I am trying to use aws cli to tag a lambda function. However, I keep getting the access decided error. I even tried to give the user admin access in IAM, and still it does not work. I guess something else has to be configured somewhere that currently overrides the policy
root#fd9f516869e1:~# aws lambda tag-resource --resource $FUNCTION_ARN --tags CURRENT_COMMIT=${CIRCLE_SHA1}
An error occurred (AccessDeniedException) when calling the TagResource operation: User: <user ARN> is not authorized to perform: lambda:TagResource
The policy attached to the user is
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<SID>",
"Effect": "Allow",
"Action": [
"tag:*",
"lambda:ListTags",
"lambda:TagResource",
"lambda:UntagResource",
"lambda:GetFunction",
"lambda:UpdateFunctionCode"
],
"Resource": [
"<my lambda ARN>"
]
}
]
}
As noted in the documentation for Lambda API Permissions and AWS Services That Work with IAM tag-related calls (ListTags, TagResources, UntagResources) can't be restricted to specific resources.
So access for tagging has to be granted for all Lambda functions. To get it working, you'd need to replace <my lambda ARN> in the policy above with *.
Related
This question has been answered here but it didn't solve my problem.
I get the An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: AssumeRole policy may only specify STS AssumeRole actions when I try to call aws iam create-role --role-name AutoscalingRole-Name --assume-role-policy-document file://./IAM_Trust_Policy.json
If my IAM_Trust_Policy.json contains only this code:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
}
It's working like a charm. But I needed something more, I'm creating an autoscaling role and I have a policy with these requirements:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com",
"autoscaling.amazonaws.com"
]
},
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"ec2:DescribeLaunchTemplateVersions"
]
}
}
And for some reason I get the An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: AssumeRole policy may only specify STS AssumeRole actions
Can anyone see where I'm wrong? Thanks
As #luk2302 commented, you are mixing up two policy types. Both are required for your Role to be useful:
Trust Policy: whom you allow to assume the role
This is your first policy document
Principal is required - this is whom you allow
Use this as the AssumeRolePolicyDocument parameter in CreateRole .
Access/Permissions Policies: the permissions the role will have
This is your second policy document
Principal is not allowed - makes no sense here
There are two ways to attach these permissions to your role (aka Identity-based Policies):
As a standalone Managed Policy with AttachRolePolicy
Or as an Inline Policy embedded in your role with PutRolePolicy
In other words, remove the Principal from your second policy document and call PutRolePolicy to embed it with your role.
You can not use role policy with assume-role-policy.
I think you are trying to rediscover the wheel.
AWS has one role for your need to autoscale AWSServiceRoleForAutoScaling managed role.
When I try to start a DeviceFarm run via CLI or API with an IAM user, I'm always getting the following error:
An error occurred (AccessDeniedException) when calling the ScheduleRun operation: User: <user-arn> is not authorized to perform: devicefarm:ScheduleRun on resource: <upload-arn>
It happens regardless of user permissions, even on a user who has the AdministratorAccess policy attached. Policy json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
The command I'm trying to run:
aws devicefarm schedule-run --region=us-west-2 --project-arn=<project-arn> --test='type=APPIUM_PYTHON,testPackageArn=<package-arn>,testSpecArn=<spec-arn>'
However I can still start the run manually via the web AWS console.
I am trying to assign a role to a user using the AWS console but not having a whole lot of success with it. So i created a user David and i created a role with a trust policy in which i am assigning the David i.e. IAM user as the principal which looks like this :-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::Account-ID:user/David"
},
"Action": "sts:AssumeRole"
}
]
}
and i also attached a policy to the role which lets the user listbuckets and getobject. The policy looks like this :-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allowsusertotolistbuckets",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::*"
}
]
}
Now when i run aws configure and authenticate as David user with the right access key and secret access key and run aws s3 ls. I run into the following: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied. How can i have the user assume the role. Any help will be appreciated.
IAM Roles are not 'attached' to a user. Rather, an IAM User can be permitted to assume an IAM Role.
Using the AWS CLI, they would assume an IAM Role like this:
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example
In response, AWS STS will return a set of temporary credentials:
{
"AssumedRoleUser": {
"AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
"Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
},
"Credentials": {
"SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
"SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
"Expiration": "2016-03-15T00:05:07Z",
"AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
}
}
These credentials can then be used to call AWS service 'as the IAM Role' rather than 'as the IAM User'.
See: assume-role — AWS CLI Command Reference
To make things easier, it is possible to define a profile that uses an IAM Role. The AWS CLI will automatically use IAM User credentials to call AssumeRole(), then use the resulting credentials to make the desired API call.
Here is an example profile entry:
[profile marketingadmin]
role_arn = arn:aws:iam::123456789012:role/marketingadminrole
source_profile = user1
This is saying: "Use the IAM User credentials from profile user1 to call AssumeRole() on the marketingadminrole"
It can then be used like this:
aws s3 ls s3://marketing-bucket --profile marketingadmin
See: Using an IAM role in the AWS CLI - AWS Command Line Interface
I have created a role to get objects from s3 bucket as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3GetObjects",
"Effect": "Allow",
"Action": [
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::cat-pics",
"arn:aws:s3:::cat-pics/"
]
}
]
}
Next, created a lambda function to assume this role. For that added the following statement to the basic lambda execution role which is attached to lambda:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::same-account-id:role/AssumeS3RoleDemo"
}
]
}
However, the following code
import json
import boto3
def lambda_handler(event, context):
print("this test should be printed")
# create an STS client object that represents a live connection to the
# STS service
sts_client = boto3.client('sts')
# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name.
assumed_role_object=sts_client.assume_role(
RoleArn="arn:aws:iam::same-account-id:role/AssumeS3RoleDemo",
RoleSessionName="AssumeRoleSession"
)
# From the response that contains the assumed role, get the temporary
# credentials that can be used to make subsequent API calls
credentials=assumed_role_object['Credentials']
print("credentials are")
print(credentials)
does not work. I keep getting the following error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::same-account-id:assumed-role/lambda_basic_execution_new/AssumeRoleDemo is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::same-account-id:role/AssumeS3RoleDemo: ClientError
Here AssumeRoleDemo is name of the lambda function and AssumeS3RoleDemo is the role name which has access to S3.
Is it possible to assume role in the same account ? Is so, what step am I missing here ? Please let me know.
thanks
You need amend the role with trust policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
In addition to that make sure your S3 bucket doesnt have a bucket policy. Because resource based policy and IAM based policies both should be allowing.
You don't need to use STS and AssumeRole in your lambda code to access S3 if both are in the same account, if role attached to lambda has policy allowing access on S3 it will work just fine.
But if you really want to do it, you need to make sure your role AssumeS3RoleDemo trust policy allow lambda execution role to assume it.
Below is a link to one exemplo using two different accounts, but the mechanism is the same using just one account:
https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/#:~:text=1.,the%20role%20in%20account%20B%3A&text=Update%20your%20Lambda%20function%20code,to%20create%20a%20service%20client.
I am using trying to invoke a Lambda from another Lambda, I am getting the error:
AccessDeniedException: User: [role ARN] is not authorized to perform:
lambda:InvokeFunction on resource: [Lambda ARN]
After researching, I found put that I need to attach a Policy to the IAM user to allow the action.
I'm wondering if there's any AWS Managed Policy which allows lambda:InvokeFunction?
If not, what would be the best minimalist policy JSON to create?
A managed role would be the AWSLambdaRole.
If you want to create it on your own:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": "<ARN of the function which is allowed to be invoked>"
}
]
}
For the ARN (Amazon Resource Name) you could also put * (then all functions are allowed to be invoked). Also, you could provide a list of multiple function ARNs.