When I have my IAM Policy for my lambda execution role set to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "lambda:GetFunction"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
I get this error:
[AccessDeniedException: User:
arn:aws:sts::xxx:assumed-role/supercoolsoftware-dev-us-west-2-lambdaRole/supercoolsoftware-dev-addEmail
is not authorized to perform:
lambda:GetFunction on resource:
arn:aws:lambda:us-west-2:xxx:function:supercoolsoftware-dev-dailyEmail]
However, when I set the policy to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "lambda:*"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
The error is gone... What else do I need to add?
Figured it out. Apparently the SDK uses "lambda:GetFunctionConfiguration" as well. Once I included that it all worked.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
For anyone getting this error after the alexa.design/cli tutorial,
ASK_CLI_USER is not authorized to perform: lambda:GetFunction on resource
The issue for me was not "lambda:GetFunctionConfiguration" but instead the Resource line below it due to the "ask-" prefix:
"Resource": "arn:aws:lambda:*:*:function:ask-*"
Changing it to this solved my issue:
"Resource": "arn:aws:lambda:*:*:function:*"
Post 2022
The solution is as CamHart said, but there is a twist.
They apparently renamed these permissions. You must now use lambda:InvokeFunction and lambda:InvokeFunctionConfiguration instead of lambda:GetFunction and lambda:GetFunctionConfiguration.
Example
JSON
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "lambda:GetFunction",
      "lambda:GetFunctionConfiguration"
    ],
    "Resource": [
      "*"
    ]
  }
]
YAML
Statement:
  - Effect: Allow
    Action:
      - lambda:InvokeFunction
      - lambda:InvokeFunctionConfiguration
    Resource: '*'
Related
I am pretty new to AWS and struggling with role chaining for my github-actions-role.
I have a role "GithubActionsRole" which has the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity"
      ],
      "Resource": [
        "arn:aws:iam::ACCOUNT_NO:role/cdk-contactupd-deploy-role-ACCOUNT_NO-REGION"
      ],
      "Effect": "Allow"
    }
  ]
}
And these trust relationships:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACC_NO:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:SetSourceIdentity"
      ],
      "Condition": {
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:my-repo/sub-dir:*"
        }
      }
    }
  ]
}
So now, the GithubActionsRole should assume the role "cdk-contactupd-deploy-role-ACCOUNT_NO-REGION". This role is configured like this:
Permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStacks",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack"
      ],
      "Resource": "*",
      "Effect": "Allow",
      "Sid": "CloudFormationPermissions"
    }
  ]
}
Trust relationships:
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_NO:root"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:SetSourceIdentity"
      ]
    }
  ]
}
In my GitHub-action I execute the following:
…
- name: Set nonlive variables
  run: |
    echo "STAGE=nonlive" >> $GITHUB_ENV
    echo "GITHUB_ROLE=arn:aws:iam::ACC_NO:role/GithubActionsRole" >> $GITHUB_ENV
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-region: MY_REGION
    role-to-assume: ${{ env.GITHUB_ROLE }}
- run: aws sts get-caller-identity
- name: Deploy CDK Stacks
…
Unfortunately the last step is failing with the following message:
failed: AccessDenied: User: arn:aws:sts::***:assumed-role/GithubActionsRole/GitHubActions is not authorized to perform: cloudformation:DescribeStacks on resource: arn:aws:cloudformation:...:stack/MY_STACK/... because no identity-based policy allows the cloudformation:DescribeStacks action.
But the "cloudformation:DescribeStacks" policy should be allowed through the role chaining from the "cdk-contactupd-deploy-role-ACCOUNT_NO-REGION" role.
I would appreciate any idea on how to fix it. I have already tried a lot over the last few days :/
I've created a role with an attached Policy "AmazonSSMManagedInstanceCore":
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeAssociation",
        "ssm:GetDeployablePatchSnapshotForInstance",
        "ssm:GetDocument",
        "ssm:DescribeDocument",
        "ssm:GetManifest",
        "ssm:GetParameter",
        "ssm:GetParameters",
        "ssm:ListAssociations",
        "ssm:ListInstanceAssociations",
        "ssm:PutInventory",
        "ssm:PutComplianceItems",
        "ssm:PutConfigurePackageResult",
        "ssm:UpdateAssociationStatus",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:UpdateInstanceInformation"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2messages:AcknowledgeMessage",
        "ec2messages:DeleteMessage",
        "ec2messages:FailMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:GetMessages",
        "ec2messages:SendReply"
      ],
      "Resource": "*"
    }
  ]
}
And trust relationships:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I've then attached the IAM role to the instance. When I start the SSM agent in the instance I get the following error:
2022-03-16 23:14:49 ERROR [HandleAwsError # awserr.go.49] [ssm-agent-worker] [MessageService] [MDSInteractor] error when calling AWS APIs. error details - GetMessages Error: AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/SSMandCloudWatch/i-YYYYY is not authorized to perform: ec2messages:GetMessages on resource: arn:aws:ssm:eu-central-1:XXXX:* with an explicit deny in a service control policy
status code: 400, request id: zzzz
The call it's complaining about is explicitly allowed in the policy. I've tried restarting the agent but it didn't make any difference.
AWS permission evaluation can be complex. I like this AWS diagram below, so it is a good one to follow to track down permissions issues.
So there are a few other things to check or be aware of that could still be limiting access.
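An added example (not code from the thread or from AWS) that models the evaluation behind the errors in the lambda:GetFunction thread above (a single allowed action versus lambda:*, and the ask-* resource pattern) and in this SSM question (an identity policy that allows ec2messages:GetMessages while a service control policy explicitly denies it). The account id and the SCP are constructed.

```python
# Added example (not from the thread or AWS): a small model of IAM policy evaluation
# covering Action/Resource wildcards, explicit-deny-wins and an optional SCP layer.
# Conditions, NotAction/NotResource and resource-based policies are ignored.
import re

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _matches(stmt, action, resource):
    # Action names are case-insensitive; ARNs are compared case-sensitively.
    return (any(_glob(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))))

def _effects(policies, action, resource):
    return {s["Effect"] for p in policies for s in _as_list(p["Statement"])
            if _matches(s, action, resource)}

def evaluate(action, resource, identity_policies, scps=None):
    """Return 'allow', 'explicit deny in <layer>' or 'implicit deny: ...'."""
    layers = [("identity policy", identity_policies)]
    if scps:  # an account outside an organization simply has no SCP layer
        layers.insert(0, ("service control policy", scps))
    effects = {name: _effects(pols, action, resource) for name, pols in layers}
    for name, eff in effects.items():  # any explicit deny wins outright
        if "Deny" in eff:
            return f"explicit deny in {name}"
    for name, eff in effects.items():  # every layer present must allow
        if "Allow" not in eff:
            return f"implicit deny: no {name} allows {action} on {resource}"
    return "allow"

def allow(actions, resource="*"):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": actions, "Resource": resource}]}
# Constructed sample data mirroring the posts (account id and the SCP are made up).
FN_ARN = "arn:aws:lambda:us-west-2:111122223333:function:supercoolsoftware-dev-dailyEmail"
GET_FUNCTION_ONLY = allow(["lambda:GetFunction"])
LAMBDA_STAR = allow(["lambda:*"])
ASK_PREFIX = allow(["lambda:GetFunction"], "arn:aws:lambda:*:*:function:ask-*")
SSM_IDENTITY = allow(["ec2messages:GetMessages", "ssmmessages:CreateControlChannel"])
ORG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2messages:*", "Resource": "*"}]}
```

Calling evaluate() with the SSM identity policy alone returns "allow", and with ORG_SCP added it returns the SCP explicit deny, which is exactly the split the agent's error message reports.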
I've created an AWS Lambda function which is supposed to copy InstanceDBSnapshots from one region to another.
The following policies are attached to the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1510479591000",
      "Effect": "Allow",
      "Action": [
        "rds:CreateDBInstance",
        "rds:CreateDBSecurityGroup",
        "rds:CreateDBSnapshot",
        "rds:CreateDBSubnetGroup",
        "rds:DeleteDBInstance",
        "rds:DeleteDBSecurityGroup",
        "rds:DeleteDBSnapshot",
        "rds:DeleteDBSubnetGroup",
        "rds:DescribeDBInstances",
        "rds:DescribeDBSecurityGroups",
        "rds:DescribeDBSnapshotAttributes",
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSubnetGroups",
        "rds:ModifyDBInstance",
        "rds:ModifyDBSubnetGroup",
        "rds:RestoreDBInstanceFromDBSnapshot"
      ],
      "Resource": [
        "arn:aws:rds:*"
      ]
    }
  ]
}
And an Amazon policy called: "AWSLambdaBasicExecutionRole".
When I run the function I get the following error:
START RequestId: c5f62f26-c7b6-11e7-8fd4-c9b54c37d712 Version: $LATEST
An error occurred (AccessDenied) when calling the DescribeDBSnapshots
operation: User:
arn:aws:sts::ACCOUNT:assumed-role/cc/Cross-Copy-DB-Snapshots is not
authorized to perform: rds:DescribeDBSnapshots: ClientError
I don't understand what that "arn:aws:sts" is and how to allow this function to run properly.
Does anyone know this issue and how to solve it?
Something is wrong with your role; this should work:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "rds:DescribeDBSnapshots",
        "rds:DeleteDBSnapshot",
        "rds:CopyDBSnapshot"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
I am having an issue with creating an IAM policy in CloudFormation. When I run it I get the error that Groups, Roles, or Users is required:
Here is my code:
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "AWS CloudFormation Template IAM Groups and Policies",
  "Resources": {
    "PolicyAutoScalingLimitedOperation": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "AutoScaling-Limited-Operation",
        "PolicyDocument": {
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "dynamodb:*"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "cloudwatch:PutMetricData"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:PutObject"
              ],
              "Resource": "*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream"
              ],
              "Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
            },
            {
              "Effect": "Allow",
              "Action": [
                "kms:ListAliases",
                "kms:ListKeys",
                "kms:Encrypt",
                "kms:Decrypt"
              ],
              "Resource": "*"
            }
          ]
        }
      }
    }
  }
}
Now when I run it I get:
At least one of [Groups,Roles,Users] must be non-empty.
Does that mean I cannot create a policy with CloudFormation without adding a user/role to it?
You probably want to create an AWS::IAM::ManagedPolicy if you just want a standalone policy.
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-managedpolicy.html
From the documentation:
AWS::IAM::ManagedPolicy creates an AWS Identity and Access Management (IAM) managed policy for your AWS account, which you can use to apply permissions to IAM users, groups, and roles.
Here's an example:
Resources:
  CreateTestDBPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Description: "Policy for creating a test database"
      Path: "/"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          -
            Effect: "Allow"
            Action: "rds:CreateDBInstance"
            Resource: "*"
This will resolve your issue.
I have a domain, domain1, and am trying to allow user1 to access it. This is the policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::340539148951:user/user1"
      },
      "Action": "es:*",
      "Resource": "arn:aws:es:us-east-1:340539148951:domain/domain1/*"
    }
  ]
}
When user1 logs in to the Console and tries to go to the Elasticsearch content, he gets this error:
ListDomainNames: {"Message":"User:
arn:aws:iam::340539148951:user/user1 is not authorized to perform:
es:ListDomainNames on resource:
arn:aws:es:us-east-1:340539148951:domain/*"}
So the question is where do I set this? At the user level? What would the policy be?
Dima.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1504015454000",
      "Effect": "Allow",
      "Action": [
        "es:*"
      ],
      "Resource": [
        "arn:aws:es:us-east-1:340539148951:domain/*"
      ]
    }
  ]
}
Probably too broad with es:*, but it worked.