I was wondering if someone could tell me what Policy I need to attach to authorize myself for the BrowseNodeLookUp on the Amazon Product Advertisement API. Somehow I can't seem to find any Information on this and for all my request I receive
[Code] => UnauthorizedOperation
[Message] => Your AccessKeyId is not authorized to perform this operation. Please check IAM policies for the Access Key.
So I would very much appreciate a little pointer here
thanks in advance
The Product Advertising API does not support IAM roles. You must use
the root account credentials. (Source)
If you are using an IAM user you must use the root account credentials instead. (So there is no IAM policy for BrowseNodeLookUp - relevant thread on AWS support forums.)
Related
I'm trying to setup my aws cli. I downloaded it and everything worked.
Now I wanted to log in from my powershell script.
Set-AWSCredentials –AccessKey key-name –SecretKey key-name
Because I don't have any users at the moment I had to create one. I have given the user admin rights.
When creating the user aws throws this error:
User: arn:aws:sts::37197122623409:assumed-role/voclabs/user2135080=.... is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::371237422423709:user/.... because no identity-based policy allows the iam:CreateUser action
My first thought was that my education account is having a problem. But I didn't find anything about it. Thanks for your help in advance.
The "voclab" part of the error suggests you are not logged as the account root user but instead assuming a role in an account used for teaching purposes.
This role is probably designed to disallow IAM actions, in order to prevent privilege escalation.
Read
https://docs.aws.amazon.com/singlesignon/latest/userguide/howtogetcredentials.html to get role credentials for the role you're assuming
You can't make any IAM roles, policies or users as a student using voclabs account. AWS Academy does not allow to do that and its a hard limit which you nor your educator can change.
Following this article to set up Cognito auth for AWS Elasticsearch.
https://aws.amazon.com/blogs/database/get-started-with-amazon-elasticsearch-service-use-amazon-cognito-for-kibana-access-control/
Getting an error:
Open Distro for Elasticsearch
Missing Role
No roles available for this user, please contact your system administrator.
Anybody knows why I could get it?
The crucial missing part was the below:
navigate to the Elastisearch domain on your AWS Elasticsearch console page
After this, click on the “Actions” button -> “Modify master user"
Then select “Set IAM ARN as master user” and in the “IAM ARN” field, add the IAM role ARN “arn:aws:iam::<aws_account_id>:role/<My_cognito_auth_role_assigned_to_the_cognito_user_group”
click Submit
If you have enabled Fine-Grained Access Control with your Elasticsearch domain, one of the assumed roles from the Amazon Cognito identity pool must match the IAM role that you specified for the Master User. Considering you have at least two existing IAM roles, one for the Master User and one for more limited users, this guide may help you.
Alternatively you can configure the master user role same as Cognito Authenticated role ARN.
I am writing an application for AWS platform, which was planned to be launched from the root account, with root credentials. At this point I need to stop some of the machines started by the AWS organizations member accounts.
By default AWS organizations doesn't give access to root account to look or manage resources to other member's account. So I tried using temporary credentials and tried to assume a role created by the target account.
More on that here.
https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempSessionTokenJava.html
On the other hand it doesn't allow root account to assume roles, and throws such exception.
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Roles may not be assumed by root accounts. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 7bee7537-48e0-11e9-bb1a-bb36134736e4)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1695) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1350) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1101) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:758) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:732) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:714) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:674) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:656) ~[aws-java-sdk-core-1.11.475.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:520) ~[aws-java-sdk-core-1.11.475.jar:na]
at...
Is there any way get around this problem? For example, somehow to give the root access to everything or let it assume roles?
Firstly, please don't use your Root account! Best practice is to remove access keys from the root account, add an MFA token and lock it away. We have a large AWS Organization structure and we don't use the root accounts for anything other than where it's absolutely required.
See the IAM Best Practices user guide, specifically the section: Lock Away Your AWS Account Root User Access Keys
For your described administrative purposes, use IAM Users
IAM Users can assume Roles. Recommended steps:
Create IAM Group and attach the required policy for admin permissions. The AdministratorAccess policy is an easy pre-built policy that gives full admin access within the current account, but to assume roles into sub-accounts, all you really need to allow is the sts:AssumeRole action.
Creating Your First IAM Admin User and Group
Granting a User Permissions to Switch Roles
Create an IAM User and assign it to the IAM Group.
Adding and Removing Users in an IAM Group
Create the target Role in your sub-accounts with a Policy to allow actions in that sub-account and with a Trust Relationship defined for your IAM user in the master Org account.
Creating a Role to Delegate Permissions to an IAM User
NOTE: Sounds like you may already have this, but check the trust relationship to make sure.
Authenticate your app via IAM user credentials, temp credentials, etc.
NOTE: The temp credentials doc that you linked is for IAM Users, I'd recommend trying it again once you have a proper IAM user setup.
There are many ways to authenticate to AWS services, as another example see: Assuming an IAM Role in the AWS CLI
Additional: Not sure what you're building, but if appropriate, Consider Using Service-linked Roles to directly provide the app the specific permissions it needs--rather than dealing with user credentials.
According to the offical AWS documentation, IAM Roles can also be attached to IAM Users, and not only services.
What would be a valid use case to assign an IAM Role to an IAM User?
Aren't all the cases covered by directly granting (allow/deny) IAM Policies to the users?
TBH my initial impression was thar IAM Roles served the purpose of authorization for the AWS services (so that they can interact with other services), since the latter cannot be addressed in the User context
As you clearly understood, AWS Roles serves the purpose of authentication (with IAM policies for authorization) for AWS services. In contrast, AWS IAM users directly maps towards human user who obtains credentials to login to the AWS Management Console.
However, when granting access to an User outside the AWS Account (e.g; Cross Account Access, AD Authentication Federation) it will require an IAM Role to Assume the permission.
Referring to the documentation you shared, its not a direct IAM User who is getting permission, rather an Active Directory user (External) assuming an IAM Role (Not direct IAM User) to get access to the AWS Resources.
It is an IAM best practice is to assign Roles to AWS users from other AWS accounts in order to delegate permissions. This is to avoid sharing credentials between AWS accounts.
I also wanted to point out, your initial impression about Roles as authorization is not correct. The only IAM resource that is considered authorization are IAM Policies.
This can be seen in the AWS documentation on Understanding IAM and in the following AWS training video: Authentication and Authorization with AWS Identity and Access Management (login required)
The other three basic IAM resources: Users, Groups and Roles are considered part of Authentication.
I'm new to programming. I need to figure out how I can create AWS users, roles and policies programmatically using code.
That task I'm after :
Create a User, Role and Policy
Assign Policy to the Role
Assign Role to the User
Set condition on the Role, that only Users with MFA can assume that Role
Config's should live in S3 bucket
configure a LAMBDA to check the user's role membership and output the result to S3 bucket.
Just trying to figure out where do I start from ? I have a very limited programming experience (can do a bit of PHP).
I have a AWS account, created a user and gave him 'AdministratorAccess' also have user keys for CLI access.
Should I be suing 1)AWS CLI 2) Powershell 3) AWS SDK's 4) AWS API?
Appreciate any help/direction to achieve the above.
Thanks
S
To programmatically create IAM Roles you can use AWS PHP SDK. Refer the IAM Create User section in SDK API reference for more details.
Aside from using specific language AWS SDKs such as suggested by #Ashan, you can do so by using AWS REST API with the following example request:
https://iam.amazonaws.com/?Action=CreateUser
&Path=/division_abc/subdivision_xyz/
&UserName=Bob
&Version=2010-05-08
&AUTHPARAMS
Source - CreateUser