I am trying to connect Boxfuse to my AWS account.
I am getting the error below. Any help is highly appreciated.
`Role with ARN arn:aws:iam::535880694150:role/Boxfuse-access has not been properly configured. Please check your configuration and try again. (AWSSecurityTokenService: AccessDenied -> User: arn:aws:iam::762186188748:user/boxfuse-console is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::535880694150:role/Boxfuse-access)`
I followed the instructions provided by Boxfuse. Am I missing something? Do I need to do anything special? I used the policy provided by Boxfuse:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "allow",
      "Effect": "Allow",
      "Resource": ["*"],
      "Action": [
        "ec2:*",
        "elasticloadbalancing:*",
        "autoscaling:*",
        "rds:*",
        "cloudwatch:*",
        "iam:ListInstanceProfiles",
        "iam:PassRole"
      ]
    },
    {
      "Sid": "ec2Deny",
      "Effect": "Deny",
      "Action": ["ec2:*"],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/boxfuse:ignore": "true"
        }
      }
    },
    {
      "Sid": "rdsDeny",
      "Effect": "Deny",
      "Action": ["rds:*"],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "rds:db-tag/boxfuse:ignore": "true"
        }
      }
    }
  ]
}
This is how the trust relationship of my IAM role looks:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::762186188748:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "uxvmGXwfII4944dh"
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
As stated in the instructions, multi-factor access should be turned off. In your case this can be fixed by updating the policy document to:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::762186188748:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "uxvmGXwfII4944dh"
        }
      }
    }
  ]
}
How do I update the IAM policy below so that the IAM role arn:aws:iam::7574333677569:role/dev-abc-webserver also has permissions?
{
  "Version": "2012-10-17",
  "Id": "Policy1517260196123",
  "Statement": [
    {
      "Sid": "Stmt1432661968133",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::pdf.abc.com/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "24.237.272.151/32",
            "42.69.252.185/32"
          ]
        }
      }
    }
  ]
}
The issue I am facing is that the IAM role doesn't currently have permission.
I want the IAM role to have the same permission set as the IPs have.
We don't need to change the policy; we need to expand what it already grants so that it also grants access to the provided IAM role.
So "Condition": { needs to be expanded so we are checking for our IPs or the IAM role.
I am not able to figure out how to provide access via the IAM role yet.
I did check some AWS documentation but was not able to figure it out.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
Could anyone help me with this issue? Any help would be appreciated.
Since multiple conditions within a statement are always ANDed and never ORed, you need a second statement to grant the permission to other entities. That statement will have a different Principal, and the Condition can be removed.
{
  "Version": "2012-10-17",
  "Id": "Policy1517260196123",
  "Statement": [
    {
      "Sid": "Stmt1432661968133",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::pdf.abc.com/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "24.237.272.151/32",
            "42.69.252.185/32"
          ]
        }
      }
    },
    {
      "Sid": "StmtForRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::7574333677569:role/dev-abc-webserver"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::pdf.abc.com/*"
    }
  ]
}
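Both answers so far rest on the same two evaluation rules: every key inside one Condition block must match (a plain operator such as Bool or StringEquals fails when its key is absent from the request), while separate statements are ORed and any matching Deny overrides every Allow. The following evaluator is an added example, not part of any post on this page and not Boxfuse's or AWS's code. It replays the Boxfuse trust policy from the first question and the bucket policy from this one against constructed requests: the Boxfuse console user calls with long-term access keys, so aws:MultiFactorAuthPresent is missing from its request context and the Bool condition can never match; the webserver role already satisfies the Principal "*" of the original bucket statement but fails its IpAddress condition, until the second statement grants it access without that condition. Simplifications: only the operators used on this page are implemented, an account :root principal is treated as matching every principal in that account, the role ARN is used directly instead of the arn:aws:sts::...:assumed-role/... session ARN a real request carries, and identity policies and SCPs are ignored. The object name invoice.pdf and the address 10.0.0.7 are made up; of the two posted addresses only 42.69.252.185/32 is used, because 24.237.272.151 is not a valid IPv4 literal (an octet above 255).

```python
"""Mini IAM policy evaluator (added example; not Boxfuse's or AWS's code).
Models the rules both answers above rely on: keys in one Condition block are
ANDed and a plain operator fails when its key is absent from the request;
statements are ORed, with any matching Deny overriding every Allow."""
import copy
import fnmatch
import ipaddress

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(condition, ctx):
    """AND across operators and keys; OR across the values listed for a key."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:  # missing key: Bool/StringEquals/IpAddress fail
                return False
            values = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "Bool":
                ok = str(actual).lower() in [str(v).lower() for v in values]
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(v, strict=False) for v in values)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True

def _principal_matches(principal, caller_arn):
    """An account root ARN stands for every IAM principal in that account,
    which is how a trust policy treats arn:aws:iam::<account>:root."""
    if principal == "*":
        return True
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", caller_arn):
            return True
        if p.endswith(":root") and p.split(":")[4] == caller_arn.split(":")[4]:
            return True
    return False

def evaluate(policy, caller_arn, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (_principal_matches(stmt["Principal"], caller_arn)
                and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r)
                        for r in _as_list(stmt.get("Resource", "*")))
                and _condition_matches(stmt.get("Condition", {}), ctx)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny wins over every allow
            decision = "Allow"
    return decision

# Scenario 1: the Boxfuse trust policy from the first question above.
BOXFUSE_USER = "arn:aws:iam::762186188748:user/boxfuse-console"
BOXFUSE_ROLE = "arn:aws:iam::535880694150:role/Boxfuse-access"
BOXFUSE_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::762186188748:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "uxvmGXwfII4944dh"},
                  "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

def boxfuse_decision(keep_mfa_condition, mfa_present):
    """AssumeRole by the Boxfuse console user. With long-term access keys the
    aws:MultiFactorAuthPresent key is absent, so the Bool check cannot pass."""
    policy = copy.deepcopy(BOXFUSE_TRUST)
    if not keep_mfa_condition:
        del policy["Statement"][0]["Condition"]["Bool"]
    ctx = {"sts:ExternalId": "uxvmGXwfII4944dh"}
    if mfa_present:
        ctx["aws:MultiFactorAuthPresent"] = "true"
    return evaluate(policy, BOXFUSE_USER, "sts:AssumeRole", BOXFUSE_ROLE, ctx)

# Scenario 2: the bucket policy, with and without the answer's second statement.
WEBSERVER_ROLE = "arn:aws:iam::7574333677569:role/dev-abc-webserver"
OBJECT = "arn:aws:s3:::pdf.abc.com/invoice.pdf"  # constructed object ARN
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {   # original statement; only one of the two posted IPs is a valid literal
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
        "Resource": "arn:aws:s3:::pdf.abc.com/*",
        "Condition": {"IpAddress": {"aws:SourceIp": ["42.69.252.185/32"]}}},
    {   # statement added by the answer: no Condition, hence no IP restriction
        "Effect": "Allow", "Principal": {"AWS": WEBSERVER_ROLE}, "Action": "s3:*",
        "Resource": "arn:aws:s3:::pdf.abc.com/*"}]}

def bucket_decision(caller_arn, source_ip, with_role_statement=True):
    """s3:GetObject by caller_arn from source_ip. with_role_statement=False is
    the original one-statement policy: Principal "*" already covers the role,
    but the IpAddress condition in the same statement still has to hold."""
    policy = copy.deepcopy(BUCKET_POLICY)
    if not with_role_statement:
        del policy["Statement"][1]
    return evaluate(policy, caller_arn, "s3:GetObject", OBJECT, {"aws:SourceIp": source_ip})
```

boxfuse_decision(True, False) returns "ImplicitDeny" and becomes "Allow" either when the Bool condition is dropped, as the answer suggests, or when the caller really does present MFA; bucket_decision(WEBSERVER_ROLE, "10.0.0.7", with_role_statement=False) returns "ImplicitDeny" and "Allow" once the second statement is present, while a caller outside the listed IP that is not the role stays denied in both versions.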
I have Terraform code that generates a trusted entity like this, which is attached to a role for cross-account access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::444555666:root",
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "444-555-666-777-888"
        }
      }
    }
  ]
}
If I intend to allow the AWS account with an external ID to assume the role, and I also want the AWS Backup service to assume the role, is the generated resource policy correct?
I don't know if the policy engine will pick up the condition and try to apply it to the account and also to the service, which is not desired.
Does anybody know if this is correct? Are these kinds of more complex rules documented by AWS? I have only found info about simpler rules.
I guess a way to ensure correctness would be to separate both needs into different statements, but this is what Terraform generates out of the provided HCL.
Thanks
The statement will not be in effect until the condition is met, according to the AWS condition documentation.
You will need another trust statement, such as the example below.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "backup.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "444-555-666-777-888"
        }
      }
    }
  ]
}
I am using Terraform to deploy a service role for CodeBuild, using a trust policy from this guide.
The service role in the guide sets conditions on the trust policy to avoid the confused deputy problem, but with those conditions CodeBuild is not able to assume the role, with this error:
CodeBuild is not authorized to perform: sts:AssumeRole on arn:aws:iam::<account-ID>:role/<my-role>
Without the conditions everything works fine.
Any suggestions?
Trust policy from the guide:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<account-ID>"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:codebuild:<region-ID>:<account-ID>:project/<project-name>"
        }
      }
    }
  ]
}
Generated trust policy in my role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "codebuild.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "<account-ID>"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:codebuild:us-west-2:<account-ID>:project/<my-project>"
        }
      }
    }
  ]
}
I have created an IAM user (without MFA) and attached the policy below to the user. This is to make sure that calls to S3 use MFA. But when I use the access keys for this user via the AWS CLI, I am able to perform the S3 operation aws s3 ls without any authorization error.
Am I doing something wrong, or is it a bug in AWS?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
I'm not exactly sure why the policy statement in the OP is not working. But
I did attach the AmazonS3FullAccess policy together with one of the policies below, and it behaves as expected: with the long-term credentials I am not able to perform S3 operations, and with temporary credentials authenticated with MFA I am able to perform the S3 operations.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Effect": "Deny",
      "Resource": "*",
      "Action": "s3:*",
      "Condition": {
        "Null": {
          "aws:MultiFactorAuthAge": true
        }
      }
    }
  ]
}
You are using Allow, but you should be using Deny, as explained in the AWS docs. Example:
{
  "Version": "2012-10-17",
  "Id": "123",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/taxdocuments/*",
      "Condition": { "Null": { "aws:MultiFactorAuthAge": true } }
    }
  ]
}
Read the AWS docs carefully, as you can lock yourself out of the bucket if you use Deny incorrectly.
I was trying to enforce a policy that allows only SSL access.
However, after attaching the policy, I now get "You don't have permissions" on every single thing in this bucket, including the Permissions tab and the Bucket Policy section.
I am the admin, and I do have all S3 access permissions in IAM for my user.
This is the policy:
{
  "Id": "Policy98421321896",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "MustBeEncryptedInTransit",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::cf-templates-98d9d7a96z21x-us-east-1",
        "arn:aws:s3:::cf-templates-98d9d7a96z21x-us-east-1/*"
      ],
      "Condition": {
        "ArnEqualsIfExists": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
My questions are:
How do I restore permissions to this bucket?
And how should I correctly set this policy?
When you want to add a condition that checks a Boolean value, it should use the "Bool" key with a valid value:
"Condition": {
  "Bool": {
    "aws:SecureTransport": "true"
  }
}
What you are trying to achieve is described in this article, and you can adapt it to your needs:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/
{
  "Id": "ExamplePolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSSLRequestsOnly",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
        "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      },
      "Principal": "*"
    }
  ]
}
About the second part of your question: you can reset the permissions using your root account, as it has god-level permissions. But it is strange that updating a bucket policy changes your IAM policies so that you can't access certain parts of the S3 config. Maybe something else is missing here.
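The last three questions on this page (the Terraform trust policy with two principals under one Condition, the MFA policy that still let aws s3 ls through, and the SSL-only bucket policy that locked its owner out) share one root cause: a condition operator or placement that does not do what its author intended, and that the policy editor accepts without complaint. The linter below is an added example, not part of any post here and not AWS tooling; its rule names and messages are its own. Rule bool-operator flags a Boolean context key (aws:SecureTransport, aws:MultiFactorAuthPresent) under an operator outside the Bool family, such as the ArnEqualsIfExists in the posted bucket policy. Rule allow-ifexists-mfa flags an Allow whose MFA check uses an ...IfExists operator: that operator also matches when the key is absent, which is exactly the long-term access key case, so the Allow passes without MFA and a Deny (with BoolIfExists false, or Null on aws:MultiFactorAuthAge) is the right shape, as the two answers above say. Rule shared-condition flags a statement whose single Condition block sits over both an AWS and a Service principal, since a condition is evaluated for every principal the statement names and the asker's instinct to split the statement is the fix. The sample policies are copied from the posts, with the SSL policy parameterised by operator so the posted and the corrected form can be compared; the script inspects the document only and does not evaluate requests.

```python
"""Static checks for the condition mistakes discussed on this page
(added example; rule names and messages are this script's own, not AWS's)."""

# Context keys that carry a Boolean value and so need a Bool-family operator.
BOOLEAN_KEYS = {"aws:SecureTransport", "aws:MultiFactorAuthPresent"}
BOOL_OPERATORS = {"Bool", "BoolIfExists", "Null"}


def _conditions(stmt):
    """Yield (operator, key, value) for every entry in a statement's Condition."""
    for operator, keys in stmt.get("Condition", {}).items():
        for key, value in keys.items():
            yield operator, key, value


def lint_statement(stmt):
    """Return a list of (rule, message) findings for one policy statement."""
    findings = []
    conds = list(_conditions(stmt))
    principal = stmt.get("Principal", {})

    for op, key, _ in conds:
        # Rule 1: a Boolean key under a string/ARN operator. The SSL-only bucket
        # policy above used ArnEqualsIfExists and locked the bucket owner out.
        if key in BOOLEAN_KEYS and op not in BOOL_OPERATORS:
            findings.append(("bool-operator",
                             f"{key} compared with {op}; use Bool or BoolIfExists"))
        # Rule 2: Allow + ...IfExists on the MFA key also matches when the key is
        # absent, which is exactly the long-term access key case it should block.
        if (stmt.get("Effect") == "Allow" and key == "aws:MultiFactorAuthPresent"
                and op.endswith("IfExists")):
            findings.append(("allow-ifexists-mfa",
                             "Allow with an IfExists MFA check passes without MFA; "
                             "use a Deny with BoolIfExists false or Null "
                             "aws:MultiFactorAuthAge instead"))

    # Rule 3: one Condition block applies to every principal in the statement,
    # so the ExternalId check is also applied to the service principal's request.
    if conds and isinstance(principal, dict) and {"AWS", "Service"} <= set(principal):
        findings.append(("shared-condition",
                         "Condition applies to both the AWS and the Service "
                         "principal; split them into separate statements"))
    return findings


def lint_policy(policy):
    """Map each statement (by Sid, or by index when the Sid is empty) to its rule ids."""
    report = {}
    for i, stmt in enumerate(policy["Statement"]):
        label = stmt.get("Sid") or f"Statement[{i}]"
        report[label] = [rule for rule, _ in lint_statement(stmt)]
    return report


# The policies from the three questions above, as posted.
TERRAFORM_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Sid": "", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::444555666:root",
                  "Service": "backup.amazonaws.com"},
    "Condition": {"StringEquals": {"sts:ExternalId": "444-555-666-777-888"}}}]}

MFA_ALLOW = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}}]}

MFA_DENY = {"Version": "2012-10-17", "Statement": [{  # the working Deny form
    "Effect": "Deny", "Action": "s3:*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def ssl_only_policy(operator):
    """The bucket policy from the last question; operator is what wraps
    aws:SecureTransport ("ArnEqualsIfExists" as posted, "Bool" as corrected)."""
    return {"Id": "Policy98421321896", "Version": "2012-10-17", "Statement": [{
        "Sid": "MustBeEncryptedInTransit", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::cf-templates-98d9d7a96z21x-us-east-1",
                     "arn:aws:s3:::cf-templates-98d9d7a96z21x-us-east-1/*"],
        "Condition": {operator: {"aws:SecureTransport": "false"}}}]}
```

lint_policy(TERRAFORM_TRUST) reports shared-condition, lint_policy(MFA_ALLOW) reports allow-ifexists-mfa while MFA_DENY is clean, and lint_policy(ssl_only_policy("ArnEqualsIfExists")) reports bool-operator for MustBeEncryptedInTransit while the "Bool" variant is clean. Because these are checks on the document rather than on a live request, they can run in CI against Terraform plan output before the policy ever reaches an account.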