I have a domain: domain1 and trying to allow user1 to access it. This is the policy:
{ "Version": "2012-10-17", "Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::340539148951:user/user1"
},
"Action": "es:*",
"Resource": "arn:aws:es:us-east-1:340539148951:domain/domain1/*"
} ] }
When the user1 tries logs in the Console and tries to go to ElasticSearch content, he gets this error:
ListDomainNames: {"Message":"User:
arn:aws:iam::340539148951:user/user1 is not authorized to perform:
es:ListDomainNames on resource:
arn:aws:es:us-east-1:340539148951:domain/*"}
So the question is where do I set this? At the user level? What would the policy be?
Dima.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1504015454000",
"Effect": "Allow",
"Action": [
"es:*"
],
"Resource": [
"arn:aws:es:us-east-1:340539148951:domain/*"
]
}
]
}
Probably too much es:* - but it worked
Related
I am trying to create a Glue job in an account that has full access to all resources
The script gets generated but when I try and save it I get the following error
[gluestudio-service.us-east-1.amazonaws.com] createJob: AccessDeniedException: Account XXXXX is denied access.
The role I am using has nothing fancy in it and has full access to glue and all S3 resources.
Its not an organisational account
Any insight would be greatly appreciated
I am using the managed AWSGlueServiceRole as well as the AmazonS3FullAccess roles
I have added the follwoing
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"glue:UseGlueStudio",
"iam:ListRoles",
"iam:ListUsers",
"iam:ListGroups",
"iam:ListRolePolicies",
"iam:GetRole",
"iam:GetRolePolicy",
"glue:SearchTables",
"glue:GetConnections",
"glue:GetJobs",
"glue:GetTables",
"glue:BatchStopJobRun",
"glue:GetSecurityConfigurations",
"glue:DeleteJob",
"glue:GetDatabases",
"glue:CreateConnection",
"glue:GetSchema",
"glue:GetTable",
"glue:GetMapping",
"glue:CreateJob",
"glue:DeleteConnection",
"glue:CreateScript",
"glue:UpdateConnection",
"glue:GetConnection",
"glue:StartJobRun",
"glue:GetJobRun",
"glue:UpdateJob",
"glue:GetPlan",
"glue:GetJobRuns",
"glue:GetTags",
"glue:GetJob"
],
"Resource": "*"
},
{
"Action": [
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/AWSGlueServiceRole*",
"Condition": {
"StringLike": {
"iam:PassedToService": [
"glue.amazonaws.com"
]
}
}
}
]
}```
Add Trusted Policy like the following in the Role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "glue.amazonaws.com",
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "sts:AssumeRole"
}
]
}
I have created a user and grant three permissions to it.
IAMFullAccess, AmazonSageMakerFullAccess and AmazonS3FullAccess
Now when i try to setup sagemaker domain, it throw following exceptions
ValidationException
Access denied in getting/accepting the portfolio shared by SageMaker. Please call withservicecatalog:AcceptPortfolioShare & servicecatalog:ListAcceptedPortfolioShares permission.
AccessDeniedException
User: arn:aws:iam::117609614511:user/tac-sagemaker is not authorized to perform: sagemaker:CreateDomain on resource: arn:aws:sagemaker:us-east-1:117609614511:domain/d-bpq1nh2g5t9l because no identity-based policy allows the sagemaker:CreateDomain action
First, I did not understand, though i granted full sagmaker access, why its not picking createDomain policy,
Second, i go to my role and manually added these policies.
Here are policies for my sagemaker role
AmazonSageMaker-ExecutionPolicy-20220813T004513
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s34sagemaker"
]
},
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::s34sagemaker/*"
]
}
]
}
SagemakerCreateDomain
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sagemaker:CreateDomain",
"Resource": "arn:aws:sagemaker:*:117609614511:domain/*"
}
]
}
sagemakerportfolioservices
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "servicecatalog:AcceptPortfolioShare",
"Resource": "arn:aws:catalog:*:117609614511:portfolio/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "servicecatalog:ListAcceptedPortfolioShares",
"Resource": "*"
}
]
}
But still it giving me same error
Edit
I added two new policy to my user
AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy
AWSServiceCatalogAdminFullAccess
Now ValidationException is gone, but still having AccessDeniedException
EDIT2:
I have attached a new custom policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"sagemaker:CreateDomain"
],
"Resource": "*"
}
]
}
But still the error is same
I would recommend using the CloudFormation template in this blog to help create the Domain and User Profile.
https://aws.amazon.com/blogs/machine-learning/automate-a-centralized-deployment-of-amazon-sagemaker-studio-with-aws-service-catalog/
I have tried setting up a permissions policy granting ssm:GetParameter and ssm:GetParameters to a role, but I get that error that "ssm:GetParameter is not allowed for this role". The only way I've found to eliminate the error is to grant ssm:* however I'd like to keep my permissions to a minimum. What am I missing here?
failing permission (account_id obscured):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:GetParameter",
"Resource": "arn:aws:ssm:us-east-1:{redacted}:parameter/*"
}
]
}
working permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ssm:*",
"Resource": "arn:aws:ssm:us-east-1:{redacted}:parameter/*"
}
]
}
Try using
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:GetParametersByPath"
]
If that does not help, allow "ssm:DescribeParameters".
As a plan to deprecate s3 objects, I am revoking all access apart from mine. I tried 2 ways but I see I am not able to see the bucket policy.
Error message from console:
You don’t have permission to get bucket policy
You or your AWS administrator must update your IAM permissions to allow s3:GetBucketPolicy. After you obtain the necessary permission, refresh the page. Learn more about Identity and access management in Amazon S3
First:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::ck",
"arn:aws:s3:::k/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA"
]
}
}
}
]
}
Second:
{
"Id": "bucketPolicy",
"Statement": [
{
"Action": "s3:*",
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::0220:user/an"
]
},
"Resource": [
"arn:aws:s3:::tes",
"arn:aws:s3:::tes/*"
]
}
],
"Version": "2012-10-17"
}
I am using inline policy for grant access to s3 bucket for IAM user
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::newput-test"
]
}
]
}
but on extended s3 browser when I use the access key id and secret access key of particular IAM user is not listing my bucket.but when I pass * in resources It works fine
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1513073615000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
}
]
}
but the problem is its giving access to all the s3 bucket to IAM user.
but I want to give access only single bucket anybody have an idea how to achieve this.
Try something like this
{
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::mys3bucket",
"arn:aws:s3:::mys3bucket/*"
]
}
]
}
Its been explained here.
http://www.fizerkhan.com/blog/posts/Restrict-user-access-to-Single-S3-Bucket-using-Amazon-IAM.html