amazon-iam

问题 I've read a bunch of AWS documentation in the last day or two, but haven't yet come across anything that really answers the follow: If a mobile app is using AWS Cognito as the Authentication / Identity provider, I know that we can write AWS IAM policies that specify what AWS resources and actions a user can take. There are a brief few examples of policies that allow users to upload files to S3 directly, but only into "folders" named with their user identity. There is plenty of mention of

问题 I am trying to trigger a Lambda function to run on update to a s3 bucket. The s3 bucket that I am attempting to have trigger the Lambda is in a separate AWS account. The approach I have tried is setting up a role in the account that with the s3 bucket that has all the privileges on the s3 bucket. Then in the account with the Lambda I have a role with assumes the role in the other account like this: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "sts:AssumeRole" ],

问题 I don't know how (or where also) to grant read and write permission to the user from AWS so users can post pictures on sample_app in production enviroment. This is final task in 11th chapter, it isn't covered by tutorial and I can't find solution anywhere. This is carrier_wave.rb file: if Rails.env.production? CarrierWave.configure do |config| config.fog_credentials = { # Configuration for Amazon S3 :provider => 'AWS', :aws_access_key_id => ENV['lalala'], :aws_secret_access_key => ENV[

问题 I'm trying to create an IAM role and assign it to an EC2 instance according to Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI. The policy looks like below: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } But it gives this error: This policy contains the following error: Has prohibited field Principal There is a similar question here but it couldn't fix this issue.

问题 I have files stored on S3 and wrote .ebextensions config to automatically copy the them to new instances. I'm receiving this error in the Elastic Beanstalk console: [Instance: INSTANCEID Module: AWSEBAutoScalingGroup ConfigSet: null] Command failed on instance. Return code: 1 Output: [CMD-AppDeploy/AppDeployStage0/EbExtensionPreBuild] command failed with error code 1: Error occurred during build: Failed to retrieve https://s3-us-west-1.amazonaws.com/MyBucket/MyFolder/_MyFile.txt: HTTP Error

问题 How can I access my S3 bucket from a container without having my AWS credentials in the code? My code also auto-deploy, so having it as an Env-variable is also no good (the deployment script is in the repository - and the credentials shouldn's be there either ) . I tried to look into IAM roles, but couldn't wrap my head around something that will help my use-case. 回答1: If you are running containers on an EC2 instance directly (without using ECS service) then you need to create an IAM role and

问题 I'm looking for a secure way to directly upload large files to S3 (for performance issue). After few hours of research, I've come to the (maybe incorrect) conclusion that I should use "Browser-Based Uploads Using POST". As referenced in this thread: Amazon S3 direct file upload from client browser - private key disclosure Before trying this directly, I thought about making a cURL POC with direct upload and signature computation. I've failed to make it work, and haven't found a successful POC

问题 I have two AWS accounts( Account A & B ). I want to allow few IAM users of Account B to access resources of Account A via AWS IAM roles. I have created the role and it works fine. However, I see that any IAM user who gets hold of the role name is able to switch roles and access the resources. Is there a way to allow only specific users of Account B to be able to switch to the role? The trust policy statement is as follows- { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow",

问题 Below is the SAM template, Resources: HelloWorldFunction: Type: AWS::Serverless::Function Properties: CodeUri: hello-world/ Handler: app.LambdaHandler Runtime: nodejs8.10 Policies: - AWSLambdaExecute for which, below is role(JSON) created for Lambda function: { "roleName": "somestack-HelloWorldFunctionRole-AAAAAAAA", "policies": [ {...}, # AWSLambdaExecute {...}, # AWSLambdaSQSQueueExecutionRole {....} # AWSLambdaBasicExecutionRole ], "trustedEntities": [ "lambda.amazonaws.com" ] } What is

问题 Is it possible to create an IAM policy in AWS S3 such that a user or group can access only certain objects in an S3 buckets with a specific tag attached to it and all other objects with no tags or different tags in the bucket are not accessible? 回答1: You can use s3:ExistingObjectTag/<tag-key> . Using this condition key, you can limit the permission to only on objects that have a specific tag key and value. For more info: Specifying Conditions in a Policy - Amazon Simple Storage Service 来源：