amazon-iam

Error when Ec2 running as a role tries to get a Session Token in AWS

对着背影说爱祢 submitted on 2020-04-12 09:52:28
Question: I'm running an app on an EC2 instance using a role with the permissions: "sts:GetSessionToken", "sts:AssumeRole". When I try to obtain temporary credentials using that role, I get the error: Cannot call GetSessionToken with session credentials (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Am I missing one or more permissions for the role to be able to obtain temporary session credentials? Answer 1: According to AWS support, roles cannot request temporary credentials. Only

Give an instance only access to tag itself?

前提是你 submitted on 2020-04-10 08:17:39
Question: Looking at this post, this guy used a policy (applied to a role) to let an instance tag itself. I want EXACTLY the same thing. I could use this policy, but it would be nice if the instance could only tag itself and not other instances. I can't use ${ec2:SourceInstanceARN} as the resource, so I'm trying to use a condition that matches the ARN that policy variable evaluates to. This policy won't validate: ( Syntax errors in policy ) { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2

Cognito Groups with IAM Permissions

╄→尐↘猪︶ㄣ submitted on 2020-04-07 16:49:09
Question: What I want to implement: I have a Cognito User Pool and I have some Users and some Groups. I want certain Users to have access to API Gateway functions, some Users to access some functions, and others to have no access. What I did: I created three groups and assigned the Users to each of the groups. I gave each of the groups an IAM role and gave each role specific policies. The permission for the group for all users looks like this: { "Version": "2012-10-17", "Statement": [ { "Sid":

CodePipeline deployment to Beanstalk fails despite IAM properly set up

六月ゝ 毕业季﹏ submitted on 2020-03-24 03:32:23
Question: Context: This was a CodeStar project initially, and then it grew into something bigger. We reused the Beanstalk application to create the stage and prod environments and kept the initially-created dev environment as-is. We updated the CodePipeline to deploy to our new environments using "Elastic Beanstalk" as the Provider. (CodeStar had set up a deployment using CloudFormation for the environment it automatically provisioned in the Beanstalk application.) The problem: The deployment fails

AWS IAM Policy to Enforce Tagging

心已入冬 submitted on 2020-03-18 08:37:48
Question: Is there a way to enforce tagging while creating EC2 instances? I.e., a user cannot launch an instance without certain tags. And can I use those tags to give control over a particular instance depending on the tag? Answer 1: Yes, you have to use the "ec2:CreateAction" condition to limit tag creation to the moment the resource (instance/volume) is created, and the "aws:RequestTag" condition to control which tag key-value is required to create the resource. There are example policies here and for more information,

CodePipeline ECS Blue/Green Deployment cross account fails with PermissionError

十年热恋 submitted on 2020-03-05 06:21:07
Question: I'm trying to set up CodePipeline with an ECS blue/green deployment where the deployment is in a different AWS account. I've been using the two guides for ECS Blue/Green and CodePipeline cross-account deployments. CodePipeline lives in Account A along with its KMS key, S3 artifact bucket and ECR repository. The ECS cluster lives in Account B with the CodeDeploy setup. The ECR repository, KMS key and S3 buckets have cross-account permissions (these give a different error when wrong). The cluster starts

AWS STS to list buckets gives access denied

大城市里の小女人 submitted on 2020-03-04 19:36:09
Question: I have a bucket with an empty bucket policy and block public access turned ON (ACLs and Bucket), and I am trying to list buckets using an IAM policy tied to a user via STS AssumeRole with the following attached policy. { "Version": "2012-10-17", "Statement": [ { "Action": [ "s3:GetObject", "s3:GetBucket*", "s3:ListBucket*", "s3:ListAllMyBuckets" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::my-test-bucket/*" ] } ] } The assumed role credentials are used during the STS session in Python (boto3): s3c = boto3