How would you switch to a user in the AWS console?
I've set up an IAM policy for a user and I'd like to test whether it's working or not.
I've tried switching roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) using the account id from the User ARN (e.g. arn:aws:iam::<account id>:user/<username>) in https://signin.aws.amazon.com/switchrole using:
Account: <account id>
Role: test_user
Display Name: Test User
then clicking Switch Role, but I get:
Could not switch roles using the provided information. Please check your settings and try again. If you continue to have problems, contact your administrator.
Note: I am an Admin with full access.
You cannot use the Switch Role functionality to switch to a User.
You have two options:
Login as the User you wish to test, or
Create a Role with the same permissions, switch to the Role, then test
The easiest is to simply login as the user you wish to test. However, this can be a poor security practice because you are using another person's account and any actions you perform would be recorded against that user in Amazon CloudTrail (audit trail).
Alternatively, you could create a new IAM Role and assign exactly the same permissions to that Role. You would also need to assign a Trust Policy to the role to permit it to be used by you (your IAM User). You can then switch to that role in the console. This will work, unless you have any policies that specifically reference the User you wish to test (which will not recognise your Role permissions).
The best way to do this is to fully log out of the AWS console. Or you can use a different browser so you can be logged into both at the same time.
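The caveat in the answer above (policies that name the user itself will not carry over to a role) can be checked mechanically before copying permissions. The following is an added example, not code from the original thread; the account id, user name and policy documents are constructed placeholders.

```python
# Constructed sample: the policies attached to IAM user "test_user"; the
# account id and names are placeholders, not taken from any real account.
USER_ARN = "arn:aws:iam::123456789012:user/test_user"
SAMPLE_POLICIES = {
    "S3ReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]},
    "SelfManageKeys": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/test_user"},
        {"Effect": "Allow", "Action": "sts:GetSessionToken", "Resource": "*",
         "Condition": {"StringEquals": {"aws:username": "test_user"}}}]},
}


def _mentions(value, needles):
    """True if any string inside a JSON fragment equals one of the needles."""
    if isinstance(value, str):
        return value in needles
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, list):
        return any(_mentions(v, needles) for v in value)
    return False


def find_user_specific_statements(policies, user_arn):
    """Map policy name -> indexes of statements pinned to the user, either by
    naming the user ARN as the Resource or by testing the user name/ARN in a
    Condition. Such statements will not behave the same on a copied role."""
    user_name = user_arn.rsplit("/", 1)[-1]
    hits = {}
    for name, doc in policies.items():
        stmts = doc["Statement"]
        stmts = [stmts] if isinstance(stmts, dict) else stmts
        flagged = [i for i, s in enumerate(stmts)
                   if _mentions(s.get("Resource"), {user_arn})
                   or _mentions(s.get("Condition"), {user_arn, user_name})]
        if flagged:
            hits[name] = flagged
    return hits
```

Any policy reported here needs a role-specific equivalent (for example a Condition on the role's session) rather than a plain copy.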
I'm trying to setup my aws cli. I downloaded it and everything worked.
Now I wanted to log in from my powershell script.
Set-AWSCredentials -AccessKey key-name -SecretKey key-name
Because I don't have any users at the moment I had to create one. I have given the user admin rights.
When creating the user aws throws this error:
User: arn:aws:sts::37197122623409:assumed-role/voclabs/user2135080=.... is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::371237422423709:user/.... because no identity-based policy allows the iam:CreateUser action
My first thought was that my education account is having a problem. But I didn't find anything about it. Thanks for your help in advance.
The "voclab" part of the error suggests you are not logged in as the account root user but are instead assuming a role in an account used for teaching purposes.
This role is probably designed to disallow IAM actions, in order to prevent privilege escalation.
Read https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html to get role credentials for the role you're assuming.
You can't make any IAM roles, policies or users as a student using a voclabs account. AWS Academy does not allow that, and it's a hard limit which neither you nor your educator can change.
I have two roles configured in my IAM called "role1" and "role2" and a user called "foobar". The trust policy of "role2" is configured so that "role1" is granted the AssumeRole action, while "role1" can be assumed by the foobar user.
So the workflow to use role2 would be to login as user foobar, then assume role1 and from there assume role2.
I know that I can easily jump from role1 to role2 in the CLI by setting the source_profile value in the configuration file ~/.aws/config. But I have been unable to do the same thing in the management console (web interface). There is the "Switch Role" menu, but that only allows me to assume the role from the logged-in user, not from an already assumed role.
So my question is: How can I switch to "role2" in the scenario described above from the management console?
I think the transitive IAM Role switch from AWS Console is not allowed as per the documentation
Granting a user permissions to switch roles
When you switch roles in the AWS Management Console, the console always uses your original credentials to authorize the switch. This applies whether you sign in as an IAM user, as a SAML-federated role, or as a web-identity federated role. For example, if you switch to RoleA, it uses your original user or federated role credentials to determine if you are allowed to assume RoleA. If you then try to switch to RoleB while you are using RoleA, your original user or federated role credentials are used to authorize your attempt, not the credentials for RoleA.
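The CLI-side chaining the question describes (role2 reached through role1 via source_profile) can be traced from the config file, which makes the contrast with the console rule quoted above concrete. This is an added example, not code from the thread; the config text and account id are constructed.

```python
import configparser

# Constructed sample ~/.aws/config for the user "foobar" and the roles
# "role1" and "role2" from the question; the account id is a placeholder.
SAMPLE_CONFIG = """
[profile foobar]
region = eu-west-1

[profile role1]
role_arn = arn:aws:iam::123456789012:role/role1
source_profile = foobar

[profile role2]
role_arn = arn:aws:iam::123456789012:role/role2
source_profile = role1
"""


def resolve_chain(config_text, profile):
    """Return the profiles the CLI walks for --profile <profile>, starting
    with the one that holds long-term credentials. Each later entry is
    assumed with the credentials of the entry before it, which is exactly
    what the console's Switch Role does not do. Raises KeyError for an
    unknown profile and ValueError for a source_profile loop."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    chain, seen = [], set()
    while True:
        section = "default" if profile == "default" else f"profile {profile}"
        if section not in cp:
            raise KeyError(f"profile {profile!r} not found")
        if profile in seen:
            raise ValueError(f"source_profile loop at {profile!r}")
        seen.add(profile)
        chain.append(profile)
        src = cp[section].get("source_profile")
        if src is None:
            return list(reversed(chain))
        profile = src
```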
After setting up AWS Organizations, I created a member account with a custom IAM role name. I've now forgotten the role name used and I'm unable to assume role as root into that account. I need to create IAM users in the member account but without the ability to assume role using the custom OrganizationAccountAccessRole it seems I'm unable to.
I've tried getting access by
Using the member account root user but it doesn't have permissions to IAM
Signing in to member account using AWS SSO user with IAMFullAccess and AdministratorAccess policies attached to the policy set but user cannot access IAM.
Attempting to describe member account using the master account admin user but the role isn't there
At this point, I'm thinking the only way out is to recreate the member account. Please tell me there is a better way.
UPDATE:
- Found that 1 & 2 didn't work because of a restrictive Service Control Policy (SCP) on the account which didn't include IAM access permissions.
Based on the comments, the solution was to inspect CloudTrail logs to find the API call used to create the role.
As an Admin user, I have created an IAM user with some restricted accesses for testing purposes.
So, when I log in with the IAM user, I don't have access to unauthorized services as expected, but I've noticed that I can create and remove IAM users, even if I didn't create them myself.
So, I have three questions:
Why does an IAM user have the ability to remove other users?
And how can I prevent this?
When an IAM user creates "sub IAM users", do these "sub users" inherit his unauthorizations?
1) Why does an IAM user have the ability to remove other users?
An IAM user is just another user of your AWS account. It appears you gave the new IAM user the permissions to create, modify, or delete other IAM user accounts.
2) And how can I prevent this?
You need to review the IAM policies and roles assigned to the new IAM user and remove the permissions you don't want them to have. Please post the exact IAM roles and policies you have assigned to the user if you need help with this.
3) When an IAM user creates "sub IAM users", do these "sub users" inherit his unauthorizations?
There is no such thing as "sub users". A user is not in any way tied to the user that created them.
A user is granted the ability to create a user by virtue of the permissions granted to the first user. If you attach a policy to the second user that also grants the ability to create users, that second user will have permission to do so. There is a feature that allows you to grant a user the permission to create other users whilst limiting the permissions of the second user. The feature is called Permission boundaries. By using this you can allow a user to create other users but limit what permissions that other user can grant.
There is no concept of "sub-IAM users." An IAM user is an IAM user. The user has permissions to create other IAM users because you haven't denied the iam:* policies. You said you "created an IAM user with some restricted accesses for testing purposes." Without seeing the user it's not possible to know what permissions you have granted, but you must have allowed IAM permissions. To prevent the user from creating other users, do not attach policies that allow the iam:CreateUser permission.
Yes, you're right, an IAM user shouldn't have the ability to manage other users. AWS has policies for this: if you want other users to have access to all services you can create a group and attach PowerUserAccessPolicy to that group. Users with PowerUserAccess wouldn't be able to manage groups and other IAM users. Further, if you want to restrict admin users' access to manage other IAM users you can create a custom policy to deny this effect using an inline policy.
Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html
No IAM user can be called a "sub-user", as all users can be said to be at the same level. When any IAM user is associated with policies for IAM operations such as create, update and delete, that user can perform such IAM operations for new or existing users.
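The three answers above rest on the same evaluation rules: an explicit Deny wins over any Allow, PowerUserAccess-style policies leave IAM out via NotAction, and a permissions boundary caps what the identity policies can grant. The simplified evaluator below is an added example, not code from the thread or from AWS; it ignores Resource and Condition and the policy documents are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (placeholders, not copied from any account).
FULL_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Inline deny that keeps an otherwise-admin user away from user management.
DENY_USER_MGMT = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": ["iam:CreateUser", "iam:DeleteUser", "iam:AttachUserPolicy"]}]}
# Shaped like PowerUserAccess: everything except IAM and Organizations.
POWER_USER_LIKE = {"Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*"}]}
# A permissions boundary: the ceiling for whatever the identity policies allow.
BOUNDARY = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["s3:*", "ec2:Describe*"]}]}


def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])


def _statement_covers(stmt, action):
    """Does this statement's Action/NotAction match the action (IAM-style
    wildcards, case-insensitive)?"""
    act = action.lower()
    if "Action" in stmt:
        return any(fnmatchcase(act, p.lower()) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatchcase(act, p.lower()) for p in _as_list(stmt["NotAction"]))
    return False


def _decide(policies, action):
    allowed = False
    for pol in policies:
        stmts = pol["Statement"]
        for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
            if _statement_covers(stmt, action):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny always wins
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def evaluate(action, identity_policies, boundary=None):
    """Decision for one action: Deny if any policy (or the boundary) denies,
    Allow only if the identity policies and the boundary both allow."""
    verdict = _decide(identity_policies, action)
    if boundary is None:
        return verdict
    b = _decide([boundary], action)
    if "Deny" in (verdict, b):
        return "Deny"
    return "Allow" if verdict == b == "Allow" else "ImplicitDeny"
```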
I am writing an application for AWS platform, which was planned to be launched from the root account, with root credentials. At this point I need to stop some of the machines started by the AWS organizations member accounts.
By default AWS Organizations doesn't give the root account access to view or manage resources in other member accounts. So I tried using temporary credentials and tried to assume a role created by the target account.
More on that here: https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempSessionTokenJava.html
On the other hand it doesn't allow the root account to assume roles, and throws this exception:
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Roles may not be assumed by root accounts. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 7bee7537-48e0-11e9-bb1a-bb36134736e4)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1695) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1350) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1101) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:758) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:732) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:714) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:674) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:656) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:520) ~[aws-java-sdk-core-1.11.475.jar:na]
at...
Is there any way to get around this problem? For example, somehow give the root user access to everything or let it assume roles?
Firstly, please don't use your Root account! Best practice is to remove access keys from the root account, add an MFA token and lock it away. We have a large AWS Organization structure and we don't use the root accounts for anything other than where it's absolutely required.
See the IAM Best Practices user guide, specifically the section: Lock Away Your AWS Account Root User Access Keys
For your described administrative purposes, use IAM Users.
IAM Users can assume Roles. Recommended steps:
Create IAM Group and attach the required policy for admin permissions. The AdministratorAccess policy is an easy pre-built policy that gives full admin access within the current account, but to assume roles into sub-accounts, all you really need to allow is the sts:AssumeRole action.
Creating Your First IAM Admin User and Group
Granting a User Permissions to Switch Roles
Create an IAM User and assign it to the IAM Group.
Adding and Removing Users in an IAM Group
Create the target Role in your sub-accounts with a Policy to allow actions in that sub-account and with a Trust Relationship defined for your IAM user in the master Org account.
Creating a Role to Delegate Permissions to an IAM User
NOTE: Sounds like you may already have this, but check the trust relationship to make sure.
Authenticate your app via IAM user credentials, temp credentials, etc.
NOTE: The temp credentials doc that you linked is for IAM Users, I'd recommend trying it again once you have a proper IAM user setup.
There are many ways to authenticate to AWS services, as another example see: Assuming an IAM Role in the AWS CLI
Additional: Not sure what you're building, but if appropriate, Consider Using Service-linked Roles to directly provide the app the specific permissions it needs, rather than dealing with user credentials.
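The two halves of the recommended setup (an sts:AssumeRole grant on the group in the master account, and a trust relationship on the target role in the sub-account) must agree, which is the "check the trust relationship" note above. The checker below is an added example, not code from the answer or from AWS; the account ids, user, role and both policy documents are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample: placeholder account ids and names, not a real setup.
USER_ARN = "arn:aws:iam::111111111111:user/app-admin"     # master account
ROLE_ARN = "arn:aws:iam::222222222222:role/AppOperator"  # sub-account
# Policy attached to the admin group in the master account.
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
# Trust relationship on the role in the sub-account.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}


def _as_list(v):
    return [v] if isinstance(v, (str, dict)) else list(v or [])


def _allow_statements(policy, action):
    """Allow statements whose Action covers `action` (wildcards honoured)."""
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"
            and any(fnmatchcase(action, a) for a in _as_list(s.get("Action")))]


def check_assume_role_pair(identity_policy, trust_policy, user_arn, role_arn):
    """Return the problems that would make the switch fail or be over-broad.
    An empty list means both halves line up."""
    problems = []
    if not any(fnmatchcase(role_arn, r)
               for s in _allow_statements(identity_policy, "sts:AssumeRole")
               for r in _as_list(s.get("Resource"))):
        problems.append("identity policy does not allow sts:AssumeRole on " + role_arn)
    trusted = set()
    for s in _allow_statements(trust_policy, "sts:AssumeRole"):
        p = s.get("Principal")
        trusted.update(["*"] if p == "*" else _as_list((p or {}).get("AWS")))
    account_id = user_arn.split(":")[4]
    account_root = "arn:aws:iam::%s:root" % account_id  # trusts the whole account
    if "*" in trusted:
        problems.append("trust policy trusts every AWS principal ('*')")
    elif not trusted & {user_arn, account_root, account_id}:
        problems.append("trust policy does not trust " + user_arn)
    return problems
```

Trusting the account root ARN is accepted because it delegates the decision to the master account's own identity policies; a bare "*" is reported as a problem because it lets any AWS account attempt the switch.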