I spent the last 2 hours trying to create a policy that would give all the permissions to an user for a specific load balancer.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "elasticloadbalancing:*",
"Resource": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/core"
}
]
}
I checked '123456789012' multiple times to be the correct. I took the 'Account Id' attribute from here.
I checked 'core' multiple times and even tried to replace it with '*' but it didn't work.
I also double checked the region to make sure it's the correct one.
On the other hand, if I replace the whole ARN with '*', it works but I don't want this, I want it to be specific to a load balancer.
Thanks,
Gabriel
the name was correct, the problem was about how AWS works. You have to let the user describe the resource before giving him permissions. Here is a policy that works:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:*"
],
"Resource": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/core"
}
]
}
Thanks
Related
We are using AWS MediaConverter to convert videos to mp4 format. But MediaConvrter is giving this error in the job:
Unable to write to output file [s3://{path_to_file}]: [Failed to write data: Access Denied]
Obviously, MediaConverter doesn't have write access to bucker, but I don't know how to give them to it.
We have following policy for S3:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{CloudFront-origin}"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::{S3-bucket}/*"
},
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{role-for-our-API}",
"arn:aws:iam::{MediaConverter-role}"
]
},
"Action": "*",
"Resource": "arn:aws:s3:::{S3-bucket}/*"
}
]
}
Our ACL gives Write, List permission only for Bucket Owner. Previously everyone could List and Write objects and MediaConverter worked, but we found this we could not accept List and Write permissions for everyone.
Block public access is off for every point.
IAM user that we using for API and Role that we are using for MediaConverter have all the permissions for S3 (AmazonS3FullAccess).
Appreciate any help, thank you.
I would like to make sure you have set the AccessControl to BUCKET_OWNER_FULL_CONTROL in Mediaconvert job settings. It sounds like this isn't being set in the job settings and since the bucket requires the objects to be set with the Bucket owner full control ACL.
Setting can be found under all the Output Group settings, under destination settings.
"DestinationSettings": {
"S3Settings": {
"AccessControl": {
"CannedAcl": "BUCKET_OWNER_FULL_CONTROL"
}
}
Regards
Michael
#uliaadamchuk Try to create a new role(ex: media-converter) and add the Role ARN to the Job Setting:
Step 1: Go to IAM Role > Create Role > look for MediaConverter and attach AmazonS3FullAccess and AmazonAPIGatewayInvokeFullAccess (optional) policies or use JSON version below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
Step 2: In the Media Converter Job Settings > Settings> Add IAM Role> add the Role ARN: ex- "arn:aws:iam::741xxxxxx:role/media-converter"
Step 3: Create the job and check whether now its working or not !!
I believe that the configuration should be as follow. Please note the changes in "Action" and "Resource" where you were missing top level bucket.
{
"Sid": "2",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{role-for-our-API}",
"arn:aws:iam::{MediaConverter-role}"
]
},
"Action": "s3:*",
"Resource": ["arn:aws:s3:::{S3-bucket}","arn:aws:s3:::{S3-bucket}/*" ]
}
I had the same problem. I was using the default MediaConvert role which I had modified and it didn't have permission for what I was trying to do.
So, I made a new role for MediaConvert.
Name it MediaConvertRole.
Policies
Note: click "Attach policies" button, these are pre-made policies provided by Amazon. You don't have to create these from scratch yourself.
AmazonS3FullAccess
Whose policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"s3-object-lambda:*"
],
"Resource": "*"
}
]
}
AmazonAPIGatewayInvokeFullAccess
Whose policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke",
"execute-api:ManageConnections"
],
"Resource": "arn:aws:execute-api:*:*:*"
}
]
}
When you create your MediaConvert job, make sure to select the right role:
I initially tried with all the json policies in the below link.
https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/iam-identity-based-access-control-cwl.html#customer-managed-policies-cwl
And i finally got a solution of giving "list, read, write" access to one specific loggroup for an IAM user by using below JSON policy. But it is able to see the list of other log groups as well. As per the below JSON policy i tired limiting the resource for listing as well. It didn't work.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"logs:GetLogRecord",
"logs:DescribeLogGroups"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"logs:Describe*",
"logs:FilterLogEvents",
"logs:GetLogEvents"
],
"Resource": "arn:aws:logs:us-east-1:XXXXXXXXXXXX:log-group:/aws/lambda/XXXX:log-stream:*"
}
]
}
But then i found the tagging as a solution and tried tagging the loggroup and user with same tag and tried below JSON policy. That didn't work either.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:*"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringLike": {
"logs:ResourceTag/Team": "Green"
}
}
}
]
}
Please can someone kindly suggest a way where i could give access to one specific IAM user for only one group to either, list&read or list,read&write. But that user should not be able to see the other log groups.
But it is able to see the list of other log groups as well
That's not something you can do typically within AWS. Generally IAM permissions can't affect on the result of an API action. It can't filter it to only show something in particular. This is one the reasons AWS recommends to isolate workloads by using different accounts, as API calls are only scoped to one account.
In this case, you can either not give access at all or give access to list everything.
Should an IAM User say called User1 be given full access like so:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Could it also be used to create Amazon API calls? Is this a security risk or should I create another user just to access the Amazpn API Gateway?
You should never give an IAM user full privileges. So many things could go wrong, and yes it may very well be a security risk.
If you need to manage (create, configure, or deploy) your API in API Gateway with this IAM user, you can give the user this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": "arn:aws:apigateway:*::/*"
}
]
}
Or, if you only need to invoke the API, you can use this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": "arn:aws:execute-api:*:*:*"
}
]
}
I need to create policy that would allow user to create spot requests, but with specific subnet and security group only. This is what I did:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RequestSpotInstances",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:image/ami-*",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-af016c92",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-12a34d3c",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-f0e844cd",
"arn:aws:ec2:us-east-1:123456789012:subnet/subnet-026ae728",
"arn:aws:ec2:us-east-1:123456789012:key-pair/*",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-b5dd94cd",
"arn:aws:ec2:us-east-1:123456789012:security-group/sg-3bda8c42"
]
}
]
}
But my spot request creation still fails:
botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the RequestSpotInstances operation: You are not authorized to perform this operation.
What is the minimum subset of permissions for RequestSpotInstances action?
Is there some possibility to debug this?
I know this is an old issue, but I just ran across the same issue in my environment. The solution for me was adding an IAM permission for "PassRole"
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1479335761363",
"Action": [
"ec2:DescribeInstances",
"ec2:RequestSpotInstances",
"ec2:RunInstances",
"iam:PassRole"
],
"Effect": "Allow",
"Resource": "*"
}]
}
According to the EC2 docs (here), ec2:RequestSpotInstances is an action which falls into the category of "Unsupported Resource-Level Permissions." Unfortunately, you will have to set the resource tag to all resources, like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RequestSpotInstances",
"Resource": [ "*" ]
}
]
}
As far as debugging goes, don't forget about the IAM policy simulator, which can be accessed from the AWS Console => IAM => User page.
I follow this link documentation
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#ex5
I want to provide a user specific Image Launch permission which specified tag, "department=dev".
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:region::image/ami-*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/department": "dev"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:region:account:instance/*",
"arn:aws:ec2:region:account:volume/*",
"arn:aws:ec2:region:account:key-pair/project_keypair",
"arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"
]
}
]
}
I also added a separated Describe police because i am using interface not cli .
But when i launch instances its show initialization failed and stop . I decode the error message and it provide me
{
"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"it
ems\":[]},\"context\":{\"principal\":{\"id\":\"AIDAJXOEQNA64A677DGQO\",\"name\":\"DevOps1\",\"arn\":\"arn:aws:iam::95524
6940111:user/DevOps1\"},\"action\":\"ec2:RunInstances\",\"resource\":\"arn:aws:ec2:us-east-1:955246940111:network-interf
ace/*\",\"conditions\":{\"items\":[{\"key\":\"ec2:Subnet\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1:955
246940111:subnet/subnet-9d25b5b6\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"ke
y\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"us-east-1c\"}]}},{\"key\":\"ec2:Vpc\",\"values\":{\"ite
ms\":[{\"value\":\"arn:aws:ec2:us-east-1:955246940111:vpc/vpc-ebeed48e\"}]}}]}}}"
Please help
Try adding
"arn:aws:ec2:us-east-1:955246940111:network-interface/*"
to the resource list in the policy.
That's what the decoded auth message is reporting as missing/wrong.
Also make sure you replace any instances of region and account with the actual values in your policy, assuming you haven't already.