Assign IAM role depending on cognito user-sub (userId) using IAM Condition - amazon-iam

I have a hard time assigning an IAM role to a user depending on the cognito-identity.amazonaws.com:sub key using the Condition element.
When setting up the identity pool using AWS Cognito you can specify an «Authenticated role», where I selected the app-authenticated role.
I have two IAM Roles:
app-authenticated
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "eu-central-1:fa078075-9622-4f0d-8789-700105a9e612"
        },
        "StringNotEquals": {
          "cognito-identity.amazonaws.com:sub": "eu-central-1:555540a6-cd49-44b2-bbd8-02cfa73b3510"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
and
app-authenticated_admin
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "eu-central-1:fa078075-9622-4f0d-8789-700105a9e612",
          "cognito-identity.amazonaws.com:sub": "eu-central-1:555540a6-cd49-44b2-bbd8-02cfa73b3510"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
The problem is that whoever logs in always gets the app-authenticated role, also the one user with the sub «555540a6-cd49-44b2-bbd8-02cfa73b3510» (copied from userPool -> users -> user detail -> sub), which I would expect to get the app-authenticated_admin role. Is anyone experiencing something similar, or am I missing some basic concepts for such a simple scenario?

Try Deny instead of Allow in unauthenticated users.
Also, have you tried user groups in user pools?

Related

How to allow specific AWS lambda the ability to AssumeRole to a specific role

I am working on AWS.
I have a role and 2 lambdas.
I want only those lambdas to run with the role, and the ability to assume role only from those lambdas.
I tried to add the lambdas in the trust relationship of the role and it is not working.
"AssumeRolePolicyDocument": {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111:root",
        "Service": [
          "lambda.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringLike": {
          "lambda:FunctionArn": "arn:aws:lambda:us-east-1:111111:function:service:function_name"
        }
      }
    }
  ]
}
I am getting: The role defined for the function cannot be assumed by Lambda.

User is not authorized to perform: execute-api:Invoke on resource

I'm trying to call an api-gateway endpoint from my web app but getting the error:
User: arn:aws:sts::<number>:assumed-role/my_identity_pool_auth_role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-west-2:********9277:<api-gateway id>/test/GET/theme
I have a user pool set up in which I've created two groups, one of which I'd like to give access to execute the endpoint mentioned above.
The user pool group has an iam role attached with no permissions, but the following trust relationships:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<identity pool id>"
        }
      }
    }
  ]
}
and a tag with:
key: user_role
value: end_user_basic
The identity pool auth role has permissions and trust relationship below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "cognito-identity:*",
        "mobileanalytics:PutEvents",
        "cognito-sync:*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:eu-west-2:*:<api-gateway id>/*/GET/theme",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/user_role": "end_user_basic"
        }
      }
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRoleWithWebIdentity",
        "sts:TagSession"
      ],
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<identity pool id>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
In the identity pool settings, I have 'authenticated role selection' set to 'user default role' and 'attributes for access control' set to 'use custom mappings' with the below:
Tag key for principal: user_role
Attribute name: user_role
And when I make the request, my id token has a payload something like below:
{
  "sub": ...,
  "cognito:groups": [
    "<the correct cognito user group>"
  ],
  "iss": ...,
  "cognito:username": ...,
  "origin_jti": ...,
  "cognito:roles": [
    "<the correct iam role with tag attached>"
  ],
  "aud": ...,
  "event_id": ...,
  "token_use": "id",
  "auth_time": ...,
  "exp": ...,
  "iat": ...,
  "jti": ...,
  "email": ...
}
So the user belongs to the correct group with the correct IAM role applied.
I'm new to AWS so I'm sure I'm missing something daft, but if somebody could point me in the right direction I'd be grateful.
As an aside, if I remove the condition below:
"Condition": {
  "StringEquals": {
    "aws:PrincipalTag/user_role": "end_user_basic"
  }
}
from the identity pool auth role, I can make the API call successfully.

CodeBuild is not authorized to perform: sts:AssumeRole with condition

I am using Terraform to deploy a service role for CodeBuild using a trust policy from this guide.
The service role mentioned in the guide set conditions on the trust policy to avoid the confused deputy problem, but with those conditions CodeBuild is not able to assume the role with this error:
CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::<account-ID>:role/<my-role>
Without the conditions everything works fine.
Any suggestions?
Trust policy from the guide:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<account-ID>"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:codebuild:<region-ID>:<account-ID>:project/<project-name>"
        }
      }
    }
  ]
}
Generated trust policy in my role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<account-ID>"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:codebuild:us-west-2:<account-ID>:project/<my-project>"
        }
      }
    }
  ]
}

AWS Cognito IAM : InvalidSmsRoleTrustRelationshipException: Role does not have a trust relationship allowing Cognito to assume the role

I am trying to create a Cognito user Pool through a lambda function, using Go lang.
The IAM role, IAM policy and the trust relationship policy are getting created successfully.
But when I try to create the Cognito pool, I am getting an error:
InvalidSmsRoleTrustRelationshipException: Role does not have a trust relationship allowing Cognito to assume the role.
The trust relationship policy is
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The Create user Pool API call is as below -
newUserPoolData := &cognitoidentityprovider.CreateUserPoolInput{
    PoolName: aws.String(poolName),
    Policies: &userPoolPolicyType,
    AutoVerifiedAttributes: autoVerifiedAttributes,
    UsernameAttributes: userNameAttributes,
    SmsConfiguration: &smsConfingType,
}
Am I missing something here?

The service role policy should have the service-role path. For example, the ARN should be in the format arn:aws:iam::{ACCOUNT_ID}:role/service-role/{role_name}
The trust relationship should be:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "cognito-idp.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "{External ID}"
        }
      }
    }
  ]
}
And the inline policy of the role should be
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:publish"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Unable to Connect AWS to boxfuse

I am trying to connect Boxfuse to my AWS account.
I am getting the below. Any help is highly appreciated.
`Role with ARN arn:aws:iam::535880694150:role/Boxfuse-access has not been properly configured. Please check your configuration and try again. (AWSSecurityTokenService: AccessDenied -> User: arn:aws:iam::762186188748:user/boxfuse-console is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::535880694150:role/Boxfuse-access)`
I followed the instructions as provided by Boxfuse. Am I missing something? Do I need to do anything special? I used the policy provided by Boxfuse:
{"Version": "2012-10-17","Statement":[
{"Sid":"allow","Effect":"Allow","Resource":["*"],
"Action":["ec2:*","elasticloadbalancing:*","autoscaling:*","rds:*","cloudwatch:*","iam:ListInstanceProfiles","iam:PassRole"]},
{"Sid":"ec2Deny","Effect":"Deny",
"Action":["ec2:*"],"Resource":["*"],"Condition":{"StringEquals":{"ec2:ResourceTag/boxfuse:ignore":"true"}}},
{"Sid":"rdsDeny","Effect":"Deny",
"Action":["rds:*"],"Resource":["*"],"Condition":{"StringEquals":{"rds:db-tag/boxfuse:ignore":"true"}}}]}
This is how my trust relationship in the IAM role policy looks:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::762186188748:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "uxvmGXwfII4944dh"
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

As stated in the instructions, multi-factor access should be turned off. In your case this can be fixed by updating the policy document to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::762186188748:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "uxvmGXwfII4944dh"
        }
      }
    }
  ]
}
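
An added example, not part of the original answer or of Boxfuse's instructions: a simplified local model of how IAM evaluates a trust policy's Condition block, run against the two Boxfuse trust policies above. It goes slightly beyond that case by also handling StringNotEquals and ForAnyValue:StringLike, the operators in the Cognito trust policies at the top of the page. Assumptions: the boxfuse-console user signs sts:AssumeRole with long-term access keys, so the request carries no aws:MultiFactorAuthPresent key at all; `condition_holds`, `TRUST_BEFORE`, `TRUST_AFTER` and `REQUEST` are names made up here.

```python
import re

SUPPORTED = {"StringEquals", "StringNotEquals", "StringLike", "StringNotLike", "Bool"}
NEGATED = {"StringNotEquals", "StringNotLike"}

def _match(op, actual, wanted):
    """Compare one request-context value with one policy value."""
    if op in ("StringEquals", "StringNotEquals"):
        return actual == wanted
    if op in ("StringLike", "StringNotLike"):      # '*' and '?' wildcards
        pattern = re.escape(wanted).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(pattern, actual) is not None
    return str(actual).lower() == str(wanted).lower()   # Bool

def condition_holds(condition, context):
    """Simplified model: AND across operators and keys, OR across values."""
    for full_op, keys in condition.items():
        op = full_op.split(":")[-1]                # drop the 'ForAnyValue:' qualifier
        if full_op.startswith("ForAllValues:") or op not in SUPPORTED:
            raise ValueError(f"operator not modelled: {full_op}")
        negated = op in NEGATED
        for key, wanted in keys.items():
            if key not in context:
                if negated:
                    continue                       # absent key satisfies a negated operator
                return False                       # absent key fails every other operator
            actual = context[key] if isinstance(context[key], list) else [context[key]]
            wanted = wanted if isinstance(wanted, list) else [wanted]
            hit = any(_match(op, a, w) for a in actual for w in wanted)
            if hit == negated:
                return False
    return True

# Condition blocks copied from the two trust policies above.
TRUST_BEFORE = {"StringEquals": {"sts:ExternalId": "uxvmGXwfII4944dh"},
                "Bool": {"aws:MultiFactorAuthPresent": "true"}}
TRUST_AFTER = {"StringEquals": {"sts:ExternalId": "uxvmGXwfII4944dh"}}

# Constructed request context (assumption): AssumeRole signed with an IAM
# user's long-term access key, which carries no MFA key in the context.
REQUEST = {"sts:ExternalId": "uxvmGXwfII4944dh"}

if __name__ == "__main__":
    print("with MFA condition:   ", condition_holds(TRUST_BEFORE, REQUEST))
    print("without MFA condition:", condition_holds(TRUST_AFTER, REQUEST))
```

The external ID match alone is not enough in the first policy: every operator in a Condition block must hold, and a Bool test on a key that is missing from the request evaluates to false.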