AWS malformed policy error - amazon-web-services

I am trying to set an AWS group policy via the AWS CLI like so:
aws iam put-group-policy --group-name my-group --policy-name \
s3-full-access --policy-document /tmp/policy.json
This is the content of /tmp/policy.json:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::my-bucket*"
        }
    ]
}
I keep getting the following error:
A client error (MalformedPolicyDocument) occurred when calling the PutGroupPolicy operation: The policy is not in the valid JSON format.
I do not know how to proceed; the error is too unspecific. Anyone able to help?

Solved this riddle!
There has to be a file:// prefix in front of the policy file name:
aws iam put-group-policy --group-name my-group --policy-name s3-full-access --policy-document file:///tmp/policy.json
The original error message is very misleading, as you get the same message if you provide a filename that does not exist at all.
So it is not the syntax of the policy in the file but the fact that the CLI does not see the file at all that causes the error.

I was facing the same issue on Windows 10 and this helped me.
**file** followed by **two forward slashes**, like "file://"
**Path on Windows 10** followed by **backslashes**, like "c:\Users\Anand\Desktop\anand-jan19.json"
C:\Users\Anand>aws iam create-policy --policy-name anand-jan19 --policy-document file://c:\Users\Anand\Desktop\anand-jan19.json
{
    "Policy": {
        "PolicyName": "anand-jan19",
        "PolicyId": "EQWEQBV33ewrwYCRCS",
        "Arn": "arn:aws:iam::56433378:policy/anand-jan19",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 0,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "CreateDate": "2019-02-10T04:03:32Z",
        "UpdateDate": "2019-02-10T04:03:32Z"
    }
}

PS command, example 1:
aws iam create-role --role-name vmimport --assume-role-policy-document file:///policy/trust-policy.json
Actual path: C:\policy\trust-policy.json

PS command, example 2:
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document file:///policy/role-policy.json
Actual path: C:\policy\role-policy.json

Related

Why can't I access my bucket from an assumed role?

I have an S3 bucket with no attached ACLs or policies. It was created by terraform like so:
resource "aws_s3_bucket" "runners_cache" {
  bucket = var.runners_cache.bucket
}
I created a role and attached a policy to it; see the following console log for details
$ aws iam get-role --role-name bootstrap-test-bootstrapper
{
    "Role": {
        "Path": "/bootstrap-test/",
        "RoleName": "bootstrap-test-bootstrapper",
        "RoleId": "#SNIP",
        "Arn": "arn:aws:iam::#SNIP:role/bootstrap-test/bootstrap-test-bootstrapper",
        ... #SNIP
$ aws iam list-attached-role-policies --role-name bootstrap-test-bootstrapper
{
    "AttachedPolicies": [
        {
            "PolicyName": "bootstrap-test-bootstrapper",
            "PolicyArn": "arn:aws:iam::#SNIP:policy/bootstrap-test/bootstrap-test-bootstrapper"
        },
        ... #SNIP
$ aws iam get-policy --policy-arn arn:aws:iam::#SNIP:policy/bootstrap-test/bootstrap-test-runner
{
    "Policy": {
        "PolicyName": "bootstrap-test-runner",
        "PolicyId": "#SNIP",
        "Arn": "arn:aws:iam::#SNIP:policy/bootstrap-test/bootstrap-test-runner",
        "Path": "/bootstrap-test/",
        "DefaultVersionId": "v7",
        ... #SNIP
$ aws iam get-policy-version --policy-arn arn:aws:iam::#SNIP:policy/bootstrap-test/bootstrap-test-runner --version-id v7
{
    "PolicyVersion": {
        "Document": {
            "Statement": [
                {
                    "Action": [
                        "s3:AbortMultipartUpload",
                        "s3:CompleteMultipartUpload",
                        "s3:ListBucket",
                        "s3:PutObject",
                        "s3:GetObject",
                        "s3:DeleteObject",
                        "s3:PutObjectAcl"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:s3:::#SNIP-runners-cache/*",
                        "arn:aws:s3:::#SNIP-cloud-infrastructure-terraform-states/*"
                    ]
                },
                {
                    "Action": [
                        "s3:*"
                    ],
                    "Effect": "Allow",
                    "Resource": [
                        "arn:aws:s3:::*"
                    ]
                }
            ],
            "Version": "2012-10-17"
        },
        "VersionId": "v7",
        "IsDefaultVersion": true,
        "CreateDate": "2022-08-18T14:16:33+00:00"
    }
}
tl;dr this role has an attached policy that allows full access to s3 within the account.
I can successfully assume this role:
$ aws sts assume-role --role-arn arn:aws:iam::#SNIP:role/bootstrap-test/bootstrap-test-bootstrapper --role-session-name test123
{ ... #REDACTED }
$ export AWS_ACCESS_KEY_ID=ASIA2 #REDACTED
$ export AWS_SECRET_ACCESS_KEY=8 #REDACTED
$ export AWS_SESSION_TOKEN=IQoJb #REDACTED
$ aws sts get-caller-identity
{
    "UserId": "#SNIP",
    "Account": "#SNIP",
    "Arn": "arn:aws:sts::#SNIP:assumed-role/bootstrap-test-bootstrapper/test123"
}
However, once I do this, I no longer have access to S3:
$ aws s3 ls #SNIP-runners-cache
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
$ aws s3 ls
An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
What am I missing? Is there some default behavior that prevents access to S3? How should I go about debugging these 403 errors?
It is easy to get over-obsessed with the details of the policy and forget about the role itself. In this case the permissions boundary went unnoticed in the CLI, but it is quite easy to see in the web console.
Indeed, @luk2302 was right, the limiting factor was a permissions boundary. After removing it from the role, access to S3 was restored.
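Added example (not from the question or the answer): a toy evaluator showing why the role's s3:* Allow is not enough once a permissions boundary is attached, because the effective permissions are the intersection of the identity policy and the boundary. The boundary policy and bucket ARN are constructed; Conditions, resource policies and SCPs are left out of the model. For the record, `aws iam get-role` does report an attached boundary under Role.PermissionsBoundary, so it is visible from the CLI as well.

```python
import fnmatch

def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style wildcard match ('*' any run, '?' one char). Actions compare case-insensitively, ARNs do not."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _effects(policy: dict, action: str, resource: str) -> set:
    """Effects of every statement whose Action and Resource both match the request (Conditions ignored)."""
    found = set()
    for stmt in policy.get("Statement", []):
        if any(_matches(a, action, True) for a in _as_list(stmt["Action"])) and \
           any(_matches(r, resource, False) for r in _as_list(stmt["Resource"])):
            found.add(stmt["Effect"])
    return found

def is_allowed(identity_policy: dict, action: str, resource: str, boundary=None) -> bool:
    """Simplified same-account evaluation: an explicit Deny anywhere wins; otherwise the request needs an
    Allow from the identity policy AND, if a permissions boundary is attached, an Allow from the boundary too."""
    ident = _effects(identity_policy, action, resource)
    bound = _effects(boundary, action, resource) if boundary is not None else {"Allow"}
    if "Deny" in ident or "Deny" in bound:
        return False
    return "Allow" in ident and "Allow" in bound

# Constructed sample: the s3:* statement from the question's policy, plus a boundary that never mentions S3.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "sts:*"], "Resource": "*"}]}

def demo() -> dict:
    bucket = "arn:aws:s3:::example-runners-cache"  # constructed bucket ARN, not the asker's
    return {
        "no boundary": is_allowed(ROLE_POLICY, "s3:ListBucket", bucket),
        "with boundary": is_allowed(ROLE_POLICY, "s3:ListBucket", bucket, BOUNDARY),
        "boundary allows, policy silent": is_allowed(ROLE_POLICY, "ec2:DescribeInstances", "*", BOUNDARY),
    }
```

The third case shows the intersection cuts both ways: an action the boundary permits is still denied when the identity policy says nothing about it.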

Getting "Invalid json" error when creating iam-role using aws cli

I'm getting an error when trying to create a new role using aws cli.
Here is the error message.
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json
In order to create a role, I run the following command.
aws iam create-role --path /role-service/ --role-name Test-Role --assume-role-policy-document policy.json
and the policy.json is
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "cognito-idp.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "d611c8fd-0fd1-469a-a5ea-b02186042023"
                }
            }
        }
    ]
}
You should be using file:// as explained in:
Loading AWS CLI parameters from a file
Therefore, you can try the following if policy.json is in your current working directory:
aws iam create-role --path /role-service/ --role-name Test-Role --assume-role-policy-document file://policy.json

Invalid policy role due to malformed Json? AWS

I am following this tutorial: https://bernhardwenzel.com/articles/using-clojure-with-aws-lambda/
the json for the policy is as shown:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
but when I run
aws iam create-role \
--role-name basic_lambda_role \
--assume-role-policy-document fileb://resources/trust_relationship.json
I get
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json
Not sure what the problem is here.
I tried fixing the file path or removing the b but I can't seem to figure it out.
Your policy is fine.
I think the error comes from fileb which should be used for binary data, such as UserData in ec2.
The following form should be used (use file, not fileb):
aws iam create-role \
--role-name basic_lambda_role \
--assume-role-policy-document file://resources/trust_relationship.json

An error occurred (ValidationError) when calling the PutRolePolicy operation: The specified value for policyDocument is invalid

I am about to create an AWS cluster, so I wanted to set up an IAM role for the cluster. I have followed the tutorial, but once I typed this command
aws iam put-role-policy --role-name UdacityFlaskDeployCBKubectlRole --policy-name eks-describe --policy-document file:///tmp/iam-role-policy
I got this error -_-:
An error occurred (ValidationError) when calling the PutRolePolicy operation: The specified value for policyDocument is invalid. It must contain only printable ASCII characters.
This is the command I used to create the policy
echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:Describe*", "ssm:GetParameters" ], "Resource": "*" } ] }' > /tmp/iam-role-policy
I am still stuck here; any help?
I have used another way to get around the error.
Using Git bash Terminal
Create a role policy document that also allows the actions "eks:Describe*" and "ssm:GetParameters". You can do this by setting an environment variable with the role policy:
I used the variable instead of redirecting to a file, which is what caused the issue for me.
EKS_DESCRIBE="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": [ \"eks:Describe*\", \"ssm:GetParameters\" ], \"Resource\": \"*\" } ] }"
Check that EKS_DESCRIBE was really created by running echo $EKS_DESCRIBE:
$ echo $EKS_DESCRIBE
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "eks:Describe*", "ssm:GetParameters" ], "Resource": "*" } ] }
Attach the policy to the role:
aws iam put-role-policy --role-name UdacityFlaskDeployCBKubectlRole --policy-name eks-describe --policy-document "$EKS_DESCRIBE"
Another possible way is using Windows cmd.
Using Windows cmd
Create the policy using the set command:
set EKS_DESCRIBE="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Action\": [ \"eks:Describe*\", \"ssm:GetParameters\" ], \"Resource\": \"*\" } ] }"
Check the variable:
echo %EKS_DESCRIBE%
Attach the policy to the 'UdacityFlaskDeployCBKubectlRole'. You can do this using awscli:
aws iam put-role-policy --role-name UdacityFlaskDeployCBKubectlRole --policy-name eks-describe --policy-document %EKS_DESCRIBE%
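Added example (mine, not code from any of the posts above): a Python pre-flight check that mimics how the AWS CLI resolves a --policy-document value and then validates the result along the lines IAM does. It covers the three failure modes on this page together: a bare path is sent to IAM as the literal string (the "invalid Json" errors in the file:// questions above), fileb:// delivers bytes instead of text, and a file saved as UTF-16 with a BOM (which is what Windows PowerShell 5.1's > redirect produces) trips the printable-ASCII rule seen in this question. The policy text, temporary files and the printable-ASCII set are constructed by me; the set is my approximation of IAM's rule.

```python
import json
import tempfile
from pathlib import Path

# IAM accepts printable ASCII plus tab, newline and carriage return (my approximation of the rule).
PRINTABLE_ASCII = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def resolve_cli_param(value: str):
    """Mimic how the AWS CLI interprets a parameter value: file:// -> file contents as text,
    fileb:// -> raw bytes (meant for binary blobs such as EC2 UserData), anything else ->
    the literal string, so a bare path like "policy.json" is sent to the API as-is."""
    if value.startswith("file://"):
        return Path(value[len("file://"):]).read_bytes().decode("utf-8", errors="replace")
    if value.startswith("fileb://"):
        return Path(value[len("fileb://"):]).read_bytes()
    return value

def check_policy_document(doc) -> list:
    """Return the problems IAM would reject this document for (empty list: looks fine)."""
    if isinstance(doc, bytes):
        return ["fileb:// yields raw bytes; the policy document is a string parameter, use file://"]
    bad = sorted({f"U+{ord(c):04X}" for c in doc if ord(c) not in PRINTABLE_ASCII})
    problems = ["characters outside printable ASCII: " + ", ".join(bad[:5])] if bad else []
    try:
        parsed = json.loads(doc)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON ({exc.msg}); a bare path reaches IAM as the literal string")
        return problems
    if not isinstance(parsed, dict) or "Statement" not in parsed:
        problems.append("JSON parsed but has no top-level 'Statement'")
    return problems

def demo() -> dict:
    """Run the checker over constructed inputs; the policy text is the eks-describe one from the question."""
    policy = ('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
              '"Action": ["eks:Describe*", "ssm:GetParameters"], "Resource": "*"}]}')
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "iam-role-policy")
        good.write_text(policy, encoding="utf-8")
        # Windows PowerShell 5.1's '>' redirect writes UTF-16LE with a BOM; reproduce that here.
        utf16 = Path(tmp, "iam-role-policy-ps")
        utf16.write_bytes(policy.encode("utf-16"))
        return {
            "bare path": check_policy_document(resolve_cli_param(str(good))),
            "file://": check_policy_document(resolve_cli_param(f"file://{good}")),
            "fileb://": check_policy_document(resolve_cli_param(f"fileb://{good}")),
            "file:// on UTF-16 file": check_policy_document(resolve_cli_param(f"file://{utf16}")),
        }
```

Only the "file://" entry of demo() comes back empty; the other three reproduce, offline, the three error messages quoted on this page.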

Invalid policy role JSON

I am following this tutorial:
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-cli-tutorial-fargate.html
the json for a policy is as shown:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
but when I run:
aws iam --region us-west-2 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document task-execution-assume-role.json
I get:
An error occurred (MalformedPolicyDocument) when calling the
CreateRole operation: This policy contains invalid Json
I know the filepath is right, because if it's wrong I get a different error. At first I thought it was "invalid json" because "sid" is an empty string, I removed that property and got the same error.
Anyone know what's wrong here?
You need to specify the assume-role-policy-document as file://task-execution-assume-role.json.
From the documentation you linked:
aws iam --region us-west-2 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://task-execution-assume-role.json
It's not a very intuitive error that the CLI throws because of the missing file://...
aws iam --region us-west-2 create-role \
--role-name ecsTaskExecutionRole \
--assume-role-policy-document task-execution-assume-role.json
An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json
With the added file://, the create goes through:
aws iam --region us-west-2 create-role \
--role-name ecsTaskExecutionRole \
--assume-role-policy-document file://task-execution-assume-role.json
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ecs-tasks.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROA2ZHAP3GUV5UTOV5ZF",
        "CreateDate": "2019-07-31T23:15:04Z",
        "RoleName": "ecsTaskExecutionRole",
        "Path": "/",
        "Arn": "arn:aws:iam::*******:role/ecsTaskExecutionRole"
    }
}
Yes, this is not clearly documented - you need to provide the file path to the JSON AFTER the file:// tag.
For example file:///Users/user/Desktop/trust-policy.json
If you have the file in the same folder, you can execute it as follows.
aws iam create-role --role-name TestRole --assume-role-policy-document file://./IAM_Trust_Policy.json --profile XXX-XXX
Here the file IAM_Trust_Policy.json is located in the same folder and is referred to as file://./IAM_Trust_Policy.json
{
    "Id": "Policy1650533705078",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1650533484709",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::mys3staticwebstiehosting/",
            "Principal": ""
        }
    ]
}