Access denied when using aws cli but allowed in web console - aws-cli

My IAM account has "admin" privilege, at least supposedly. I can perform all operations as far as I can tell in web console. For example,
Recently I downloaded aws-cli and quickly configured it by supplying access keys, default region and output format. I then tried to issue some commands and found most of them, but not all, have permission issues. For example
$ aws --version
aws-cli/1.16.243 Python/3.7.4 Windows/10 botocore/1.12.233
$ aws s3 ls s3://test-bucket
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
$ aws ec2 describe-instances
An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation.
$ aws iam get-user
{
  "User": {
    "Path": "/",
    "UserName": "xxx#xxx.xxx",
    "UserId": "xxxxx",
    "Arn": "arn:aws:iam::nnnnnnnnnn:user/xxx#xxx.xxx",
    "CreateDate": "2019-08-21T17:09:25Z",
    "PasswordLastUsed": "2019-09-21T16:11:34Z"
  }
}
It appears to me that cli, which is authenticated using access key, has a different permission set from web console, which is authenticated using MFA.
Why is permission inconsistent between CLI and GUI? How to make it consistent?

It turns out the following statement in one of my policies blocked CLI access due to lacking MFA.
{
  "Condition": {
    "BoolIfExists": {
      "aws:MultiFactorAuthPresent": "false"
    }
  },
  "Resource": "*",
  "Effect": "Deny",
  "NotAction": [
    "iam:CreateVirtualMFADevice",
    "iam:EnableMFADevice",
    "iam:GetUser",
    "iam:ListMFADevices",
    "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice",
    "sts:GetSessionToken"
  ],
  "Sid": "DenyAllExceptListedIfNoMFA"
},

If you replace BoolIfExists with Bool, it should work. Your CLI requests would not be denied because of not using MFA.
Opposite of https://aws.amazon.com/premiumsupport/knowledge-center/mfa-iam-user-aws-cli/

To remain really secure check this good explanation: MFA token for AWS CLI
In a few steps:
Get a temporary 36-hour session token.
aws sts get-session-token --serial-number arn:aws:iam::123456789012:mfa/user --token-code code-from-token
{
  "Credentials": {
    "SecretAccessKey": "secret-access-key",
    "SessionToken": "temporary-session-token",
    "Expiration": "expiration-date-time",
    "AccessKeyId": "access-key-id"
  }
}
Save these values in a mfa profile configuration.
[mfa]
aws_access_key_id = example-access-key-as-in-returned-output
aws_secret_access_key = example-secret-access-key-as-in-returned-output
aws_session_token = example-session-Token-as-in-returned-output
Call with the profile
aws --profile mfa
PS: Don't do the cron job as suggested; it goes against security.
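
The effect of the condition operator in the Deny statement quoted in this thread, as an added example (not code from the original posts or from AWS). It is a simplified model of this one statement only; it relies on the documented behaviour that aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys and present for temporary credentials, and the three request contexts are constructed.

```python
# Deny statement copied from the policy quoted in this thread.
DENY_STATEMENT = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
        "iam:ListMFADevices", "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice", "sts:GetSessionToken",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}
MFA_KEY = "aws:MultiFactorAuthPresent"

def condition_matches(operator, key, expected, context):
    """Simplified model of Bool / BoolIfExists for a single key."""
    if key not in context:
        # Key absent: a plain operator does not match, an ...IfExists one does.
        return operator.endswith("IfExists")
    return context[key].lower() == expected.lower()

def is_denied(statement, action, context):
    """True when this Deny statement applies to the request."""
    exempt = {a.lower() for a in statement["NotAction"]}
    if action.lower() in exempt:
        return False
    return all(
        condition_matches(op, key, expected, context)
        for op, pairs in statement["Condition"].items()
        for key, expected in pairs.items()
    )

def with_operator(statement, operator):
    """Copy of the statement with its condition operator swapped."""
    (pairs,) = statement["Condition"].values()
    return {**statement, "Condition": {operator: pairs}}

# Request contexts (constructed): which credentials signed the call.
LONG_TERM_KEYS = {}                    # access key pair: MFA key is absent
SESSION_NO_MFA = {MFA_KEY: "false"}    # temporary credentials, no MFA
SESSION_WITH_MFA = {MFA_KEY: "true"}   # console login or get-session-token with MFA

if __name__ == "__main__":
    contexts = {"long-term keys": LONG_TERM_KEYS, "session, no MFA": SESSION_NO_MFA,
                "session, MFA": SESSION_WITH_MFA}
    for name, ctx in contexts.items():
        for op in ("BoolIfExists", "Bool"):
            stmt = with_operator(DENY_STATEMENT, op)
            print(name, op, is_denied(stmt, "ec2:DescribeInstances", ctx))
```

With Bool, requests signed with long-term access keys are no longer matched by the Deny, so MFA is not enforced for them; with BoolIfExists they are denied until an MFA-backed session token is used.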

I had this same issue and I fixed it by adding my user to a new group with administrator access in IAM.
To do this, go to IAM, Users, click on your user and then [add permissions].
In the next screen click [Create group] and then pick administrator access.

Related

How to deploy a Linux Azure Function using the Github Docker Registry

I cannot get a deployment of an Azure Function by private repository, using the new Github artifact repo for Docker, to work (https://github.com/features/packages).
My linux_fx_version is:
'linux_fx_version': 'DOCKER|{}'.format(self.docker_image_id)
with docker_image_id having the value organisation/project-name/container-name:latest
For the other settings, I am using
{ "name": "DOCKER_REGISTRY_SERVER_PASSWORD", "value": self.docker_password },
{ "name": "DOCKER_REGISTRY_SERVER_USERNAME", "value": self.docker_username },
{ "name": "DOCKER_REGISTRY_SERVER_URL", "value": self.docker_url },
with the docker_url being https://docker.pkg.github.com/, and the password being the token with read:packages
Things look good, and yet I get the following (I am not able to fetch any deployment logs as the runtime is unreachable).
Error:
Azure Functions Runtime is unreachable. Click here for details on storage configuration.
Solution found.
Use https://docker.pkg.github.com/ as the docker URL,
and docker.pkg.github.com/<org>/<project-name>/<container-name>:<version> as the linux_fx_version

Is there a way to list AWS Iam user properties

I can't find a way to list IAM users with the following info:
Username
Key age
Password age
Last login
MFA Enabled
last use
key Active?
I have tried aws iam list-users but that doesn't tell me much.
Is this possible using the AWS CLI? If so, how?
I will put in an answer, since 4 people have voted, unfairly I think, to close the question.
The short answer is, no, there's no one command you can use to do this, and I can understand why that's confusing and surprising.
Some of this info can be found in the credential report using:
aws iam generate-credential-report
aws iam get-credential-report
See the docs for how to programmatically obtain the credentials report (ref).
From there you can get:
mfa_active
access_key_1_active
access_key_1_last_used_date
access_key_1_last_rotated
password_last_used
password_last_changed
Some other info can be found in the list-access-keys subcommand:
▶ aws iam list-access-keys --user-name alex
{
  "AccessKeyMetadata": [
    {
      "UserName": "alex",
      "Status": "Active",
      "CreateDate": "XXXX-XX-XXT01:33:31Z",
      "AccessKeyId": "XXXXXXXX"
    }
  ]
}
Thus, you can get the "Status" and "CreateDate" from here too using commands like:
aws iam list-access-keys --user-name alex \
  --query "AccessKeyMetadata[].CreateDate" \
  --output text
More info again can be found in:
▶ aws iam get-login-profile --user-name alex
{
  "LoginProfile": {
    "UserName": "alex",
    "CreateDate": "XXXX-XX-XXT01:33:31Z",
    "PasswordResetRequired": false
  }
}
You can also get the access key last used date this way:
access_key_id=$(aws iam list-access-keys \
  --user-name alex \
  --query "AccessKeyMetadata[].AccessKeyId" \
  --output text)
aws iam get-access-key-last-used \
  --access-key-id "$access_key_id"
Example output:
{
  "UserName": "alex",
  "AccessKeyLastUsed": {
    "Region": "XXXXXX",
    "ServiceName": "iam",
    "LastUsedDate": "XXXX-XX-XXT05:28:00Z"
  }
}
I think that covers all the fields you asked about. Obviously, you would need to write a bit of code around all this to get it all together.
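
One way to pull the credential-report fields listed above into a per-user summary, as an added example (not code from the original answer). The sample rows, dates and the 90-day threshold are constructed; the input is assumed to be the base64 "Content" value returned by aws iam get-credential-report, reduced here to the columns named in the answer.

```python
import base64
import csv
import io
from datetime import datetime, timezone

# Constructed sample rows, reduced to the report columns named in the answer.
SAMPLE_CSV = """user,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alex,2020-01-30T08:00:00+00:00,2020-01-11T00:00:00+00:00,true,true,2020-01-01T00:00:00+00:00,2020-01-29T05:28:00+00:00
build-bot,N/A,N/A,false,true,2019-01-31T00:00:00+00:00,N/A
"""
# get-credential-report returns the CSV base64-encoded in its "Content" field.
SAMPLE_CONTENT = base64.b64encode(SAMPLE_CSV.encode()).decode()

NO_VALUE = {"N/A", "no_information", "not_supported"}

def parse_ts(value):
    """Report timestamps are ISO 8601; placeholder strings mean 'no value'."""
    return None if value in NO_VALUE else datetime.fromisoformat(value)

def age_days(value, now):
    ts = parse_ts(value)
    return None if ts is None else (now - ts).days

def summarize(content_b64, now):
    """One dict per user with the fields asked for in the question."""
    text = base64.b64decode(content_b64).decode("utf-8")
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "username": r["user"],
            "mfa_enabled": r["mfa_active"] == "true",
            "key_active": r["access_key_1_active"] == "true",
            "key_age_days": age_days(r["access_key_1_last_rotated"], now),
            "key_last_used": parse_ts(r["access_key_1_last_used_date"]),
            "password_age_days": age_days(r["password_last_changed"], now),
            "last_login": parse_ts(r["password_last_used"]),
        })
    return rows

def stale_active_keys(rows, max_age_days=90):
    """Users whose active key 1 is older than max_age_days."""
    return [r["username"] for r in rows
            if r["key_active"] and (r["key_age_days"] or 0) > max_age_days]

if __name__ == "__main__":
    now = datetime(2020, 1, 31, tzinfo=timezone.utc)
    for row in summarize(SAMPLE_CONTENT, now):
        print(row)
```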

AWS Codebuild fails while downloading source. Message: Access Denied

I created a CodeBuild Project that uses a docker image for node8. The purpose of this CodeBuild project is to do unit testing. It takes an input artifact from CodeCommit. And in the buildspec.yml it runs a test command.
This is my (simple) buildspec file:
version: 0.2
phases:
  install:
    commands:
      - echo "install phase started"
      - npm install
      - echo "install phase ended"
  pre_build:
    commands:
      - echo "pre_build aka test phase started"
      - echo "mocha unit test"
      - npm test
      - echo "mocha unit test ended"
  build:
    commands:
      - echo "build phase started"
      - echo "build complete"
The build is failing at the DOWNLOAD_SOURCE phase with the following:
PHASE - DOWNLOAD_SOURCE
Start time 2 minutes ago
End time 2 minutes ago
Message Access Denied
The only logs in the build logs are the following
[Container] 2018/01/12 11:30:22 Waiting for agent ping
[Container] 2018/01/12 11:30:22 Waiting for DOWNLOAD_SOURCE
Thanks in advance.
Screenshot of the CodeBuild policies.
I found a fix. It was a problem with my permissions. I added this to make it work.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project",
        "arn:aws:logs:eu-west-1:723698621383:log-group:/aws/codebuild/project:*"
      ],
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ]
    },
    {
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::codepipeline-eu-west-1-*"
      ],
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameters"
      ],
      "Resource": "arn:aws:ssm:eu-west-1:723698621383:parameter/CodeBuild/*"
    }
  ]
}
I had the same error, a permissions issue accessing S3 bucket url. Originally I used an auto-generated codepipeline-us-west-2-* bucket name with the policy:
{
  "Effect": "Allow",
  "Resource": [
    "arn:aws:s3:::codepipeline-us-west-2-*"
  ],
  "Action": [
    "s3:PutObject",
    "s3:GetObject",
    "s3:GetObjectVersion",
    "s3:GetBucketAcl",
    "s3:GetBucketLocation"
  ]
}
After changing to my own bucket name, the policy had to be updated to:
{
  "Effect": "Allow",
  "Resource": [
    "arn:aws:s3:::project-name-files/*"
  ],
  "Action": [
    "s3:PutObject",
    "s3:GetObject",
    "s3:GetObjectVersion",
    "s3:GetBucketAcl",
    "s3:GetBucketLocation"
  ]
}
I had a similar error and will post my fix in case it helps anyone else. I was using CodePipeline and had two separate builds happening. Build #1 would complete its build and the output artifact for that was to be the input artifact for Build #2. Build #2 was failing on the DOWNLOAD_SOURCE phase with the following error:
AccessDenied: Access Denied status code: 403
The problem was that in my build spec for Build #1, I didn't have the artifacts defined. After calling out the artifact files/folders in Build #1, then Build #2 was able to download the source without issue.
I was experiencing the same symptoms but my issue was due to the default encryption on the S3 bucket as described in this post.
So everything in S3 is encrypted at rest. When you don't specify how you want to encrypt them, objects in S3 will be encrypted by the default KMS key. And other accounts won't be able to get access to objects in the bucket because they don't have that KMS key for decryption. So to get around this issue, you need to create your own KMS key and use it to encrypt (let CodeBuild use the KMS key you have created in this case). Then allow roles in other accounts to use this key by configuring AssumeRole permissions. From what I see, most S3 access denials happen because of not being able to decrypt objects. And this is specified here: Troubleshoot S3 403 Access Denied - encrypted objects will also cause 403 Access Denied.
In my case, the keys that were being used were mismatched which was causing the decryption failure.
I faced the same issue.
My source was from an S3 folder. The fix involved putting a / at the end of the source path. It seems that without the / CodeBuild thinks it is a key.
Hope this helps someone save time.
In my case I fixed the issue this way: when I was creating a build project configuration, there is a step in which you have to provide Service role and Role name. There are two options for that step: 1) create a new one and 2) choose an existing one. I created a new one. After that I faced the issue the author described. After some research I added these policies to that role in the IAM module and the issue went away.
AWSCodeDeployRoleForECS AWS managed Permissions policy
AWSCodeDeployRole AWS managed Permissions policy
AWSCodeDeployRoleForCloudFormation AWS managed Permissions policy
AWSCloudFormationFullAccess AWS managed Permissions policy
AWSCodeDeployRoleForLambda AWS managed Permissions policy

PCF Dev Spring Cloud Config Server Gitlab

I'm trying to configure a p-config-server instance to use GitLab. The account has a password. I have tried both the http and ssh urls, with username and password for the http url and a private key for the ssh url.
The service reports that it failed to start. But I can't get any more information as to why it failed.
How do I configure this correctly to connect to a GitLab instance?
Where are the logfiles for the service failure so that I can find the issues?
Cheers
The username and password eventually worked.
I used -c with a file containing :-
{
  "git": {
    "uri": "http://host:port/xyz.git",
    "label": "master",
    "username": "demo",
    "password": "demouser"
  }
}

EC2 instance role gets 'Unknown' error when attempting aws s3 cp KMS encrypted file

I've got an ASG that assigns an IAM Role to each of the instances that join it. Therefore, each instance has the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables baked-in, which will be used upon instantiation to download and decrypt credentials that are stored in an S3 bucket and encrypted using KMS keys.
So I'll have the following components:
An S3 bucket called top-secret.myapp.com
All objects in this bucket are encrypted using a KMS key called My-KMS-Key
An IAM instance role with inline policies attached granting it the ability to interact with both the bucket and the KMS key used to encrypt/decrypt the contents of the bucket (see below)
A user data script that installs the aws-cli upon instantiation and then goes about attempting to download and decrypt an object from the top-secret.myapp.com bucket.
The User Data Script
Upon instantiation, any given instance runs the following script:
#!/bin/bash
apt-get update
apt-get -y install python-pip
apt-get -y install awscli
cd /home/ubuntu
aws s3 cp s3://top-secret.myapp.com/secrets.sh . --region us-east-1
chmod +x secrets.sh
. secrets.sh
shred -u -z -n 27 secrets.sh
IAM Role Policies
The IAM role for my ASG instances has three policies attached inline:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::top-secret.myapp.com"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::top-secret.myapp.com/secrets.sh"
      ]
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": "arn:aws:kms:us-east-1:UUID-OF-MY-SECRET-KEY-HERE"
    }
  ]
}
The first policy is essentially a full-root-access policy with no restrictions. Or so I thought, but it doesn't work. So I thought it might be that I need to explicitly apply policies that allow interaction with S3 encryption and/or KMS, makes sense.
So I added the second policy that allows the IAM instance role to list the top-secret.myapp.com bucket, and LIST and GET the secrets.sh object within the bucket. But this produced the error illustrated below.
The (Unknown) Error I'm Getting
download failed: s3://top-secret.myapp.com/secrets.sh to ./secrets.sh
A client error (Unknown) occurred when calling the GetObject operation: Unknown
Anyone have any idea what could be causing this error?
Note: This method for transferring encrypted secrets from S3 and decrypting them on-instance works fine using the standard Amazon S3 service master key
For me, the issue was two-fold:
If you're using server-side encryption via KMS, you need to supply the --sse aws:kms flag to the aws s3 cp [...] command.
I was installing an out-of-date version of awscli (version 1.2.9) via apt, and that version didn't recognize the --sse aws:kms command
Running apt-get remove awscli and installing via pip install awscli gave me version 1.10.51, which worked.
EDIT:
If you're using a different KMS key than the default master key for your account, you will need to also add the following flag:
--sse-kms-key-id [YOUR KMS KEY ID]
