How does a custom role (of a Lambda) work with an EC2 role policy?

Front-end · unresolved · 1 answer · 1130 views
终归单人心 2021-01-24 12:28

Below is the custom execution role (some-role-serv-LogicalID-GDGGGGGBMW2) created for a Lambda function (AWS::Serverless::Function) written using a SAM templ

1 answer
  •  孤街浪徒
    2021-01-24 13:02

    The error states that your EC2 instance, the entity that is calling the sam deploy action, does not have permission to perform iam:GetRolePolicy, which really is the case here.

    The problem is that while you can restrict the other 4 actions with this condition:

    "Condition": {
        "StringEquals": {
            "iam:PermissionsBoundary": "arn:aws:iam::111222333444:policy/some-permission-boundary"
        }
    }
    

    You can't do the same for GetRolePolicy. This action can't be restricted by that condition, otherwise its effect is nullified. The only service-level condition applicable to this action is iam:ResourceTag.

    If you go to the management console and try to create such an IAM policy, you can see this warning, caused by the combination of your condition with the iam:GetRolePolicy action:

    This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition.

    The solution is to split your statement into two. The first, with that condition, restricts creation of IAM roles that do not have the necessary permissions boundary, together with the other IAM actions except the mentioned iam:GetRolePolicy. Then you should create a second statement containing just iam:GetRolePolicy without that condition.

        {
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": "arn:aws:iam::111222333444:policy/some-permission-boundary"
                }
            },
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:DetachRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::111222333444:role/some-role*"
            ],
            "Effect": "Allow"
        }
    

    and

        {
            "Action": [
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::111222333444:role/some-role*"
            ],
            "Effect": "Allow"
        }
    

    And to answer your second question: yes, you can use the iam:PermissionsBoundary condition key together with iam:CreateRole to prevent roles without a specific permissions boundary from being created.

    0 · Discussion (0)
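The answer above describes why one combined statement never grants iam:GetRolePolicy and why splitting it into two statements fixes that. The script below is an added example, not code from the original question or answer: a deliberately small model of IAM evaluation (Allow statements, Action/Resource wildcards and StringEquals conditions only, no explicit Deny, no SCPs or resource policies) that runs both policy shapes against three request contexts. The account ID, role name and boundary ARN are the placeholder values used on this page; the assumption the model encodes is that a GetRolePolicy request carries no iam:PermissionsBoundary key in its context, so a StringEquals condition on that key can never be satisfied for it.

```python
"""
Added example (not from the original post): a minimal model of how IAM evaluates
the two policy shapes discussed above. Simplified stand-in for AWS's engine:
Allow statements, action/resource wildcards and StringEquals conditions only.
Account ID, role and boundary ARNs are the placeholders used on this page.
"""
import fnmatch

ACCOUNT = "111222333444"
BOUNDARY = f"arn:aws:iam::{ACCOUNT}:policy/some-permission-boundary"
ROLE = f"arn:aws:iam::{ACCOUNT}:role/some-role-serv-LogicalID-GDGGGGGBMW2"

# Original single statement: GetRolePolicy shares a condition it can never satisfy.
COMBINED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
                       "iam:DetachRolePolicy", "iam:GetRolePolicy"],
            "Resource": [f"arn:aws:iam::{ACCOUNT}:role/some-role*"],
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY}},
        }
    ],
}

# Split version from the answer: the condition applies only to the mutating actions.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
                       "iam:DetachRolePolicy"],
            "Resource": [f"arn:aws:iam::{ACCOUNT}:role/some-role*"],
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY}},
        },
        {
            "Effect": "Allow",
            "Action": ["iam:GetRolePolicy"],
            "Resource": [f"arn:aws:iam::{ACCOUNT}:role/some-role*"],
        },
    ],
}


def _matches(patterns, value):
    """IAM-style wildcard match (* and ?) for Action and Resource elements."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """StringEquals only. A key absent from the request context does not match;
    that is what happens to iam:PermissionsBoundary on a GetRolePolicy call."""
    for key, expected in condition.get("StringEquals", {}).items():
        if key not in context or context[key] != expected:
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if any Allow statement matches action, resource and condition."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


# Constructed request contexts (simplified). CreateRole carries the boundary key
# only when the caller passes a permissions boundary; read calls never carry it.
CREATE_WITH_BOUNDARY = {"iam:PermissionsBoundary": BOUNDARY}
CREATE_WITHOUT_BOUNDARY = {}
GET_ROLE_POLICY = {}


if __name__ == "__main__":
    for name, pol in (("combined", COMBINED_POLICY), ("split", SPLIT_POLICY)):
        print(f"{name}: CreateRole with boundary    ->",
              is_allowed(pol, "iam:CreateRole", ROLE, CREATE_WITH_BOUNDARY))
        print(f"{name}: CreateRole without boundary ->",
              is_allowed(pol, "iam:CreateRole", ROLE, CREATE_WITHOUT_BOUNDARY))
        print(f"{name}: GetRolePolicy               ->",
              is_allowed(pol, "iam:GetRolePolicy", ROLE, GET_ROLE_POLICY))
```

Two things worth noticing in the output: in the combined policy, GetRolePolicy is never allowed, so sam deploy fails exactly as the question describes, while in the split policy it is allowed on any some-role* role regardless of boundary, which is acceptable because GetRolePolicy is read-only; the boundary condition keeps protecting the actions that could escalate privilege (CreateRole, PutRolePolicy, AttachRolePolicy). Against real AWS, the same check can be run with `aws iam simulate-custom-policy`, passing the policy via `--policy-input-list`, the action via `--action-names`, the role ARN via `--resource-arns` and the boundary key via `--context-entries`.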