while testing the chatbot using messenger, it shows "Error: The IAM Role is not properly configured for Lex"
how to IAM in aws such that it should work using IAM role
For my app, the IAM role is 'AWSServiceRoleForLexBots', and it integrates with the Facebook messenger.
If you navigate to 'Security, Identity & Compliance' services on AWS console, pick IAM. Further, under 'Create individual IAM users', check the 'Access Advisor' section in the user configuration.
If you have the Administrator access, AWS should create 'AWSServiceRoleForLexBots' automatically for your profile.
Hope it helps!
Related
AWS Elasticsearch fine grained access control uses Open Distro Elasticsearch security. Using this feature authorization can be handled inside the Elasticsearch. https://opendistro.github.io/for-elasticsearch-docs/docs/security/access-control/users-roles/#create-roles
AWS Documentation suggests to use the Open Distro Elasticsearch documentation, to use security Rest APIs, such as creating role or reading role.
You can create new roles for fine-grained access control using Kibana or the _opendistro/_security operation in the REST API. For more information, see the Open Distro for Elasticsearch documentation.
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html
There are roles inside Elasticsearch using which we can control the authorization permissions of IAM user/role. This is done using Role mapping by adding IAM user into Users list or IAM role into backend role.
I added my IAM role into Elasticsearch backend role and I am able to execute below APIs,
PUT /my_index
PUT /_template/template_for_my_index
But when I execute below API, I am getting below response.
PATCH /_opendistro/_security/api/rolesmapping/my_role_inside_elasticsearch
{'statusCode': 200, 'headers': {'Access-Control-Allow-Origin': '*'}, 'isBase64Encoded': False, 'body': '{"status":"FORBIDDEN","message":"No permission to access REST API: User arn:aws:iam::123456789:role/myIamRole with Open Distro Security Roles [all_access] does not have any role privileged for admin access. No ssl info found in request."}'}
I tried adding IAM role into Elasticsearch all_access and also into my own Elasticsearch role which has * permissions(all permissions).
How to grant access to IAM Role/User to create role inside AWS Elasticsearch?
Note: IAM Roles and Elasticsearch Roles are different.
To grant permission to an IAM user/role to access opendsitro apis, you have to give the IAM entity permissions similar to master user. You have two options to do so:
Either make that IAM entity the new master user via aws opensearch cli/console.
Map the IAM user/role to all_access as well as security_manager thereby adding it as an additional master user.
Note: For IAM user, the arn needs to be added under users, whereas for IAM role, the arn needs to be added under backend_roles in the role mapping section.
More details: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html#fgac-more-masters
Can you clarify if you were able to successfully map the IAM user/role to all_access? Your question is not clear on that.
Following this article to set up Cognito auth for AWS Elasticsearch.
https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-use-amazon-cognito-for-kibana-access-control/
Getting an error:
Open Distro for Elasticsearch
Missing Role
No roles available for this user, please contact your system administrator.
Anybody knows why I could get it?
The crucial missing part was the below:
navigate to the Elastisearch domain on your AWS Elasticsearch console page
After this, click on the “Actions” button -> “Modify master user"
Then select “Set IAM ARN as master user” and in the “IAM ARN” field, add the IAM role ARN “arn:aws:iam::<aws_account_id>:role/<My_cognito_auth_role_assigned_to_the_cognito_user_group”
click Submit
If you have enabled Fine-Grained Access Control with your Elasticsearch domain, one of the assumed roles from the Amazon Cognito identity pool must match the IAM role that you specified for the Master User. Considering you have at least two existing IAM roles, one for the Master User and one for more limited users, this guide may help you.
Alternatively you can configure the master user role same as Cognito Authenticated role ARN.
I want a run a python boto3 scrip from my local machine using Pycharm. I am having config file setup in my machine that contains different roles based on the accounts. Say for example I want to execute the scrip using dev-power user that is included in the config file. But I am getting the below error:
"botocore.exceptions.NoCredentialsError: Unable to locate credentials"
Could you please let me know the process by which I can do this from local IDE?
You cannot use IAM Role to access AWS services from your development environment. An IAM Role can only be attached to an IAM User or an AWS service and cannot be used for programmatic access.
For programmatic access to different AWS services you will need to create an IAM User which will have access to required services or has a role attached to it with specific policies.
Reference :
AWS IAM Roles
AWS IAM Users
IAM User provides "access-key" and "secrete-key" which can be configured on your machine to access the services from your development environment.
Reference :
AWS Access Credentials
Setting up your AWS credentials
According to the offical AWS documentation, IAM Roles can also be attached to IAM Users, and not only services.
What would be a valid use case to assign an IAM Role to an IAM User?
Aren't all the cases covered by directly granting (allow/deny) IAM Policies to the users?
TBH my initial impression was thar IAM Roles served the purpose of authorization for the AWS services (so that they can interact with other services), since the latter cannot be addressed in the User context
As you clearly understood, AWS Roles serves the purpose of authentication (with IAM policies for authorization) for AWS services. In contrast, AWS IAM users directly maps towards human user who obtains credentials to login to the AWS Management Console.
However, when granting access to an User outside the AWS Account (e.g; Cross Account Access, AD Authentication Federation) it will require an IAM Role to Assume the permission.
Referring to the documentation you shared, its not a direct IAM User who is getting permission, rather an Active Directory user (External) assuming an IAM Role (Not direct IAM User) to get access to the AWS Resources.
It is an IAM best practice is to assign Roles to AWS users from other AWS accounts in order to delegate permissions. This is to avoid sharing credentials between AWS accounts.
I also wanted to point out, your initial impression about Roles as authorization is not correct. The only IAM resource that is considered authorization are IAM Policies.
This can be seen in the AWS documentation on Understanding IAM and in the following AWS training video: Authentication and Authorization with AWS Identity and Access Management (login required)
The other three basic IAM resources: Users, Groups and Roles are considered part of Authentication.
I'm new to programming. I need to figure out how I can create AWS users, roles and policies programmatically using code.
That task I'm after :
Create a User, Role and Policy
Assign Policy to the Role
Assign Role to the User
Set condition on the Role, that only Users with MFA can assume that Role
Config's should live in S3 bucket
configure a LAMBDA to check the user's role membership and output the result to S3 bucket.
Just trying to figure out where do I start from ? I have a very limited programming experience (can do a bit of PHP).
I have a AWS account, created a user and gave him 'AdministratorAccess' also have user keys for CLI access.
Should I be suing 1)AWS CLI 2) Powershell 3) AWS SDK's 4) AWS API?
Appreciate any help/direction to achieve the above.
Thanks
S
To programmatically create IAM Roles you can use AWS PHP SDK. Refer the IAM Create User section in SDK API reference for more details.
Aside from using specific language AWS SDKs such as suggested by #Ashan, you can do so by using AWS REST API with the following example request:
https://iam.amazonaws.com/?Action=CreateUser
&Path=/division_abc/subdivision_xyz/
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Source - CreateUser