUNT_B_BUCKET/*"
}
]
}
I have spent a lot of time on this and it is frustrating now. Please also let me know how can I debug these types of issues faster?
Can you please check the ACL or GO to S3 console and Select all files and make public. this is just a debugging step .
How do I set the S3 read permission to only my IAM User can access? I have my IAM User config in the backend for my hybrid app but I still can't get access to S3 list.
Here is my bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxx:user/xxx#xxx.com"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-s3-bucket/*"
}
]
}
I tried was s3 ls s3://my-s3-bucket on terminal it is showing the list of items in my s3 bucket but not the backend. If I change the Principal to "*" I can access without any problem. (I want to limit to only my app can access it with the IAM User credential I have).
The error I have
{"code":"InternalError","message":"Access Denied"}
Thank you.
The aws s3 ls command is used to list the contents of a bucket but your policy is only granting permission to GetObject (which means to read the contents of an object).
If you wish to allow listing of the bucket, you would also need to grant s3:ListBucket permissions.
Bucket Policies vs IAM Policies
Typically, Bucket Policies are used to grant public or cross-account access.
If you wish to grant access to a specific IAM User, then it is better to add a policy on the IAM User themselves:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-s3-bucket/*"
}
]
}
However, you say "only one user". This becomes more difficult if any other users have been granted access to ALL S3 buckets with an Admin-like policy. In this situation, it you would need to add a Deny to the Bucket Policy to prevent access by anyone who has been granted access to all Buckets. This starts to get a little tricky because Deny policies have a habit of denying more than you expect.
If the bucket contains sensitive information, another option is to put the bucket in a different AWS Account and then only grant cross-account access to the specific IAM Users who need access. This prevents people gaining Admin-like access and avoids the need to use a Deny policy.
For s3 ls s3://my-s3-bucket to work you need s3:ListBucket permissions along with bucket resource:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxx:user/xxx#xxx.com"
},
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": ["arn:aws:s3:::my-s3-bucket/*",
"arn:aws:s3:::my-s3-bucket"]
}
]
}
I'm currently spinning in circles trying to restore from an AWS Backup and am running into permissions errors. I have administrator access to my AWS account. I've tried creating a new policy and attach it to my user account in IAM as follows:
The issue I can't seem to get around is that I need to add the permission iam:PassRole but I can't seem to find it anywhere within the AWS portal. How can I add this permission to my policy?!
EDIT: I've created a policy with all backup permissions allowed and including iam:PassRole however I am still receiving the error message You are not authorized to perform this operation. when trying to perform the backup. The policy I've created and attached to my user looks as follows:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"backup:*",
"iam:PassRole",
"iam:GetRole"
],
"Resource": "*"
}
]
}
“To successfully do a restore with the original instance profile, you will need to make changes to the restore policy. If you apply instance profile during the restore, you must update the operator role and add PassRole permissions of the underlying instance profile role to EC2. Otherwise, Amazon EC2 won’t be able to authorize the instance launch and it will fail.”
Here is the policy you can attach to the AWS default Backup role “AWSBackupDefaultServiceRole” to work around this issue:
{
"Version": "2012–10–17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::<Account-ID>:role/*"
}]}
Source: https://medium.com/contino-engineering/new-aws-backup-features-for-quick-and-easy-ec2-instance-recovery-c8887365ca6a
In AWS, I (joe.doe#accountXYZ) created a S3 bucket, thus I am this s3 bucket owner.
I want to configure this S3 bucket based on the IAM role, thus only some IAM roles, such as [role_xyz, role_abc, role_cde], can can read this bucket.
From the AWS console, it seems that I can not configure it.
Can anyone tell me whether it is possible to do that?
========
I understand that from the IAM role side you can configure a policy for this s3 resource. But my question here is on the s3 resource side, whether I can define a access policy based IAM roles.
It appears that your requirement is to permit certain specific roles access to a particular Amazon S3 bucket.
There are two ways to do this:
Option 1: Add permissions to the Role
This is the preferred option. You can add a policy to the IAM Role that grants access to the bucket. It would look similar to:
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}
]
}
This is a good method because you just add the policy to the desired Role(s), without having to touch the actual buckets.
Option 2: Add a Bucket Policy
This involves putting the permissions on the bucket, which grants access to a specific role. This is less desirable because you would have to put the policy on every bucket and refer to every Role.
It would look something like:
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::my-bucket/*"
],
"Principal": "arn:aws:iam::123456789012:role/my-role"
}
]
}
Please note that these policies are granting s3:* permissions on the bucket, that might be too wide for your purposes. It is always best to only grant the specific, required permissions rather than granting all permissions.
This is the policy I have:
{
"Version": "2012-10-17",
"Id": "Policy1477084949492",
"Statement": [
{
"Sid": "Stmt1477084932198",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::__redacted__"
},
{
"Sid": "Stmt1477084947291",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::__redacted__/*"
}
]
}
I am able to view the files in the bucket via aws s3 ls but am not able to download.
My understanding is that these permissions should give full access to any AWS identity.
Question- Is there some reason that is not the case here?
Your policy works for me when I test it in my account.
In IAM, a deny overwrites an allow, and I suspect that you have a conflicting policy somewhere. Check all user policies, and groups that the user is a member of for conflicting policies.
You don't explicitly say you are doing this, but just to cover all bases. If you are running the s3 get on an instance with an IAM Role associated with it, check to make sure that the IAM Roles permissions are appropriate.
Depending on what you are actually doing this could explain your situation. If you are using an EC2 instance with an IAM Role, it will be using that IAM Role for permissions by default not your IAM User permissions. If you run aws configure and explicitly configure it with IAM User issued key and secret then it will use the IAM User policies.
Best practices say that if you are performing work on an EC2 instance, where possible and where your use case allows for it; you should not be using keys and secrets on the host but using an EC2 IAM Role.
Additional Reading:
IAM Policy Evaluation Logic
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html