I'm using boto3 in order to create a presigned post url for s3.
s3 = boto3.client('s3')
post = s3.generate_presigned_post(
Bucket=bucket_name,
Key=f"{userid}.{suffix}"
)
The aws_access_key_id that is being used is incorrect, one of the ways of using the right one is by adding an environment variable through environment variables.
Any idea how can I enforce using the aws access key as defined by the user I've created in IAM ?
Update 1
Policy attached to the IAM role that executes the lambda
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": "arn:aws:logs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachNetworkInterface",
"ec2:CreateNetworkInterface",
"ec2:DeleteNetworkInterface",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DetachNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ResetNetworkInterfaceAttribute"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": [
"kinesis:*"
],
"Resource": "arn:aws:kinesis:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sns:*"
],
"Resource": "arn:aws:sns:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"sqs:*"
],
"Resource": "arn:aws:sqs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": "arn:aws:dynamodb:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"route53:*"
],
"Resource": "*"
}
]
}
Update 2
Role in IAM
Role configuration in Lambda configuration
You should not use an IAM User for any sort of execution permissions in lambda. Rather, use an IAM role with appropriate policies attached and attach that role to your Lambda function.
Also note that once the role is configured, the access id and secret will be automatically set as environment variables by lambda and Boto will retrieve them without any additional configuration.
Related
Im using aws sdk go to create role using CreateRole() and policy using CreatePolicy() and then attach role to policy using AttachRolePolicy() api and when i call CreateDeliveryStream() api
I get the below error
InvalidArgumentException: Firehose is unable to assume role arn:aws:iam::<no>:role/<name>. Please check the role provided.
After looking in AWS console policy and roles is properly created.
So ran lambda again with only CreateDeliveryStream() as the permissions were already created and it created successfully .
Tried running again the same flow create permissions and then create delivery stream. It throws the same error.
Role trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
policy attached
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "kinesis",
"Effect": "Allow",
"Action": [
"kinesis:DescribeStream",
"kinesis:GetShardIterator",
"kinesis:GetRecords",
"kinesis:ListShards"
],
"Resource": [
"arn:aws:kinesis:<>:stream/<>"
],
"Principal": {}
},
{
"Sid": "s3",
"Effect": "Allow",
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::<>",
"arn:aws:s3:::<>/*"
],
"Principal": {}
},
{
"Sid": "kms",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": [
"arn:aws:kms:<>:key/<>"
],
"Principal": {}
},
{
"Sid": "cloudwatch",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:<>:log-group:/aws/kinesisfirehose/<>:log-stream:*"
],
"Principal": {}
}
]
}
Any idea what is happening here?
Creating an IAM inline policy to allow the IAM user to attach a max of 20GB EBS volume, and only allow t2.micro Ubuntu instance from us-east-2 region. I have copied the ami for the same but in the conosle for IAM user it shows API error when trying to run the EC2 instance, what might be the problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AdminPermissions",
"Effect": "Allow",
"Action": [
"ssm:SendCommand",
"ssm:GetCommandInvocation",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateTags"
],
"Resource": "*"
},
{
"Sid": "RunInstanceResourcePermissions",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:::network-interface/*",
"arn:aws:ec2:::security-group/*",
"arn:aws:ec2:::subnet/*",
"arn:aws:ec2:*::image/ami-0885b1f6bd170450c"
]
},
{
"Sid": "LimitInstanceVolumeSize",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:::volume/*"
],
"Condition": {
"NumericLessThanEquals": {
"ec2:VolumeSize": "20"
}
}
},
{
"Sid": "LimitInstanceTypes",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:::instance/ami-0885b1f6bd170450c"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType":
"t2.nano"
}
}
}
]
}
I am trying to create a state machine in AWS stepfunctions using AWS sdk Eg.,
stepfunctions.createStateMachine(params, function(err, data)...
I created a lambda in AWS console and added the code for creating state machine. Also I provided the permissions for the Role to execute this lambda and create state machine. I verified the Role Permissions using Simulator also which is fine (allowed). But when I execute the lambda, I am getting AcccessDeniedException.
errorMessage": "User: arn:aws:sts::555555555:assumed-role/SFN_API_role/SFAPITest is not authorized to perform: states:CreateStateMachine on resource: arn:aws:states:us-east-1:555555555:stateMachine:*",
"errorType": "AccessDeniedException
"SFN_API_role" is the role and "SFAPITest" is the lambda.
Here is the Policy defined:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:ListStateMachines",
"states:ListActivities",
"states:CreateStateMachine",
"states:CreateActivity"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"lambda:*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeStateMachine",
"states:StartExecution",
"states:DeleteStateMachine",
"states:ListExecutions"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeExecution",
"states:GetExecutionHistory",
"states:StopExecution"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"states:DescribeActivity",
"states:DeleteActivity",
"states:GetActivityTask",
"states:SendTaskSuccess",
"states:SendTaskFailure",
"states:SendTaskHeartbeat"
],
"Resource": [
"*"
]
}
]
}
Any pointers are appreciated!
You are using "Resource": ["*"] instead of "Resource": "*". Just change the first portion of your policy to the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"states:ListStateMachines",
"states:ListActivities",
"states:CreateStateMachine",
"states:CreateActivity"
],
"Resource": "*"
},
...
I am trying to setup and assign a policy so that a user can only trigger AWS Systems Manager Services (SSM) Run Commands on only authorized or assigned EC2 instances to them.
To do this, I am following instructions from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-configuring-access-iam-create.html and as per it, I created below custom policy with provisioning access for only 1 EC2 instance:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:ListDocuments",
"ssm:DescribeDocument*",
"ssm:GetDocument",
"ssm:DescribeInstance*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"arn:aws:s3:::test-ssm-logs/TESTSERV",
"arn:aws:ssm:us-east-1:123456789012:document/AWS-RunPowerShellScript"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "TESTSERV"
}
}
},
{
"Action": [
"ssm:CancelCommand",
"ssm:ListCommands",
"ssm:ListCommandInvocations"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstanceStatus",
"Effect": "Allow",
"Resource": "*"
}
]
}
After I assigned above policy to a test user and when I log in using it and navigate to "Run Command", under Target Instances I see other EC2 instances as well and I am even able to execute commands to them as well. Shouldn't the user only see the 1 instance that is specified in above policy?
I do not understand what am I doing wrong here and how to fix it? Appreciate your help.
Thanks!
I have below IAM policy assigned to all my EC2 system instances:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstanceStatus"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ds:CreateComputer",
"ds:DescribeDirectories"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::amazon-ssm-packages-*"
}
]
}
Also, I have below IAM policy assigned to test user to so that they can Start/Stop/Restart EC2 instances:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances"
],
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "TESTSERV"
}
}
}
]
}
I was able to make this work by adjusting policy as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:ListDocuments",
"ssm:DescribeDocument*",
"ssm:GetDocument",
"ssm:DescribeInstance*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"arn:aws:s3:::nsight-ssm-logs/TESTSERV",
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
]
},
{
"Action": [
"ssm:CancelCommand",
"ssm:ListCommands",
"ssm:ListCommandInvocations"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstanceStatus",
"Effect": "Allow",
"Resource": "*"
}
]
}
My requirement was to only allow execution of PowerShell scripts so the line:
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
You can replace AWS-RunPowerShellScript with * to allow all commands.
Also, the EC2 Role assignment was necessary since without it I couldn't see any instances under Run Command.
Please also know that the user would see all instances under Run Command but will only be able to execute commands for the EC2 instances for which the policies are assigned to, user account. I do not think there is any option to suppress this.
Thanks for your contribution and helpful tips.
I have a IAM policy that restricts a user to launch an instance in a particular VPC.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-west-2:accountID:instance/*",
"arn:aws:ec2:us-west-2:*:image/* ",
"arn:aws:ec2:us-west-2:accountID:subnet/*",
"arn:aws:ec2:us-west-2:accountID:vpc/vpc-ID",
"arn:aws:ec2:us-west-2:accountID:network-interface/*",
"arn:aws:ec2:us-west-2:accountID:volume/*",
"arn:aws:ec2:us-west-2:accountID:key-pair/*",
"arn:aws:ec2:us-west-2:accountID:tags/*",
"arn:aws:ec2:us-west-2:accountID:security-group/*"
]
},
{
"Sid": "Stmt1394644402000",
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1394645330000",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:ReleaseAddress"
"ec2:AttachVolume",
"ec2:CreateVolume",
"ec2:CreateTags"
],
"Resource": [
"*"
]
}
]
}
But the policy is not working. Also I want to restrict user from launching an instance in the ec2-classic.
Any help is appreciated.
Thanks