Creating a role gives error - amazon-web-services

I am using the following CLI command to create a role and attach a policy:
aws iam create-role --role-name SMS-Role --assume-role-policy-document file://D:\AWS\Cognito\SMSRolePolicy.txt
SMSRolePolicy.txt contains the following policy:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Resource": "*",
"Action": "sns:publish"
}
}
On executing the CLI script I get the following error:
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource

What? Where is your trust relationship policy document?
Your code works for adding policies to an existing attached role. To attach the role, you need to have AssumeRole permission for the resource. It should be something like:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole"
}
}
Follow the Amazon link to set it up correctly.

Related

Trying to create access key using CreateAccessKey from Lambda function

I am a bit new to AWS.
I am trying to create an AccessKey using a Lambda function,
but it gives an error like this:
An error occurred (AccessDenied) when calling the CreateAccessKey operation: User: arn:aws:sts::12345645465446:assumed-role/mySecretRotate-role-4x67t1v9/mySecretRotate is not authorized to perform: iam:CreateAccessKey on resource: user test_user: ClientError
Q: How to resolve this problem
You can add an inline policy with the iam:CreateAccessKey permission to your mySecretRotate-role role. For example:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:CreateAccessKey",
"Resource": "*"
}
]
}
If you want to be more explicit, you can specify arn of test_user instead of "*" for Resource.
Your Lambda function role does not have the iam:CreateAccessKey permission. There are different ways to grant this permission to your Lambda, see the full documentation here. You can for example add the permission to your "mySecretRotate" role as an inline policy: click on the role and on "Add inline policy" and the visual guide will take you through the process. The resulting policy will look something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:CreateAccessKey",
"Resource": "arn:aws:iam::<account_id>:user/test_user"
}
]
}
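Both answers recommend scoping Resource to the user ARN rather than "*"; the added example below (not code from the original question or answers) shows why that matters and what the rotation step behind a role named mySecretRotate has to cope with. With "*" the function can mint keys for any user in the account, administrators included; with the user ARN it cannot. IAM also caps a user at two access keys, so a rotation that blindly calls CreateAccessKey fails with LimitExceeded once both slots are taken. The account id, the FakeIam client and its pre-loaded keys are constructed so the code runs offline; in the Lambda, pass boto3.client("iam") instead, which exposes the same method names and response shapes.

```python
"""Least-privilege access-key rotation for one IAM user.

Added example, not code from the original post. The account id, user name and
FakeIam client are constructed; boto3.client("iam") is a drop-in replacement.
"""
from datetime import datetime, timezone

ACCOUNT_ID = "123456789012"          # constructed
USER_NAME = "test_user"              # user named in the error message on the page
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/{USER_NAME}"
KEYS_PER_USER = 2                    # IAM quota: at most two access keys per user


def rotation_policy(user_arn):
    """Every action the rotation needs, restricted to a single user ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RotateKeysForOneUser",
            "Effect": "Allow",
            "Action": ["iam:ListAccessKeys", "iam:CreateAccessKey",
                       "iam:UpdateAccessKey", "iam:DeleteAccessKey"],
            "Resource": user_arn,
        }],
    }


def rotate_access_key(iam, user_name):
    """Issue a new key; if the quota is already used up, retire the oldest key
    first (CreateAccessKey would otherwise fail with LimitExceeded).
    Returns (new_key_id, deleted_key_ids)."""
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    keys.sort(key=lambda k: k["CreateDate"])
    deleted = []
    while len(keys) >= KEYS_PER_USER:
        oldest = keys.pop(0)
        iam.delete_access_key(UserName=user_name, AccessKeyId=oldest["AccessKeyId"])
        deleted.append(oldest["AccessKeyId"])
    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # new_key["SecretAccessKey"] is returned only once: hand it to the secret
    # store at this point and never log it.
    return new_key["AccessKeyId"], deleted


class FakeIam:
    """Offline stand-in for the boto3 IAM client that enforces the quota."""

    def __init__(self, keys):
        self.keys = {k["AccessKeyId"]: dict(k) for k in keys}
        self.issued = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.values()
                                      if k["UserName"] == UserName]}

    def create_access_key(self, UserName):
        if sum(k["UserName"] == UserName for k in self.keys.values()) >= KEYS_PER_USER:
            # boto3 raises ClientError with code LimitExceeded here (constructed stand-in).
            raise RuntimeError("LimitExceeded: Cannot exceed quota for AccessKeysPerUser")
        self.issued += 1
        key = {"UserName": UserName, "AccessKeyId": f"AKIAFAKE{self.issued:012d}",
               "Status": "Active", "CreateDate": datetime.now(timezone.utc)}
        self.keys[key["AccessKeyId"]] = key
        return {"AccessKey": dict(key, SecretAccessKey="constructed-secret")}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]


def demo_client():
    """A FakeIam holding two constructed keys for test_user, i.e. quota exhausted."""
    return FakeIam([
        {"UserName": USER_NAME, "AccessKeyId": "AKIAOLD0000000000001", "Status": "Active",
         "CreateDate": datetime(2020, 1, 1, tzinfo=timezone.utc)},
        {"UserName": USER_NAME, "AccessKeyId": "AKIAOLD0000000000002", "Status": "Active",
         "CreateDate": datetime(2021, 1, 1, tzinfo=timezone.utc)},
    ])


if __name__ == "__main__":
    client = demo_client()
    print(rotate_access_key(client, USER_NAME))
    print(sorted(client.keys))
```

A production rotation would normally deactivate the old key (UpdateAccessKey with Status Inactive) and delete it only after the new key has been verified, which is why the policy also carries iam:UpdateAccessKey.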

Codebuild Insufficient Permissions: Account A calling step function in Account B

I am currently trying to add a CodeBuild Action Step (invoking a Step Function) in my CodePipeline deployment process. Specifically, I have a CodePipeline resource in Account A and I have a Step Function defined in Account B. I want to be able to call my Step Function by using the CodeBuild Action step, but I am getting an "Insufficient Permissions" error. The error is below:
Insufficient permissions
An API call to StepFunctions.describeStateMachine (RequestId: XXX) returned a AccessDeniedException error: User: arn:aws:sts::ACCOUNTA:assumed-role/SplitUnitMainStack-pipelinePipelinesplitdeployunit-YVFTJZ8E0Z5U/1640984444652 is not authorized to access this resource
Here is what the permissions look like for the role arn:aws:iam::782665913187:role/SplitUnitMainStack-pipelinePipelinesplitdeployunit-YVFTJZ8E0Z5U:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNTB:role/ExecuteUnitStepFunction"
}
]
}
And here is what the ExecuteUnitStepFunction Role looks like, which is defined in Account B
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"states:StartExecution",
"states:StartSyncExecution",
"states:DescribeStateMachine"
],
"Resource": "arn:aws:states:us-west-1:ACCOUNTB:stateMachine:SimpleStateMachineE8E2CF40-TzPjbhdrazrn",
"Effect": "Allow"
}
]
}
The Trust Relationship for this role is this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNTA:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
I am not sure what I am missing in order to give CodeBuild cross-account permissions to execute my Step Function. One thing I am not sure about is that in the error, there is a set of numbers following the role (1640984444652). I am not sure if this is impacting the permissions or if I am missing a step in order to execute a Step Function across accounts using a CodeBuild action.

What is the AWS Service Principal value for stepfunction?

I'm writing the terraform for creating an IAM role for AWS StepFunctions.
What should be the value for Principal in assume_role_policy?
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"Service": "stepfunctions.amazonaws.com"
},
"Effect": "Allow",
"Sid": ""
}
]
}
I'm getting the error
Error: Error creating IAM Role my_utility_sfn: MalformedPolicyDocument: Invalid principal in policy: "SERVICE":"stepfunctions.amazonaws.com"
The AWS documentation for service endpoints should hold the answer.
Looks like it is states.<region>.amazonaws.com
The principal is states.<region>.amazonaws.com :
https://docs.aws.amazon.com/step-functions/latest/dg/tutorial-lambda-state-machine-cloudformation.html#lambda-state-machine-cfn-create-role
In short, the correct Service Principal for AWS Step Functions is:
states.amazonaws.com

Problem with AWS Lambda and cross account roles

I need to assume a cross account role to get access to an ElasticSearch domain for logging on AWS. Here's what I've done:
First, I have created a cross account role in ACCOUNT1. The role name is LoggerAccessToES and the trust relationship is something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::ACCOUNT1:root",
"arn:aws:iam::ACCOUNT2:root"
]
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Then, on ACCOUNT2, I have created a Lambda function to assume the above role with this code:
sts_client = boto3.client('sts', region_name=Config.AWS_ES_REGION)
assumed_role_object=sts_client.assume_role(
RoleArn="arn:aws:iam::ACCOUNT1:role/LoggerAccessToES",
RoleSessionName="AssumeLoggerAccessToESSession1"
)
When I invoke the lambda (basically the lambda is attached to an SNS topic), I get the error:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
I've already tried everything was suggested by other guys in other questions and I also googled the problem but I couldn't find the resolution. What am I doing wrong here?
From what I understand, you want to assume a role in Account 1 using the Lambda in Account 2.
This would require two roles to be created:
The first role needs to be created in Account 2 and attached to the Lambda. This role needs to have the following permission attached:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT1:role/LoggerAccessToES"
}
]
}
The above policy can be added to your existing Lambda execution role.
For the second part, only the trust relationship of the role LoggerAccessToES needs to be added in Account 1, as shown below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT2:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
The first role policy allows the Lambda to use AssumeRole.
The second policy allows Account 1 to trust the AssumeRole request from Account 2.
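The two halves the answer describes, checked offline, as an added example that is not part of the original question or answer. It covers this Lambda question and the CodeBuild-to-Step-Functions question earlier on the page, which has the same shape: the caller's identity policy must allow sts:AssumeRole on the target role, and the target's trust policy must name the caller's account, role or session. Two points the code makes explicit: a Service principal such as lambda.amazonaws.com lets the Lambda service hand the role to a function as its execution role, but does not admit code that calls sts:AssumeRole under another role's credentials, so the first statement in the posted trust policy contributes nothing to this cross-account hop; and the numeric suffix in the CodeBuild error (1640984444652) is a session name, which policies never match. For the CodeBuild question both halves pass with the documents posted, while the User in its error is still the ACCOUNTA pipeline session, so describeStateMachine was issued with the build's own credentials rather than with credentials returned by AssumeRole. Account ids, the caller role name and the session name are constructed; only Allow statements with exact ARNs are modelled, and Deny, Condition, wildcards, SCPs and permission boundaries are out of scope (assumption).

```python
"""Both halves of a cross-account sts:AssumeRole, checked offline.

Added example, not code from the original post. Account ids, role names and
session names below are constructed stand-ins for the page's ACCOUNT1/ACCOUNT2.
"""

ACCOUNT1 = "111111111111"   # constructed
ACCOUNT2 = "222222222222"   # constructed
TARGET_ROLE = f"arn:aws:iam::{ACCOUNT1}:role/LoggerAccessToES"
# What STS reports for the Lambda's execution role while the function runs.
LAMBDA_CALLER = f"arn:aws:sts::{ACCOUNT2}:assumed-role/LoggerLambdaRole/AssumeLoggerAccessToESSession1"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement", []))


def role_arn_of(caller_arn):
    """arn:aws:sts::ACCT:assumed-role/Name/Session -> arn:aws:iam::ACCT:role/Name.
    The session part is not something a policy can match."""
    parts = caller_arn.split(":", 5)
    if parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        return f"arn:aws:iam::{parts[4]}:role/{parts[5].split('/')[1]}"
    return caller_arn


def caller_side(identity_policies, target_role_arn):
    """Does an identity policy on the caller allow sts:AssumeRole on the target?"""
    for doc in identity_policies:
        for st in _statements(doc):
            if st.get("Effect") != "Allow":
                continue
            actions = {a.lower() for a in _as_list(st.get("Action", []))}
            if not actions & {"sts:assumerole", "sts:*", "*"}:
                continue
            resources = _as_list(st.get("Resource", []))
            if "*" in resources or target_role_arn in resources:
                return True
    return False


def trust_side(trust_policy, caller_arn):
    """Does the target's trust policy admit this caller?"""
    account = caller_arn.split(":")[4]
    accepted = {"*", caller_arn, role_arn_of(caller_arn), account,
                f"arn:aws:iam::{account}:root"}
    for st in _statements(trust_policy):
        if st.get("Effect") != "Allow":
            continue
        if "sts:assumerole" not in {a.lower() for a in _as_list(st.get("Action", []))}:
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            return True
        # Only "AWS" principals can admit a role session calling STS itself;
        # "Service" principals are for the service assuming the role on its own.
        if set(_as_list(principal.get("AWS", []))) & accepted:
            return True
    return False


def assume_role_allowed(caller_arn, identity_policies, target_role_arn, trust_policy):
    """(caller half, trust half): both must be True or STS answers AccessDenied."""
    return (caller_side(identity_policies, target_role_arn),
            trust_side(trust_policy, caller_arn))


# Trust relationship as posted in the question.
TRUST_AS_POSTED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT1}:root", f"arn:aws:iam::{ACCOUNT2}:root"]},
         "Action": "sts:AssumeRole", "Condition": {}},
    ],
}

# The statement the answer adds to the Lambda's execution role in ACCOUNT2.
LAMBDA_ASSUME_PERMISSION = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE}],
}

if __name__ == "__main__":
    print(assume_role_allowed(LAMBDA_CALLER, [], TARGET_ROLE, TRUST_AS_POSTED))
    print(assume_role_allowed(LAMBDA_CALLER, [LAMBDA_ASSUME_PERMISSION], TARGET_ROLE, TRUST_AS_POSTED))
```

The first print gives (False, True): the posted trust policy already admits the Lambda's account, and it is the execution role's missing sts:AssumeRole grant that produces the AccessDenied. After the answer's statement is attached the result is (True, True).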

AWS IAM Role Policy Resource Restriction

I'm relatively new to AWS and am trying to figure out how the role policies work. I've read the AWS documentation, which is very comprehensive, but the policy I'm applying still isn't doing what I expect... let me explain
I'm trying to grant access to a role so that, when it is assumed, it can do stuff with lambda
I've created a role called "deployer".
I've then attached the below policy to that role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": "lambda:*",
"Resource": "arn:aws:iam::<account_id>:role/deployer"
}
]
}
My expectation here is that the Policy says... The specified resource (the deployer role) is "Allowed" to do any action with the Lambda service
However, when I switch to that role in the front end, I get the following error in the Lambda dashboard:
You are not authorized to perform: lambda:GetAccountSettings.
The only solution I've found is to wildcard the Resource attribute in the Policy... however that sort of negates the purpose of trying to restrict access to only that role
Example of the Policy that does what I want
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": "lambda:*",
"Resource": "*"
}
]
}
Could someone explain to me what is actually happening here? I've clearly not understood what the Resource attribute is used for... To me that second Policy says any resource can do anything with Lambda...
Thanks
You're attempting to define the role to apply the policy to in the resource attribute - that's not what the resource attribute is for. The resource attribute relates to the Lambda functions you want the user to be able to call.
To assign this policy to a role, simply create the policy as above (defining your Lambda resources appropriately, which could be a wildcard if you really want to apply this to all your Lambda functions) then assign the policy to a role in the IAM console.
See here for more information on defining resources.
Change
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": "lambda:*",
"Resource": "arn:aws:iam::<account_id>:role/deployer"
}
]
}
to
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Action": "lambda:*",
"Resource": "arn:aws:lambda:<region>:<account_number>:function:my-awesome-lambda-function"
}
]
}
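The rule the answer is relying on, as an added example that is not part of the original question or answers: an action can only ever match a Resource ARN of its own service, so lambda:* paired with an arn:aws:iam:: role ARN is a statement no Lambda request can satisfy, which is exactly why every action was denied. One caveat to the answer's narrowed policy: lambda:GetAccountSettings, the call the console failed on, is one of the Lambda actions that have no resource-level permissions (along with ListFunctions, ListEventSourceMappings and ListLayers) and must be granted on "*"; a policy that lists only function ARNs keeps the dashboard error. The code below flags the mismatch and builds a policy that keeps a "*" statement for those account-level actions and restricts everything else to named functions (including their versions and aliases). Region, account id and function name are constructed placeholders.

```python
"""Resource ARNs must belong to the action's service.

Added example, not code from the original post. The region, account id and
function name are constructed placeholders.
"""

# Lambda actions that accept only "Resource": "*" (no resource-level permissions).
ACCOUNT_LEVEL_LAMBDA_ACTIONS = ["lambda:GetAccountSettings", "lambda:ListEventSourceMappings",
                                "lambda:ListFunctions", "lambda:ListLayers"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement", []))


def _arn_service(resource):
    # "*" matches every service; otherwise the service is the third ARN field.
    return "*" if resource == "*" else resource.split(":")[2]


def unmatchable_actions(statement):
    """Actions in the statement that no listed Resource can ever satisfy."""
    services = {_arn_service(r) for r in _as_list(statement.get("Resource", []))}
    bad = []
    for action in _as_list(statement.get("Action", [])):
        service = action.split(":")[0]
        if service != "*" and "*" not in services and service not in services:
            bad.append(action)
    return bad


def policy_problems(doc):
    """(statement index, action) pairs across a whole policy document."""
    return [(i, a) for i, st in enumerate(_statements(doc)) for a in unmatchable_actions(st)]


def deployer_lambda_policy(region, account_id, function_names):
    """Narrowed form of the answer's policy: account-level reads on "*", every
    other Lambda action restricted to the named functions."""
    arns = []
    for name in function_names:
        base = f"arn:aws:lambda:{region}:{account_id}:function:{name}"
        arns += [base, f"{base}:*"]          # unqualified and version/alias-qualified ARNs
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AccountLevelReads", "Effect": "Allow",
             "Action": ACCOUNT_LEVEL_LAMBDA_ACTIONS, "Resource": "*"},
            {"Sid": "NamedFunctionsOnly", "Effect": "Allow",
             "Action": "lambda:*", "Resource": arns},
        ],
    }


# The statement from the question, with a constructed account id.
POSTED_STATEMENT = {"Sid": "1", "Effect": "Allow", "Action": "lambda:*",
                    "Resource": "arn:aws:iam::123456789012:role/deployer"}

if __name__ == "__main__":
    print(unmatchable_actions(POSTED_STATEMENT))
    print(policy_problems(deployer_lambda_policy("us-east-1", "123456789012",
                                                 ["my-awesome-lambda-function"])))
```

The first print lists lambda:* as unmatchable against the IAM role ARN; the second is empty, because every action in the generated policy has a resource of its own service to match.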