I'm trying to add a IAM role to RDS instance via CloudFormation template. I could not find such option after looking into all attributes stated here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-database-instance.html.
You cannot assign role to DbInstances.
You need to create Aurora DbCluster (not instance) and specify the role for dbCluster. Here is the example cloudformation:
"DBClusters": [
{
...
"AssociatedRoles": [
{
"Status": "ACTIVE",
"RoleArn": "<role-arn>"
}
],
...
}
]
Related
I'm trying to update an existing role definition with the following command that is run in a DevOps pipeline
$roleDef = az role definition update --role-definition $r.FullName | ConvertFrom-Json
The $r variable holds the path to the custom role definition shown below:
{
"Name": "DevOps Pipeline",
"Description": "Used for deploying web application code, but not creating resources",
"AssignableScopes": [
"/subscriptions/sub-id-here"
],
"Actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ContainerRegistry/registries/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/components/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/certificates/*",
"Microsoft.Web/listSitesAssignedToHostName/read",
"Microsoft.Web/serverFarms/join/action",
"Microsoft.Web/serverFarms/read",
"Microsoft.Web/sites/*",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Cdn/profiles/endpoints/Purge/action",
"Microsoft.Web/connections/write",
"Microsoft.Logic/workflows/write"
],
"NotActions": [],
"DataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/deleteBlobVersion/action",
"Microsoft.AppConfiguration/configurationStores/*/read",
"Microsoft.AppConfiguration/configurationStores/*/write",
"Microsoft.AppConfiguration/configurationStores/*/delete"
],
"NotDataActions": []
}
My problem is, when this is run the following exception is thrown:
ERROR: 'Microsoft.Cdn/profiles/endpoints/Purge/action' does not match
any of the actions supported by the providers.
The answer from #Stringfellow seems to be the same for me. The cause was due deployment change on the Azure side - nothing to do with my devops pipeline.
When I use az login using service principal
e.g az login --service-principal -u “12121” -p “1212” --tenant “12121”
It will show the all the list of subscriptions which it has access like
[
{
"cloudName": "AzureCloud",
"homeTenantId": "123",
"id": "215645",
"isDefault": true,
"managedByTenants": [],
"name": "Sub1",
"state": "Enabled",
"tenantId": "123",
"user": {
"name": "123456",
"type": "servicePrincipal"
}
},
{
"cloudName": "AzureCloud",
"homeTenantId": "123",
"id": "rr",
"isDefault": false,
"managedByTenants": [
{
"tenantId": "123"
}
],
"name": "Sub2",
"state": "Enabled",
"tenantId": "123",
"user": {
"name": "123456",
"type": "servicePrincipal"
}
},
...
...
]
Among the list for some sub the SPN have direct reader access(RBAC) to the subscription. But for the other sub (lets say sub2) the access is not directly given to the subscription level, instead the access has been given to resource(s) level.
Question: How to get all the list of resources within sub2 that have access provided to the service principal ?in other words, I have to find(list) what kind of access the service principal assigned to any/all the resources within sub2.
I know azure cli doing this behind the scene to retrieve this information.That why it can show all the list of subscription after the successful login. But i don't know what that is
Is there any cli command or graph API to retrieve that information ?
P.S:I don't know the scope or resource where the SPN is assigned too
If you want to list the role assignments for a specific user, you can use the az role assignment list command.
az role assignment list --assignee {assignee}
Note: To view role assignments for the current subscription and below, add the --all parameter:
az role assignment list --assignee {assignee} --all
If you are already logged in with the service principal, you can omit the --assignee parameter
AWS MSK supports IAM based authentication, but not through resource based policy like S3. So we are trying to come up with Policy creation dynamically and attach it to an existing IAM roles of corresponding applications. Say there are two applications, Application1 with IAM_Role1 is producer and Application2 with IAM_Role2 is consumer. Now, the producer policy looks like
{
"Version": "2012-10-17",
"Statement": [
{
"sid": "mskproducer_policy",
"Effect": "Allow",
"Action": [
"kafka-cluster:Connect",
"kafka-cluster:DescribeTopic",
"kafka-cluster:WriteData"
],
"Resource": "arn:aws:kafka:${var.region}:${data.aws_caller_identity.current.account_id}:topic/${var.cluster_name}/*/${topic-name}"
}
]
}
Similarly consumer policy looks like
{
"Version": "2012-10-17",
"Statement": [
{
"sid": "mskproducer_policy",
"Effect": "Allow",
"Action": [
"kafka-cluster:Connect",
"kafka-cluster:DescribeTopic",
"kafka-cluster:ReadData"
],
"Resource": "arn:aws:kafka:${var.region}:${data.aws_caller_identity.current.account_id}:topic/${var.cluster_name}/*/${topic-name}"
}
]
}
Now planning for a map as input variable which looks like
variable "topic_permissions" {
type = list(any)
default = [{
"app_iamrole" = "iam-role-1"
"producer" = ["topic3"]
"consumer" = ["topic4"]
},
{
"app_iamrole" = "iam-role-2"
"producer" = ["topic5"]
"consumer" = ["topic6"]
}]
}
Option1: By Using Terraform
data "aws_iam_policy_document"
and dynamic "statement" block, I can construct these policies into corresponding producer or consumer policy.json and create these resource policies and output their arn. So in this case I would get two policy arns.
Since these two policies now belong to different IAM roles, how to attach them back into the corresponding IAM role? Meaning how to map which IAM role gets what policy arn dynamically?
"Resource: aws_iam_role_policy_attachment"
expects policy_arn and corresponding role arn
Option 2: As suggested in comments below, another option is to use inline policy.
resource "aws_iam_role_policy".
But again the same problem arises where I'm not sure how to attach the policies formed dynamically; back into the corresponding IAM roles as inline policies.
Option 3: Write a bash or python scripts to form the dynamic policies and return the output as JSON which can then be looped through in
resource "aws_iam_role_policy".
I'm using Terraform
data "external"
After TF apply, the output JSON results in following error; though when running the Python module individually and verifying the contents through jsonlint, says its perfect JSON.
Error: command "python" produced invalid JSON: json: cannot unmarshal
object into Go value of type string
Terraform version being used is 0.13
My Azure AD application expose scope Roles.ReadWrite.All(Delegated permission). Now I want to use machine to machine communication, So I need to expose Application Permission. From the official documentation How to: Add app roles in your application and receive them in the token, I have created a AppRoles. Now I can give another application Application permission to the application.
But the issue is, I want to use the same value for Application Permission and Delegated Permission, As Microsoft is already doing this with their Microsoft Graph application's AccessReview.Read.All permission. But when I want to create appRoles, it shows an error -
Failed to update Backend API application. Error detail: It contains duplicate value. Please Provide unique value. []
I can only create same permission value if I keep the id, description and display name same for both appRoles and oauth2Permissions. But Microsoft Graph is using two different ID but the same value!
...
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "ebfcd32b-babb-40f4-a14b-42706e83bd28", // AccessReview.Read.All
"type": "Scope"
},
{
"id": "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa", // AccessReview.Read.All
"type": "Role"
}
]
},
{
"resourceAppId": "96954c3d-fbb4-4899-be79-582b810acb7b",
"resourceAccess": [
{
"id": "fbeb72c6-dfcb-45b6-b83a-db2929314e70",
"type": "Scope"
},
{
"id": "42b90870-bbe2-46c6-a221-4f8981c559ae", // Roles.ReadWrite.All
"type": "Scope"
},
{
"id": "42b90870-bbe2-46c6-a221-4f8981c559ae", // Roles.ReadWrite.All
"type": "Role"
}
]
}
],
...
As it is shown in the above Manifest snippet, Graph API's AccessReview.Read.All has two different id for Delegated and Application permission, Where my Roles.ReadWrite.All has same ID as a result same Display Name and Description
I'm afraid that what you need is not supported currently.
As you have tested, if we use the same value for "AppRoles" and "OAuth2Permission", it will show this error: It contains duplicate value. Please Provide unique value.
When we set the same ID for "AppRoles" and "OAuth2Permission", we will be required to set the same value for (description, adminConsentDescription),(displayName, adminConsentDisplayName),(isEnabled, isEnabled),(origin, origin),(value, value).
In this case, we can say that we get the same object for "AppRoles" and "OAuth2Permission". But it will not affect your use. The access token can return the correct Delegated permission or Application permission.
I use circleci to build and push the application to aws. I have now managed to create and register a new task definition in the circleci config using the aws cli. This works well. The problem or case i´am having is how do I overwrite the placeholder values using the cli?
Here is how i read the task definition:
aws ecs register-task-definition --cli-input-json file://.circleci/taskdefinition.json
The task definition file:
{
"containerDefinitions": [
{
"cpu": 10,
"environment": [
{
"name": "Secret_api_key",
"value": "placeholder_value"
}
],
"image": "<Image>",
"name": "app-dev"
}
],
"placementConstraints": [],
"memory": "512",
"family": "pp-dev",
"networkMode": "bridge"
}
What I want to know is, how do I update the placeholder_value which I have retrieved from aws secrets manager?
Use sed to replace the placeholders with secret valuables from private environment variables.