amazon-iam

Defining two statements for the action on an IAM role

雨燕双飞 submitted on 2020-03-04 18:36:30
Question: Is it possible to have two statements for the same action in an IAM role? For different actions it works fine, but when creating a new statement for the same actions it's not working. Example: IamDeploymentRole: Type: "AWS::IAM::Role" Properties: RoleName: "iam-deployment" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: "Allow" Principal: AWS: - !Sub "arn:aws:iam::${ManagementAccountID}:root" Action: - "sts:AssumeRole" Condition: IpAddress: X - Effect: "Allow" Principal

Permissions for creating and attaching EBS Volume to an EC2Resource in AWS Data Pipeline

纵然是瞬间 submitted on 2020-02-25 01:23:57
Question: I need more local disk than is available to EC2Resources in an AWS Data Pipeline. The simplest solution seems to be to create and attach an EBS volume. I have added EC2:CreateVolume and EC2:AttachVolume policies to both DataPipelineDefaultRole and DataPipelineDefaultResourceRole. I have also tried setting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for an IAM role with the same permissions in the shell, but alas no luck. Is there some other permission needed, is it not using the roles it says it

Can an IAM permission policy be used to allow access to a cross-account resource?

穿精又带淫゛_ submitted on 2020-02-23 04:12:10
Question: My understanding is that service control policies and resource-based policies are mainly used to allow/deny cross-account access to resources. From the policy evaluation procedure explained here, I learned that an IAM permission policy (managed or inline) is used to grant/deny permissions to a Principal within an AWS account. { "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/Somerole", "Effect": "Allow" } ] } But above is the IAM permission policy,

ExpiredTokenException when I SAML SSO login AWS from my local IdP

感情迁移 submitted on 2020-02-16 06:53:49
Question: I'm building an IdP locally and I configured the IdP in the AWS IAM settings. Now I'd like to start an IdP-initiated SSO from my local IdP and log in to AWS, however the error always shows on the AWS page: Response has expired (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ExpiredTokenException; Request ID: 18fc7e20-97eb-11e9-97e4-0f55a663916e). Please try again. error page screenshot What should I do in this situation? Any help would be appreciated. Here is the SAML Response <saml2p

How to access aws resources created in other account

让人想犯罪 __ submitted on 2020-02-07 02:37:07
Question: In my use case, I want to access a DynamoDB table created in AWS account A from a Lambda created in account B. For this I have followed many references on the Internet which suggest using the AWS assume-role feature. I have added the following permission to the Lambda execution role { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::aws-account-A-number:role/test-db-access" } } Following is the trust relationship of the Lambda { "Version": "2012-10

Question about Lambda execution role when configuring credential rotation for Secret Manager

久未见 submitted on 2020-02-04 05:30:05
Question: I created a rotation function manually and linked it to Secrets Manager. I've managed to enable the rotation, but when I checked the CloudWatch logs for this rotation Lambda, it shows me an error: [ERROR] ClientError: An error occurred (AccessDeniedException) when calling the DescribeSecret operation: User: arn:awsxxxxxxx:assumed-role/xxxxx-lambda-exec-role/ MyLambdaName is not authorized to perform: secretsmanager:DescribeSecret on resource: MysecretARN I know something is wrong with my

s3 cross account access with default kms key

落爺英雄遲暮 submitted on 2020-01-25 11:11:11
Question: I have an S3 bucket in my account which has SSE enabled using the default aws-kms key. I wish to provide read access to my bucket to another account. I have followed the following link to provide access: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/ I am using aws s3 ls <s3://bucket_name> and aws s3 cp <path to s3 object> . to download the object. I tried providing cross-account access to a bucket without SSE enabled. I was successfully able to

How do I grant a rotation Lambda access to AWS Secrets Manager

非 Y 不嫁゛ submitted on 2020-01-24 13:04:06
Question: Using the serverless framework, I am trying to build a Lambda function that periodically rotates a secret stored in AWS Secrets Manager. I am having trouble configuring the roles needed for Secrets Manager to execute the Lambda. In my serverless.yml I have defined the following resources: resources: Resources: RotateKeysRole: Type: AWS::IAM::Role Properties: RoleName: rotate-keys-role ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

AWS IAM CloudFormation YAML template error: 'null' values are not allowed

て烟熏妆下的殇ゞ submitted on 2020-01-24 04:28:10
Question: I am working on a CloudFormation template for an IAM role that grants cross-account read-only access. It uses a managed policy for read-only access as well. So far I've resolved several errors, but now I'm getting a "'null' values are not allowed in templates" error when I try to validate the template. I think it's a spacing or syntax thing, but I cannot be sure, as it's my first time creating a CloudFormation template from scratch and using YAML. AWSTemplateFormatVersion: '2010-09-09'