amazon-iam

Passing IAM role to a Docker on EC2

落爺英雄遲暮 submitted on 2021-02-08 10:21:51
Question: What is the suggested way to pass an IAM role to a Docker container on EC2? I have an mlflow project running in a docker environment on EC2. The python code needs to read and write from S3. The following is the error (sometimes other types of errors also indicating no s3 access from the container, for example an s3 resource not found error): botocore.exceptions.ProfileNotFound: The config profile (xxx) could not be found To solve the s3 access issue, I already created an IAM role that allows access

Failing to PassRole with iam:PassedToService for CodeBuild

泪湿孤枕 submitted on 2021-02-07 09:31:36
Question: I'm trying to allow users to execute codebuild:StartBuild , while restricting iam:PassRole to pass the custom codebuild role only to the CodeBuild service. The canned policies never restrict iam:PassRole , and even use "Resource":"*" , effectively allowing passing of any role to any service. This strikes me as a bit sloppy, but maybe it's just me. The policy below is an excerpt – codebuild:StartBuild , codebuild:List* , etc., are all allowed. { "Version": "2012-10-17", "Statement": [ { "Effect

cognito user pool custom attribute in IAM Policy Conditions with Dynamodb Fine grained access

自古美人都是妖i submitted on 2021-02-07 06:59:10
Question: I have one Cognito User Pool with a custom attribute organisation_id. One Organisation may have multiple users. There can be multiple organisations. Another Dynamodb table is used to maintain Categories, which has _id and organisation_id as partition key. Categories can be owned by an Organisation so that users belonging to that particular Organisation perform some operation in those categories only. Now, how can I create the IAM policy so that it takes the organisation_id instead of sub/user_id as

Minimal IAM policy for ec2:RunInstances

痴心易碎 submitted on 2021-02-06 09:54:08
Question: I'm trying to narrow down the minimal policy to run a predefined machine image. The image is based on two snapshots and I only want "m1.medium" instance types to be launched. Based on that and with the help of this page and this article, I worked out the following policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1385026304010", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Condition": { "StringEquals": { "ec2:InstanceType": "m1.medium" } }, "Resource": [ "arn:aws:ec2:us

AWS IAM - Can you use multiple wildcards (*) in a value

我的梦境 submitted on 2021-02-06 07:31:42
Question: In all of the IAM Policy examples, they mention using wildcards ( * ) as placeholders for "stuff". However, the examples always use them at the end, and/or only demonstrate with one wildcard (e.g. to list everything in folder "xyz" with .../xyz/* ). I can't find anything definitive regarding the use of multiple wildcards, for example to match anything in subfolders across multiple buckets: arn:aws:s3:::mynamespace-property*/logs/* to allow something to see any log files across a "production"

what can you do with IAM roles that you cannot do with IAM groups?

a 夏天 submitted on 2021-01-29 17:50:56
Question: I have read the documentation about IAM roles and IAM groups, but I am missing something simple: I don't understand what you can do with IAM roles that you cannot do with IAM groups. In other words, considering these alternatives: Using IAM groups, I grant a group permissions to perform certain actions, and then when I want a user to be able to perform those actions, I grant them membership in that group. Using IAM roles, I grant a role permissions to perform certain actions, and then when I

AWS ElasticSearch domain creation permission

为君一笑 submitted on 2021-01-29 14:33:38
Question: I tried to give the permission required to create an ES domain in AWS to an IAM account, but I couldn't find any existing policy to attach except AdministratorAccess. Is there a custom policy or something I can assign to the IAM account? I searched the web but couldn't find anything helpful either. Answer 1: Amazon ES supports three types of access policies: Resource-based Policies, Identity-based Policies, IP-based Policies. To get detailed information about how to create your own custom policies you

Only allow launch/start/stop/terminate of EC2 instances of a particular Instance Type

强颜欢笑 submitted on 2021-01-29 05:20:24
Question: While launching an on-demand instance from AWS I'm getting the following error: An error occurred (UnauthorizedOperation) when calling the RunInstances operation: You are not authorized to perform this operation. With some encoded authorization failure message. But I'm unable to replicate the actual issue from the response, as the decoded JSON message has an empty failure object, although I'm able to launch a spot instance from the same IAM Policy. "allowed": false, "explicitDeny": false,