I have multiple IAM role (up to 100) required to use this KMS key.
Instead of listing all the IAM role in the KMS key policy. Is there any way I can wildcard or condition it?
{
"Sid": "Enable IAM Role",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxx:role/a1",
"AWS": "arn:aws:iam::xxxxxxxxxx:role/a2",
"AWS": "arn:aws:iam::xxxxxxxxxx:role/a3"
............
"AWS": "arn:aws:iam::xxxxxxxxxx:role/a100"
},
"Action": "kms:*",
"Resource": "*"
}
I tried using arn:aws:iam::xxxxxxxxxx:root or using condition with stringLike, sourceArn,"arn:aws:iam::xxxxxxxxxx:role/a*"
but none of them work.
Would like to ask around if there is any alternative instead of listing all the iam role down?
This will help you
{
"Sid": "Enable IAM Role",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "kms:*",
"Resource": "*",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": "arn:aws:iam::xxxxxxxxxx:role/a1*"
}
}
}
Related
I have a bucket of user images on Amazon S3 and I would like to allow access only to my Facebook Messenger bot. It seemed like the best way to do this was to create a bucket policy with a condition that only allows referrals from a Facebook url. But this doesn't work - the images fail to load in the bot.
Here is the bucket policy I created (trying both facebook.com and graph.facebook.com):
{
"Version": "2012-10-17",
"Id": "Facebook referer policy",
"Statement": [
{
"Sid": "Allow get requests originating from Facebook Messenger",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://www.facebook.com/*",
"https://www.graph.facebook.com/*"
]
}
}
}
]
}
When I change the bucket policy back to public (as per below) then the images load fine so the problem must be an access one.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::my-bucket/*"
]
}
]
}
Anyone have any better solutions for how to do this?
Solved thanks to the comment above and the user agent documentation from Facebook
The working bucket policy is this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"StringLike": {
"aws:UserAgent": [
"facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
"facebookexternalhit/1.1",
"Facebot"
]
}
}
}
]
}
I am getting this error when executing below query:
" ERROR: HTTP 403. Permission denied. Check bucket or provided credentials as they may no longer be valid."
SELECT aws_s3.table_import_from_s3(
'test',
'a,b,c,d,e',
'(format csv)',
'my-bucket-info',
'outer/inner/Inbound/sample.csv',
'us-east-1'
);
Bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123213213:role/abc-www-role"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket-info/*",
"arn:aws:s3:::my-bucket-info"
]
}
]
}
can anyone help?
Instead of using "s3:*" as action parameter use only * i.e.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123213213:role/abc-www-role"
},
"Action": "*",
"Resource": [
"arn:aws:s3:::my-bucket-info/*",
"arn:aws:s3:::my-bucket-info"
]
}
]
}
I need to create an S3 bucket with public access, but restrict that access to only a specific IP.
I generated a policy using the policy generator for S3 buckets and then adapted it to my template by referencing the name of the bucket; however, CloudFormation keeps giving a "Policy has invalid resource" error.
Below is the relevant portion of the CloudFormation template I am using. "FirstS3BucketName" is the a parameter.
FirstS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref FirstS3BucketName
PolicyDocument: |
{
"Id": "Policy1581542658034",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1581542655517",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::${FirstS3BucketName}/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "3.132.69.181/32"
}
},
"Principal": "*"
}
]
}
All you really need to do is add a !Sub on your PolicyDocument line. FYI, all that JSON can be turned into YAML as well.
FirstS3BucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref FirstS3BucketName
PolicyDocument: !Sub |
{
"Id": "Policy1581542658034",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1581542655517",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::${FirstS3BucketName}/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "3.132.69.181/32"
}
},
"Principal": "*"
}
]
}
I have a web application who gets videos from an s3 bucket. That bucket has a policy to only allow the access from certain domains. I now need an ionic app to access the same bucket, is there any way I can add this option to the policy?
Here is the policy as I have it now
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originating from www.example.com.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*.mp4",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://www.example.com/*"
]
}
}
}
]
}
I've tried adding file://* to the urls array but won't work.
You can use User-Agent to identify request coming from your app.
Here is code for the Bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*.mp4",
"Condition": {
"StringLike": {
"aws:UserAgent": "*Any name"
}
}
}
]
}
Also you have to add in your config.xml
<preference name="AppendUserAgent" value="Any name" />
I have an app I am trying to move to a new k8s cluster, having a permissions issue when trying to ConfirmSubscription:
"sns confirmation failed. Reason: AuthorizationError: User: arn:aws:sts::-:assumed-role/-/- is not authorized to perform:
SNS:ConfirmSubscription on resource: arn:aws:sns:-:-:topicname
status code: 403, request id: 000d2844-3a3d-5544-922a-7d9e3db07a16"
The app was able to execute a confirm subscription in the old cluster, so I assume it's an IAM issue, but the role policy it's assuming is:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sns:ConfirmSubscription",
"sns:Subscribe"
],
"Effect": "Allow",
"Resource": [
"arn:aws:sns:::*"
]
}
]
}
I haven't been able to diagnose where the IAM issue is.
I was able to get this working by fully qualifying the sns topic to which I wanted to confirm subscription:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sns:ConfirmSubscription",
"sns:Subscribe"
],
"Effect": "Allow",
"Resource": [
"arn:aws:sns:us-east-1:000000000:full-topic-name-no-wildcard"
]
}
]
}