amazon-iam

问题 In my AWS project, I use the serverless framework to deploy lambda function and IAM roles. So I created 6 lambda functions, all using the same IAM Role below: functions: auto-delete-identity: handler: src/auto-delete-identity.handler role: arn:aws:iam::123456789012:role/lambdaIAMRole name: auto-delete-identity auto-move-to-user-group: handler: src/auto-move-to-user-group.handler role: arn:aws:iam::123456789012:role/lambdaIAMRole name: auto-move-to-user-group auto-validate-user-creation:

问题 In my AWS project, I use the serverless framework to deploy lambda function and IAM roles. So I created 6 lambda functions, all using the same IAM Role below: functions: auto-delete-identity: handler: src/auto-delete-identity.handler role: arn:aws:iam::123456789012:role/lambdaIAMRole name: auto-delete-identity auto-move-to-user-group: handler: src/auto-move-to-user-group.handler role: arn:aws:iam::123456789012:role/lambdaIAMRole name: auto-move-to-user-group auto-validate-user-creation:

问题 I am trying to create an AWS CodePipeline that deploys the production code to a separate account. The code consists of a lambda function which is setup using a sam template and cloudformation. I have it currently deploying to the same account without error. I added another stage that has a manual approval action and after approval it should deploy to the other account. It fails with the following error: Cross-account pass role is not allowed (Service: AmazonCloudFormation; Status Code: 403;

问题 I'm following http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html in order to authenticate from an EC2 to RDS. I am able to run the generate-db-auth-token command to retrieve a token, but I'm not sure what to do with it after that (the instructions inexplicably end). I've tried simply passing the regurgitated string (as well as logical substrings of the returned fields) as the password of a mysql client connection, but this doesn't seem to work.. The returned

问题 I have below keys under the bucket demo.for.customers demo.for.customers/customer1/ demo.for.customers/customer2/ Now I have 2 customers namely customer1 and customer2 . This is what I want: Grant them access to only demo.for.customers bucket. customer1 should be able to access only demo.for.customers/customer1/ and customer2 should be able to access only demo.for.customers/customer2/ . And I am able to achieve this with below policy ( I am creating policy for each customer. Hence I am

问题 I am trying to give a programmatic IAM user access to a single bucket. I setup the following policy and attached it to the user: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::mybucket" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::mybucket/*" ] } ] } Trying to programatically upload a file I got a 403. I got this policy from here: Writing IAM

问题 I use this Policy { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1385026304010", "Effect": "Allow", "Action": [ "ec2:RunInstances" ], "Condition": { "StringEquals": { "ec2:InstanceType": "t2.medium" } }, "Resource": [ "arn:aws:ec2:us-east-1:*:instance/*", "arn:aws:ec2:us-east-1:*:image/ami-81c603ea", "arn:aws:ec2:us-east-1:*:key-pair/CodeDeploy", "arn:aws:ec2:us-east-1:*:security-group/sg-5ace243d", "arn:aws:ec2:us-east-1:*:volume/*" ] } ] } But it show error message , Initialization

问题 Below is the policy template created to restrict any Principal to do only below actions: Resources: MyPolicy: Type: AWS::IAM::ManagedPolicy Properties: Description: RulesToCreateUpdatePolicy ManagedPolicyName: some-policy PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - "iam:CreatePolicy" - "iam:DeletePolicy" - "iam:CreatePolicyVersion" Resource: - !Sub "arn:aws:iam::${AWS::AccountId}:policy/xyz-lambda-*" on a policy resource that starts with name xyz-lambda- . This

问题 In the below rule: { "Condition": { "StringLikeIfExists": { "iam:PassedToService": "lambda.amazonaws.com" } }, "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::${AWS::AccountId}:role/some-role*" ], "Effect": "Allow" } We are using this rule for cloud formation stack creation of SAM template( sam deploy ). SAM template has lambda and custom roles for lambda. What exactly are we saying with the above rule? 回答1: In short, the statement says that you can assign role with name that starts

问题 I'm generating credentials via keybase.io PGP in my Terraform config. I can confirm access via aws-cli is successful for the new user. However, Console access remains disabled. Is there a way to create a user with Terraform with the console access enabled? I appreciate that's a bit of an anti-pattern for Terraform, but I'd like my new user to be able to log in to the Console UI to validate/debug. UPDATE 1 Terraform module: https://registry.terraform.io/modules/terraform-aws-modules/iam/aws/0