amazon-iam

How do I get AWS cross-account KMS keys to work?

旧城冷巷雨未停 submitted on 2019-12-06 03:45:26
Question: I'm trying to set up cross-account access to allow for an external account to use my KMS key to decrypt data from an S3 bucket. I have the key, policies, roles set up with what I believe are the correct grants but I can't describe the key from the external account. Hoping to get some input as to what I'm doing wrong. Account 111: Key with policy grant to root of external account (999) { "Version": "2012-10-17", "Id": "key-consolepolicy-3", "Statement": [ { "Sid": "Enable IAM User Permissions",

Running Spark EC2 scripts with IAM role

萝らか妹 submitted on 2019-12-06 02:58:09
Question: I am trying to run Spark EC2 scripts to launch a cluster under an IAM role which my user under my root account can assume. According to this JIRA ticket, we can now specify --profile when running Spark EC2 scripts, and the comments on the pull request say that the --profile option refers to what I believe is the AWS CLI profile. When I run the scripts as ec2/spark-ec2 -k key-name -i key-name.pem -s 1 --profile myprofile --instance-type=t2.medium launch test-cluster I get Profile "myprofile"

aws CAPABILITY_AUTO_EXPAND console web codepipeline with cloudformation

喜夏-厌秋 submitted on 2019-12-06 02:10:26
Question: I am trying to complete a codepipeline with the cloudformation service and this error is generated. It must be said that the separate cloudformation service works well. The complete error is: JobFailed Requires capabilities: [CAPABILITY_AUTO_EXPAND] (Service: AmazonCloudFormation; Status Code: 400; Error Code: InsufficientCapabilitiesException; Request ID: 1a977102-f829-11e8-b5c6-f7cc8454c4d0) The solution I have is to add the CAPABILITY_AUTO_EXPAND --capabilities parameter but that only

How to create a new user in AWS

时光怂恿深爱的人放手 submitted on 2019-12-06 02:09:15
Question: I'm trying to figure out how to create a new user with AWS APIs for Java, but I can't figure out what I need to do. So far I managed to write this code that gives me a CreateUserRequest, a CreateAccessKeyRequest and a BasicAWSCredentials with all the fields filled. I just can't figure out what to do next. Do I have to use CreateUserResult? How? CreateUserRequest user = new CreateUserRequest("userName"); CreateAccessKeyRequest key = new CreateAccessKeyRequest(); BasicAWSCredentials cred = new

How to provide multiple StringNotEquals conditions in AWS policy?

被刻印的时光 ゝ submitted on 2019-12-05 21:23:40
Question: I am trying to write an AWS S3 bucket policy that denies all traffic except when it comes from two VPCs. The policy I'm trying to write looks like the one below, with a logical AND between the two StringNotEquals (except it's an invalid policy): { "Version": "2012-10-17", "Id": "Policy1415115909152", "Statement": [ { "Sid": "Allow-access-only-from-two-VPCs", "Action": "s3:*", "Effect": "Deny", "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"], "Condition": { "StringNotEquals": {

IAM user policy returning 403 Forbidden on Amazon S3 bucket

怎甘沉沦 submitted on 2019-12-05 14:06:14
I am struggling to get an AWS S3 IAM user policy to work; this is my current IAM user's policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1424859689000", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::vault-us/*" ] } ] } When I do a post to create a new object in my S3 bucket I get a 403 Forbidden error, but when I use the Managed Policy called 'AmazonS3FullAccess' then everything works just fine. What I am trying to do is restrict certain IAM users to upload/download rights but am struggling to get this working. Any

How do I use Boto3 to launch an EC2 instance with an IAM role?

倾然丶 夕夏残阳落幕 submitted on 2019-12-05 13:07:14
Question: I cannot figure out how to launch an EC2 instance in Boto3 with a specified IAM role. Here is some sample code of how I have been able to successfully create an instance so far: import boto3 ec2 = boto3.resource('ec2', region_name='us-west-2') ec2.create_instances(ImageId='ami-1e299d7e', InstanceType='t2.micro',\ MinCount=1, MaxCount=1, SecurityGroupIds=['Mysecuritygroup'], KeyName='mykeyname') Answer 1: Note: Some Boto3 versions accept either Arn or Name but all versions accept Name. I suggest

Proper s3 permissions for users uploading image files with carrierwave

泪湿孤枕 submitted on 2019-12-05 10:27:40
At the end of Chapter 11 of The Rails Tutorial by Michael Hartl I successfully managed to enable user uploads to Amazon's S3 service by creating a bucket, using IAM to set up a user and granting the user an AmazonS3FullAccess policy. It feels dirty and very insecure to allow an unknown user on my website to have full access to a bucket for image upload on my website and I'm not sure if I should feel this way. I created a custom policy at http://awspolicygen.s3.amazonaws.com/policygen.html which is the following: { "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1445501067518", "Action": [

How to check for custom OpenID claim in an IAM role's trust policy?

孤街浪徒 submitted on 2019-12-05 09:27:30
I am authenticating users with auth0 to receive an id token containing the following claim "http://myapp.com/scope": "write" Using a Cognito identity pool with an OpenID authentication provider (namely, auth0), I am able to successfully get temporary credentials to access AWS services. However, I want to restrict access to these services based on my custom claim above. I believe the proper way to do this is by editing the trust policy associated with my identity pool, but I am not sure how to add a condition to check for the above claim in my trust policy. The current default trust policy is {

How to (properly) use external credentials in an AWS Lambda function?

℡╲_俬逩灬. submitted on 2019-12-05 04:37:24
I have an (extremely basic but perfectly working) AWS lambda function written in Python that however has embedded credentials to connect to: 1) an external web service 2) a DynamoDB table. What the function does is fairly basic: it POSTs a login against a service (with credentials #1) and then saves part of the response status into a DynamoDB table (with AWS credentials #2). These are the relevant parts of the function: h = httplib2.Http() auth = base64.encodestring('myuser' + ':' + 'mysecretpassword') (response, content) = h.request('https://vca.vmware.com/api/iam/login', 'POST', headers = {