I have setup EKS cluster and have configured the OIDC. I have then created the IAM role with the below trust relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::<account-id>:oidc-provider/oidc.eks.ap-south-1.amazonaws.com/id/55A76A4197643C67E88FD47738722195"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.ap-south-1.amazonaws.com/id/55A76A4197643C67E88FD47738722195:sub": "system:serviceaccount:default:aws-test",
"oidc.eks.ap-south-1.amazonaws.com/id/55A76A4197643C67E88FD47738722195:aud": "sts.amazonaws.com"
}
}
}
]
}
When I use the service account in the pod, and from within the Pod, when I run the aws s3 ls, I am getting the below error:
Could not connect to the endpoint URL: "https://sts.ap-south-1.amazonaws.com/"
How to troubleshoot this error
Related
I have an EFS policy statement attached as below,
policy_statements = [
{
sid = "${var.cluster_name}"
actions = ["elasticfilesystem:ClientMount",
"elasticfilesystem:ClientRootAccess",
"elasticfilesystem:ClientWrite"]
principals = [
{
type = "AWS"
identifiers = ["arn:aws:iam::xxxx:role/efs-test-role"]
}
]
}
]
If I use "*" for Identifier it works.
I tried to create the role arn:aws:iam::xxxx:role/efs-test-role with oidc Federation,
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::xxxx:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/xxxx"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-west-2.amazonaws.com/id/xxxx:aud": "sts.amazonaws.com"
}
}
}
]
}
I created a ServiceAccount with annotation with this role,
eks.amazonaws.com/role-arn: arn:aws:iam::xxxx:role/efs-test-role
When I created pods with EFS volume mount using Persistant volume, got error as,
Output: Could not start amazon-efs-mount-watchdog, unrecognized init system "aws-efs-csi-dri"
b'mount.nfs4: access denied by server while mounting 127.0.0.1:/'
I even tried to follow https://docs.amazonaws.cn/en_us/efs/latest/ug/manage-efs-utils-with-aws-sys-manager.html#configure-sys-mgr-iam-instance-profile to add AmazonElasticFileSystemsUtils to EKS worker nodes instance profiles. But it still threw same error..
I am not sure what I am missing. Please advice.
I am trying to set up cross account Postgres RDS IAM authentication. My use case is a python code that is containerized and executed by AWS Batch on the top of the ECS engine connects to the Postgres RDS in another AWS account. I tried to follow the route (single role in the account where DB connection is originated) that is described here but the connection fails with:
2020-06-12 19:41:10,363 - root - ERROR - Error reading data from data DB: FATAL: PAM authentication failed for user "db_user"
I also found this one and tried to set up something similar (a role per respective account but no EC2 instance as a connection source). Unfortunately it failed with the same error. Does anyone know any other AWS documentation that might match my use case?
I managed to sort it out with help of AWS support folks. These are the actions that I had to do:
Add the following policy to the IAM role applied to AWS Batch job (AWS account A):
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ecsTaskExecutionRole"
}
}
With a following trust policy:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Add the following IAM role within the AWS account that is used for RDS hosting (AWS account B):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:<region>:ACCOUNT_B_ID:dbuser:{rds-resource-id}/{batch-user}"
]
}
]
}
With a following trust policy:
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_A_ID:root",
"Service": "ecs-tasks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Update the code that is executed within the AWS Batch container:
sts_client = boto3.client('sts')
assumed_role_object=sts_client.assume_role(
RoleArn="arn:aws:iam::ACCOUNT_B_ID:role/ROLE_TO_BE_ASSUMED",
RoleSessionName="AssumeRoleSession1"
)
credentials=assumed_role_object['Credentials']
client = boto3.client(
'rds',
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'],
region_name=REGION )
#client = boto3.client('rds')
token = client.generate_db_auth_token(DBHostname=ENDPOINT, Port=PORT, DBUsername=USR, Region=REGION)
I have a web application who gets videos from an s3 bucket. That bucket has a policy to only allow the access from certain domains. I now need an ionic app to access the same bucket, is there any way I can add this option to the policy?
Here is the policy as I have it now
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originating from www.example.com.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*.mp4",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://www.example.com/*"
]
}
}
}
]
}
I've tried adding file://* to the urls array but won't work.
You can use User-Agent to identify request coming from your app.
Here is code for the Bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket-name/*.mp4",
"Condition": {
"StringLike": {
"aws:UserAgent": "*Any name"
}
}
}
]
}
Also you have to add in your config.xml
<preference name="AppendUserAgent" value="Any name" />
I have an app I am trying to move to a new k8s cluster, having a permissions issue when trying to ConfirmSubscription:
"sns confirmation failed. Reason: AuthorizationError: User: arn:aws:sts::-:assumed-role/-/- is not authorized to perform:
SNS:ConfirmSubscription on resource: arn:aws:sns:-:-:topicname
status code: 403, request id: 000d2844-3a3d-5544-922a-7d9e3db07a16"
The app was able to execute a confirm subscription in the old cluster, so I assume it's an IAM issue, but the role policy it's assuming is:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sns:ConfirmSubscription",
"sns:Subscribe"
],
"Effect": "Allow",
"Resource": [
"arn:aws:sns:::*"
]
}
]
}
I haven't been able to diagnose where the IAM issue is.
I was able to get this working by fully qualifying the sns topic to which I wanted to confirm subscription:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sns:ConfirmSubscription",
"sns:Subscribe"
],
"Effect": "Allow",
"Resource": [
"arn:aws:sns:us-east-1:000000000:full-topic-name-no-wildcard"
]
}
]
}
I'm deploying some REST apis using API Gateway and Lambda Functions. Because of some architectural restrictions, the API must be available only by REST endpoints. On top of the API's I need to implement a GraphQL interface to allow part of our users to query this data. To deploy the GraphQL endpoints I'm using AWS AppSync. Based on that restrictions, I created the AppSync HTTP DataSource pointing to API Gateway stage url (https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com). It worked fine. Then I secured the API Gateway REST endpoint to use AWS_IAM, created a role for the datasource with permissions to invoke-api on the selected api inovocation arn and configured the HTTP Datasource using aws cli.
For example, here is my Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "appsync.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
And here is the policy attached to this role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "execute-api:Invoke",
"Resource": "arn:aws:execute-api:eu-central-1:9999999999:api-gateway-api-id/*/*/*"
}
]
}
And after all of that I updated my data source from aws cli with the following config:
{
"dataSource": {
"dataSourceArn": "arn:aws:appsync:eu-central-1:99999999999:apis/appsync-pi-id/datasources/Echo",
"name": "Echo",
"type": "HTTP",
"serviceRoleArn": "arn:aws:iam::99999999999:role/roleName",
"httpConfig": {
"endpoint": "https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com",
"authorizationConfig": {
"authorizationType": "AWS_IAM",
"awsIamConfig": {
"signingRegion": "eu-central-1",
"signingServiceName": "appsync"
}
}
}
}
}
Now when I try to make a query, I get the following error:
Credential should be scoped to correct service: 'execute-api'
As I understand, the correct service to be used to formulate the signature is the execute-api. I have some experience creating AWSV4 Signatures and knows that for this case it would be this one.
Somebody knows where I'm making a mistake?
With help from Ionut Trestian I found the error. I changed the configuration to use a different signatureService, like the following:
{
"dataSource": {
"dataSourceArn": "arn:aws:appsync:eu-central-1:99999999999:apis/appsync-pi-id/datasources/Echo",
"name": "Echo",
"type": "HTTP",
"serviceRoleArn": "arn:aws:iam::99999999999:role/roleName",
"httpConfig": {
"endpoint": "https://api-gateway-api-id.execute-api.eu-central-1.amazonaws.com",
"authorizationConfig": {
"authorizationType": "AWS_IAM",
"awsIamConfig": {
"signingRegion": "eu-central-1",
"signingServiceName": "execute-api"
}
}
}
}
}
Apparently I didn't understand correctly the configuration values. In my defense, I didn't found any documentation regarding this options, only a few examples scattered through the web. :-)
In case anyone else ends up here as I did wondering what else can be placed as a signingServiceName (I was looking for s3 specifically), I found this helpful blog post https://blog.iamjkahn.com/2019/12/invoking-even-more-aws-services-directly-from-aws-appsync.html