One of the things that drives me nuts is that AWS has loads of docs about the format of an ARN, but doesn't have any kind of generator to make you confident that the ARN is correct.
In IAM, I'm trying to set up a policy to allow access to an API Gateway and I've read the following docs about it:
http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html#api-gateway-control-access-using-iam-policies
http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-apigateway
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.policies.arn.html
But I can't get any ARN to validate, even just a wide open API Gateway ARN. See screenshot:
What am I doing wrong here?
From the documentation: To create an IAM policy using the Policy Generator in the IAM console, select Manage Amazon API Gateway as AWS Service to set permissions statements for apigateway and select Amazon API Gateway as AWS Service to set permission statements for execute-api.
If you are creating a policy to manage creating/editing your API, then you will need to select Manage - Amazon API Gateway and then use * to give permission for all resources. If you want to give permissions for specific resources, then use this format: (note that the service name is apigateway)
arn:aws:apigateway:region::resource-path-specifier.
If you are creating a policy to manage invoking your API, then you will need to select Amazon API Gateway and then use * to give permission for all resources. If you want to give permissions for specific resources, then use this format: (note that the service name is execute-api)
arn:aws:execute-api:region:account-id:api-id/stage-name/HTTP-VERB/resource-path-specifier.
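The missing "generator" the question asks for, as an added example that is not part of the original post or of any AWS tool: it builds the two documented ARN shapes, checks a candidate ARN against them, and emits a least-privilege invoke policy. The account id and API id below are constructed sample values; the checker is deliberately strict and wants every execute-api field present (each may be `*`).

```python
import json
import re

# Shapes from the two documented formats above. Management ARNs use the
# "apigateway" service and an EMPTY account field (note the "::"); invocation
# ARNs use "execute-api" and carry api-id/stage/verb/path after the account.
_MANAGE = re.compile(r"^arn:aws:apigateway:(?P<region>[a-z0-9-]+|\*)::(?P<path>/\S*|\*)$")
_INVOKE = re.compile(
    r"^arn:aws:execute-api:(?P<region>[a-z0-9-]+|\*):(?P<account>\d{12}|\*):"
    r"(?P<api_id>[a-z0-9]+|\*)/(?P<stage>[^/]+)/"
    r"(?P<verb>GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS|\*)/(?P<path>.*)$"
)

def management_arn(region, resource_path):
    """ARN for apigateway:* (create/edit) actions, e.g. '/restapis/<id>/*'."""
    return f"arn:aws:apigateway:{region}::{resource_path}"

def invoke_arn(region, account_id, api_id, stage="*", verb="*", path="*"):
    """ARN for execute-api:Invoke; narrow stage/verb/path for least privilege."""
    return f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/{verb}/{path}"

def parse_arn(arn):
    """Return the ARN's fields plus the service it targets, or None when it
    matches neither documented shape (the usual reason the console rejects it).
    Strict on purpose: a wildcard is allowed per field, not as a substitute
    for the remaining fields."""
    for service, pattern in (("apigateway", _MANAGE), ("execute-api", _INVOKE)):
        m = pattern.match(arn)
        if m:
            return {"service": service, **m.groupdict()}
    return None

def invoke_policy(arns):
    """Policy allowing only invocation of the given ARNs. Every ARN is
    validated first so a typo cannot silently yield a policy that never
    matches (or matches more than intended)."""
    bad = [a for a in arns if (parse_arn(a) or {}).get("service") != "execute-api"]
    if bad:
        raise ValueError(f"not execute-api ARNs: {bad}")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "execute-api:Invoke",
                           "Resource": list(arns)}]}

if __name__ == "__main__":
    # Constructed sample values (not a real account or API id).
    arn = invoke_arn("eu-west-1", "123456789012", "a1b2c3d4e5", "prod", "GET", "pets/*")
    print(json.dumps(invoke_policy([arn]), indent=2))
```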
I have resources like below:
Account A: API Gateway REST API
Account B: AppSync API
Now I want to use AppSync API in account B to call my API Gateway from account A. How should the permissions be set up?
I know for sure that it works with the usage of a resource policy in API Gateway, and then in AppSync I need to have an IAM role attached to the data source that allows invoking my resources.
But I wanted to do it using IAM roles since they give me more flexibility.
I've created a role in Account A that provides a policy to invoke API Gateway and I've added Account B in the trust relationship; now how can I assume this role in my AppSync account? I cannot do it while creating a data source (HTTP endpoint) because it gives me "Cross-account pass role is not allowed". Is it even possible to do this using roles?
We started initially by defining roles with the admin access policy attached. But now we want them to have a policy with only the specific permissions that are the minimum needed and do not create any issues for using these roles.
Looking at the "Access Advisor" tab on each role in the AWS IAM console, it gives a good amount of information about exactly which AWS services are getting used, and permission-level information only for EC2, IAM, Lambda, and S3 management actions. But for the rest of the AWS services, it is missing what specific permission for that particular service is required.
I also do not have AWS Organizations master account access, as mentioned in this tutorial: Viewing last accessed information for Organizations.
So is there a way I can get the permissions level info for services other than EC2, IAM, Lambda, and S3 management actions?
Thanks.
So is there a way I can get the permissions level info for services other than EC2, IAM, Lambda, and S3 management actions?
Sadly, there is no such way provided by AWS. So basically it's a try-and-see approach to get what you want. You can try some third-party tools, which may be helpful, such as zero-iam, but ultimately you will need a custom solution to match your requirements.
There is also IAM Access Analyzer, which is different than Access Advisor. But it's also limited to some services only.
I want to call API Gateway from our own backend, which is an ECS cluster, and I want to use IAM authorization. Is there any way to not manually sign the request using an Access Key and Secret Key?
For example, when Lambda calls KMS to decrypt environment variables, there is no need to configure the AWS SDK. Wondering if there's a similar thing for API Gateway.
It is definitely possible; even more, it's a security best practice. You can assign IAM roles to all computing services of AWS: Lambda, EC2, ECS, Beanstalk, etc. On ECS you can assign IAM roles to your tasks.
It gives a great benefit, which is well described in official docs:
Benefits of Using IAM Roles for Tasks
Credential Isolation: A container can only retrieve credentials for the IAM role that is defined in the task definition to which it belongs; a container never has access to credentials that are intended for another container that belongs to another task.
Authorization: Unauthorized containers cannot access IAM role credentials defined for other tasks.
Auditability: Access and event logging is available through CloudTrail to ensure retrospective auditing. Task credentials have a context of taskArn that is attached to the session, so CloudTrail logs show which task is using which role.
This link will help you: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
What is the easiest way to get the user/role used to update/upload an object to S3?
The object is still in the bucket. Just want to know who did it.
Tried the CLI, didn't find anything. CloudTrail could be an option as well, I guess.
The easiest way would be to enable S3 server access logging:
AWS Console -> S3 -> Choose your bucket -> Properties -> Choose target bucket (where you want your logs to be stored) -> Save
Each request is saved as one row in logs. It's not just for get requests, it's for all types of requests.
In logs, you would look for Requester:
The canonical user ID of the requester, or a - for unauthenticated requests. If the requester was an IAM user, this field returns the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes.
You can see more details in official documentation:
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
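Reading the Requester field out of those logs to answer "who wrote this object", as an added example that is not part of the original answer: a parser for the space-delimited S3 server access log record (bracketed timestamp and quoted fields contain spaces, so a plain split() breaks) and a filter for successful object writes to one key. The log lines are constructed samples with fake ids.

```python
import re

# Field order of an S3 server access log record (first 18 documented fields;
# trailing fields such as host id and TLS version are ignored by this parser).
FIELDS = [
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
    "object_size", "total_time", "turnaround_time", "referrer", "user_agent",
    "version_id",
]
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
# Operations that create or replace an object: plain upload, multipart
# completion, copy. Reads, ACL changes and deletes are deliberately excluded.
WRITE_OPS = {"REST.PUT.OBJECT", "REST.POST.UPLOAD", "REST.COPY.OBJECT"}

def parse_line(line):
    """Parse one record into a dict keyed by FIELDS (delimiters stripped)."""
    tokens = [t[1:-1] if t[0] in '["' else t for t in _TOKEN.findall(line)]
    return dict(zip(FIELDS, tokens))

def writers_of(log_text, key):
    """Return (time, requester, operation) for every successful write of
    `key`, in log order. Requester is an IAM/STS ARN, or '-' if anonymous."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if (rec["key"] == key and rec["operation"] in WRITE_OPS
                and rec["http_status"].startswith("2")):
            hits.append((rec["time"], rec["requester"], rec["operation"]))
    return hits

# Constructed sample records (fake account, ids and addresses).
SAMPLE_LOG = """\
79a59df9EXAMPLEOWNER example-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE REST.PUT.OBJECT reports/q1.csv "PUT /reports/q1.csv HTTP/1.1" 200 - - 4096 12 3 "-" "aws-cli/2.13.0" -
79a59df9EXAMPLEOWNER example-bucket [06/Feb/2019:00:05:12 +0000] 198.51.100.7 arn:aws:sts::123456789012:assumed-role/deploy-role/ci-run-42 7F3E57427EXAMPLE REST.PUT.OBJECT reports/q1.csv "PUT /reports/q1.csv HTTP/1.1" 200 - - 5120 15 4 "-" "aws-sdk-go/1.44" -
79a59df9EXAMPLEOWNER example-bucket [06/Feb/2019:00:07:00 +0000] 203.0.113.9 - 9A1B2C3DEXAMPLE REST.GET.OBJECT reports/q1.csv "GET /reports/q1.csv HTTP/1.1" 403 AccessDenied - 5120 8 - "-" "Mozilla/5.0" -
"""

if __name__ == "__main__":
    for when, who, op in writers_of(SAMPLE_LOG, "reports/q1.csv"):
        print(when, who, op)
```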
From Logging Amazon S3 API Calls by Using AWS CloudTrail - Amazon Simple Storage Service:
Amazon S3 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon S3. CloudTrail captures a subset of API calls for Amazon S3 as events, including calls from the Amazon S3 console and from code calls to the Amazon S3 APIs.
I am new to AWS infra and am currently doing some POC/feasibility work for new work.
So I have created an S3 bucket on the Ireland server, trained and published a SageMaker endpoint on the Ireland server, and it's giving results in a Jupyter notebook there. Now I want to use that endpoint in my browser JavaScript library to show some graphics. When I try to test my endpoint in Postman, it gives a region-specific error:
{
"message": "Credential should be scoped to a valid region, not 'us-east-1'.
Credential should be scoped to correct service: 'sagemaker'. "
}
My AWS account is not yet enterprise managed, so I am using it as the 'root user'. Whenever I go to my profile > Security Credentials page and generate any security credential, it always creates it for the 'us-east-1' region. As SageMaker is a region-specific service, I am not able to find a way to create a region-specific security key for the root user. Can someone please help?
You should create an IAM role first that defines what should be permitted (mainly calling the invoke-endpoint API call for SageMaker runtime). Then you should create an IAM user, add the above role to that user, and then generate credentials that you can use in your Postman to call the service. Here you can find some details about the IAM role for SageMaker that you can use in this process: https://docs.aws.amazon.com/sagemaker/latest/dg/using-identity-based-policies.html
A popular option to achieve external access to a SageMaker endpoint is to create an API Gateway that calls a Lambda function, which then calls the invoke-endpoint API. This chain gives you various options, such as different authentication options for the users and API keys as part of API Gateway, processing the user input and inference output in API Gateway and Lambda code, and giving the permission to call the SageMaker endpoint to the Lambda function. This chain removes the need for credential creation, update and distribution.
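The Lambda half of that API Gateway -> Lambda -> invoke-endpoint chain, as an added example that is not part of the original answer: a proxy-integration handler that validates the caller's payload, calls the endpoint with the Lambda execution role's own credentials (no access keys in code; the role needs sagemaker:InvokeEndpoint on that endpoint), and maps inference failures to an HTTP status. The SAGEMAKER_ENDPOINT_NAME variable and the LocalRuntime stub are assumptions of this example so it runs offline.

```python
import base64
import io
import json
import os

# Assumed environment variable set on the function; boto3 is imported lazily so
# the handler can be exercised offline with a stand-in runtime (below).
ENDPOINT_NAME = os.environ.get("SAGEMAKER_ENDPOINT_NAME", "my-endpoint")
MAX_BODY_BYTES = 64 * 1024  # reject oversized payloads before they reach the model

class LocalRuntime:
    """Offline stand-in for boto3's 'sagemaker-runtime' client: echoes the body."""
    def invoke_endpoint(self, EndpointName, ContentType, Body):
        assert EndpointName == ENDPOINT_NAME
        return {"Body": io.BytesIO(Body)}

def _response(status, payload):
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}

def invoke_model(body_bytes, content_type, runtime):
    """Send the caller's payload to the endpoint and return the raw model output."""
    resp = runtime.invoke_endpoint(EndpointName=ENDPOINT_NAME,
                                   ContentType=content_type, Body=body_bytes)
    return resp["Body"].read().decode("utf-8")

def handler(event, context, runtime=None):
    """API Gateway (Lambda proxy integration) entry point."""
    raw = event.get("body") or ""
    body = base64.b64decode(raw) if event.get("isBase64Encoded") else raw.encode("utf-8")
    if not body:
        return _response(400, {"error": "empty request body"})
    if len(body) > MAX_BODY_BYTES:
        return _response(413, {"error": "payload too large"})
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    content_type = headers.get("content-type", "application/json")
    if runtime is None:
        import boto3  # credentials come from the execution role, never from code
        runtime = boto3.client("sagemaker-runtime")
    try:
        result = invoke_model(body, content_type, runtime)
    except Exception as exc:  # e.g. botocore ModelError / ValidationError
        return _response(502, {"error": f"inference failed: {type(exc).__name__}"})
    return _response(200, {"prediction": result})

if __name__ == "__main__":
    print(handler({"body": "0.91", "headers": {"Content-Type": "text/csv"}}, None, LocalRuntime()))
```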