I am trying to create an IAM policy that gives a user full admin rights to all EC2 and RDS resources tagged with sf_env:dev.
I can't seem to figure out the syntax.
The AWS policy simulator displayed
Parse error on line 10: ..._env":"dev"}}}]}{"Statement": [{"A -------------------^ Expecting 'EOF', '}', ',', ']', got '{'
{
"Version": "2012-10-17",
"Statement": [{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*",
"Condition": {"StringEquals": {"ec2:ResourceTag/sf_env":"dev"}}
}
]
}
{
"Statement": [{
"Action": "rds:"*",
"Effect": "Allow",
"Resource": "*",
"Condition": {"StringEquals": {"ec2:ResourceTag/sf_env":"dev"}}
}
]
}
Thanks. I used the AWS policy simulator which also checks your syntax automatically. I used this article to find out what I did wrong. http://blogs.aws.amazon.com/security/post/Tx1LYOT2FQML4UG/-Back-to-School-Understanding-the-IAM-span-class-matches-Policy-span-Grammar. I had multiple policy statements in one statement block which was an issue. I made one policy block with a single statement of arrays.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/sf_env": "dev"
}
}
},
{
"Effect": "Allow",
"Action": [
"rds:*"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/sf_env": "dev"
}
}
}
]
}
Related
Is there a way to design a Lambda execution role policy to restrict access by using Lambda alias name. For example, I want to have an alias "Prod" and only executions of function with that alias would have permissions to write to a particular bucket.
I tried using the new lambda:SourceFunctionArn condition, but it does not seem to include the alias, or I am not using it correctly. In the example below I am trying to achieve ability of all variants of my function to write into my-bucket-test, but only Prod alias to be able to write to my-bucket-data. Is there a way to achieve this?
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Logging",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/MyLambda_*"
},
{
"Sid": "S3",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::my-bucket-test/*"
]
},
{
"Sid": "S3Prod",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket-data/*",
"Condition": {
"StringLike": {
"lambda:SourceFunctionArn": "*Prod"
}
}
}
]
}
Thanks,
Alex
I'm trying to figure out how to restrict users to only be able to launch instances using a specific launch template. Here is my current policy so far:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"ec2:InstanceType": "t2.micro"
},
"ArnEquals": {
"ec2:LaunchTemplate": ""
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeAddresses",
"ec2:GetEbsEncryptionByDefault",
"ec2:DescribeVolumesModifications",
"ec2:DescribeSnapshots",
"kms:DescribeCustomKeyStores",
"ec2:DescribeInstanceTypeOfferings",
"ec2:StartInstances",
"ec2:DescribeAvailabilityZones",
"ec2:CreateSnapshot",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:DescribeKeyPairs",
"ec2:DescribeInstanceStatus",
"ec2:TerminateInstances",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DescribeLaunchTemplateVersions",
"ec2:AssignPrivateIpAddresses",
"ec2:StopInstances",
"ec2:DescribeSecurityGroups",
"ec2:CreateVolume",
"ec2:DescribeImages",
"kms:ListKeys",
"ec2:CreateSnapshots",
"ec2:DescribeVpcs",
"kms:ListAliases",
"ec2:DescribeInstanceTypes",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
]
}
I am trying to use the condition "ArnEquals": {"ec2:LaunchTemplate": "" but I don't believe launch templates have an ARN. I tried using the launch template ID but that did not work. Any help would be appreciated!
I want to copy the data in on-pre to S3.
I tried to use the following command for that.
hadoop fs -Dfs.s3a.access.key=******* -Dfs.s3a.secret.key=******* -cp -f hdfs://on-pre/cluster/mydata/dt=20200601/ s3a://some-bucket/somewhere/
When I run this command, I get the following error (The path are all fakes):
cp: s3a://some-bucket/somewhere/dt=20200601/000000_0.gz: getFileStatus on s3a://some-bucket/somewhere/dt=20200601/000000_0.gz: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: xxxxxxxxxxxxx), S3 Extended Request ID: xxxxxxxxxxxxxxxxxxxxxxx
I set S3 policies following.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::9999999999:user/john"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::some-bucket/somewhere/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::9999999999:user/john"
},
"Action": "s3:List*",
"Resource": "arn:aws:s3:::some-bucket",
"Condition": {
"StringLike": {
"s3:prefix": [
"somewhere/*"
]
}
}
}
]
}
What S3 policy should I set to use hadoop fs cp?
A ListBucket was needed for the subdirectory itself
The necessary permissions may change as noted in the comments.
However, here's the code that solved it for your reference
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::9999999999:user/john"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::some-bucket/somewhere/*"
]
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::9999999999:user/john"
},
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::some-bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"somewhere",
"somewhere/*"
]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::9999999999:user/john"
},
"Action": [
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::some-bucket"
]
}
]
}
Note This IAM declaration worked on June 5 2020 with Hadoop 3.2.1 or earlier. Future Hadoop releases may change the rules as they or AWS change the connector's or S3's capabilities respectively.
I am trying to give lambda execution access to select members within a group. Users are authenticated via PingFederate. I am having issue granting this selective access to federated user.
I have a custom IAM policy (allow-lambda-invocation-selective) attached to this role. Although the policy seems to pass validation and policy simulation shows access is allowed, when I try to execute the lambda function I get message
Calling the invoke API action failed with this message: User:arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:123456789012:function:my-lambda-function
Here is my policy: allow-lambda-invocation-selective
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
}
]
}
Am i missing something?
I'm trying to understand your problem. Correct me if I made a wrong supposition.
Every group/user already have its own role.
When you authenticate your users, they have their assumed role. myuser1234, when authenticated, will receive arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234 role, right? Is it possible to create one role for each group and remove the conditions property (check item 2 explaining why)?
// role-for-grp-l2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*"
}
]
}
The problem with aws:userid
Reading the docs about the key aws:userid we can find this key has the value given by role id:caller-specified-role-name,
where role id is the unique id of the role and the caller-specified-role-name is specified by the RoleSessionName parameter passed to the AssumeRole request.
So aws:userid has value like AIDAJQABLZS4A3QDU576Q:SomeNameYouGive. Because this, your condition never match arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234 and then user cannot assume that actions.
Using conditions another way
Assuming RoleSessionName is the user name, you can use conditions this way:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
}
]
}
if you prefer, you may remove * wildcard getting role id using AWS CLI with the command:
aws iam get-role --role-name ROLE_NAME
and changing condition as follows:
"Condition": {
"StringEquals": {
"aws:userid": "ROLE_ID:myuser1234"
}
}
I am new to IAM in AWS. I have created a policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": "ec2:DescribeImages",
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:109027:instance/*",
"arn:aws:ec2:us-east-1:10927:image/*",
"arn:aws:ec2:us-east-1:109027:security-group/Test_hin",
"arn:aws:ec2:us-east-1:109027:subnet/subnet-b",
"arn:aws:ec2:us-east-1:109527:key-pair/*",
"arn:aws:ec2:us-east-1:10903527:network-interface/vpc-e4",
"arn:aws:ec2:us-east-1:107:volume/*"
]
}
]
}
whenever I am trying to launch an instance using console, It gives me an error that i am not authorized to perform this action.
Thanks
Try with the key pair and the network interface resources (Looks like you are trying to launch into a VPC). Also, allow the volume resources.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:us-east-1:acct:instance/*",
"arn:aws:ec2:us-east-1:acct:image/*",
"arn:aws:ec2:us-east-1:acct:security-group/*",
"arn:aws:ec2:us-east-1:acct:subnet/*",
"arn:aws:ec2:us-east-1:acct:key-pair/*",
"arn:aws:ec2:us-east-1:acct:network-interface/*",
"arn:aws:ec2:us-east-1:acct:volume/*"
]
}
]
}