amazon-iam

问题 I have a Kubernetes Cluster running on Azure (AKS / ACS). I created the cluster using the Portal. There a aadClient was created automatically with a client secret that now expired. Can somebody please tell me how to set the new client secret which I already created? Right now AKS is not able to update Loadbalancer values or mount persistant storage. Thank you! 回答1: AKS client credentials can be updated via command: az aks update-credentials \ --resource-group myResourceGroup \ --name

问题 I am trying to write a permission for a user to just be able to access the objects in ONE specific bucket. I currently have: { "Version": "2012-10-17", "Statement":[{ "Effect": "Allow", "Action": "s3:GetObject", "Resource": ["arn:aws:s3:::test", "arn:aws:s3:::test/*"] } ] } but the user can still access ALL my other buckets. Note that my other buckets don't have policy... I don't think it should matter. I just want that user's IAM to be allowed to that specific bucket. 回答1: Amazon S3 is one

问题 I have a instance which needs to read data from two different account s3. Bucket in DataAccount with bucket name " dataaccountlogs " Bucket in UserAccount with bucket name " userlogs " I have console access to both account, so now I need to configure bucket policy to allow instances to read s3 data from buckets dataaccountlogs and userlogs , and my instance is running in UserAccount . I need to access these two bucket both from command line as well as using spark job . 回答1: You will need a

问题 Below is the SAM template: Resources: HelloWorldFunction: Type: AWS::Serverless::Function Properties: CodeUri: hello-world/ Handler: app.LambdaHandler Runtime: nodejs8.10 Events: MySQSEvent: Type: SQS Properties: Queue: !GetAtt SomeQueue.Arn BatchSize: 10 PermissionsBoundary: "arn:aws:iam::${AWS::AccountId}:policy/AddPermission" SomeQueue: Type: AWS::SQS::Queue AddPermission: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Version: 2012-10-17 Statement: - Sid:

问题 I have the following IAM Role: AmazonEC2FullAccess Custom-Policy In my custom policy I have: { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*", "Condition": { "IpAddress": { "aws:SourceIp": "10.0.0.0/16" } } } ] } Then I create a new EC2 instance and attach this role to it. Inside the EC2 Instance I try to do: aws iam list-roles But I get this error: An error occurred (AccessDenied) when calling the ListRoles

问题 We have set following options amidst creation of bucket: PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true to get below restriction for any user trying to change this option: We have also added below option: AccessControl: Private where possible values are: Private, PublicRead, PublicReadWrite, AuthenticatedRead, LogDeliveryWrite, BucketOwnerRead, BucketOwnerFullControl, or AwsExecRead This is a single zone VPC: 1)

问题 Background: With cross account role someaccountrole , I have access to aws account xyz . Case 1 To create a stack in account xyz , we upload the Cloudformation file through console. Amidst stack creation in Events tab, we see the very first event, as shown below: Case 2 We create EC2 instance in xyz account. Using sam deploy, where sam deploy is a wrapper of aws cloudformation deploy , we run below command from EC2, for stack creation: aws cloudformation deploy --template-file cfntemplate.yml

问题 I want to create an api for my app that is only accessible by my app. I have added the AWS Cognito identity to my appDelegate like so: AWSCognitoCredentialsProvider *credentialsProvider = [[DeveloperAuthenticationProvider alloc] initWithRegionType:AWSRegionUSEast1 identityPoolId:@"poolId"]; AWSServiceConfiguration *configuration = [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider]; AWSServiceManager.defaultServiceManager

问题 I have the following piece of code in Cloudformation template that defines role with policy for my task that need to pull an image from my ECR registry: TaskDefinition: Type: 'AWS::ECS::TaskDefinition' DependsOn: - TaskPolicy0 Properties: Family: !Sub '${EcsTaskDefFamily}' TaskRoleArn: !Ref EcsTaskRole ContainerDefinitions: - Name: !Ref NodeContName Essential: 'true' Image: !Ref ImageFullName ### PULLED IMAGE Memory: !Ref ContainerMemory MemoryReservation: !Ref ContainerMemoryReservation

问题 I'm trying to create a policy for an IAM role for my federated users (authenticating through my SAML provider). I'm following Creating a Role for SAML 2.0 Federation (Console) - AWS Identity and Access Management: { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRoleWithSAML", "Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME"}, "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}} } }