I want to copy the data in on-pre to S3.
I tried to use the following command for that.
hadoop fs -Dfs.s3a.access.key=******* -Dfs.s3a.secret.key=******* -cp -f hdfs://on-pre/cluster/mydata/dt=20200601/ s3a://some-bucket/somewhere/
When I run this command, I get the following error (The path are all fakes):
cp: s3a://some-bucket/somewhere/dt=20200601/000000_0.gz: getFileStatus on s3a://some-bucket/somewhere/dt=20200601/000000_0.gz: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: xxxxxxxxxxxxx), S3 Extended Request ID: xxxxxxxxxxxxxxxxxxxxxxx
I set S3 policies following.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::9999999999:user/john"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::some-bucket/somewhere/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::9999999999:user/john"
},
"Action": "s3:List*",
"Resource": "arn:aws:s3:::some-bucket",
"Condition": {
"StringLike": {
"s3:prefix": [
"somewhere/*"
]
}
}
}
]
}
What S3 policy should I set to use hadoop fs cp?
A ListBucket was needed for the subdirectory itself
The necessary permissions may change as noted in the comments.
However, here's the code that solved it for your reference
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::9999999999:user/john"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::some-bucket/somewhere/*"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::9999999999:user/john"
},
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::some-bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"somewhere",
"somewhere/*"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::9999999999:user/john"
},
"Action": [
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::some-bucket"
]
}
]
}
Note This IAM declaration worked on June 5 2020 with Hadoop 3.2.1 or earlier. Future Hadoop releases may change the rules as they or AWS change the connector's or S3's capabilities respectively.
Related
Is there a way to design a Lambda execution role policy to restrict access by using Lambda alias name. For example, I want to have an alias "Prod" and only executions of function with that alias would have permissions to write to a particular bucket.
I tried using the new lambda:SourceFunctionArn condition, but it does not seem to include the alias, or I am not using it correctly. In the example below I am trying to achieve ability of all variants of my function to write into my-bucket-test, but only Prod alias to be able to write to my-bucket-data. Is there a way to achieve this?
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Logging",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/MyLambda_*"
},
{
"Sid": "S3",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::my-bucket-test/*"
]
},
{
"Sid": "S3Prod",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket-data/*",
"Condition": {
"StringLike": {
"lambda:SourceFunctionArn": "*Prod"
}
}
}
]
}
Thanks,
Alex
I'm trying to figure out how to restrict users to only be able to launch instances using a specific launch template. Here is my current policy so far:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"ec2:InstanceType": "t2.micro"
},
"ArnEquals": {
"ec2:LaunchTemplate": ""
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeAddresses",
"ec2:GetEbsEncryptionByDefault",
"ec2:DescribeVolumesModifications",
"ec2:DescribeSnapshots",
"kms:DescribeCustomKeyStores",
"ec2:DescribeInstanceTypeOfferings",
"ec2:StartInstances",
"ec2:DescribeAvailabilityZones",
"ec2:CreateSnapshot",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:DescribeKeyPairs",
"ec2:DescribeInstanceStatus",
"ec2:TerminateInstances",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DescribeLaunchTemplateVersions",
"ec2:AssignPrivateIpAddresses",
"ec2:StopInstances",
"ec2:DescribeSecurityGroups",
"ec2:CreateVolume",
"ec2:DescribeImages",
"kms:ListKeys",
"ec2:CreateSnapshots",
"ec2:DescribeVpcs",
"kms:ListAliases",
"ec2:DescribeInstanceTypes",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
]
}
I am trying to use the condition "ArnEquals": {"ec2:LaunchTemplate": "" but I don't believe launch templates have an ARN. I tried using the launch template ID but that did not work. Any help would be appreciated!
I want to execute a lambda function whenever an item gets uploaded on S3. My function was invoked but there seem to be access error. What is the mistake?
I have defined a role lambdas3. Its trusted entity is lambda. It has following policy called s3lambda
Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1509114309000",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucketname"
]
},
{
"Sid": "Stmt1509114340000",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}
This is the lambda function
var aws = require('aws-sdk');
var s3 = new aws.S3();
exports.handler = function(event,context){
var bucket = event.Records[0].s3.bucket.name;
var key = decodeURIComponent(
event.Records[0].s3.object.key.replace(/\+/g,''));
var params = {
Bucket:bucket,
Key:key
};
s3.getObject(params,function(err,data){
if(err){
console.log(err);
context.fail('Error getting object'+
key+' from bucket'+bucket);
}else{
context.succeed('hello '+data.Body);
}
});
};
The function takes lambdas3 role during execution.
You need to add /* at the Resource S3 ARN in GetObject policy. S3:GetObject works for S3’s object ARN. For instance:
arn:aws:s3:::mybucketname/*
If you want to give permission to all objects in the bucket then you have to give full permission ('*' in Resource). Please find the update policy below,
Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1509114309000",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucketname/*"
]
},
{
"Sid": "Stmt1509114340000",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:*:*:*"
]
}
]
}
I am trying to create an IAM policy that gives a user full admin rights to all EC2 and RDS resources tagged with sf_env:dev.
I can't seem to figure out the syntax.
The AWS policy simulator displayed
Parse error on line 10: ..._env":"dev"}}}]}{"Statement": [{"A -------------------^ Expecting 'EOF', '}', ',', ']', got '{'
{
"Version": "2012-10-17",
"Statement": [{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {"StringEquals": {"ec2:ResourceTag/sf_env":"dev"}}
}
]
}
{
"Statement": [{
"Action": "rds:"*",
"Effect": "Allow",
"Resource": "*",
"Condition": {"StringEquals": {"ec2:ResourceTag/sf_env":"dev"}}
}
]
}
Thanks. I used the AWS policy simulator which also checks your syntax automatically. I used this article to find out what I did wrong. http://blogs.aws.amazon.com/security/post/Tx1LYOT2FQML4UG/-Back-to-School-Understanding-the-IAM-span-class-matches-Policy-span-Grammar. I had multiple policy statements in one statement block which was an issue. I made one policy block with a single statement of arrays.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/sf_env": "dev"
}
}
},
{
"Effect": "Allow",
"Action": [
"rds:*"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/sf_env": "dev"
}
}
}
]
}
I am new to IAM in AWS. I have created a policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": "ec2:DescribeImages",
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:109027:instance/*",
"arn:aws:ec2:us-east-1:10927:image/*",
"arn:aws:ec2:us-east-1:109027:security-group/Test_hin",
"arn:aws:ec2:us-east-1:109027:subnet/subnet-b",
"arn:aws:ec2:us-east-1:109527:key-pair/*",
"arn:aws:ec2:us-east-1:10903527:network-interface/vpc-e4",
"arn:aws:ec2:us-east-1:107:volume/*"
]
}
]
}
whenever I am trying to launch an instance using console, It gives me an error that i am not authorized to perform this action.
Thanks
Try with the key pair and the network interface resources (Looks like you are trying to launch into a VPC). Also, allow the volume resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:acct:instance/*",
"arn:aws:ec2:us-east-1:acct:image/*",
"arn:aws:ec2:us-east-1:acct:security-group/*",
"arn:aws:ec2:us-east-1:acct:subnet/*",
"arn:aws:ec2:us-east-1:acct:key-pair/*",
"arn:aws:ec2:us-east-1:acct:network-interface/*",
"arn:aws:ec2:us-east-1:acct:volume/*"
]
}
]
}