amazon-iam

S3 Cross Account Access With Role

我是研究僧i 提交于 2019-12-08 04:49:56
问题 I need to create a cross account role to access the resources of S3 bucket from another aws account that I owns. Please help me to implement this using the cross account IAM role without using Access or secret keys. 回答1: Let's say you have: Role A in Account A Instance A in Account A that is associated with Role A Bucket B in Account B You wish to allow an application on Instance A to access the content of Bucket B. The Request Information That You Can Use for Policy Variables documentation

Amazon API Gateway User keys

自古美人都是妖i 提交于 2019-12-08 01:04:22
问题 I have an API deployed on AWS API Gateway. I will have multiple subscribers using my API and each customer would be unique. Is it possible that each customer will have a separate API key unique to him? Or will I have to create those many IAM users in order for them to be unique? If yes for the IAM users, then what is the upper limit of the number of users? I will be doing all this programmatically. 回答1: By unique, if you mean that you should be able to identify which request came from who,

Enabling AWS IAM Users access to shared bucket/objects

隐身守侯 提交于 2019-12-07 23:40:01
问题 Is it possible to expose Amazon S3 account bucket (shared by ACL setings) to the users setup using new Amazon AIM API under different account? I'm able to create working IAM policy when related to the users and objects belonging to a single account. But as it seems this no longer works when two different accounts are involved - despite account 2 being able to access account 1's bucket directly. Sample policy is: { "Statement": [ { "Effect": "Allow", "Action": [ "s3:*" ], "Resource": [ "arn

IAM user policy returning 403 Forbidden on Amazon S3 bucket

若如初见. 提交于 2019-12-07 11:41:52
问题 I am struggling to get a AWS S3 IAM user policy to work, this is my current IAM user's policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1424859689000", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::vault-us/*" ] } ] } When I do a post to create a new object in my S3 bucket I get a 403 Forbidden error but when I use the Managed Policy called 'AmazonS3FullAccess' then everything works just fine. What I am trying to

Allow AWS IAM user to launch only one ec2 instance

僤鯓⒐⒋嵵緔 提交于 2019-12-07 07:31:09
问题 In Amazon AWS, I would like to give my IAM-registered (Windows) user a small API-based program that will launch a custom AMI-based instance and then connect her machine to it. Easy - but if the same user should try to launch another instance while the first is still running (from the same or another machine), the second and subsequent attempts must fail. The AMI will be shared between multiple users. The instance will be unique to the user. Note that this problem differs from some similar

Proper s3 permissions for users uploading image files with carrierwave

ぐ巨炮叔叔 提交于 2019-12-07 06:00:57
问题 At the end of Chapter 11 of The Rails Tutorial by Michael Hartl I successfully managed to enable user uploads to Amazons S3 service by creating a bucket, using IAM to set a user and granting the user an AmazonS3FullAccess policy. It feels dirty and very insecure to allow an unknown user on my website to have full access to a bucket for image upload on my website and I'm not sure if I should feel this way. I created a custom policy at http://awspolicygen.s3.amazonaws.com/policygen.html Which

How to check for custom OpenID claim in an IAM role's trust policy?

社会主义新天地 提交于 2019-12-07 04:49:47
问题 I am authenticating users with auth0 to receive a id token containing the following claim "http://myapp.com/scope": "write" Using a Cognito identity pool with an OpenID authentication provider (namely, auth0), I am able to successfully get temporary credentials to access aws services. However, I want to restrict access to these services based on my custom claim above. I believe the proper way to do this is by editing the trust policy associated with my identity pool, but I am not sure how to

What is the smallest subnet one can create on AWS in the VPC?

我是研究僧i 提交于 2019-12-07 01:31:02
问题 I want to limit the number of instances that can run in a subnet to the smallest number of instances possible. This in combination with an IAM role will allow me to limit how many instances a user can create on my AWS account (see https://forums.aws.amazon.com/thread.jspa?threadID=174503 requirement #4 which reflects my motivations). What is the smallest subnet one can create on AWS in the VPC and what would the IPv4 CIDR be? 回答1: 16 IPs is the smallest range for a VPC Subnet -- /28 netmask.

How to (properly) use external credentials in an AWS Lambda function?

两盒软妹~` 提交于 2019-12-07 00:23:06
问题 I have a (extremely basic but perfectly working) AWS lambda function written in Python that however has embedded credentials to connect to: 1) an external web service 2) a DynamoDB table. What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2). These are the relevant parts of the function: h = httplib2.Http() auth = base64.encodestring('myuser' + ':' +

IAM Group Policy for S3 bucket: deny folders but not files

白昼怎懂夜的黑 提交于 2019-12-06 15:16:48
this question references the same aws blog I've been trying to leverage in order to meet my needs, but without any success. I've been hacking on the solution in that answer AND the example policies it references all day without any success. I'm basically looking to allow different IAM groups full access to a common subfolder object within a bucket while selectively allowing/denying access to OTHER subfolders object based on group membership. Bucket structure: my-finance-bucket\ my-finance-bucket\files my-finance-bucket\Our-Finance-Team\ my-finance-bucket\Our-Finance-Team\files my-finance
订阅 amazon-iam