AWS IAM createrole is denied despite giving the right permission to the user - aws-cloudformation

I have given my user role the following custom permission:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:CreateRole",
            "Resource": "*"
        }
    ]
}
And when this user is deploying a CloudFormation stack which creates an IAM role, I get the following error message:
failed to create CloudFormation stack, rollback requested (ROLLBACK_COMPLETE):
["The following resource(s) failed to create: [SecretsManagerRDSPostgreSQLRotationSingleUserRole].
Rollback requested by user." "API: iam:CreateRole User: arn:aws:iam::account:user/username
is not authorized to perform:
iam:CreateRole on resource: arn:aws:iam::account:role/role_name
with an explicit deny in an identity-based policy"

Related

Unable to connect to sts endpoint url

I have set up an EKS cluster and have configured the OIDC provider. I have then created the IAM role with the trust relationship below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<account-id>:oidc-provider/oidc.eks.ap-south-1.amazonaws.com/id/55A76A4197643C67E88FD47738722195"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.ap-south-1.amazonaws.com/id/55A76A4197643C67E88FD47738722195:sub": "system:serviceaccount:default:aws-test",
                    "oidc.eks.ap-south-1.amazonaws.com/id/55A76A4197643C67E88FD47738722195:aud": "sts.amazonaws.com"
                }
            }
        }
    ]
}
When I use the service account in the pod and run aws s3 ls from within the pod, I get the error below:
Could not connect to the endpoint URL: "https://sts.ap-south-1.amazonaws.com/"
How do I troubleshoot this error?

Invoke API failed when trying to invoke AWS Lambda in Aurora Postgresql database

I created an AWS Lambda function that I want to call from an event trigger in my Aurora PostgreSQL database, but I'm having trouble even calling the Lambda function at all from within pgAdmin.
When I attempt to invoke the Lambda, I get this message:
ERROR: invoke API failed
DETAIL: AWS Lambda client returned 'User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/AuroraLambdaInvoker/dbc-role-mem-id-null is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-west-2:xxxxxxxxxxxxx:function:aws_lambda_arn_1 because no identity-based policy allows the lambda:InvokeFunction action'.
SQL state: XX000
But I have an IAM role (that I named AuroraLambdaInvoker) that gives the lambda:InvokeFunction permission attached to my database cluster. Here's the policy attached to that role:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-west-2:xxxxxxxxxxx:function:TestLambda"
        }
    ]
}
I'm not sure what to do, since the error message specifically mentions the AuroraLambdaInvoker role I created but says "no identity-based policy allows the lambda:InvokeFunction action," which is literally the only permission I have attached to that role. Is there something simple here that I'm missing for some reason?
Can you add the permissions below to your Action and try?
lambda:InvokeFunction
lambda:InvokeFunctionConfiguration
lambda:GetFunctionConfiguration
Or you can also try this:
"lambda:*"
Full policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:*"
            ],
            "Resource": [
                "arn:aws:lambda:us-west-2:xxxxxxxxxxx:function:TestLambda"
            ],
            "Effect": "Allow"
        }
    ]
}

AWS China error validating stack policy Unknown resource type

We have the following stack policy that we use to deploy on both AWS and AWS China:
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "Update:*",
            "Principal": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "Update:Replace",
                "Update:Delete"
            ],
            "Principal": "*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ResourceType": [
                        "AWS::EC2::VPC",
                        "AWS::EC2::Subnet",
                        "AWS::S3::Bucket",
                        "AWS::RDS::DBCluster",
                        "AWS::RDS::DBInstance",
                        "AWS::KMS::Key",
                        "AWS::SecretsManager::Secret",
                        "AWS::Cognito::UserPool",
                        "AWS::Cognito::UserPoolClient",
                        "AWS::Cognito::IdentityPool",
                        "AWS::ApiGateway::RestApi"
                    ]
                }
            }
        }
    ]
}
However, the deployment fails only on the China environments with the following error:
An error occurred (ValidationError) when calling the SetStackPolicy
operation: Error validating stack policy: Unknown resource type
'AWS::SecretsManager::Secret' in statement {}
The same thing happens if I remove the SecretsManager entry, this time for Cognito::UserPool.
That leads me to believe that the builds will fail until I remove the stack policy altogether from the CN environments.
Is there a list that shows the supported resources for the stack policy in China, or maybe stack policies aren't supported in general?
I can't read Chinese, so I can't understand the AWS CN documentation.
Also keep in mind that the stack policy works without any problems in the normal AWS builds.

AWS cross account Postgres RDS IAM authentication

I am trying to set up cross-account Postgres RDS IAM authentication. My use case is Python code that is containerized and executed by AWS Batch on top of the ECS engine, connecting to the Postgres RDS in another AWS account. I tried to follow the route (single role in the account where the DB connection originates) that is described here, but the connection fails with:
2020-06-12 19:41:10,363 - root - ERROR - Error reading data from data DB: FATAL: PAM authentication failed for user "db_user"
I also found this one and tried to set up something similar (a role per respective account but no EC2 instance as a connection source). Unfortunately it failed with the same error. Does anyone know any other AWS documentation that might match my use case?
I managed to sort it out with the help of AWS support folks. These are the actions that I had to take:
Add the following policy to the IAM role applied to the AWS Batch job (AWS account A):
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ecsTaskExecutionRole"
    }
}
With the following trust policy:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Add the following IAM role within the AWS account that is used for RDS hosting (AWS account B):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "rds-db:connect"
            ],
            "Resource": [
                "arn:aws:rds-db:<region>:ACCOUNT_B_ID:dbuser:{rds-resource-id}/{batch-user}"
            ]
        }
    ]
}
With the following trust policy:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_A_ID:root",
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Update the code that is executed within the AWS Batch container:
import boto3

# Placeholders: fill in for your environment.
REGION = "<region>"
ENDPOINT = "<rds-endpoint>"
PORT = 5432  # PostgreSQL default
USR = "<batch-user>"

# Assume the role in account B that carries the rds-db:connect permission.
sts_client = boto3.client('sts')
assumed_role_object = sts_client.assume_role(
    RoleArn="arn:aws:iam::ACCOUNT_B_ID:role/ROLE_TO_BE_ASSUMED",
    RoleSessionName="AssumeRoleSession1"
)
credentials = assumed_role_object['Credentials']

# Build the RDS client from account B's temporary credentials, not from the
# Batch task's own credentials (which is what the commented-out line did).
client = boto3.client(
    'rds',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
    region_name=REGION
)
# client = boto3.client('rds')
# The token is used as the database password for IAM authentication.
token = client.generate_db_auth_token(DBHostname=ENDPOINT, Port=PORT, DBUsername=USR, Region=REGION)

IAM ConfirmSubscription permissions error

I have an app I am trying to move to a new k8s cluster, and I'm having a permissions issue when trying to ConfirmSubscription:
"sns confirmation failed. Reason: AuthorizationError: User: arn:aws:sts::-:assumed-role/-/- is not authorized to perform:
SNS:ConfirmSubscription on resource: arn:aws:sns:-:-:topicname
status code: 403, request id: 000d2844-3a3d-5544-922a-7d9e3db07a16"
The app was able to execute a confirm subscription in the old cluster, so I assume it's an IAM issue, but the role policy it's assuming is:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sns:ConfirmSubscription",
                "sns:Subscribe"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:sns:::*"
            ]
        }
    ]
}
I haven't been able to diagnose where the IAM issue is.
I was able to get this working by fully qualifying the SNS topic to which I wanted to confirm subscription:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sns:ConfirmSubscription",
                "sns:Subscribe"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:sns:us-east-1:000000000:full-topic-name-no-wildcard"
            ]
        }
    ]
}
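The two IAM outcomes seen on this page (the explicit deny on iam:CreateRole in the first question, and the SNS wildcard ARN that silently matched nothing until it was fully qualified) can be reproduced with a small policy evaluator. This is an added example, not code from any of the posts or from AWS: it models only the documented ordering (explicit Deny wins, then any Allow, otherwise implicit deny) with `*`/`?` wildcards, ignores Conditions and Principals, and the second Deny policy is a constructed stand-in for whatever identity-based policy produced the first question's error.

```python
import re

# Added example: a simplified model of IAM policy evaluation, not AWS code.
# Rules modelled: a matching explicit Deny wins, otherwise a matching Allow
# permits, otherwise the request is implicitly denied. Conditions, principals
# and other policy types (SCPs, boundaries, resource policies) are ignored.

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, text, ignore_case):
    # '*' matches any run of characters (including ':' and '/'), '?' one char.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text, re.IGNORECASE if ignore_case else 0) is not None

def _statement_matches(st, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are matched as-is.
    action_ok = any(_glob(a, action, True) for a in _as_list(st.get("Action", [])))
    resource_ok = any(_glob(r, resource, False) for r in _as_list(st.get("Resource", [])))
    return action_ok and resource_ok

def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if _statement_matches(st, action, resource):
                if st["Effect"] == "Deny":
                    return "ExplicitDeny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# The user's iam:CreateRole policy from the first question.
CREATE_ROLE_ALLOW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": "*"}]}
# Constructed: a second identity-based policy on the same user that denies role
# creation, the kind of statement the "explicit deny" error message implies.
CONSTRUCTED_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:Create*", "Resource": "arn:aws:iam::*:role/*"}]}
# The SNS policy as first posted, and the fully qualified fix from the answer.
SNS_AS_POSTED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["sns:ConfirmSubscription", "sns:Subscribe"], "Resource": ["arn:aws:sns:::*"]}]}
SNS_FIXED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["sns:ConfirmSubscription", "sns:Subscribe"],
    "Resource": ["arn:aws:sns:us-east-1:000000000:full-topic-name-no-wildcard"]}]}
TOPIC = "arn:aws:sns:us-east-1:000000000:full-topic-name-no-wildcard"
ROLE = "arn:aws:iam::account:role/role_name"

if __name__ == "__main__":
    print(evaluate([CREATE_ROLE_ALLOW], "iam:CreateRole", ROLE))                   # Allow
    print(evaluate([CREATE_ROLE_ALLOW, CONSTRUCTED_DENY], "iam:CreateRole", ROLE)) # ExplicitDeny
    print(evaluate([SNS_AS_POSTED], "sns:ConfirmSubscription", TOPIC))             # ImplicitDeny
    print(evaluate([SNS_FIXED], "sns:ConfirmSubscription", TOPIC))                 # Allow
```

The SNS case is implicitly denied because `arn:aws:sns:::*` has empty region and account segments, so it never matches a topic ARN that carries `us-east-1` and an account id; a pattern such as `arn:aws:sns:*:*:*` would have matched.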