amazon-iam

AWS API Gateway: How to pass IAM identity to Lambda function?

老子叫甜甜 submitted on 2019-12-20 10:29:52
Question: I've successfully configured IAM-authenticated access to my Lambda function with an AWS API Gateway front-end, but I am unable to find how to pass the IAM user identity to my Lambda function. I need exactly the IAM user identity and cannot run the Lambda function under the calling IAM user's credentials. All I need is to get the calling IAM user's identity in my Lambda function. Is there an option for that? Answer 1: Support for accessing identity and other information from the Amazon API Gateway request context hadn't been

How can I create an IAM policy to restrict permissions to billing/payment management?

若如初见. submitted on 2019-12-18 16:12:06
Question: I want to create a group with a user who only has the ability to manage payment for services, e.g. input credit card information for the account, etc. I don't want this user to have access to any of the other tools in the console. How do I do this? Answer 1: Unfortunately this is not possible with AWS Identity and Access Management (IAM) the way you might have envisioned it; IAM enables Controlling User Access to Your AWS Account Billing Information, but this only includes granting IAM users

How to use DynamoDB fine grained access control with Cognito User Pools?

一个人想着一个人 submitted on 2019-12-18 14:52:56
Question: I'm having trouble understanding how to use fine-grained access control on DynamoDB when logged in using Cognito User Pools. I've followed the docs and googled around, but for some reason I can't seem to get it working. My AWS setup is listed below. If I remove the condition in the role policy, I can get and put items with no problem, so it seems likely that the condition is the problem. But I can't figure out how or where to debug policies that depend on authenticated identities: what variables

How to hide instances in EC2 based on tag - using IAM?

怎甘沉沦 submitted on 2019-12-17 22:42:31
Question: I want to create a new user in IAM and allow him to create new EC2 instances, but be able to view/administer only those instances that he creates. Is this possible with IAM? This is the group policy I tried: { "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeImages", "ec2:DescribeKeyPairs", "ec2:DescribeSecurityGroups", "ec2:DescribeAvailabilityZones" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:DescribeInstances","ec2:RunInstances", "ec2

How to troubleshoot this AWS lambda error - An error has occurred: Received error response from Lambda: Unhandled?

南笙酒味 submitted on 2019-12-17 20:55:37
Question: I'm new to AWS. I'm building a chatbot using AWS Lex and AWS Lambda C#. I'm using the sample AWS Lambda C# program: namespace AWSLambda4 { public class Function { /// <summary> /// A simple function that takes a string and does a ToUpper /// </summary> /// <param name="input"></param> /// <param name="context"></param> /// <returns></returns> public string FunctionHandler(string input, ILambdaContext context) { try { return input?.ToUpper(); } catch (Exception e) { return "sorry i could not process

cross-account-access between 3 AWS accounts using assumeRole

独自空忆成欢 submitted on 2019-12-13 20:14:10
Question: We have a service in AWS-Account-A which will copy some files with ACL: 'bucket-owner-full-control' to an S3 bucket in AWS-Account-B. Now there is an AWS-Account-C which already has an assumeRole (which an S3 read access policy is attached to) from AWS-Account-B, and the S3 bucket policy already gave read access to AWS-Account-C roles. So the problem is, AWS-Account-C can't read those files which were uploaded from AWS-Account-A and can only read files which were uploaded using AWS-Account-B itself. I

Configure EMR to use s3a instead of s3 for spark.sql calls

旧巷老猫 submitted on 2019-12-13 18:41:25
Question: All my calls to spark.sql("") fail with the error in the stacktrace (1) below. Update 2: I have zeroed in on the problem; it is AccessDenied for sts:AssumeRole, any leads appreciated: User: arn:aws:sts::00000000000:assumed-role/EMR_EC2_XXXXX_XXXXXX_POLICY/i-3232131232131232 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::00000000000:role/EMR_XXXXXX_XXXXXX_POLICY When the same location is accessed with spark.read.parquet("s3a://xxx.xxx-xxx-xx.xxxxx-xxxxx/xxx/") I was

How to give ec2 instance access to s3 using boto3

一个人想着一个人 submitted on 2019-12-13 15:31:32
Question: By googling, I found this tutorial on accessing S3 from an EC2 instance without a credential file. I followed its instructions and got the desired instance. The AWS web console page looks like However, I don't want to do it manually using the web console every time. How can I create such EC2 instances using boto3? I tried s = boto3.Session(profile_name='dev', region_name='us-east-1') ec2 = s.resource('ec2') rc = ec2.create_instances(ImageId='ami-0e297018', InstanceType='t2.nano', MinCount=1,

Accessing AWS API Gateway from an EC2 using IAM authorization (NodeJS)

浪子不回头ぞ submitted on 2019-12-13 12:35:06
Question: Perhaps I'm going a bridge too far here, but here's what I've got: an AWS API Gateway method that has AWS_IAM set for Authorization; a policy that allows access to that method; an EC2 role that has that policy attached to it; an EC2 launched with that role. I would like my NodeJS program (or any language, for that matter) on that EC2 to be able to call that API without hardcoding an AccessKey and SecretKey in the code. I have used this approach to use the aws-sdk to put/get records on S3,

Deny access to user agent to access a bucket in AWS S3

依然范特西╮ submitted on 2019-12-13 07:18:50
Question: In my S3 logs I see multiple requests from NSPlayer, and all the requests look like the one below: [29/Feb/2016:23:07:27 +0000] 188.71.221.62 - 07231C9924A44C67 REST.GET.OBJECT 16639/tracks/7ed00e05502aeb383d8a1abde2.mp3 "GET /bucket/16639/tracks/7ed00e05502aeb383d8a1abde2.mp3 HTTP/1.1" 200 - 4122705 5639543 6305 58 "http://m.xxxxxxw.com /" "NSPlayer/12.00.9651.0000 WMFSDK/12.00.9651.0000" - I want to deny access to this user agent, and I have written the bucket policy as well as the user policy to deny