Questions tagged [amazon-iam]

0 votes, 0 answers, 2 views

How to pass a role to cli command “aws cloudformation deploy” or “sam deploy”?

I am creating a cloudformation stack using a SAM template and the CLI. I have successfully done this using an account that gets all the required permissions from policies directly attached to it. It's poor security practice to give this account all these permissions so I've created a role with the s...
Harfel Jaquez
1 vote, 1 answer, 301 views

Cloudformation LaunchTemplate referencing IamInstanceProfile fails to create

I am trying to create a LaunchTemplate, which references an IamInstanceProfile, in my CloudFormation stack. Here is the code (I have omitted the irrelevant parts): ... Resources: ServerLaunchTemplate: Type: 'AWS::EC2::LaunchTemplate' Properties: LaunchTemplateData: InstanceType: !Ref InstanceType Sec...
1 vote, 2 answers, 43 views

Access AWS services from Apache Nifi running on AWS

I have a NiFi instance running on an EC2 machine and I am trying to access a restricted S3 bucket. Because generating access keys manually is not recommended, I want to give the machine the proper IAM role for accessing the outside bucket. I gave the EC2 machine a role which seems to work for every...
Ethan McCue
1 vote, 1 answer, 31 views

How do I create an IAM user with privileges to view the account's billing information?

I added both the Administrator and Billing policies to the admin group that I created, and added a user admin1 to this group. When I log in as admin1, I get an error message saying I don't have privileges to see the billing information of the account. What am I missing? Use Case: In my startup, I want to...
karthiks
1 vote, 0 answers, 65 views

S3: what is the correct design for invalidation of presigned urls?

As it turned out, there is no API for invalidating presigned URLs, but it is possible to drop access from an IAM policy. If I have a service with many users (in a Cognito User Pool), what is the correct design for some kind of URL invalidation? Do I need to have as many IAM accounts as users I have?...
Vitaly Zdanevich
1 vote, 0 answers, 1.3k views

Python code gets error: botocore.exceptions.NoCredentialsError: Unable to locate credentials

I got an error like this: botocore.exceptions.NoCredentialsError: Unable to locate credentials when I was running the following code: # setup AWS Connection details awsSession = boto3.Session(profile_name='opsdev') def getInfoFromDynamoDB(service): client = awsSession.client('kms') dynamodb = awsSessi...
Besides Penguin
1 vote, 0 answers, 62 views

Setting IAM role for Lambda after login with Cognito on iOS

I'm having trouble when trying to connect AWSCognito to AWSLambda to pass an Auth role into it. My application has a serverless architecture based on CognitoUserPools, Lambda and IAM. So I have one configuration for all these things like the following: let credentialsProvider = AWSCognitoCredentia...
wolltone
1 vote, 0 answers, 159 views

Unable to sts:AssumeRoleWithWebIdentity for a Cognito user

I have a simple use case: authenticate a user using AWS Cognito and then assume a role to be able to do something useful (read from S3 in my case). Apparently I am missing something very obvious. I am using a pure web HTTP client with Cognito authentication (so Cognito can federate other identity pro...
gusto2
1 vote, 0 answers, 165 views

How to give an IAM Role access to an Elasticsearch domain in AWS?

I have an IAM Role for my Federated Identity Pool in Cognito. I want to give this role access to my Elasticsearch domain. I added an inline policy to give read access to my Elasticsearch domain name using the new visual editor. I've attached this policy below. I'm confused how to configure the acces...
Berry Blue
1 vote, 2 answers, 663 views

Getting Access Denied for pulling object from S3 bucket from ECS using IAM Role

I am trying to get some encrypted connection parameters from an S3 bucket in my sample Spring application. Here is the method I am using to run inside a container: public void encryptionOnly_KmsManagedKey() throws NoSuchAlgorithmException { AmazonS3Encryption s3Encryption = AmazonS3EncryptionClientBuild...
amiivas
1 vote, 1 answer, 242 views

Connect to existing EC2 from Lambda Python boto API using IAM role

I want to SSH to an existing EC2 instance and execute commands from Lambda Python (boto) code without using a pem key or anything. I need to connect using an IAM role. Is there any way?
Nizamudeen
1 vote, 0 answers, 97 views

Adapt AWS's Mobile React Starter Kit to give Read access to Unauthenticated Users?

The AWS Mobile React Starter Kit is great, but it doesn't let users see anything without logging in first. I'd like to build a web app where unauthenticated users can query parts of the database, but can't make any edits. I've tried poking around in the AWS configuration, but so far I've only brok...
carpiediem
1 vote, 0 answers, 48 views

AWS ElasticSearch - restrict or filter data in Kibana

I have a managed ElasticSearch set up in AWS. I have researched how to apply resource or IAM policies to restrict access to ES domains, etc. However, what I was looking to do was possibly filter what an app team can see in the included Kibana dashboard based upon an IAM policy. Is there some way to...
Mike
1 vote, 1 answer, 96 views

AWS/Cognito/IAM Error with Unauth role

This message was originally posted on the AWS Developer Forums, but it seems like the AWS crowd is on SO, so I'm duplicating it here. Hi there, I'm an absolute AWS beginner so I'll try to be as clear as possible. I'm trying to use the JS API to allow any user on my site to upload videos to S3 (this...
Quentin
1 vote, 1 answer, 194 views

AWS iam:ListRolePolicies permissions error on all IAM service

I have a problem. I'm using an AWS Educate account, and when I try to follow tutorials (the Lambda one in this case), I can't create/modify roles. So, I go to the IAM dedicated page, and in this page, I can't create, edit or delete Users / Roles / Groups etc. When I create a role, this role is always a...
Ar. Lie
1 vote, 0 answers, 97 views

Get JUST ROLESESSIONNAME for use in an iam policy placeholder variable

In the context of an assumed role (in my case a role assumed by SAML logged-in users) the ${aws:userid} in an IAM policy maps to ROLEID:ROLESESSIONNAME. That sucks because I can't plug that in for Resources which I was planning on naming after the ROLESESSIONNAME (like IAM user accounts for example)....
red888
1 vote, 0 answers, 347 views

Unable to put object into S3 bucket after assuming role

I see the below error when trying to put an object into an S3 bucket in a different account after assuming a role. However, I was able to list all the objects under the bucket. 'errorMessage': 'An error occurred (AccessDenied) when calling the PutObject operation: Access Denied', 'errorType': 'ClientErr...
Punter Vicky
1 vote, 1 answer, 895 views

Managed policy for a role in an AWS CloudFormation stack

Using AWS, I'm building a CloudFormation stack defining: a Managed Policy called MyPolicy; a Role called MyRole that should attach that policy. The stack will be created by an admin; and once created, the goal is to allow (from outside the stack) some users to assume MyRole. My question: How should...
Jav
1 vote, 1 answer, 130 views

DynamoDB Fine-Grained Access Control and secondary indexes

So, I am currently making a DynamoDB table with multiple indexes and trying to manage access control. I have a key (organizationId) that I do not want to use as my secondary indexes' partition or sort key, because it would be pretty much pointless query-wise. DynamoDB table Table name: Executions Par...
ElFitz
9 votes, 2 answers, 4.5k views

AWS Lambda triggered by PUT to s3 bucket in separate account

I am trying to trigger a Lambda function to run on update to an S3 bucket. The S3 bucket that I am attempting to have trigger the Lambda is in a separate AWS account. The approach I have tried is setting up a role in the account with the S3 bucket that has all the privileges on the S3 bucket. Th...
BBS
1 vote, 1 answer, 53 views

Variables in AWS ARN

I am currently trying out Serverless for AWS Lambda and I am currently stuck on the policy side in order for Serverless to be able to deploy. I've searched around for what the necessary policies are and I've found this particular policy { 'Effect': 'Allow', 'Action': [ 'cloudformation:CreateStack',...
Karias Bolster
1 vote, 0 answers, 65 views

Assume/switch role in AWS Toolkit for Eclipse 2.0

I am using AWS Toolkit for Eclipse 2.0. Using the options (Window -> Preferences -> AWS Toolkit) I have configured the IAM/login user API access key ID and secret access key. According to our AWS configuration, this IAM user has to assume a role to view/access any resources in our environment. I am doing...
user12
1 vote, 0 answers, 239 views

[fog][WARNING] Unable to fetch credentials: No route to host - connect(2) -(Errno::EHOSTUNREACH)

Hi, I configured CarrierWave with Amazon S3 in Ruby on Rails. The console shows me this message: [fog][WARNING] Unable to fetch credentials: No route to host - connect(2) -(Errno::EHOSTUNREACH) And my app lags on load, but when I tried to upload a file the application hangs but the file is upload...
HalleyRios
1 vote, 0 answers, 476 views

Connecting to Amazon Aurora with AWS IAM DB authentication

I know that with Amazon Aurora MySQL, we can authenticate to the DB instance or DB cluster using AWS IAM database authentication. I followed the instructions here and it is working as instructed. However, this solution still needs the AWS credentials to be stored on the EC2 instance. I thought the w...
Malgi
1 vote, 0 answers, 62 views

Grant read access to S3 bucket owner for native backup across AWS accounts

In AWS, I create a SQL Server native backup to an S3 bucket owned by a secondary AWS account. How can I automatically give a secondary account's role(s)/users read access to a backup file/object? During an ordinary file copy to a secondary S3 account, I can use (PowerShell) Set-S3ACL ... -CannedACLName '...
typpo
1 vote, 0 answers, 50 views

Is there any way to determine what IAM permissions I actually need for a CloudFormation template?

Just wondering what's the best practice for determining what permissions I should give for my CloudFormation template? After some time of trying to give the minimal permissions it requires, I find that that's really time consuming and error prone. I note that depending on the state of my stack, really...
Jiew Meng
1 vote, 0 answers, 238 views

Calling assume_role results in an “InvalidClientTokenId” error

I cannot give too many details due to confidentiality, but I will try to specify as best as I can. I have an AWS role that is going to be used to call an API and has the correct permissions. I am using Boto3 to attempt to assume the role. In my Python code I have sts_client = boto3.client('sts') res...
Jake
1 vote, 0 answers, 51 views

Spark - S3 - Access & Secret Key configured in code, is overridden with IAM Role

I am working on creating a Spark job in Java which explicitly specifies an IAM user with access & secret key at runtime. It can read or write to S3 with no issue on a local machine using the keys. However, when I promote the job to Cloudera Oozie, it keeps picking up the IAM role attached to the EC2 instance (whic...
Yohan Chung
1 vote, 2 answers, 250 views

AWS instance profile vs IAM user role

In terms of security, which option is better for handling permissions on a Jenkins EC2 instance, an instance profile or an IAM user with a role? An instance profile allows anyone who has access to the box to run the specified aws cli commands. With an IAM Jenkins user, one could limit who is able to...
Colin
1 vote, 1 answer, 170 views

AWS IAM: Restrict access for CLI, but not Management Console

When applying a permission policy to an IAM User, is it possible to restrict access to the client they are using? Specifically, AWS Management Console vs CLI? (Perhaps using a Resource Condition?) I want to allow a user to perform an action using the AWS Management Console, but not the CLI. My curre...
Jordan Arseno
1 vote, 0 answers, 144 views

Accessing AWS athena service from databricks using athena JDBC Driver (Simba jdbc jar)

I created a Java application to connect to Athena using the AthenaJDBC jar (v4.2) and I am running that jar from a Databricks notebook to execute queries. It works fine but I need to pass the IAM user credentials (Access Key and Secret Key) for making the connection to Athena. I don't want to pass user c...
Dhruvajyoti Chatterjee
1 vote, 0 answers, 32 views

Cannot connect to AWS MySQL using Java SDK and IAM Role / Instance Profile

I want to connect to an RDS Aurora instance using an Instance Profile that utilizes STS to assume a role so that I don't need to hard-code my password in the solution. I'm getting an error that states my user doesn't have access. However, when I hard-code the connection string with username and pa...
Dan
1 vote, 1 answer, 285 views

AWS get role based credentials in golang

I want to use v4 signing for AWS requests. However, I need the credentials variable to use in the signing process. Now, I can successfully sign the request using an ID and secret key (which I don't want to do). I have a Lambda function that has the proper permissions. So the question is how do I use that per...
kkesley
1 vote, 2 answers, 68 views

Amazon IAM policy: restrict user to create group/role only if one of the attached policies is BaseDeny

I wanted to restrict an IAM user from creating new groups/roles and allow it only if the user attaches the custom policy BaseDeny along with other policies. Meaning there has to be a BaseDeny policy in every group/role created by the user in order for him to create new groups/roles. I tried to add the following policy to t...
prashant patankar
1 vote, 1 answer, 130 views

Permissions for creating and attaching an EBS Volume to an EC2Resource in AWS Data Pipeline

I need more local disk than is available to EC2Resources in an AWS Data Pipeline. The simplest solution seems to be to create and attach an EBS volume. I have added EC2:CreateVolume and EC2:AttachVolume policies to both DataPipelineDefaultRole and DataPipelineDefaultResourceRole. I have also tried sett...
Knut Hellan
1 vote, 1 answer, 40 views

Writing python tests for unauthorized users of AWS services

I'm writing Python tests to make sure Amazon S3 (the service in general) works as intended. The setup: CodePipeline uses CodeBuild to create an S3 bucket using a CloudFormation template, then it kicks off another CodeBuild job to run the Python tests against the S3 bucket created in the previous step. I ne...
David
1 vote, 0 answers, 444 views

AWS CloudFormation Role is not authorized to perform AssumeRole on Role

I am trying to execute a CloudFormation stack which contains the following resources: CodeBuild project, CodePipeline pipeline, roles needed. While trying to execute the stack, it fails with the following error: arn:aws:iam::ACCOUNT_ID:role/CodePipelineRole is not authorized to perform AssumeRole on r...
jprivillaso
1 vote, 1 answer, 183 views

Using AWS lambda function to call lex chat bot

I am trying to use boto3 from within an AWS Lambda function in order to do post_text to a Lex chat bot. Python code: client = boto3.client('lex-runtime') data = 'string input' response = client.post_text( botName='xxx', botAlias='yyy', userId='id', inputText= data) but I get: An error occurred (AccessD...
Avihai Aharon
1 vote, 0 answers, 13 views

DynamoDB fine grained access control - group membership

I'm building an app where users should only be able to access entries in a table that belong to them. It's straightforward to achieve this by adding an IAM condition that the leading keys must equal the user's login ID, for example, from Cognito or Facebook login. However, now I'm trying to add a fu...
Bill Feng
1 vote, 1 answer, 98 views

Scheduling pods onto nodes only after kube2iam is up and running

On our AWS-based Kubernetes cluster, we use kube2iam to provide pod-level IAM roles. There's an edge case we're dealing with where pods load before kube2iam is ready and they get the default instance role, and are therefore unable to operate. I can think of a few solutions which I dislike: Requirin...
Rotem Tamir